Authentication of People

Authentication of People

Define the identity of a person X to comprise those attributes true of X. This definition operationalizes our view of X. For example, the identity of Prof. Schneider would include his shoe size, his hair color, but not his name, "Fred B. Schneider." The string of characters that represent his name is termed an identifier. An identifier is just a label for an identity. And the process of establishing an identity is termed identification.

Privacy is concerned with the right of an individual to make choices about when, where, and on what terms which elements of its identity are revealed (and to whom). So, for example, privacy would be concerned with whether someone is able to specify whether or not its underwear size becomes known. Privacy is typically relative---when clothes shopping, one might well not mind revealing underwear size, whereas under other circumstances you might not desire that this information be revealed. As a right, privacy is relatively recent. In days of olde, if you hung your clothes on the clothesline, anyone could walk up and determine your underwear size. Similarly, people observed each other and "talked" so few secrets stayed that way for long.

There is often a conflict between security (which often involves establishing an identity so actions can be attributed) and privacy (which seeks to conceal an identity).

If we lived in a world with exactly one form of identification, then there would be limited privacy, since all actions by an individual could be linked. One way to prevent this correlation is to associate multiple identities with each person. We each might carry multiple different credit cards, membership cards, etc. Use of just one of these forms of identification prevents the agency with which we are interacting from associating an action with those actions we might have taken using a different form of identification. The member of the "NRA" is never seen by that organization to also be a member of the "Pacifists Club", for example.

If you work in security then ultimately, it is likely that you will be involved in building a system that authenticates people. One should be mindful of the risks:

• Unauthorized authentication: Authorization without a person's consent or knowledge.
• Overcollection of personal information: Historically, this was checked by cost and public sensitivity. The cost of collecting information and correlating it is no longer high, so this activity becomes more likely.
• Combining information: Use of a single identifier creates opportunities for linking identities. This erodes privacy by facilitating correlation of actions.
• Introduction of new points of social control: The addition of authentication procedures brings new opportunities for social control (and fraudulent use).

Yet there are advantages to authenticating people. First, it provides a basis for authorization. Not only might we want bank withdrawals restricted to a specific bank account owner, but we might want to restrict the age of people who are buying alcohol at a bar (age is a person's attribute so establishing a person's age is authentication) or the height (another attribute) of people who are allowed to venture onto a roller-coaster. Second, authentication provides the means to hold actors accountable for their actions.