Technorati Tags: authentication, ID cards, privacy, security
The thing is that proving our actual identity is a special case: in almost all of the transactions we take part in every day, our real identity is immaterial. It is generally used as a proxy for some other credential (you're an employee, you're allowed to park here) because it is the key used to look that credential up in a database of some description. Now, if it is possible to carry that credential around with you in a token capable of supporting a reasonable degree of authentication, then not only do we have a more secure system overall, we also have a much cheaper one, since we no longer need to manage or control the proxy database.
This is why we should try to change the paradigm around identity management. Many people still think in terms of people proving who they are to log on to a web site rather than what they are: British, over 18, an eBayer with more than 100 stars and so on. The last example indicates why I'm curious about the potential for a paradigm shift. When I buy things on eBay, I don't care who people are, I care about their stars. It's a reputation economy.
I remember writing about this in the past, using the emergence of stock markets as an example. The first modern stock market began in Amsterdam in the seventeenth century. One of the interesting lessons from that time is that the courts had no mechanism for dealing with the transactions being undertaken: the contracts could not be enforced in court. Yet the market grew and traders began to experiment with new instruments. The market worked because contracts were self-enforcing within the group, and the means of enforcement was reputation. As Adam Smith observed in Britain in the following century, “when a person makes 20 contracts in a day, he cannot gain so much by endeavouring to impose on his neighbours, as the very appearance of a cheat would make him lose”. Much like eBay today, a trader's reputation was the basis of their earning power and a low-overhead enforcement mechanism for the community. Systems based on reputation do seem to work, although without a security infrastructure to bind a reputation to its rightful owner they are open to abuse. They are also open to non-technological abuse, if you see what I mean (authors recommending each other's books and that sort of thing), which is another topic in its own right.
At a personal level, reputation is a good basis for competitive advantage. For one thing, it's long-lasting. It's hard to forge a useful reputation (not that people haven't succeeded: remember Frank Abagnale and the movie Catch Me If You Can) and difficult to buy one. When I'm calling a plumber, I'd be much happier choosing one with lots of stars: the plumber's livelihood depends on having the stars and (the subject for another post sometime) taking away stars might be a more effective sanction than taking away some money. If plumbers, policemen and everyone else had tokens that could give up (and verify) credentials, then it seems to me that many business models would change.
Imagine going to buy a car and having the dealer’s "stars" verified by your own ID card, phone or PDA at the same time as the dealer is verifying your "stars" from the bank.
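To make the car-dealer exchange concrete, here is an added example of how a token can "give up and verify" a credential about what someone is, rather than who they are. It is my illustration, not code from the original post or from any real ID card, marketplace or bank scheme. An issuer signs a credential that binds a star count to the holder's own Ed25519 key; the holder proves possession of that key by signing a fresh nonce chosen by the verifier; and the verifier checks the issuer signature against a local trust list, so no proxy database is consulted and no name changes hands. The issuer names ("marketplace", "bank"), the claim name "stars", the thresholds and the star counts are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is what the token carries: claims about what the holder is
// (star count, over-18 flag), bound to the holder's own public key and
// signed by an issuer. It carries no name and no database lookup key.
type Credential struct {
	Issuer   string         `json:"issuer"`
	Subject  []byte         `json:"subject"`   // holder's Ed25519 public key
	Claims   map[string]int `json:"claims"`    // e.g. "stars": 120
	NotAfter int64          `json:"not_after"` // Unix seconds
}

// SignedCredential is the issuer-signed payload as stored on the token.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

// Presentation is what the token gives up at the point of sale: the
// credential plus a fresh proof that the presenter holds the subject key.
type Presentation struct {
	Cred  SignedCredential
	Proof []byte // Ed25519 signature over the verifier's nonce
}

// Issue signs a credential. Hypothetical issuer step for this demo only.
func Issue(issuerKey ed25519.PrivateKey, cred Credential) (SignedCredential, error) {
	payload, err := json.Marshal(cred)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(issuerKey, payload)}, nil
}

// Present answers a verifier's challenge by signing its nonce with the holder
// key, so a copied credential cannot be replayed by someone without that key.
func Present(holderKey ed25519.PrivateKey, sc SignedCredential, nonce []byte) Presentation {
	return Presentation{Cred: sc, Proof: ed25519.Sign(holderKey, nonce)}
}

// Verify checks a presentation entirely offline: trusted issuer, intact issuer
// signature, unexpired, presenter holds the subject key, claim meets minimum.
func Verify(trusted map[string]ed25519.PublicKey, p Presentation, nonce []byte, now time.Time, claim string, min int) (int, error) {
	var cred Credential
	if err := json.Unmarshal(p.Cred.Payload, &cred); err != nil {
		return 0, err
	}
	issuerPub, ok := trusted[cred.Issuer]
	if !ok {
		return 0, errors.New("untrusted issuer")
	}
	if !ed25519.Verify(issuerPub, p.Cred.Payload, p.Cred.Signature) {
		return 0, errors.New("issuer signature does not verify (tampered or forged)")
	}
	if now.Unix() > cred.NotAfter {
		return 0, errors.New("credential expired")
	}
	if len(cred.Subject) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(cred.Subject), nonce, p.Proof) {
		return 0, errors.New("presenter does not hold the credential's key")
	}
	v, ok := cred.Claims[claim]
	if !ok || v < min {
		return v, fmt.Errorf("claim %q = %d does not meet minimum %d", claim, v, min)
	}
	return v, nil
}

// party is one participant: a long-term key and the credential an issuer gave it.
type party struct {
	key  ed25519.PrivateKey
	cred SignedCredential
}

func newParty(issuer string, issuerKey ed25519.PrivateKey, stars int) (party, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return party{}, err
	}
	sc, err := Issue(issuerKey, Credential{Issuer: issuer, Subject: pub,
		Claims: map[string]int{"stars": stars}, NotAfter: time.Now().Add(24 * time.Hour).Unix()})
	return party{key: priv, cred: sc}, err
}

func freshNonce() []byte {
	n := make([]byte, 16)
	rand.Read(n)
	return n
}

// MutualStars runs the car-dealer scenario with constructed data: the buyer
// checks the dealer's stars against minForDealer and the dealer checks the
// buyer's stars against minForBuyer, each side challenging with its own nonce.
func MutualStars(dealerStars, buyerStars, minForDealer, minForBuyer int) (buyerAcceptsDealer, dealerAcceptsBuyer bool, err error) {
	marketPub, marketKey, _ := ed25519.GenerateKey(rand.Reader) // dealer's reputation issuer
	bankPub, bankKey, _ := ed25519.GenerateKey(rand.Reader)     // buyer's issuer
	trusted := map[string]ed25519.PublicKey{"marketplace": marketPub, "bank": bankPub}
	dealer, err := newParty("marketplace", marketKey, dealerStars)
	if err != nil {
		return false, false, err
	}
	buyer, err := newParty("bank", bankKey, buyerStars)
	if err != nil {
		return false, false, err
	}
	now, buyerNonce, dealerNonce := time.Now(), freshNonce(), freshNonce()
	_, errD := Verify(trusted, Present(dealer.key, dealer.cred, buyerNonce), buyerNonce, now, "stars", minForDealer)
	_, errB := Verify(trusted, Present(buyer.key, buyer.cred, dealerNonce), dealerNonce, now, "stars", minForBuyer)
	return errD == nil, errB == nil, nil
}

// AbuseRejected shows the two attacks the security infrastructure exists to
// stop: inflating the star count breaks the issuer signature, and presenting
// a copied credential without the holder's key fails the possession proof.
func AbuseRejected() (tamperRejected, theftRejected bool, err error) {
	marketPub, marketKey, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"marketplace": marketPub}
	dealer, err := newParty("marketplace", marketKey, 40)
	if err != nil {
		return false, false, err
	}
	now, nonce := time.Now(), freshNonce()
	var c Credential
	json.Unmarshal(dealer.cred.Payload, &c)
	c.Claims["stars"] = 999 // attacker rewrites the claim but cannot re-sign it
	forged, _ := json.Marshal(c)
	_, errT := Verify(trusted, Present(dealer.key, SignedCredential{forged, dealer.cred.Signature}, nonce), nonce, now, "stars", 100)
	_, thiefKey, _ := ed25519.GenerateKey(rand.Reader) // thief has the credential bytes, not the key
	_, errS := Verify(trusted, Present(thiefKey, dealer.cred, nonce), nonce, now, "stars", 10)
	return errT != nil, errS != nil, nil
}

func main() {
	fmt.Println(MutualStars(150, 120, 100, 100))
	fmt.Println(AbuseRejected())
}
```

The only state each side needs is the list of issuer public keys it trusts, which is what replaces the proxy database; the verifier learns a star count and nothing about the holder's identity, and a dropped or declined transaction leaves no record anywhere but on the two devices.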