
Exploring the science and magic of Identity and Access Management
Saturday, May 18, 2024

Mathematicians and Engineers, Identity and Privacy

Author: Mark Dixon
Wednesday, August 3, 2005
3:30 pm

The Identity and Privacy debate reminds me of an old engineer-and-mathematician

seems that an engineer woke up to see a small fire burning in the corner of
his bedroom. He grabbed his fire extinguisher, emptied it on the base of the
flame, observed that the fire was out, breathed a sigh of relief, and went back
to sleep.

A mathematician awoke in a similar situation. Seeing the small fire in the
corner of his room, he carefully considered the fire, contemplated the fire
extinguisher, made some lengthy calculations and proofs, and proclaimed "Aha!"
Then, realizing that mathematics has no practical application, he went back
to sleep.

Most frequently in life and business, we settle for solutions that provide
comfortably practical answers — maybe not as academically pure as our mathematician,
but also not as brutally forceful as our engineer.

At the Catalyst Conference, Bob, Chief Scientist for Security and Privacy at IBM, argued that Identity
and Privacy are incompatible. He reasoned that truth in identity information
requires that a measure of personal privacy be forfeited. Conversely, if one
wants to preserve his privacy, he must not be forced to reveal the truth about
his identity. Bob put it this way: "Privacy is the ability to lie about
yourself and get away with it."

So, what has this to do with fire, engineers and mathematicians?

If we take the purely mathematical approach (by the way, Bob’s presentation
was entitled "The Logic of Identity"), we may never build workable
systems. One could argue that since the ideal is unattainable, we shouldn’t

If we take the brute force engineering approach, we would require all people
to forfeit Identity Privacy rights, issue National Identity Cards, tattoo personal
ID numbers on everyone’s foreheads and proceed to implement secure, efficient online systems.

I fear that too often, politicians tend to favor brute-force methods while
academics favor theoretical approaches. In reality, enterprises and the Internet
need solutions that just work.

As in most cases, the answer probably lies in the practical middle road. Most
people will probably be content with giving up a little privacy to make online
systems easier to use and reasonably secure. We do it now in the physical world.
We offer up bits of personal information to get driver’s licenses or credit cards.
We’re willing to share personal information to get a loan or register a new
car. If we care to travel internationally, we use passports. Even though we
might argue that giving up personal information is a privacy compromise and
security risk, we do it out of practical necessity.

This seems consistent with Mike’s observation at Catalyst that we can achieve security only
at the cost of reducing privacy and efficiency. Jamie stated that the desire for privacy both enables and inhibits IdM.
The need for privacy fuels demand for systems to securely and privately manage
identities, but this very need holds people back because the ideal solution
is not yet available.

We haven’t achieved the correct balance yet. As awareness of online privacy
and identity becomes widespread, the demand for government regulations and correct
business practices increases. In his Catalyst speech, Scott highlighted a Harris-Westin survey published in June 2005 claiming
"59% of people say current laws and business practices to protect privacy
are inadequate." Jamie Lewis states that "The Internet lacks sufficient
identity and security infrastructure" to meet privacy and security demands.

Theoretically, the move toward User-Centric Identity Management looks interesting
as a way for individuals to manage their own balance between privacy and Identity. However,
from a practical viewpoint, I wonder whether enough people will take the time
and initiative to take control of their own identities, even if the technology
infrastructure evolves to allow it.

Most of my work is done where the rubber hits the road in Identity Management deployments. Down in the trenches,
we are all about practical, implementable, reliable systems. I’ll be interested
to see how real-life solutions emerge to solve the tension between Privacy and
Identity. Will the solutions be brute force, more purely academic, or, as I
predict, of the more practical, compromise variety?



One Response to “Mathematicians and Engineers, Identity and Privacy”

    Sorry, I’m recently doing some research for a debate on identity cards and privacy and I would like to ask you about ways of making identity cards less of a pose to privacy. Thanks a lot.

    Comment by airlie on February 6, 2006 at 8:46 am

Copyright © 2005-2016, Mark G. Dixon. All Rights Reserved.