A question of identity
It happens in the blink of an eye. You press the tip of your finger against your phone. A capacitive sensor determines the pattern of ridges and valleys in your fingerprint. An algorithm matches the pattern against a digital representation stored in a secure enclave on your mobile device. If it finds a match, it unlocks your phone (or does whatever other task you were attempting to authorise).
There are other means of authentication, such as facial recognition, PIN codes and passwords, but I think that fingerprint recognition is particularly interesting because it illustrates important differences between the ways that humans and machines and systems deal with identity. (By ‘systems’ I mean all formal, process-driven methods of interaction - not just those implemented in software on computers.)
When humans think about identity we think about an individual, a person. When we say that we know someone, we mean that we know many things about them: not just their name and their profession, but aspects of their behaviour and personality. It is remarkable how quickly we form an impression of a person: even if we have only shaken hands and shared a meeting room with someone for an hour or two, we come away with some idea of what they are like. (Of course, our impressions are also subject to bias and preconceptions: the speed with which we form ideas about others is not always a good thing.) When we encounter that person again, we don’t typically feel that they need to prove their identity. We recognise them.
Even though computers get better and better at seeming to recognise us, they don’t work with identity in the same way. Whatever system we are interacting with (even if it is a system whose job it is to manage identities) does not (yet) form a view of our identity in the same way that a fellow human does. It may know our bank balance and our transactions, it may know our buying patterns and preferences, but it does not know us. It merely correlates a set of signals which it connects to a record in a database. Whereas a human might say, ‘I recognise you,’ a machine might say, ‘I recognise that I have been presented with data which matches a particular entity.’
This is the case even when the technology used in identification and authorisation is advanced and impressive. Fingerprint recognition is an everyday miracle: billions of people in the world carry devices containing sensors and software capable of doing something - recognising fingerprints - that humans cannot do without time and tools, and doing it so fast that, most of the time, we do not notice any delay. Yet, all that advanced and impressive technology is doing is deriving one more digital signal from the world: even though it knows our fingerprint, it does not really know us.
Why is it important to understand how computers process identity? Is it not enough to press our fingers against our phones and accept the convenience and security they offer? As this series of articles argues, the more the world is built out of computers and software, the more important it is for us to understand how they work - and the stronger the duty of those people who work with technology to explain. This is particularly acute for questions of identity - because identity is valuable.
There are roughly three groups of people in the world who care about your digital identity. First, there are people, such as your bank, who provide you with paid services. You can’t get access to those services without proving who you are, and you and the service provider both have an interest in establishing a reliable method of providing this proof. Second, there are people, such as search providers, who don’t require you to prove your identity to use their service, but do have an interest in forming a picture of you, as they are usually funded by advertising. The first and the second groups overlap: companies who provide you with paid services typically want to provide you with more services, so have an interest in figuring out what you want; while companies who offer free services increasingly also offer paid services.
But the big reason to understand identity is the third group. This is the group of bad actors who understand that computers don’t really recognise you - they just recognise a set of signals - and try to intercept or compromise those signals so that they can impersonate you. They may only wish to impersonate you for a moment, to empty your bank account, or they may wish to impersonate you for months, to steal your identity entirely. Either is devastating, and understanding how identity works may help you protect yourself - or, if you run a company, protect your customers.
In this article we’ve only considered how your phone attempts to verify your identity. While this is an everyday marvel, it is simple compared to the way in which your bank manages your identity and tries to verify it. In the next article we’ll explore that in a bit more depth.
The Round Trip Question: Journey Map
This series of articles is driven by a conviction that computing is increasingly important to our lives, but many people don’t understand how computing works, and that those of us working in the industry therefore have a duty to explain. It attempts to answer The Round Trip Question: what happens when you press ‘send’ on the mobile banking app on your phone?
I’m using this section at the bottom to capture the list of questions which arise as I write each article. If I go wrong, or if you have other questions, please tell me in the comments.
To-do:
Who are all these humans who write code? How do they work?
How does my bank’s computer know that I am me?
Why do action heroes ‘break into the computer room to hack the mainframe’? How realistic is that?
What’s a mainframe?
What’s a computer room?
[From Bradley Safer] Who else can see my data? What are they allowed to do with it?
[From Prakash Sethuraman] What is data? Why is it important to protect it?
There will be plenty more questions. For now, though, here’s the very rough picture of what we have covered so far:
(Views in this article are my own.)
Board Risk Advisor, Non-Executive Director & Author
2 years ago: Dave, a provoking article. Identity is a means to an end. Trust is what we are seeking to achieve. Continuous Identification (monitoring) can provide this feedback.
Experienced IT professional with 18+ years of expertise in the Payments and Customer domain, including 14 years on iSeries and 4+ years specializing in GCP, Machine Learning
2 years ago: Nice..