CTO Articles
Published in IT World
January 10, 2006
Taking the 'I' out of Identity
Few e-business subjects have caused such deep furrowing of brows as the concept of identity.
'Obviously', some business folk say, 'to really do E-Business, we will need a way of guaranteeing that a visitor to our web site is who they say they are.'
'Sure thing', the younger engineering folk say, 'it is just a matter of technology. We will start coding and/or buying stuff to make it all just work.'
'Not so fast', the older engineering folk say, 'this problem is broader and deeper than you think. Electronic identity is subtle at best, certainly insanely complicated and possibly even intractable.'
As is often the case with seemingly intractable problems, revisiting basic assumptions is always a worthwhile exercise. The big assumption here is that to do business electronically with someone, you need to know who they are. Is that really true?
Sometimes it most definitely is true of course but there are a significant number of use cases where it is not true. Sometimes lurking behind the phrase 'we need to know who they are' lies the real substance of the concern which is 'we need to know they can pay' or, more generically 'we need to know that the person/thing we are interacting with can conduct a value exchange.'
The cracking noise you can hear in the background is the rending of two concepts that tend to be bound together. The concept of identity on one hand and the separate concept of 'ability to conduct value exchange' on the other. People turn up with cash. They can clearly pay. People turn up with checkbooks. They can clearly pay. People turn up with credit cards, they can clearly pay...
But, people can pay for things with credit cards on-line. In other words, credit cards are usable today without the physical exchange of paper and without physical presence. How does that work? When you take an order with a credit card on-line, do you really know that the person is who they say they are?
No you do not. What you do know is twofold (a) that the details provided to you are considered good by the credit card company and (b) the credit card company is taking on the risk in return for a percentage of the transaction value.
I guess what I'm saying is that credit cards have already removed the need to know anything about the person/thing you are dealing with - the 'I' in identity. All you are interested in, is that the credentials are valid according to the credit card company and that you can use the credentials to conduct the value exchange.
Some think this is messy and not really a solution to the identity problem in E-Business. Some think that we need to establish identity firmly to move on. Some think that it is only a matter of time before biometrics or some such technology steps into the breach to solve this problem. Then and only then, so the story goes, can we really get down to serious e-business.
Perhaps, but I doubt it. As in so many other areas, the Web has a way of cooking up an exquisitely balanced sweet and sour blend of simplicity and complexity. In the case of identity, I think we are well on the way to jettisoning the knee-jerk binding of identities to people in favor of a more abstract concept of "thing that can engage in value exchange".
I sometimes hear folks talking about e-cash and personalized agents and bots and what have you, in the future tense. From where I'm standing, we already have these things. To Amazon, I am indistinguishable from a bot. I might as well not exist for all Amazon's web site cares. It is the credit card company who worries about whether or not I am real.