We need only juxtapose the physical and cyber worlds to see the need for
improved online identity systems. In the physical world, identity is based on
social custom, followed by the creation of identity documents and derivative
identity documents. By way of example, a child will likely be named at birth,
which is when his or her first identity document, the birth certificate, will be
created. This document is later used to create additional public- and
private-sector identity documents: when the child is ready to drive, he or she
will produce that birth certificate to get a driver's license; when the child
wants to open a bank account, the bank will use that driver's license to “know
their customer,” open an account, and issue a bank card; when that child wants
to travel overseas, the post office will ask for two forms of identity, the
birth certificate and the driver's license (which, of course, was issued based
on the birth certificate) before issuing a passport.
Compare this process to the one we use to create an Internet “identity.” This
same person will go to a Web site and enter “secret” data (such as his birth
date and mother's maiden name), the recipient Web site will verify this data
with a third party, and identity will be established. The problem, of course,
is that this “secret” data is not secret at all: many people have access to this
information and could inappropriately use it to “authenticate” themselves as
this person. It becomes clear, therefore, that if we want to apply solutions
from the physical world to problems of identity on the Internet, we must create
digital Internet identities that are based on in-person proofing (IPP) and the
issuance of true secrets (the private keys that underlie digital certificates)
that permit unique identification claims. With these tools in place, people can assert identity or,
even better, identity attributes (such as age or residency), enabling other
people and organizations to more safely trust that information. Of course, this
identity system will not be perfect, but physical identity documents are subject
to misuse, too. The point is that we can create online identity systems that are
more robust than the ones we have today. Moreover, these online identity
systems could provide greater protections for security and privacy than we
currently achieve when using documents to prove identity in the physical world.
Scott Charney, Corporate Vice President, Trustworthy Computing, Microsoft Corporation
Online identity management systems are important if we're to address the
Internet's growing crime problem. The range of criminal activity that the
Internet supports is broad, including consumer threats (such as compromised
computers being used for unauthorized activities, identity theft, financial
fraud, and child endangerment), enterprise threats (such as the theft of
financial information, loss of personally identifiable information, economic
espionage, and extortion via threats of denial-of-service attacks), and
government threats (such as information warfare). These crimes are pervasive in
part because the Internet has four attributes that make it attractive to
criminals: global connectivity, anonymity, a lack of traceability, and valuable
targets. Without proactive controls (such as neighborhood watches and police
patrols) and absent reactive effectiveness (due to anonymity and lack of
traceability), those who commit crimes on the Internet have little concern about
identification and capture and, therefore, little to deter them. This is one
reason why identity management is so important.
Not surprisingly, however, mentioning the words “identity” and “the Internet”
in the same sentence gives many people pause, in large part because the Internet
has been so transformative in the areas of free speech and communication, areas
where anonymity plays an important part in ensuring the free flow of ideas.
Social networking represents the new town square, and blogging has turned
citizens into journalists. Therefore, while the thought of strong digital
identities cannot be proposed lightly, absent a way to create, transmit, and
consume robust identity on the Internet, people will lack the data necessary to
protect their own security and privacy online. To enable robust identity on the
Internet, we need to create an “identity metasystem” to enable better trust
decisions and help solve difficult real-world problems such as identity theft.
Anonymity concerns
Although necessary and beneficial, the creation of an identity metasystem
raises important social issues. Two of the more pressing concerns relate to
protecting anonymity and privacy. The first concern is that if authenticated
identity is required to engage in Internet activity, anonymity and the benefits
that it provides will be reduced. Although anonymity might exist on the Internet
due to historical evolution, the fact is that it serves many useful purposes.
For example, anonymity supports important policies regarding the promotion of
free speech, even if harm sometimes occurs because of the anonymous nature of
the communication. Indeed, it is important to remember that some societies have
long accepted and promoted anonymous speech, despite these concerns. This is
why it is still possible to make anonymous phone calls (pay phones having been
replaced by disposable cell phones) and to mail packages, even ones containing
contraband, with no return address. Even with the potential risks that anonymous
Internet speech can bring, there are both practical and philosophical reasons
to continue to permit it. The second concern is that authenticated identifiers
could be aggregated and analyzed, thus facilitating profiling (although there
is certainly concern about data profiling even in the absence of an identity
metasystem). Three factors, however, help mitigate this concern. First, people
will have many forms of identity and can provide different identifiers in
different contexts, thus reducing the risk of profiling.
Second, the use of identity attributes, as opposed to sharing your full
identity, should help protect privacy. Finally, social rules can be constructed
to support anonymity in appropriate contexts. Clearly, this approach might not
satisfy those who see the Internet's anonymity as the ultimate protector of
privacy and an identity metasystem as a threat to greater anonymity. The fact
remains, however, that if we hope to reduce crime and protect privacy, we need
to give users the ability to know with whom they are dealing (if they so choose)
and give law enforcement the capability to find bad actors.
Although this debate cannot be resolved to everyone's satisfaction because it
is impossible to prove what will happen a priori, we could argue that people
have long shown an interest in and support for anonymity; markets will support
anonymity, much as you can shop today without providing proof of identity; and
anonymity and privacy protections can be established through regulation.
The future: creating an online identity metasystem
Given these arguments, if we agree that an identity metasystem's benefits
outweigh its risks, the challenge is to create this IPP-based identity
metasystem. Such a system requires five components.
First, for consumers to obtain robust digital credentials, we need
organizations capable of conducting IPP. The IPP locations must be ubiquitous,
but can be either public or private institutions. Second, we need organizations
to manage identity claims, including revoking certificates when credentials are
lost. In some cases, the IPP entity might also issue and manage the IT
infrastructure necessary to transmit claims and revoke certificates. In other
cases, however, the organization that conducts the IPP event and the
organization that issues, manages, and revokes digital certificates might be
different.
Third, we need easy-to-use formats that are supported by widely available
technology. For example, magnetic stripes are familiar to consumers, and the
security issues associated with such technology might not be problematic if the
only data encoded on the stripe is meant to be public, such as a claim signed
with the issuer's private key, meant to be shared, and then verified with the
issuer's public key. Smart cards allow for computations, but neither smart cards nor
card readers are currently ubiquitous, particularly in the consumer space. Other
forms of two-factor authentication might include USB dongles and smart phones.
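As an added illustration (this is example code, not anything from the original essay or from Microsoft), here is how the second and third components fit together: an issuer signs an attribute-only claim with its private key, the card carries nothing but those public signed bytes, and a relying party verifies them with the issuer's public key and then consults the issuer's revocation list. Everything in it is an assumption made for the example: the Claim and Token layouts, the choice of Ed25519 as the signature scheme, the serial number, the attribute names, and the in-memory revocation list.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Claim is a hypothetical attribute record: what a relying party needs, never the full identity.
type Claim struct {
	Serial string            `json:"serial"` // handle the issuer can revoke
	Attrs  map[string]string `json:"attrs"`  // e.g. over_18, resident_of
}

// Token is what the card carries: the claim bytes and the issuer's signature.
// Both are public by design; the only secret is the issuer's private key.
type Token struct {
	Claim []byte
	Sig   []byte
}

// Issue serialises the claim and signs it with the issuer's private key.
func Issue(priv ed25519.PrivateKey, c Claim) (Token, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return Token{}, err
	}
	return Token{Claim: body, Sig: ed25519.Sign(priv, body)}, nil
}

// Verify checks the signature first (nothing inside the claim is trusted until
// it holds), then the issuer's revocation list, and only then releases attributes.
func Verify(pub ed25519.PublicKey, t Token, revoked map[string]bool) (Claim, error) {
	if !ed25519.Verify(pub, t.Claim, t.Sig) {
		return Claim{}, errors.New("signature invalid: claim altered or not from this issuer")
	}
	var c Claim
	if err := json.Unmarshal(t.Claim, &c); err != nil {
		return Claim{}, err
	}
	if revoked[c.Serial] {
		return Claim{}, errors.New("claim revoked: serial " + c.Serial)
	}
	return c, nil
}

// Tamper edits bytes inside the claim but keeps the old signature, modelling
// someone rewriting a stripe with a cheap card writer.
func Tamper(t Token, old, repl string) Token {
	t.Claim = bytes.ReplaceAll(t.Claim, []byte(old), []byte(repl))
	return t
}

// ScenarioResult records one accepted verification and two rejections.
type ScenarioResult struct {
	Attrs                map[string]string // attributes released for the genuine token
	TamperErr, RevokeErr string            // non-empty when the relying party refused
}

// RunScenario issues a sample claim, verifies it, then shows that a forged
// attribute and a revoked serial are both refused.
func RunScenario() (ScenarioResult, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // issuer key pair
	if err != nil {
		return ScenarioResult{}, err
	}
	// Constructed sample values for one card holder.
	claim := Claim{Serial: "SER-0001", Attrs: map[string]string{"over_18": "true", "resident_of": "WA"}}
	token, err := Issue(priv, claim)
	if err != nil {
		return ScenarioResult{}, err
	}
	revoked := map[string]bool{}
	good, err := Verify(pub, token, revoked)
	if err != nil {
		return ScenarioResult{}, err
	}
	reject := func(t Token) string { // error text, or "" if the claim was accepted
		if _, err := Verify(pub, t, revoked); err != nil {
			return err.Error()
		}
		return ""
	}
	res := ScenarioResult{Attrs: good.Attrs}
	res.TamperErr = reject(Tamper(token, `"WA"`, `"CA"`)) // signature no longer matches
	revoked[claim.Serial] = true                          // holder reported the card lost
	res.RevokeErr = reject(token)
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The signature proves that the issuer produced these bytes and that they have not been altered since; it does not prove that the person presenting the card is the holder, which is why the essay pairs such credentials with PINs and second factors. Revocation likewise cannot be read off the card: the relying party needs a current list from the issuer, and a real deployment would also put an expiry in the claim so that stale credentials fail even when the list is unreachable.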
Fourth, we need to ensure social, political, economic, and information
technology alignment. For example, at the same time consumers obtain such
certificates, governments and businesses must build the infrastructure necessary
to consume such identities and policy makers must create a regulatory framework
that advances, or at least does not inhibit, the identity metasystem.
Fifth, it must be remembered that criminals are creative, adaptive, and
persistent. Therefore, any identity metasystem must have a carefully constructed
and comprehensive threat model. While robust digital identities based on IPP and
digital certificates might make it harder for criminals to impersonate others
and commit crimes, we should expect that criminals will find new ways to
circumvent these defensive measures. For example, a criminal might bribe an IPP
agent, steal a valid certificate and PIN, steal the keys used to sign
certificates, or social engineer a call center after claiming to have lost a
digital certificate. These and other threats should be considered and mitigated
by business process and technology.
Collaboration is the key
If we want the Internet to reach its full potential, we need a safer, more
trusted online environment. To achieve this, we at Microsoft have proposed a
vision outlining the reasons for end-to-end trust. But Microsoft and the
technology industry alone can't create a trusted online experience. For this to
happen, industry must not only band together but work with customers, partners,
governments, and security and privacy experts worldwide to help take trustworthy
computing to the Internet.