
Tuesday, 10 May 2011

What Is Identity, Anyway?

It was a pleasure to join a CSFI round-table discussion on identity today. It was the latest in a series of discussions to elucidate the problems with the current approach to identifying customers (and providers) in the financial services context. Subsequent discussions will focus on potential improvements and alternative solutions.

It was a broad-ranging discussion, as you'd expect, and tough to do justice to everyone's remarks, but worth a quick summary. Dr Ian Brown of the Oxford Internet Institute set the context in terms of the various meanings of 'identity' and how other disciplines view it. However, he doesn't believe it's helpful to think in terms of 'identity' itself, as opposed to 'reputation', for example. And it's not actually necessary in many cases for someone to be identified (e.g. a tube journey). People's attitudes to privacy vary with context: students have been shown to disclose more in their responses to an informal student survey than to official university research questionnaires. Ian also explained how the technological landscape is evolving - and ought to be encouraged to evolve - including the work of David Chaum and others on how to ensure 'unconditional anonymity' or that transactions you undertake are not shown as related. He suggested that approach could be promoted via initiatives like Project Stork (a project to enable interoperability of EU member state ID cards).

Marc Dautlich of Olswang pointed out that "identity" itself is not legally prescribed, but explained the relevant provisions of the Data Protection Act and the offences created by the Identity Documents Act 2010 relating to the possession of false documentation with improper intent. However, he believes the law does not adequately address the fact that the consequences of misuse of identity or personal data vary greatly according to the context. His sense is that it would be more helpful in the future to regulate for appropriate outcomes rather than regulate identity or personal data itself.

My role was to say something about alternative legal approaches to identity.

From the outset, given the pan-European approach to regulating data protection and money laundering, it's important to consider the difference between common law and civil law attitudes to regulation. In common law jurisdictions the law tends to follow commerce, whereas in civil law jurisdictions there's an expectation that the law should stipulate what can and cannot be done. That means UK players can't sit back and leave market forces to reveal any need for new regulations to support a shift to a new identity model. The EC will be under pressure to regulate how the new paradigm should work, and to influence such regulation we would need to participate in the EU 'social dialogue'.

At any rate, 'identity' is not a constant, but flexible in terms of the data used to distinguish the subject from everyone else, the sources of that data, who controls it and the source of any requirement to identify the subject. Identity is contextual, as Ian mentioned. Some personal data we volunteer happily in a social media situation (or on reality TV), but less so in a formal or institutional situation. Often we have no control over the process. Money laundering regulation, for instance, casts an obligation on product providers to identify their customers by reference to official data.

An organisation's attitude to identity data also tends to be governed by whether the organisation is a 'facilitator' (which exists to solve its customers' problems) or an 'institution' (which primarily exists to solve its own problems). Facilitators try much harder than institutions to ensure that their collection and use of personal data, and treatment of identity, is transparent and proportionate to the customer activity being facilitated, and 'friction' in the customer experience is kept to a minimum.

However, some institutional identity requirements may be disproportionate partly because the government views the institutions concerned as useful 'choke points' for imposing requirements for public policy purposes, like anti-terrorism or serious crime prevention.

In future, I suggested that we determine identity requirements from the consumer/customer standpoint, and ensure they are facilitative and proportionate (rather than simply a hurdle to be cleared). That may also mean solving public policy identification requirements in different ways. The semantic web represents an ideal opportunity to minimise identity issues. For instance, I've long been a proponent of the idea that you should have an applet on your computer that holds your personal profile and can interrogate product providers' semantic datafeeds to find, say, an insurance product that's right for you without requiring you to disclose your personal data.

I look forward to seeing the output of this round table process in due course.

Image from Brainstorm Services.