Wednesday, November 21, 2012

The Identity Conundrum - context and origins


The Identity Management and Privacy ecosystems are currently grappling with several issues on how to balance the divergent needs of stakeholders (businesses, governments and individuals) such as targeting, security, usability and privacy. The stakeholders are unable to agree on anything in common - whether it is techniques, levels of verification, protection mechanisms or approaches (centralized vs federated, single-identity vs plurality, etc.).

The trigger for this post is one such disagreement - with Kaliya Hamlin (@IdentityWoman) and Robin Wilton (@futureidentity) - on whether all identity is contextual and socially constructed. While I agree that all identity (and identity-verification) is contextual, I feel that there are aspects to identity that are not socially constructed. Rather, they are individually asserted and must be taken as such.

For example, do I consider my name and my date of birth to be:
  1. attributes and assertions that constitute a part of my identity? (yes, I do)
  2. if so, should I consider them to be socially constructed? (no, I don't)
  3. are they socially relevant? (yes, they are)
I am, therefore, distinguishing between relevance (and correlation) and construction (causation).

This, of course, raises some interesting questions.
  • What if I had used a pseudonym? Would it not be socially constructed? I don't think so. I created that pseudonym myself. If I let the social context influence this, it was by my discretion. So the causation is not automatic by any stretch of logic.
  • What if I had used a pseudo date of birth? I contend that it still is not socially constructed. I am deliberately skipping arguments regarding why this should be necessary and whether this should be allowed at all. That topic deserves an entire post for itself.
This is not to confuse attributes with identity, of course. But the logic applies to any identity constructed out of such attributes.

I don't know whether we are splitting hairs on minor details or are in genuine disagreement on something very fundamental: that of the context of the Identity Problem that we are discussing.

At the root of this discussion is the very context and concept of Identity. I am talking about Identity in the digital world - primarily for the purpose of authentication. By authentication, I mean verification of the assertions / claims of the nature of: attribute=value made by an individual. Variations like Age > 18 also fall under the same category. The identity problem exists for organizations / entities too, but I digress.

Worth mentioning in this context are some of the blog posts by Stephen Wilson (@Steve_Lockstep) where he argues that we are over-theorizing the whole thing: "Speaking plainly about identity". Steve appears to differ from Kaliya on the matter of Identity as a spectrum metaphor (in his blog post: "Surfacing Identity"). I agree more with Steve than Kaliya on this.

I believe it is important to understand the relationships and interactions between IdPs (Identity Service Providers) and RPs (Relying Parties). The claims by an individual (requestor) will usually be for a subset of a "whole big set of attributes" pertaining to the individual. There can be multiple IdPs that I (the individual) deal with - each of them maintaining a different but overlapping set of my attributes. I can choose which IdP I refer an RP to for verification. I only claim what I (and the RP) deem as necessary attributes for the purpose of my interaction with the RP. Let us pause here and see why this is important to this discussion.

Should we call this (subset of assertions) as a contextually / socially constructed identity? Is that a reason why we are unable to agree? Not sure, but I don't see any point in treating each set of attribute-value pairs as a separate identity. I would rather speak plainly and say "this is my name & age; go check with this/my IdP if you want". Even so, why would we want a concept of "constructing the identity for the specific purpose at hand"? Why not say to the IdP: "these are my attributes (name, age, address, etc.), these are the pseudonyms, email addresses, etc., I like to use (the personas idea), ...". The IdP could relay them to any asking RP along with whether or not a given attribute is verified by them and how well. Of course, some attributes such as pseudonyms don't need verification. RPs who accept pseudonyms can substitute them in place of names - and don't need to pretend that they know my real name.
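The relay described above, as an added example that is not part of the original post: one attribute store at the IdP, with each RP receiving only the attributes the individual chose to claim, each tagged with whether and how well the IdP verified it. The class and attribute names, the confidence scale and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Attribute:
    value: object
    verified: bool    # did the IdP verify this value?
    confidence: str   # how well: "none" / "low" / "high" (assumed scale)

def age_on(dob, today):
    """Whole years between dob and today."""
    return today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))

class IdP:
    """Hypothetical IdP holding one individual's attribute set."""
    def __init__(self, attributes):
        self._attrs = attributes

    def respond(self, requested, claimed, today):
        """Relay only what the individual chose to claim to this RP."""
        out = {}
        for name in requested:
            if name not in claimed:
                continue  # RP asked for more than the individual claims
            if name == "age_gt_18":
                # Derived claim: answer the predicate, never release the date.
                dob = self._attrs["date_of_birth"]
                out[name] = Attribute(age_on(dob.value, today) > 18,
                                      dob.verified, dob.confidence)
            elif name in self._attrs:
                out[name] = self._attrs[name]
        return out

def demo():
    # Constructed sample data, not taken from the post.
    idp = IdP({
        "name": Attribute("A. Citizen", True, "high"),
        "date_of_birth": Attribute(date(1970, 5, 4), True, "high"),
        "address": Attribute("12 Sample Road", True, "low"),
        "pseudonym": Attribute("quietfox", False, "none"),  # self-asserted
    })
    rp_request = ["name", "date_of_birth", "pseudonym", "age_gt_18"]
    claimed = {"pseudonym", "age_gt_18"}
    return idp.respond(rp_request, claimed, today=date(2012, 11, 21))

if __name__ == "__main__":
    for name, attr in demo().items():
        print(name, attr)
```

The RP here learns a pseudonym marked as unverified and a verified "Age > 18" answer, and never sees the name or the date of birth it also asked for.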

Let us consider another alternative explanation for this disagreement. Do I consider myself as using different identities in different contexts - as in: a father, an employee, a customer, etc? I think not. They are all assertions of various combinations of my attributes - all derived from the data I've already shared with my IdP (and, to varying degrees of confidence, verified by them). 

Perhaps more clarity will emerge after further discussion.

Before I wrap up, a bit of background. In early 2001, I pushed hard and succeeded in having the (Indian) Ministry of Corporate Affairs accept the use of Digital Signature Certificates to issue strong credentials of directors of companies, professionals (Chartered Accountants, Company Secretaries, ...). To my chagrin, my solution was grossly inadequate (something I realized only a few years later, when checking on the implementation) and did not solve the social issues (e.g., of directors' trust in CAs) as well as other usability problems. It is nearly totally broken now, but the legacy lives on in the MCA21 project. Alas, the Government refuses to acknowledge the problem, ergo it doesn't exist.

More recently, I've been grappling with this in the context of the UIDAI project and its implementation in Haryana. This work is now a part of the guidelines for UID (a.k.a Aadhaar) based authentication for Government (citizen) services delivery by Haryana Government. That document is in the public domain but perhaps not online. I've also been involved in the review of the National e-Authentication Framework (now renamed as e-Pramaan Framework) of the Govt of India (will be somewhere on the DeitY site - the URL keeps changing), about which the less said the better it is. Needless to say, I think they totally lost the plot.

I am now working on a new model using 2FA and Govt-as-IdP for the Haryana Govt as a part of a new project. We should be able to try it out in the field in early 2013. I'll be happy to share those results as they come in.

In all this, I have mostly been looking at the Identity problem from Government (citizen) services delivery point of view. So my views are probably strongly influenced (biased?) by those perspectives. Part of the pleasure in working in this area with all the wonderful people and their diverse ideas is the opportunity to expand those horizons.

2 comments:

  1. Sastry - That's a fair account of the types of disagreements. I like the way you're trying to work out the reasons for the disagreements. But I think we could be going back and forth for an indefinite length of time!

    So have you seen my argument that maybe we should forget about "identity"? http://lockstep.com.au/blog/2012/11/10/forget-identity

    Pragmatically, we could solve a lot of problems around usability, security, privacy and ease of registration if we dropped down a level and improved the way that claims and attributes are exchanged digitally. We don't have to take a position on the philosophical questions of "identity" and we don't need to force changes on businesses in the way they put together claims / attributes to define relationships with people. It shouldn't really matter at the operational and technological levels whether identity is socially constructed or individually expressed.

    Cheers, Steve Wilson.

  2. Thanks, Steve. The disagreements have been around for a while and probably will continue that way. I do agree that implementation of what each of us consider to be acceptable solutions can proceed in parallel (i.e., without waiting for the debate to settle down), though at the risk of rework.

    Yes, I read the post you mentioned. I agree with what you are saying. That is probably because both of us appear to be focusing on use cases where real identity is closely linked to digital identity. These are also use cases related to authenticated access to "systems" and services.

    Things start getting a bit (only a bit) messy when we add valid/reasonable/legitimate use cases with anonymity and pseudonymity to the mix. Those who are focusing on this area appear to be missing out on the more-numerous (my assumption) applications in the authenticated access domain.

    Another prominently missing piece on my radar is that of "apparently" reasonable use cases of surveillance, as well as the need to impose limits on Freedom of Expression and the resulting constraints on identity management. I am a libertarian by instinct - and hence am allergic to such constraints. However, these arguments deserve due consideration. It is something I am hoping to achieve through discussions such as this.