Sunday, November 27, 2005

imho concentration of information


Chicago Liberty: ahs

Franconia Fraternity:
Earlier in this imho thread, I introduced the notion of an “identity system of records,” or iSoR. I introduced it in the context of how a credit bureau that has no prior B2C account relationship with a particular individual (whose identity the bureau tracks) might authenticate/authorize someone who purports to be that individual to access the individual’s system of records:

“Essentially, they authenticate you by doing a Q&A session in which you and they match your respective iSoRs. They pose a series of multiple-choice questions to you, drawn from data in your iSoR (held by them), and score your responses. These are questions that only you (the identity subject, mining your own personal iSoR which you, hopefully, have never divulged in its entirety to any other party) can be expected to answer correctly. If you answer the Q&A session perfectly—or near perfectly—the credit bureau authenticates you and authorizes you to access the iSoR that they hold on you.”

One issue I didn’t raise in this context is: What if the subject of the iSoR doesn’t have a clue about their own assets, investments, finances, and transactions? What if they haven’t kept their own centralized/consolidated iSoR? What if their iSoR is hopelessly out of date or inaccurate? What if you’ve trashed older records corresponding to those that the credit bureaus still maintain? What if you’ve kept all of these records (paper and/or electronic) but haven’t gotten around to sorting through it and documenting it concisely for your own consumption? Then you--the subject of the credit bureau’s iSoR--are likely to fail the iSoR-matching zero-knowledge Q&A test. And you will be prevented from accessing and, if necessary, correcting your own credit history.

In an ideal world, each of us would preside over our own personal IdP domain, and others—including big impersonal institutions—would bid for access to our identity data—to our iSoR. One corollary of that vision is that each of us would be the master concentration point for all identity data, current and past, that constitutes our iSoR.

But let’s get real. That’s a big burden for most people, and a supremely boring tedious activity. Personally, I’d rather be listening to than poring through mutual fund statements. Tracking our own financial profiles/histories becomes a bigger pain in the neck as you accumulate more investments and engage in a growing volume of transactions. The longer you’ve lived, the more challenging it becomes. Just imagine the burden that awaits your heirs when, upon your demise, they attempt to aggregate your overstuffed financial iSoR onto theirs.

Who can keep track of this stuff? That’s why the wealthier hire financial advisers to help them track their assets. Which is just another institution you trust to manage your iSoR. Perhaps you can also task this institution with the ongoing job of tracking and requesting corrections to copies of your iSoR that are held by other institutions.

Which institution do you trust more? How do you know when your personal iSoR manager isn’t robbing you blind? How do you know when this and other institutions are in cahoots in that endeavor?

Concentrate on your identity information. Concentrate on your finances. Concentrate on your concentrators.

Don’t let yourself get hypnotized by confidence artists.