I would like to begin by describing four different scenarios. Each of
these scenarios is completely within the reach of our current digital
identity technology, in fact some of them have already been implemented!
The technology itself is really not the point of these examples.
Scenario 1: You have two keys to your house, and a key to the
garage. Then there's the key to your car, and to your husband's car, and
two keys for work. Throw in the key to the gym, the mailbox, and perhaps
a few others and it's a wonder you don't suffer from back trouble just
carrying them all around!
Imagine if you had just a single "key" -- some sort of an electronic
identifier. You would set the locks on your house, your car, your
office, etc to admit that key. You could easily set your house locks to
let the neighbor's kid in with HER key for a week so she can feed the
cat for you while you're on vacation. It's a technology that makes
everyone's lives easier in a number of tiny little ways.
Scenario 2: We issue ID cards to all of our employees. Each ID
card has a picture, along with their title and clearances prominently
displayed. Everyone is required to present their card in order to enter
the building. Visitors such as family members are permitted, but must be
accompanied at all times by someone with an appropriate ID card. The
elevator to the executives' floor will only operate if presented with an
executive card, so anyone else must call ahead to be accompanied by an
Both of these scenarios are possible, using the same technology. One
exists today, the other is a pipe dream.
Scenario 3: Handing your credit card number and expiration date
to every clerk you encounter is a real security risk. And quite a few
people are (or were at first) especially wary about using a credit card
over the internet. We've all heard about the cases (fortunately quite
rare) where thousands of credit cards had to be re-issued because a
hacker compromised an online retailer's database.
Imagine if you set up a web-purchasing client -- call it an "e-wallet"
-- running on the end consumer's machine alongside their browser. When
the merchant wanted to make a purchase, they could supply a
cryptographically tagged "invoice" for the amount. The software on the
customer's machine could then "approve" the charge, and return some
cookie to the merchant. The cookie would be sent to the card processor,
who could verify what card it came from and the amount of the charge
authorized, but card number would never even be transmitted, thus
eliminating all risk of it's secrecy being compromised!
Scenario 4: The same idea of an "e-wallet" running on the
customer's machine and integrated with their web browser could be used
in a different fashion. The idea of preventing credit card details from
being transmitted openly sounds good, but it might not be universally
compatible, so we'll simply transmit the data without special
protections. One big advantage to the customer is that they won't need
to actually TYPE IN the number off of the card -- the software can
pre-fill it for them along with their name and address. The other thing
that this software could do would be to monitor every purchase that the
consumer makes, and every website that they visit while simply browsing.
THIS information could then be collected by the company offering the
"e-wallet" service, and it would be very valuable indeed if sold to
There IS a technology known as "e-wallets", and it works as described in
. . . . . . . . . .
So by now I think you can begin to see the point that I am trying to
make here. In my opinion, the technical hurdles -- fascinating though
they are -- are not the biggest problem facing Digital Identity. Most of
what we want Digital Identities to do has been possible since the
invention of public key cryptography, and is only advanced, not
fundamentally altered, by recent advances in fingerprint scanning,
facial recognition, and so forth.
No, the biggest problem facing Digital Identity is a social and cultural
problem. There is a difference (a significant one) between those
applications which would benefit individual members of society, and
those applications which would benefit large influential corporations.
Unfortunately, the kinds of systems that we are talking about can really
only be implemented by large corporations. Such systems -- even if they
save money once implemented -- require large initial capital outlays.
They also tend to work best only when very widely used, which makes it
difficult for individuals make independent choices. And evaluating
Digital Identity systems involves some fairly advanced and technical
considerations, which most individuals are woefully ill-equipped to
research and evaluate. So such systems are almost sure to be designed
and set up by (and for) large corporations.
Thus, I assert that the largest problem Digital Identity is that,
despite much potential for benefiting everyone, our current social
structures are such that AS IMPLEMENTED it will benefit a few large
players (mostly corporations or governments), to the detriment of the
individual. If the social implications of these technologies are not
properly addressed, then instead of eagerly awaiting the promise of
Digital Identity we fear it.
To my mind, an open discussion forum such as this one is the perfect
place to begin addressing those social implications, and discussing what
we (as a society) can do to make Digital Identity technologies work for
-- Michael Chermside