A primer to the nuances of authorisation, authentication, and identification

Abstract

Whether online or offline, questions of identities and identification have been a topic of ongoing discussion and debate in society for many years. In many Western societies, the last decades have seen an ever-growing emphasis placed upon the malleability and flux of identities. This is in contrast to the perceived stability of human identities in the past, often characterised by “stable relationships” in society, family or lifelong employment. The celebration of the relative historical novelty of these aspects of identity often overshadows the importance of social categorisation, i.e. the categorisation of others, in shaping an individual’s experiences in society. Self or group identification, i.e. how individuals or groups identify themselves, is but one mode of identification. The fundamental process of identifying involves specifying what something or someone is and what it is not, including its or their properties or characteristics. Humans regularly engage in dialectic processes of identification with internal and external moments, involving how they identify themselves, how others identify them, and the ongoing interplay of these processes in social identification. Those others may not only be humans but also institutions. Since at least the fourteenth century, states have created increasingly intricate administrative systems for tracking individual identities in order to better register and control their populations, in the pursuit of, e.g., improving tax collection and conscription. This included the development of a range of categorisation and identification practices and documents, including seals, stamps, signatures, and identity papers. Beyond the impact of specific legislation such as the Real ID Act of 2005 in the USA or Regulation 2019/1157 on strengthening the security of identity cards in the EU, we can observe three qualitative changes in recent years.
First, the issuance of authoritative identities is no longer restricted to state actors but is increasingly performed by private actors such as companies. Second, these are not limited to paper documents but have become complex digital identities. Finally, we can observe an increasing convergence of the different identification systems, state and private, analogue and digital, to the benefit of both states and companies, e.g. when matching state-issued and online IDs for social networks. Behind this apparent harmony of state and private interests, a privatisation of state prerogatives in the area of authoritative identities is taking place, driven by commercial interests. Characterised by what Evgeny Morozov calls “technological solutionism” — the idea that given the right software and data, technology can solve all of humankind’s problems — companies have a strong incentive to oversell digital identity systems they create and operate. The multitude and fuzziness of underlying concepts of identity and identification, social, legal and technical, have given rise to misunderstandings about what is built into certain systems, what their characteristics are, and what the consequences are. For example, a recent decision by the French Cour de Cassation on 2-factor authentication is based on the false understanding that the existence of multiple modalities guaranteed security without consideration of the underlying security of each modality. Thus, these misunderstandings can in turn have severe legal implications. We understand that there are difficulties with the translation of certain aspects between the disciplines and that the infrastructure — including the legal infrastructure — of identity systems is generally built upon assumptions that are made based on past social, legal, and technical experiences, assumptions which might not really be true in online settings.
Thus, our aim with this chapter is to provide more solid grounding for people working on identities, analogue and digital, and identification practices and systems at the interface of law and computing. This chapter, focused on the nuances between authorisation, authentication, and identification, is structured as follows. We start by going over conceptual aspects and setting some definitions around identification and authentication, from adversarial frameworks to information linking and leaking. We follow with a quick overview of the state of the art on technical solutions for authentication. Finally, we discuss the issues of power and normativity in their relationships to identity.

Publication
*Preprint of a chapter of L’identité numérique en construction. Quels enjeux et quels modèles ? (eds. J. Eynard and G. Macilotti), Larcier Intersentia*