Friday, December 10, 2004

imho Regarding Kim Cameron’s “four laws of identity”


Kim Cameron is a powerfully probing thinker. He’s also a lot of fun to speak to. He doesn’t mince words and isn’t afraid to twist the tail of the “authority” (i.e., Microsoft) that has issued him an important piece of his “identity” (i.e., designated identity visionary, evangelist, and provocateur within Microsoft). Of course, even if Kim and his current employer went their separate ways for whatever reason, Kim’s core identity—visionary identity guru—would endure. His blog is a great medium for channeling Kim’s unvarnished thinking to us, direct from his head to ours, come what may.

I have to take issue with Kim’s recently proposed “four laws of identity,” from his blog. To do that, let me first propose Kobielus’ “four principles of identity,” and then use that to move into a specific critique of Kim’s approach. In doing so, I’m responding to Craig Burton’s call for more conceptual and lexical clarity in this discussion.

Kobielus’ four principles of identity recognize that identity is a resource for controlling entities, the transactions in which they may engage, and their vulnerabilities to various risks and liabilities. Kobielus’ four principles are:

* Identity is a uniquely denotative set of one or more attributes associated with a designated entity.
* Identity is issued, owned, asserted, vouched, interchanged, controlled, disclosed, and administered by one or more recognized authorities, which may be the designated entity itself (i.e., self-declaration) and/or various third parties with responsibility over various roles, transactions, or scenarios in which that entity participates (and who may provision or deprovision some aspect of the entity’s identity at their pleasure, will, or whim, depending on their power over him/her/it in various spheres).
* Identity is queried, retained, and relied upon by one or more other parties when engaging in various relationships or interactions, public or private, with the designated entity.
* Identity is control over the entity that it designates, and that control may reside to varying degrees in the designated entity, various recognized identity authorities, and/or various relying parties.

Cameron’s four laws of identity are all geared to maximizing the control wielded by the designated entity over its own identity. In other words, they are laws that ensure accountability while safeguarding privacy protection and ensuring permission-based attribute sharing. They assume that the identity’s “owner” is the designated entity, and that any authorities and relying parties are simply stewards or consumers of others’ identities. Cameron’s four laws are:

* Technical identity systems must only reveal information identifying a user with the user's consent.
* The solution which discloses the least identifying information is the most stable, long-term solution.
* Technical identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
* A universal identity system must support both "omnidirectional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

Contrary to what he claims, Cameron’s “laws” are not “a set of ‘objective’ dynamics that will constrain the definition of an identity system capable of being widely enough accepted that it can enable distributed computing on a universal scale.” If they were value-neutral positive theorems for how identity systems actually behave, or are actually accepted (or rejected) in practice, they would have to account for the persistence of stable, legitimate identity regimes in which entities don’t control their identities and/or don’t control the circumstances in which others disclose, access, and rely on their identities. For example, where the issuing authorities and/or relying parties are government agencies with monopoly jurisdiction over some critical identity/credential (e.g., driver’s license, social security number, passport), the designated entity has no choice but to accept that identity regime, regardless of whether it conforms to Cameron’s “laws.” Where the authorities and relying parties are commercial organizations with considerable market share and clout (e.g., credit card companies), one also must largely accept their rules rather than attempt to “buck the system” (for example, by panhandling or living up in the mountains, eschewing money or credit cards altogether). Like it or not, in these real-world instances some major portions of your identity are granted to you by an overpowering authority, who may just as easily take them away from you.

At heart, Cameron’s “laws” are merely ideological, normative precepts with a transparent agenda and a limited, though laudable, aim. Privacy protection is important. Personal control over one’s own identity information is important. But they aren’t the only requirements that must be addressed in a full-blown identity service bus. They don’t address cases where there’s a legitimate need for anonymity, or for full disclosure (over a designated entity’s objections) of identity. Should illegitimate political regimes be able to penetrate the veil of anonymity in which freedom fighters cloak their righteous activities? By the same token, should suspected terrorists own those identity attributes pertaining to themselves that, disclosed to the proper, legitimate authorities in the nick of time, would prevent massive death and destruction?

Kim: This is 2004, not 1994. Put aside the cypherpunk assumptions of yesteryear. Personal empowerment and privacy are critically important, where identity is concerned. But your “laws” are at odds with the real, legislated, post-9/11 laws in this country and elsewhere. There are overarching authorities who are rendering your hoped-for privacy-friendly identity regime politically infeasible.

Please rethink and recast them in that broader context.