Update: Good news Anthem Press will be publishing this as a book. Check back in January for a link to order it or join my mailing list to get notified when it comes out.
Join to get updates from Identity Woman
Kaliya is beginning to share regular updates about her work. This will help keep you up to date with all her work.
The Domains of Identity
by Kaliya “Identity Woman” Young, MSIMS
Abstract: The Domains of Identity outlines sixteen key categories of transactions which cause personally identifiable information to be stored in databases. The purpose of this research is to address challenges of Identity Management that involve interactions of almost all people in almost all institutional/organizational contexts. Enumerating the sixteen domains and describing the characteristics of each domain is intended to clarify which problems arise and how they can be solved within each domain. Discussions of identity management are often confusing because they mix issues from multiple domains, or because they try unsuccessfully to apply solutions from one domain to problems in another. Part of the objective of this article is to eliminate this confusion and enable clearer conversations about identity management problems and solutions.
About this Paper: The first version was submitted to the University of Texas at Austin to fulfill the report requirement for the Master of Science in Identity Management and Security. The Co-Supervisors were Dr. Dawna Ballard and Dr. Bob Blakley.
From the Introduction: There are a few very obvious and much-discussed archetypical identity management scenarios:
- employee to employer
- citizen to government
- consumer to merchant
Each one of these has very different power relationships and characteristics. Through conversations arising out of the UT Austin Masters of Science in Identity Management program, it became clear that these three simple scenarios were not comprehensive enough to hold the whole range of activities that lead to individual’s Personally Identifiable Information (PII) being collected, ending up in databases, and being used and misused. I worked to define a simple comprehensives set of domains, each with different processes and contexts, where individual’s data (PII) ends up in databases. The result is the sixteen domains of identity. Once the domains had been defined, I dove into all the academic research relative to identity management, finding more than 900 articles in the UT Library, and then sifted through them to identify papers that specifically explained and defined the domains. For my masters report, I wrote out detailed descriptions of each domain based on the literature. This article defines the domains and presents a symbol for each the relationship to other domains along with the roles and sources of PII.
The big challenge with the fields of identity management and privacy is that both involve issues across the lifespan of all people and across virtually all institutional/organizational contexts they encounter. Everyone in our society participates in some type of “identity management” on almost a daily basis. It is so common that we do not really think about it. As a result, the discourse about identity often conflates radically different issues.
The black market in which personal data is bought and sold is very different from the contemporary data broker industry, but it is not uncommon for people with fears about personal data use to lump these two contexts together – forgetting that one is a legal business market and the other is a result of criminal activity. For example, an enterprise with weak one factor authentication that is attacked in a spear phishing attack to gain access to the employee directories, exfiltrate information, and sell it on the black market. This type of attack is quite different than the type of data breach Target experienced where the criminals accessed customer credit card information via the controls in the HVAC system and put it on the black market. This research outlines sixteen domains that can hold a comprehensive set of use cases across all the domains that identity management happens in. I define identity domains as the contexts where databases of personally identifying information about people are created or used. These domains are not new. All of them existed 100 years ago. However, computer technologies have changed how they operate.
Enumerating the sixteen domains and describing the characteristics of each domain is intended to enable clear thinking about which problems arise in each domain, and how problems can be solved within each domain. Discussions of identity management are often confusing because they mix issues from multiple domains, or try unsuccessfully to apply solutions from one domain to problems in another domain. One of the objectives of this paper is to eliminate this confusion and enable clearer conversation about identity management problems and solutions that will enhance security and increase privacy.