[Neil McEvoy] I’ve been at the EEMA e-Identity conference in Tallinn, Estonia. I’ve heard a lot of people say that relying parties need to know the ‘level of assurance’ that can be ascribed to someone’s claimed identity, or to some attribute associated with an identity. A somewhat stronger version of this that I’ve also heard is that they must know the ‘probability’ that a claimed identity (or attribute) is correct.

This leaves me perplexed. If I see a die that looks like a regular cube, I can postulate that there is a one in six probability that if I throw it once I will get a six. I have implicitly assumed a couple of things: that my vision is sufficiently acute to spot any irregularity in its shape, and that the die is of an even density (strictly speaking, that the distribution of mass has cubic symmetry). I can test my proposition by throwing the die (say) 96 times. If I get roughly 16 of each number, my confidence will be increased (in a way which can be quantified) that it is a true die and that my initial postulation is correct. The points here are that:

  • my assertion on the probability rests on a limited number of assumptions
  • it can be tested
  • the more tests I do, the more confidence I can have
  • the past is a reliable guide to the future.

None of these are the case when trying to assess the veracity of a claim to a certain identity. If you receive a bundle of bits that encodes ‘Neil McEvoy’ (with some ancillary bits that indicate that some process, designed to validate the claim to my identity, has occurred), you cannot know the probability that I caused that bundle to reach you. I either did or I didn’t; but the number of ways in which I might not have is not known to you—or anyone.  Neither would you generally be in a position to repeat the process a hundred times and check the number of times that it is me or isn’t me. And, even if you could, there is no way that you can be sure that the past experience is a reliable guide to the future.

If we want an analogy with a die, it is that you receive some bits from me that purport to represent one throw of one die. Now, a die may not have been thrown—I could have made it up. It may have been thrown and I reported the wrong number, by accident or design; someone may have told me to type ‘6’ while holding a gun to my head; someone may have tricked me by handing me a die with two sixes and no ones; someone may have stolen the credentials I use to ‘prove’ that I entered a report; someone may have broken the cryptographic algorithm used to sign the transmission; or, for that matter, some Rumsfeldian ‘unknown unknown’ may have occurred. I think it is pretty clear that the probability that a report reaching you is truthful cannot be calculated, nor divined by any experiment.

So what should a relying party want? Clearly, not to be told by a provider that they can provide electronic identities that are 99.9% truthful, for such a person is a fool or a knave. By all means, he should expect the provider to have confidence in his service; but that is worth nothing unless he puts his money where his mouth is. The only provider worthy of your business is the one who accepts liability and has the balance sheet or the insurance to meet any losses that might ensue from your reliance on a false claim that they have endorsed. They will have every incentive to employ cost-effective business processes and technical measures that will limit the necessity for meeting claims.

These are personal opinions and should not be misunderstood as representing the opinions of Consult Hyperion or any of its clients or suppliers.

1 comment

  1. There are a couple of things that you can do. First, contact all 3 credit bureau reporting agencies (Experian, Equifax, and TransUnion). They all have websites and on those you can also find their phone numbers. You can also request individual credit reports from them or order a 3-in-1 report (this is the fastest and easiest way to get all the info in one shot/place). However there is a fee for the 3-in-1 but it’s worth it, trust me. Once you contact them, request that they put a fraud alert on your report (they do so by using your SS#) because of identity theft. Next, once you get your credit reports there is a portion on them where you can dispute the information that is on your report and it will have a part where you can state I am a victim of identity theft. They will work with the places like Direct Tv and give them the information. The other option you have is that if you know who used your SS# to order these things and run up bills in your name you can take them to small claims court to get the matter resolved and once you have a judgement you can also send that to the companies to show that you are taking steps to clear up the matter. Once you dispute these items they will come off your credit report.
