Citation
Lips, M. (2009), "The quest for managing identity management", Online Information Review, Vol. 33 No. 3. https://doi.org/10.1108/oir.2009.26433caa.001
Publisher
:Emerald Group Publishing Limited
Copyright © 2009, Emerald Group Publishing Limited
The quest for managing identity management
Article Type: Introduction From: Online Information Review, Volume 33, Issue 3
What is “online identity” and how can we best represent, use, verify or authenticate it in a variety of online service environments, such as e-banking, e-shopping, e-trading, e-learning and e-government? These questions are becoming increasingly important now that individuals are replicating many aspects of their personal and professional lives in emerging online environments. Worldwide, industry, business and governments are exploring solutions for identity management (IDM) in their online service relationships. Indeed, many organisations consider the application of IDM as the sine qua non for a further uptake of online transactional services, as the introduction of IDM systems in online service environments is perceived to be similar to enhancing trust (e.g. EU Ministerial E-Government Declaration, 2005).
With the rise and rise of online services and simultaneously growing numbers of cases of “identity fraud” or even “theft”, it is not surprising that IDM has become the focus of both practitioners’ and scholarly attention (Crompton, 2004; Cameron, 2006; FIDIS, 2006; OECD, 2007; Birch, 2007). While a proper definition of IDM seems to be essential for offering trustworthy online services, activities in both academia and industry indicate that we are still on a discovery tour of how to reconceptualise and design ways in which we can be, or should be, managing our identity online. Although the term “identity management” has become widely used, a commonly accepted meaning for the term is lacking so far (Bamford, 2007; Oxford Internet Institute, 2007; Crompton, 2004). This lack of a common understanding can be explained by the fact that IDM is a relatively new term.
Even though identification and other identity management processes are common in service environments in the physical world, the representation of personal identity in online environments seems to take place on a different footing (Lips et al., 2006). Traditionally for instance, in the physical world, individuals have been used to identifying themselves on the basis of specific types of personal information, such as name, address or date of birth, often supported by particular identification documents like a passport, driver’s licence or birth certificate. In these emerging online relationships we are representing ourselves differently from representation in the traditional physical world, sometimes using the same types of personal data, but often using new forms of personal information, such as e-mail address, credit card number, caller-ID or IP address. Moreover, we are differently identified, “known” and “knowable” by people and organisations at the other side of these online relationships (Lips et al., 2009). Identity knowledge gathered in digital environments is based on informational representation rather than physical representation (Lips, 2007).
Also, the digital nature of this informational representation offers new possibilities for using identity data compared to identification processes in the physical world. For instance, it is much easier to merge previously compartmentalised personal data, to discover and track personal information in real time across physical barriers and locations, or to make personal data publicly available as a result of an increased blurring of lines between public and private places (Marx, 2003; Camp, 2003). In other words, we are dealing with substantially different ways of representing and managing our personal identity compared to identity management processes in traditional face-to-face or paper-based service environments.
Furthermore, our traditional trust mechanisms for IDM processes cannot be reproduced easily in the emerging online world (Camp, 2003). For instance, in online environments, we usually are not able to look each other in the eye to see whether we can trust each other in providing and consuming a service. We also do not have a digital equivalent of a driver’s licence or passport that we can submit as proof of who we are. Consequently, we will need to build up and develop new trust mechanisms suitable for establishing effective online relationships (Greenwood, 2007).
Even more complicated, with an increasing demand for IDM solutions that can be used across different online service relationships, so that users do not need to manage an online identity for each online service relationship they are involved in, there is a growing interest in defining “circles of trust” among clusters or “families” of online service providers. An important development in this respect is the introduction of federated IDM solutions.
The development and application of IDM in online service provision will not only require the search for suitable technical solutions, our attention will need to be focused particularly on the management and governance side of IDM. The technology offers us capabilities that, in the further development of our information society, can support us either way – towards an information paradigm that fully supports “identity”, namely the maximisation of collecting, managing and using personal information on the user; or towards an information paradigm that fully supports “anonymity”, by minimising the collection, management and use of personal information on the user (Lips and Pang, 2008).
Internationally, so far most organisations seem to be leaning towards adoption of the first mentioned information paradigm and, with that, towards IDM solutions that are “organisation-centric” – centralised, cross-domain IDM solutions where the service-providing organisation keeps and manages personal information on the user. More recently however, so-called “user-centric” IDM solutions are being explored and adopted by organisations worldwide, such as in the New Zealand Government’s All-of-government Authentication Programme and the Austrian Government’s Citizen Card initiative (Lips, 2007). User-centric IDM provides for IDM solutions in which the user has control over his or her personal information. Usually, the user is also the only party who knows the links between different personal information accounts (e.g. Oxford Internet Institute, 2007; OECD, 2007). With this shift of attention towards another information paradigm, in exploring IDM solutions we can observe that besides accommodating information security as an important value in IDM solutions, privacy protection is becoming a central element in the design of new IDM solutions. Here, as Brands (2002) reminds us, enhanced privacy protection doesn’t need to be delivered at the cost of information security – improved privacy protection and information security actually can go hand in hand.
Although IDM is still an evolving concept, it is clear that managing identity in the digital age raises considerable social, technical, legal and economic challenges to the historically stable relationships between people, business and government. Some of the papers in this issue of Online Information Review reflect several of these challenges in the development and implementation of IDM. With new IDM solutions being introduced in a wide range of online services, we have arrived at the crossroads of important developments in our society – we are about to make important design choices for the information society of the future. Although the technical design of IDM solutions will continue to need our attention, we will need to broaden our current focus on IDM and start thinking about how to manage IDM effectively. Whether we will end up with user-centric, organisation-centric or perhaps other IDM solutions in our future information society is not decided yet.
Miriam Lips Professor of E-Government at Victoria University of Wellington, New Zealand
References
Bamford, J. (2007), “Identity management: achieving data protection compliance and inspiring public confidence”, Position Paper for the Forum on e-Infrastructures for Identity Management and Data Sharing, Oxford Internet Institute, Oxford
Birch, D.G.W. (Ed.) (2007), Digital Identity Management: Perspectives on the Technological, Business and Social Implications, Gower, Farnham
Brands, S. (2002), “Secure access management: trends, drivers and solutions”, Information Security Technical Report, Vol. 7 No. 3, pp. 81–94
Cameron, K. (2006), “The laws of identity”, Microsoft Web Services Technical Article, available at: http://msdn.microsoft.com/en-us/library/ms996456.aspx (accessed 12 March 2009)
Camp, L.J. (2003), “Identity in digital government”, a research report of the Digital Government Civic Scenario Workshop, Kennedy School of Government, Harvard University, Cambridge, MA
Crompton, M. (2004), “Proof of ID required? Getting identity management right”, paper presented at the Australian IT Security Forum, Sydney, 30 March
EU Ministerial E-Government Declaration (2005), “Transforming public services”, Ministerial e-Government Conference 2005, 24 November, Manchester, available at: www.egov2005conference.gov.uk/documents/proceedings/pdf/051124declaration.pdf (accessed 12 March 2009)
FIDIS (2006), Inventory of Topics and Clusters, Future of IDentity in the Information Society Project, 21 September, WP2, D2.1, available at www.fidis.net/resources/deliverables/identity-of-identity/#;c1755 (accessed 12 March 2009)
Greenwood, D. (2007), “The context for identity management architectures and trust models”, paper presented at the OECD Workshop on Digital Identity Management, Trondheim
Lips, A.M.B. (2007), “Separating the informational from the electronic: challenges and opportunities for New Zealand government in an information age”, inaugural lecture, Victoria University of Wellington, 20 November
Lips, A.M.B. and Pang, C. (2008), “Identity management in information age government: exploring concepts, definitions, approaches and solutions”, working paper, vuw, June, available at: http://e-government.vuw.ac.nz/research_projects_2008/IDM%20IN%20GOVT%20REVIEW.pdf (accessed 12 March 2009)
Lips, A.M.B. and Taylor, J. (2006), “Identity management as public innovation: looking beyond ID cards and authentication systems”, in Bekkers, V.J.J.M. , van Duivenboden, H.P.M. and Thaens, M. (Eds), ICT and Public Innovation: Assessing the Modernisation of Public Administration, IOS Press, Amsterdam
Lips, A.M.B., Taylor, J.A. and Organ, J. (2009), “Identity management, administrative sorting and citizenship in new modes of government”, Information, Communication & Society, accepted for publication July 2009 (forthcoming)
Marx, G.T. (2003), “Varieties of personal information as influences on attitudes toward surveillance”, paper presented at The New Politics of Surveillance and Visibility, available at: http:/web.mit.edu/gtmarx/www/vancouver.html (accessed 12 March 2009)
OECD (2007), “At a crossroads: ‘personhood’ and digital identity in the information society”, Organisation for Economic Co-operation and Development, STI Working Paper 2007/7, 29 February 2008, Paris
Oxford Internet Institute (2007), “e-Infrastructures for identity management and data sharing: perspectives across the public sector”, working paper, Oxford Internet Institute, Oxford