
Wednesday, March 11, 2009

Authorization and Profiling Systems

I have been thinking a lot lately about identity theft, driver licenses, voter registration, passports, ATM cards, etc., and so I wanted to try to build a framework for discussing these issues. Sometimes discussions of specific solutions marginalize the larger discussion of the underlying purpose of such systems, and I have been as guilty as anyone in that regard. I see two distinct purposes for identification systems.

The first purpose is authorization: Various public and private authorities would like to be able to permit some people to do some things but not others. (For example, I should be authorized to cancel my own cell phone service, and perhaps also that of my husband, but not that of my neighbor.) But authorization is not quite the same as identification. Assigning permissions to identity profiles and associating those identity profiles with individuals is merely one way to implement an authorization system. For an authorization system to function it is not necessary to know who you are, only that you are authorized (or not) to do whatever it is you are trying to do. Even imprisoning someone technically requires only the knowledge that the person has been convicted and sentenced.

The second purpose is profiling: Various public and private authorities want to know our ages, where we live, what we purchase, etc. This is the aspect of identification most people worry about, because we rightly fear our loss of privacy. Nevertheless there are some purposes for which most would concede some level of profiling is acceptable, such as the census, or perhaps the income tax. But again, profiling is not quite the same thing as identification either. Profiling is about gathering statistics and correlating data. For example, the census may wish to know that exactly one person lives at a certain address, and that the person living at this address is African-American, but that person need not be identified in any other way--they need not even be named.

The foregoing discussion leads me to wonder: is it possible to separate the authorization and profiling systems somehow? Might it even be possible to implement some of these functions without resorting to a classic "identification" system at all? The classic authorization system, which requires no identification whatsoever, is of course the humble key. Anyone can use it, and ownership implies authorization. We do not need to "log in" to enter our homes or use our cars--we need not prove who we are. Perhaps some series of public/private keys (in the figurative sense) could be used to accomplish some of the authorization functions without storing information in an identity profile?

Anyway, I have no answers, but I thought I would share my musings. I just thought it was interesting that we often focus the debate immediately on "identity" whereas the underlying goals are authorization and profiling, which are not quite the same thing.
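
The "humble key" idea above can be made concrete in code. The sketch below is an added example, not part of the original post: it uses an HMAC-signed bearer token in place of the public/private key pair the post alludes to, and the function names and permission strings are hypothetical. The authority records no identity profile, only which key serials have been reported lost.

```python
import hashlib
import hmac
import secrets

# Held only by the issuing authority (generated here for the example).
ISSUER_SECRET = secrets.token_bytes(32)
# Serials of keys reported lost. This is the only state kept, and it names no person.
REVOKED = set()

def _tag(body: str) -> bytes:
    return hmac.new(ISSUER_SECRET, body.encode(), hashlib.sha256).hexdigest().encode()

def issue_key(permission: str) -> str:
    """Mint a bearer key for one permission; nothing about the holder is recorded."""
    if ":" in permission:
        raise ValueError("permission must not contain ':'")
    body = f"{secrets.token_hex(8)}:{permission}"
    return f"{body}:{_tag(body).decode()}"

def authorize(key: str, requested: str) -> bool:
    """Grant the request if the key is genuine, unrevoked and names that permission."""
    parts = key.split(":")
    if len(parts) != 3:
        return False
    serial, permission, tag = parts
    # Constant-time comparison: a forged or altered key fails here.
    if not hmac.compare_digest(tag.encode(), _tag(f"{serial}:{permission}")):
        return False
    if serial in REVOKED:
        return False
    return permission == requested

def revoke(key: str) -> None:
    """Report a key lost: its serial is blocked, still without knowing who held it."""
    REVOKED.add(key.split(":")[0])

if __name__ == "__main__":
    key = issue_key("cancel-service/line-A")  # constructed permission name
    print(authorize(key, "cancel-service/line-A"))   # holder may cancel this line
    print(authorize(key, "cancel-service/line-B"))   # but not the neighbor's
    revoke(key)
    print(authorize(key, "cancel-service/line-A"))   # a lost key stops working
```

As with a physical key, whoever holds the token is authorized until it is revoked, so the revocation list is what limits the damage from a lost key.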

3 comments:

Anonymous said...

Interesting thought. You are correct that I have often confused identity with authorization.

This reminds me of a couple of things that bug me. Why does the phone company need my social security number to give me phone service? Why can't they use some other method of authorizing my phone access?

Another thought . . . many times stores, like Safeway and Staples, have these customer loyalty programs. I have often been told that they just collect trend data, but that it isn't tied to my identity. Ok, so why do you hand me a paper that asks for all my personal information? And why do they need a loyalty card to track that stuff? They can see it in their inventory evaluations and weekly sales data. What they can't see is my ethnicity and the like. But in my view, they don't need to know that.

I am not sure how you can separate authorization from identity, unless you closely card the access keys. I am thinking of my job, where I have a photo ID and that ID has a small computer chip. The chip has "certificates" on it, in addition to information like my blood type (I guess that is for emergencies), age, employment status, etc. The certificates authorize me to do certain things, like log into my computer or gain entry to my office building. And this happens regardless of the photo ID on the card. The only time I need the photo ID is when I have to pass by a guard.

So my organization could just give blank IDs with certificates, but the moment one of those is lost by an employee (as has happened to me) then anyone could pick it up and use it. In fact that is the case now unless I immediately report it stolen/lost or unless by chance someone asks to see it.

The Law Talking Guy said...

A couple thoughts.

We moved away from using things like an "official seal" or anonymous keys to control the flow of money (the usual issue) because confirmation of identity is harder to forge or counterfeit. The signature is the only remnant of the former system, and it is terribly flawed. I'm not sure we can go back.

What you call "profiling" is really more like "database building." The idea is that to confirm one's identity there should be a substantial amount of information about you lodged somewhere against which you may be compared. It is the impossibility of limiting the uses of that data that makes people justly worry about privacy in collecting it at all.

Another issue is tracking. I was asked recently why I would object to having cameras on every street corner, if it would dramatically reduce crime by making it much easier to catch criminals after the fact. I said that even if you could bar review of such cameras until after a crime had been committed, I would still find being watched all day too intrusive.

Dr. Strangelove said...

"Profiling" as I was describing it is not really about storing a lot of information somewhere to confirm who you are. Certainly profiles are used that way, but I do not believe that is the underlying purpose per se.

My main point was that very rarely do we truly care about "identity" for its own sake. Usually what we really want to do is just be able to grant (or deny) permissions, or collect/correlate data.

I keep thinking the public/private dual PGP key system (or something inspired by it) might hold the key (metaphorically speaking) to designing a system where limiting the release of data would not be impossible.

I would also find being watched all day to be intrusive... But I am OK with being watched while walking in public spaces.