There are an increasing number of ways in which we can interact with other people or with devices, using a variety of media. These may include video, the Internet and other data networks, voice, or within virtual worlds. Our interaction may therefore be face-to-face, but is increasingly done remotely. Indeed, remote interaction may often be the way in which we deal with someone or something.
The key question to be considered at the sandpit, therefore, is how we both establish confidence in the identity of the person or entity with which we are dealing, and just as importantly, how we maintain that confidence over time. The establishment and maintenance of confidence in identity is obviously important for the delivery of services, and these are increasingly being delivered remotely, via electronic means. We must be able to provide benefit for all, do this at minimum cost, and while still stopping those who wish to abuse the system. We may also need to take into account of the level of cooperation we have from the person being identified. There is also the deeper question of trying to determine what “identity” means, particularly regarding the relationship between the identity of a human being and the electronic persona or device that is interacting on their behalf.
What does 'identity' mean?
Identity may apply to a variety of entities in different contexts. Most obviously, we are often concerned with the identity of a person, but we may equally be interested in the identity of another entity, such as an organisation (for example, during a financial transaction), the team of which you are a part, a device, or perhaps even a virtual identity in a virtual world. Identity therefore is a matter of definition, dependent upon the application of interest.
We also need to take into account the notion of “relative” identity – we do not need to necessarily know exactly with whom or what we are dealing in all circumstances, and may only have partial information about the entity in question. For example, many free Internet services only verify that the subscriber has a valid email address, but do not establish any other identifying information. However, we usually do need to know that we are dealing with the same person or device as last time, and that they will perhaps behave in a consistent manner. Our systems for establishing confidence in identity may also have to take into account gender, ethnicity, age and cultural differences.
The notion of “relative” identity naturally leads on to the concept of levels of confidence. What levels of confidence are achievable or appropriate, and for what tasks? This may be related to the type of transaction for which we are trying to establish or confirm identity. Various frameworks have been developed to codify levels of identity, but they are based upon what is intuitively reasonable, and there are few scientific or quantifiable measures to back them up. Can we develop a science base to allow one to argue about levels of confidence from well-established, peer-reviewed principles?
We may also be able to build up confidence over time, perhaps using evidence from a variety of sources and media. This begs the question as to how we combine contrasting the degrees of confidence obtained from these different sources. This is a key problem, and leads to subsidiary questions. For example, does physical evidence imply more confidence than electronic or remotely obtained evidence? What is to be gained from using separate identities in different contexts? How does identity change over time and what is the effect of this?
What's not covered?
There is a large body of previous work that has focussed on the development and validation of authentication factors as a means of establishing identity, i.e. something you know (e.g. a password), something you have (e.g. a smart card), or something you are (e.g. a biometric). Previous work has also focussed on the secondary issue of establishing the provenance of an information asset. Digital signatures have been traditionally used in this context to attribute identity to an action (e.g. authorship of a document), but we might also wish to attribute identity to a much wider range of activities. This sandpit is focussed on both the use and fusion of identity and attribution information that can be obtained from these technologies, rather than on the development of new technologies for authentication or attribution.
Some key questions
To summarise, the key questions that we would like the sandpit to consider are:
- What does “identity” mean, particularly regarding the relationship between the identity of a human being and the electronic persona or device that is interacting on their behalf?
- How do we establish confidence in the identity of the person or entity with which we are dealing, and how do we maintain that confidence over time?
- How do we fuse identities derived from multiple sources, all with different levels of confidence, and where some relate closely to the human individual involved and others relate more closely to their electronic persona, or the role they are playing, or the device that they are using?
- Do we need to take into account gender, ethnicity, age and cultural differences when establishing identity? If so, how?
- Can we develop a science base to allow one to argue about levels of confidence from well-established, peer-reviewed principles?
We would expect contributions from researchers working in a wide range of fields. These will include, but are not limited to, computer science, mathematics, sociology, behavioural sciences, electronics, sensor technology, design, psychology, genetics, cultural and social anthropology, human factors, and law.