DIDW: How Identity is Overused and Misunderstood
Here are my rough notes from the second session, formatting be damned. My comments / editorializing are in brackets, prefaced with “SJC”.
Jim Harper - Director of Information Policy Studies, Cato Institute - Author of Identity Crisis
- Wanted to write a book about why we don’t want a national ID card. How do you know who
- Typical identity: Something you are, something you have, something you know
- Wants to add a fourth: something you are assigned (your name, your location, etc.)
- How would a national ID card work? Then you can examine the issues around it.
Threats to national ID cards
- Surveillance - easy to tie separate sets of data together.
- Power - information is power; access to data allows the government to find you and affect your life. Access to databases reverses the incentive structure: the ordinary incentive is for law enforcement to learn about a crime, then track down who did it. With more data it is easier to say anyone must have done something wrong, and then start mining that data to find out what it was.
- Tend towards insecurity - Identity fraud is made easier by the existence of the SSN. A single-key system means one error compromises multiple systems [SJC: Sounds like some of the issues with biometrics]
Need a heterogeneous ID system so that consumers can select the systems they need without participating in a single system.
Think of authorization as coming first. In everything you do, you decide if something is going to go forward or not. Let’s call that authorization. Hugs, handshake, alcohol sales, network access, etc. all have authorization steps. What do I need to know about you in order to shake hands with you? What do I need to know about you in order to hug you?
What level of proof do I need that what I know about you is correct? That level of proof is authentication. Authorization: what you are allowed to do. Authentication: degree of proof provided to allow that transaction to transpire.
So many DHS programs are unwisely relying on identity. Just knowing who someone is isn't necessary. You don’t need to know who the person sitting next to you is, you just need to know that the person on the plane can’t hurt you. [SJC: This doesn't seem to apply at all to enterprise networks. I hope he realizes this isn't a universal constant]
The REAL ID Act was passed in May of 2005. By May of 2008 states need to issue ID cards in compliance with federal standards, standards like no more mail-in renewals, etc. Dedicated adversaries will bypass these systems (pay off DMV folks, etc.), but it will be painful to the rest of us.
Big laugh from the crowd when he suggested that identity should be 3rd or 4th, not at the center. Talks about using a fake ID in all of his dealings requiring credit cards.
Phil came on at the end to suggest that this talk is all about understanding what you accomplish with a given identity check.