Mesh Identities

The Utah Department of Technology Services (DTS) notified the Utah Department of Health (UDOH) on Monday the server that houses Medicaid claims was hacked. On Wednesday, the UDOH publicly announced the breach. On Friday, DTS revealed the damage: 181,604 Medicaid and Children’s Health Insurance Plan (CHIP) recipients had their personal information stolen. Of those, 25,096 appear had their Social Security numbers (SSNs) compromised.

Source

The sheer scale, not to mention regularity, of data breaches even in just the last couple years exists at the cusp of our capacity to comprehend. Such stories strike fear in our heart: was our information in that set? Our relatives? Our friends? Since most data breaches are not publicized, how would you even know if you were a victim of identity theft, until it happened?

Partly, these hazards of modern living have come about as systems that were never built to be connected to an always-on, global network, attempt to stumble their way onto the interwebs, and suffer the same fate as a cavalry charge against machine-gun nests. But even more critically, they are failures of design, and failed conceptions of identity.

As with farm plots, so with identity. James C. Scott’s astute observations in Seeing Like A State have guided many a government’s attitude toward identity, pushing inexorably towards more comprehensive, increasingly unique identifiers. Housing addresses no longer suffice, nor do identification cards without photographs. The valid concerns of citizens have prevented this tendency from fully taking root, but this force is insistent; for centralized institutions, better categorizations and taxonomies are downhill forces.

What has actually taken root, far more quickly and comprehensively than government ID cards has been the notion of the social network identity, has been the social profile. Here there is a spectrum of choices, from anonymous channels on 4chan to the information-rich personal profiles Facebook. But the culture has shifted away from the handle and avatar in the cultures of Facebook and Google+ (and elsewhere) and towards “true” identities.

This is a slippery conceit. Our own identities, apart from their various digital augmentations, are composites that are constantly in flux. Our self esteem, our beliefs and our moods shift and sway as our sugar and sleep levels adjust, as the blood pressure settles after that argument with our spouse. The foolish phase involving hallucinogens, or plaid, or karma needs to be buried and moved on from. But our “profiles” have tended towards the static, the absolute; rigid demarcations of our education, sex, political positions, preferred literature.

Not only that, but as our online identities grow consilient, and as certain profiles become master-profiles through the magic of OAuth or OpenID, we increase the risk potential of reliance upon such devices. Losing control of my Google or Facebook profile could be as damaging as losing a credit card or my social security number.

I’m not sure how this would look, technically. I’ll just throw this notion out into the void, and see what comes of it.

I suspect identity would be much more resilient if we actively thought of it as cumulative, and composite. This is done in some spheres, already. To sign up for Couchsurfing, for instance, you need to create a profile with an email, link that to a credit card, and receive a postcard at a stated address. But the default for many contexts is a single identifier; what if the baseline were three or more identifiers? Christina Trapolino’s bet of making her Google Voice number makes sense, there. The idea is that no single identy fragment “is” your identity, and that identity demands scale according to the challenge made upon it. Structurally, this is similar to how the Bitcoin vets transactions across the network, but instead of a financial transaction, it would be a test to see if you’re you; a test across n nodes, where each node is an element (bank account, Twitter handle, what have you). These identifiers could decay naturally or be forcefully revoked, but the identity itself could be robust against all but the most determined attack.