I had the opportunity to do an encore presentation at work of “Informational Identity: Digital Identity in Context,” which I originally presented at Identity Week America in Washington, D.C. on September 11th. At Identity Week I presented, and expanded on, the idea of ‘Informational Identity,’ of which digital identity is a proper subset, and which I argue is one of our two fundamental modern identities, alongside personal identity. I first started exploring these ideas in my 2019 post here “Identity Proofing: Turtles All the Way Down.”
There was a lively side discussion in chat in the Teams meeting during my encore presentation. One of the topics was on the use of DNA in identity. Reviewing that later, I thought I might be able to clarify a few misconceptions people have about DNA and identity, so I shared an extended thought about it with them, which was the genesis of this post. That audience had just had a full pitcher of Informational Identity Kool-Aid, so had more immediate context for this than you may have. I will try to flesh it out more here, but you may find it useful to read the thread on Informational Identity first that starts with the post linked above.
TL;DR DNA does not guarantee a digital identity “is” the individual with that DNA pattern.
The use of biometrics such as DNA in identity and access management is a little nuanced.
In a biometric authentication, the DNA – or the retina scan, or the palm vein print, or the gait pattern, etc. – serves as both the authenticator as well as the ‘pointing’ part of the associated informational identity – what I call the ‘deictic.’ In linguistics, ‘deixis’ refers to words whose meaning is dependent on the spatial/temporal/personal location of the speaker vs other places, times or people. Words such as ‘soon’, or ‘there’, or ‘you’. The deictic is the part of the informational identity that uniquely points to an individual. A biometric serves as such a unique identifier. As with any identifier, the key moment in its use in identity and access management is what I call ‘the christening’ – the moment that identifier is associated with the individual and that association is recorded in an informational identity, whether in memory, parchment or silicon.
If Luther hacks into the UK government database and puts Ethan Hunt’s DNA profile into Keir Starmer’s digital identity record, Hunt can get through the DNA scanner into the secret Cabinet War Room deep under Whitehall to push the big red button to prevent WW III.
As an authenticator, many biometrics make the credential they are part of ‘non-repudiable’. With password-based authentication, for example, even with a second factor such as a one-time text password, the user can always maintain “someone else guessed my password and had control of my phone.” And while there may be forensic evidence to the contrary, it is difficult to prove otherwise. With a well-implemented biometric authenticator, there is (close enough to) certain knowledge that the individual with that biometric trait donned the associated informational identity and exercised its privileges to do some stuff, so they can be held legally and morally accountable for those actions. That does not necessarily mean the rest of the digital identity record – the demographics and addresses – is about them. Confidence in that is a function of how strongly their identity was proofed at the creation of the digital identity record when the biometric pattern was recorded.
So, in addition to being problematic to use as an authenticator in practice – taking some hair or bodily fluid and patterning the DNA is hard to do remotely – maybe a little keyboard based thing that pricks your finger? call the patent office! : ) – the use of DNA doesn’t ‘solve’ identity.
I say “well implemented” above, because there are a number of biometrics that can be digitally spoofed – such as photographs and voice prints – which is why they are frequently complemented by a “liveness” check to ensure their provenance.
The Identity Week presentation wasn’t recorded, but the internal company one was. I will see if I can figure out how to get it posted soon. TTFN.
Health IT Architect 