Who are you, anyway?
In our industry we use the terms “identity assertion” or “identity claim,” and I think there are a lot of people who don’t know what we mean, so I thought I would write a blog post about it.
We all think we know what “identity” is. In general, we don’t think about it much. You go to the bank to cash a check and the teller asks for proof of your identity. You give her your driver’s license and everything is fine. Your identity has been established. Or has it?
To get started, let’s back up a bit and look at the concept of identity at the root level. There are essentially two notions of identity – one is biological, and one is social. Let’s look at the biological identity first. Biological identity is established by DNA – essentially a long code that makes you unique among all of the other people on the planet. But we are using “unique” here just a bit loosely. It is theoretically possible that two completely unrelated people will have the same DNA, but that probability is astronomical, so we will just assume for this discussion that DNA is truly unique among individuals. Interestingly, 99.9% of our DNA is all the same, but that leaves plenty that is still unique. The FBI has said that they consider that if the odds of a false match are 1:267 billion, they consider that the same person. Fair enough, and we will use that definition here.
So, in the biological sense we establish a unique identity when a new person is conceived. That’s interesting, but not very satisfying for day-to-day business. We could register every new baby into a national database and then use some sort of magic box to test DNA of people we wanted to verify. That’s technologically possible, but expensive (right now) and it has all sorts of practical complications. For an interesting view of how this might look, see the movie Gattaca.
In the social realm, we aren’t so concerned about biological identity. Instead, we are concerned about identity in a certain context. When you cash the check at the bank, they are only concerned about one small aspect of your identity – are you the same person who opened the account? They don’t care about whether you really got a PhD from Princeton, or all the other things that make up your social identity. All of those other things are attributes of your identity, and they are relevant for different types of contexts.
Let’s look at that bank transaction in a little more detail. You present your driver’s license to the teller. You are making an identity claim, and using that license to back your claim. What does that claim mean, though? That claim is established through a chain of trust. That starts with the birth certificate, which is usually required in order to get a driver’s license. That process looks something like this:
- A child is born
- A doctor or hospital certifies the birth
- A birth certificate is registered with the state
- The grown-up person goes to the state and applies for a driver’s license
- The state examines the birth certificate and issues a license.
In terms of identity, the driver’s license is essentially a proxy for the birth certificate, with a photo thrown in for secondary verification. It is only as good as that entire chain of events. And that’s assuming the driver’s license isn’t fake in the first place. As you can see from this example, there are lots of opportunities for fraud – people can be bribed; parent’s can lie; supporting documents can be faked. All of these things happen, and yet our financial system doesn’t fall apart.
This system isn’t perfect, but no system of identity is perfect (even DNA). Identity comes down to trying establish what is good enough. Banks have lots of data on their levels of fraud, and they manage this closely as one of their costs. As an interesting side example of this, consider credit card transactions. Credit card transactions typically have involved two forms of identity claim – the physical possession of the card and a signature. These are both weak forms of identity, but they seem to work pretty well (typical fraud rates are 1%-2%). But some merchants drop the signature requirement for small transactions because they would rather have the lower friction instead of the very slightly reduced fraud that comes with signatures.
So how is identity done in regular social life? In general, one of two things happens: someone you don’t know at all tries to contact you through email/phone, or you get introduced through someone you know. Consider the following people coming to you with an opportunity:
- A Nigerian prince sends you an email
- A salesman makes a cold call
- You get an email from someone who claims to be a friend of a friend
- You get an introductory email from an acquaintance
- You get an introductory email from a trusted colleague or friend
Most people would treat these quite a bit differently. A Nigerian prince in principle represents a great business opportunity, but the identity claim behind it is extremely weak. In contrast, a warm introduction from a friend represents a strong claim.
Let’s look at how identity is done on the Internet. One of my pet peeves about Internet terminology in this area is that people use “identity” in the weakest possible way. Google is an identity provider. While that is strictly clue, the only identity attribute they are certifying is that you have a particular email address. That’s not nothing, but it is practically nothing. For many websites, that’s perfectly fine. They don’t care who you are at all. ” and user “3389318984” are essentially the same identity claim. They just need an identifier to track, so that they can remember your preference, pitch you things they think you would like, or whatever.
Things break down when we start to get into more complex transactions, though. There are many, many more transactions that need a stronger identity claim than a simple email identified. Financial transactions are an obvious example, but there are many others – review sites, dating sites, online forums, and government sites to name a few. In those cases, we need stronger identity claims, and that is where BeehiveID comes in.
We provide means for a very low-friction, relatively strong identity claim that is tied to your social network presence. It isn’t backed by any government, but it is still strong because it relies on your social network to provide strengthening ties. Conceptually, our model is a prototypical identity claim with its own sets of strengths and weaknesses. But the Internet is in dire need of new methods for claiming identity, and we believe our solution is totally new, and future of strong identity.