I came back a few weeks ago from the Ping Cloud Identity Summit with one of those obnoxious summer colds and ended up in bed for a few days. That combination of immersion in the world of “identity” followed by immersion
in daytime television heightened my attention to the way the rest of the world—those not attending identity conferences—views identity.
In one TV show scene a character was asked for their ID and immediately pulled
their driver’s license out of their wallet and handed it over. I’ve done this hundreds of times myself, but what caught my attention was what a simple act this is when you are in the presence of the person asking for your identity and what a complex act this is when you aren’t. It also made me think about all the recent conversations I’ve been monitoring on Twitter and in blogs about how identity and personal information attributes (like your name and address, for example) are really the same thing.
I don’t believe that is true. Here’s why.
For the person or company requesting a consumer’s identity in person the process is straight forward. The consumer is right there and you can see that the picture on the ID matches the person in front of you. In some cases maybe you care about their name and address attributes in other cases you may not. You may want to verify they are of a certain age. Pretty simple stuff really, but again, only if they are in front of you.
So what if they aren’t? What if they are on the other end of the internet? If you ask them for their ID what do they do? They probably fill in a screen of data including their name and address. But that isn’t their identity; it’s just data. The reason a relying party (the identirati use this term to refer to any entity who relies on an identity provided by someone else) accepts John Smith’s driver’s license as his identity is that it isn’t John Smith’s driver’s license; it’s the state government’s driver’s license. It’s not his assertion; it is the government’s vetting of his assertion on which relying parties rely.
If you still think identity is just a combination of personal information attributes, try this for an experiment. The next time you are asked for your ID, hand over a little piece of paper with your hand-written name and address and see if it is accepted. When others ask for your ID, they aren’t really asking about your personal information: they are asking for an assurance that someone else other than you agrees that you are who you say you are. Further, they want assurance that the next time they ask for your identity, that they will receive the same identity you gave them the last time. This last assurance, for consistency over time, is important for them in case you come back.
My premise is that Identity is just an assurance from an independent, third party that who you say you are now will be the same person you claim to be in the future. It’s not a name or address or phone number or email address: identity is a token provided to a relying party that an independent entity guarantees a distinct and repeatable relationship.
So back to the problem of obtaining an identity over the internet. I’ve established that just providing a set of personal attributes isn’t the same thing as providing an identity if that set of attributes is not verified by a third party and, therefore, can’t be guaranteed to be distinct and consistent over time. But it is possible to convert those personal information attributes into an identity. To do so requires those attributes to be vetted by a third party that can vouch for the distinctness of that identity now, and the sameness of that identity later.
At PacificEast we provide this attribute-to-identity conversion by using the global uniqueness of a phone number to provide distinctness and consistency over time. Our Telified™ service integrates the consumer attribute vetting capabilities of phone companies. Telified provides a foundational level of assurance on which additional levels of assurance can be built if needed.
What we think of as a personal identity is really only personal information. No man is an island and no man’s information is an identity. For a personal identity to be trusted, it can only be forged in the identity furnace of a third party. Personal information attributes are important for many reasons, but they aren’t the same thing as an identity.