In the trenches // Jon ShamahIdentity fundamentals. pt. 1: Who cares who you are anyway?

Published 6 June 2009

Identity can be defined as a combination of the uniqueness of an individual (or device) and the attributes which are associated with that uniqueness; in the absence of a standard unique personal identification number, personal names are often used to build a single view across different unconnected applications

Who cares who you are? Well, for one, the shopkeeper who just took my credit card does not. He is looking for just one outcome from the use of my credit card. He wants to get paid for what I just bought from him. He does not even care who pays him. There is no further interest. Later he may be interested in whether he can obtain even more money from me — but who I am or what my name is irrelevant to him. He does not care who I really am, and has no interest in any other attributes that I may have. All he cares about is my ability to authorise payments.

So why is my name printed on my credit card? No one really cares.

This highlights why the ID-card privacy argument is confused. The confusion is the result of a lack of understanding of the actual concept of identity.

The concept of identity
Arguably, identity can be defined as a combination of the uniqueness of an individual (or device) and the attributes which are associated with that uniqueness.

So, is my name really important?

Let us look at the shopping trip again: Most transactions only need one attribute — “Can the payment be authorised?” My shopkeeper only needs to know whether my bill will be paid, not who I am. The main alternative is cash money, which is anonymous.

My name is also irrelevant to the owner of the nightclub that I frequent. My uniqueness, however, is important to him. The owner is concerned that the ID-card holder is over the legal age of entry (attribute). He is also interested whether the unique owner of the card has been banned from the club for some misdemeanour (uniqueness + attribute). He does not care about my name.

Also, in reality, most of the e-Government applications are only seeking uniqueness and the attribute of qualification for a certain benefit. Has the person applied twice for the same benefit? (uniqueness) Does the person deserve it or have a right to do something? (attribute).

Demonstrating a uniqueness that links a credential such as an ID-card to a flesh-and-blood person is called authentication, and can be deemed stronger or weaker depending on how the link is established. A pin number can be considered weak. A fingerprint (which might also be considered as a descriptive attribute in some cases) is considered stronger. A combination of multiple methods is considered still stronger.