Who Are You?

It looks as if the question of identity is the main one since the beginning of the year.

I got my papers stolen. If you never had to prove who you are without any piece of ID, you just can’t imagine how hard life can be. Proving formally who you are is one of the most underrated and difficult things to do. But managing your online identity (or identities) can be equally challenging.

The current norm on personal identification is having what’s called “a third party confirmation of who you are”: basically, you are issued by someone who can be trusted (the government, your company, whatever) something that they feel adequate to prove who you are, in order to grant you some privileges. Usually, the bare minimum requirements for a decent ID is a picture (recent and recognizable), a name, and some peripheral confirmation items (a number that can be checked in a computer system being the current favorite).

If you don’t have that, well…

Quick (and true) story: right after I got my papers (and credit card) stolen, I went to the bank to withdraw some cash, to, you know, eat and stuff. I had with me the police report stating that my papers were stolen, a couple of bills sent to my full name and physical address, the contract for the opening of the account, and various receipts of transactions I had done in the past with the bank. To no avail. No picture on an ID, no cash. Except, it’s stupid. It’s a lot harder to come up with all the “peripheral” items I had brought with me than with a fake ID. The ultimate failover, after I casually threatened to sue, was to compare signatures. SIGNATURES! Needless to say, I am appalled.

I have no idea how to make the ID system better, but I’ve watched enough spy movies to know that a picture ID and a signature is far from enough to be certain of someone’s identity.

In computers, identity is both easier and trickier.

To log in on an ultra secure computer, there are a variety of high tech biometric ways to make sure you are who you claim to be. Retinal scans, fingerprints, voice patterns, DNA, password, keycard, trick questions, or a combination of these. If you want to have a physical identification process that’s secure, I guess you can do it.

Remote login, now, is a different story altogether. You can send in through the network all of the above, but it means that you have to trust the path the information takes in between, and the path the remote computer takes to retrieve the information it will be comparing the supplied data with. Basically, you have to add another layer of trust: the network.

But I’m talking military grade authentication here. Most of the websites out there rely on a simple login/password scheme. The underlying assumption is that you won’t share those with anyone, and therefore the worst that can happen is that you forgot the code. Oh and that the server won’t be hacked into. Alright, fine, I guess that even with things that store some very personal and sensitive information, it’s enough in 95% of the cases. So let’s put this problem aside for a bit.

I have started playing around with iMessages. What’s cool about it is that the messages sent or received on my mac/iphone/ipad are all in sync. For all intent and purposes, the person on the other side of the screen doesn’t know (and doesn’t care) which of my devices I’m using to communicate. And on my side, I can type a lot faster on my computer, so that saves me some time (and autocorrect frustration), when I’m home, and I can still reply to messages when I’m moving around.

But, what iMessages does is that it aggregates 2 (or more) IDs/addresses and makes it YOU. So my correspondent might receive messages indiscriminately from my phone number or my email address. And I can send messages to any ID I want too (if I know both). What it does is blur the “technical” bits and makes it look like I’m talking to a person.

Of course, I understand the why: whether you send a text message, an email, or a chat message, to someone, in the end you send it to a person. And they may respond through their own choice of communication. And it shouldn’t make a difference. Except, to me, it does.

I won’t say the same things in a tweet or in a blog post (case in point). And I won’t say the same things (or in the same way) in a text message, or an email, or on Facebook (no, I don’t have an account), or in person. Because I think that beyond the problem of identifying a person as a unique individual, the medium through which we express something does tend to add a bias too.

A little example to specify what I’m talking about here: I have some friends in the business. When we’re knocking down some drinks and talk, we can be free of being “like at home”, and talk about projects and problems freely. If I send them an email about some project or problem, it’s in written form, and I have to anticipate all the questions that can arise, as well as keeping in mind that they might show/forward the mail to a third party.

The worst part is that you may generate a different perception of who you are even without lying. Some clients I’ve had a long email conversation with about a project are surprised when they see me in person. I don’t feel like I’ve not been myself at any point of the conversation, but they had a different image in their head anyway. Or people who know me personally will read a tweet or a blog post and be surprised by what I write. And so on and so forth.

Don’t get me wrong, I don’t think it’s necessarily a bad thing. I’m a child of usenet and IRC, and I know quite a bit about anonymity, posturing, and fake IDs. But I’m primarily focusing on identifying someone here. If I get a text message from an unknown number that makes references to personal stuff, it might be someone I know, or someone who’s heard it second-hand, or a stalker. The same goes for an email: if I know the person, or the person who referred that other person to me, my response will be different, especially if it’s for help, or a quote on a project.

All in all, I’ve been pondering about this identification thing for a while now, and I still don’t know how to make it better, or even how our brains process all the peripheral information we get to be able to say “I know who this person is”. But this is the root of the trust tree, and most of my actions stem from this single fact. It kind of scares me when I think about it. All of this hinges on… nothing much really.

PPSN (post publication side note):
The whole UDID thing with the iPhone is a prime developer’s example of what this identity thing is: how does one make sure a user is uniquely tagged?
The easiest way, till now, was to basically say “you = your phone”. Apple has decided that it was not an acceptable way of doing things. I kind of agree. Then again, Apple, my appleid isn’t me either.


Leave a Reply