I just want to add to that by saying that it's not about having a single identifier; it's about having confidence about who's on the other side of the transaction. I have today already in my real life, both online and in person, lots of identifiers, and what's good about that is it allows me to segment and compartmentalize my life so that I can only share this much information with this organization and this much information over there.
A single identifier will allow somebody to see everywhere that I've gone across the Internet. The service that we have with the Government of Canada is that the thing you originally asked for was a service that had a single identifier. You wanted an MBUN service, a meaningless but unique number that I could use across government, and when we looked at this we said this is a terrible idea because you're going to create a surveillance network. You're going to be able to see everywhere: they went to the beer store, the doctor, the beer store, the doctor, the tax department. You could have followed me everywhere. I don't want this thing. We designed triple-blind privacy to solve that problem. It's not about getting to a single identifier. In government, the service we built actually gives you a plurality of identifiers.
When I go to each government department, I have a unique identifier that I only use there and that's a better scheme because my relationship is contextual. I don't have a global view of my data. I have very contextualized, compartmentalized view of my life and I want it to stay that way. I don't want a big honey pot somewhere. Giving people the tools and the capabilities to do this is important.
I just want to pick up on Mr. Anthony's comments for a moment, though. The passport is not an authentication document. We use it for identity to prove that you're in the government's book of names. Let me just share something that's really important when you get to identity. When you are asking who somebody is, you're asking two questions that have to be answered at the same time. The first question is: Does such a person named Andre Boysen exist? The government, without dispute, is the author of that record and has domain over that record.
The second question has to be answered concurrently: Is he Andre Boysen? If you can't answer those two questions at the same time, you can't do a good job. Awesome authentication that's really strong but you don't know who it is, it's not that helpful. You have to be able to bind it to who did it. If you can combine it with self-interest, then the users will do the right thing when they lose access to the credential, which means the crook gets shut down. An identity is three components and they need to be kept separate.