Like Beyond Fear (review), Bruce Schneier’s book on technology and security, this book sits at point where technology and political interest cross. Jim Harper at the time of the book’s writing was Director of Information Policy Studies at the Cato Institute. Cato is one of those Washington think tanks
to which most folks, even those of us who follow politics, don’t really pay much attention. They all have agendas. It’s hard to read their work sometimes because their biases are so pervasive. That goes for the self-described libertarian
Cato Institute. Nevertheless, this is a pretty good book.
One of my college professors, Phillip Windley, posted a talk that Jim Harper gave at IT Conversations. It’s a pretty good talk, so I ordered his book, hoping for more detailed information. Right up front, I’ll tell you this: if you are limited on time, listen to the talk and don’t read the book. You’ll get the summary there in much less time. It also shows less of Harper’s anti-government bias than does his book.
Harper covers a number of major topics in the book. The first section details the technical issues regarding identity: how you an be identified, how it can fail, and other related processes like authorization. It’s a very good section for those unversed in identity theory. Essentially, there are four ways to identify a person: by who they are (e.g., fingerprints, DNA, hair color), something assigned to them (e.g., S.S.N., name), something they know (e.g., password, mother’s maiden name), or something they have (e.g., driver’s license, magnetic card-key). Most security folks split these into three categories, but Harper split out the something you are assigned
category and I think it’s useful at least in non-technical terms. Each of these methods of identification carries it’s own class of risks and problems. I think one key point in this section is that identity is risk management. To be absolutely sure about someone’s identity is costly, and not necessary. I don’t need proof of who someone is to let them in for a party. I just need to be reasonably sure they were invited.
The second section deals with what identity can do as well as the uses for the lack of identity, or anonymity. Harper writes about the movie, Minotaur. In the film, an Israeli secret agent named Alex sees a woman (Thea) on the street and becomes enamored of her. But since he’s a secret agent, he can’t become personally involved. So he starts to write her letters, leaving a drawing of a minotaur to identify himself. And that’s all he uses to identify himself. No history. No background. No other information. Because he’s a secret agent and he can’t. Thea reciprocates by writing letters back, and they conduct a not-so-torrid love affair this way. Harper’s point about all this is that the story doesn’t ring true at all for him. His thesis is that identity is the base for relationships. By identifying someone, we use the identity to recall all the things we know about that person. Without identity, none of the good feelings and history can be meaningfully attached. It’s 50 First Dates. Identity also allows us to hold people accountable. The identity is the index to everything we know about them. Without that, we’d be lucky if we punished a person who messed up. We’d more likely be punishing one of the other thousands of people who are in the same broad vicinity as the actions needing correction.
Identity is key to these things. But the converse of identity is also useful. Harper illustrates a small town, where everyone knows what you’ve done because everyone knows your identity. One reason why cities have such diversity is not just that there are so many more people trying more things. It’s that the larger numbers of people make it more difficult for everyone
to know what you are doing. There’s a practical anonymity. I may know generally there is someone running a sex club on Queen Anne Hill in Seattle, but the large number of people in Seattle means that I wouldn’t know if that’s my co-worker or neighbor. And so I can’t practically pressure the proprietor with my disapproval. With anonymity comes freedom.
His further sections expand on these themes. How various methods of identification can fail, and what the limitations on their use are if we can identify a person. For instance, we could have identified the 9/11 hijackers. We knew their names. What we couldn’t know was that they were intent on driving planes into targets. (At least not without better intelligence on al-Qaeda we couldn’t know.) The hijackers used real
names. They didn’t hide their fingerprints. Identity helped law enforcement only to trace how they did it afterward. Establishing a national identity card, as some have proposed, would not have prevented 9/11. Intelligence on terrorists would have stopped it. Knowing an attack was planned would have helped. Good identification would have been key to that had we the knowledge of who would be perpetrating the scheme. Identification is of limited use in preventing problems.
One thing that peeved me a bit while reading is that Harper blames the needless identification systems we have on entrenched bureaucracy malevolently using their positions to enhance their positions. He claims DMVs have failed to get secure identification systems in place, and we have rewarded them by increasing their budgets. He claims this is backward. In his view, we’d incentivize them to get better by cutting their budgets. That’s how business does it he says. But he’s wrong. When, with little budget and little time, my groups were unable to complete our projects, the usual response was to increase the resources allocated to the tasks so that we could finish. Competition productivity gains (which is what he’s talking about here) work differently from his scenario. I wish I had the memory for quick recall of the economics involved, but suffice to say he’s wrong on this one.
That’s his libertarian viewpoint pushing it’s way into the otherwise solid work. On the technical and freedom portions, he gets it right as far as I can tell. On the economic and political parts, that’s less the case. Overall, Jim Harper’s writing is well done. He introduces each chapter with anecdotes that illustrate the points he’s trying to make, and that goes a long way to making them accessible to people who aren’t security geeks. I think he could have been a bit more succinct in his later chapters. It’s not that they are overly long, but each of them does repeat some of the information from earlier chapters. Good conclusions though.
Title: Identity crisis: how identification is overused and misunderstood
Author: Jim Harper
Imprint / publisher: The Cato Institute
Format: Paperback
Length: 276 p. (includes index)
Publication date: May 2006
ISBN-10: 1-930865-85-6
Subject: Privacy, Right of — United States
Subject: Identification — United States
LC classification: JC596.2.U5H37 2006
