Identity is one of those elusive concepts that underpin several important debates. It appears to me that identity can be tied to a systemic view or an individual view. The former is the provenance of centralised systems and intrusive governments, the latter usually confined to the realms of philosophy or psychology. I’d argue that individual focus plays an increasingly important role in the online world as individuals drive their own identity. My aim (in working on the VRM project) is to find ways to equip them with better tools to continue to do so in all areas of their life, if they choose so.
Offline, we have the crowd who argue about identity in the political sphere, where the debate is really about privacy, rights of the individual, the relationship between the state and its citizens, efficacy of various methods of authentication and security implications. This involves fighting the Big and Bureaucratic Brother in all his shapes and guises, and his equally overbearing cousin the national database or register.
Online, we have the identity gangs within Identity Commons, Identity 2.0 and other identity related projects. Let’s look at Dick’s articulate case for digital identity, Identity 2.0. Without going into too much details, I believe the objective is to mimic the modern identity that revolves around photo IDs (passport, driving license, student card etc) in our online identity transactions. In other words, to enable the user to have the kinds of benefit in the online environment that identity management affords us in the offline world. The requirements for that are scalability of trust, privacy, re-usability, less fragmented identity, convenient ways of accessing and managing one’s identity, secure and private handling of sensitive or private information. For example, the same way your driving license proves your age and allows you to buy alcohol legally, Identity 2.0 is about you being able to prove claims relevant to your online transactions. On another level it is making it more convenient to manage what is currently an ‘identity’ scattered across the net – the ubiquitous logins with passwords, one for every time you deal with someone who created a platform to a) interact or transact with them and b) offer some functionality/capability in exchange for your data. The requirements for that is to be simple & open.
This is all good, as Doc is fond of saying, but this is not the kind of identity I had in mind when thinking about where to start with VRM and how identity relates to it.
According to Dick Hardt identity is what I say about me and what others say about me. The latter being more trustworthy, it makes sense to identify myself through referring to someone who can corroborate what I say. I am therefore defined by external, verifiable and validated statements, facts and information – identifiers. Dick defines his identity as consisting roughly of address, date of birth, URLs of blogs he writes, emails he uses, phone numbers, banks, airlines, clothes and car brands he uses, books, movies and magazines he likes.
These are all shortcuts to what constitutes Dick Hardt as a person, they put his identity in a recognisable frame of reference and allow him to participate in identity transactions.
In the offline world identity is really third-party driven, to put it crudely, we are what our papers say we are. Your birth certificate attests to your date of birth, your utility bills to your residence, your diploma to your education etc etc. It has been so because our identity management has had several fundamental features – it is centralised, system-centric and it is read-only. We are used to deriving our authority and credibility from a system that grants and confirms it. It is important that we can do that as the only way we can transact in a hierarchical environment is via authorisation from the level above us. (a definition of hierarchy is that in order to interact with somebody on the same level I have to go via a superior level).
Whatever the web turns out to be, it is not a hierarchy. It is a network, i.e. a heterarchy, a network of elements in which each element shares the same “horizontal” position of power and authority, each playing a theoretically equal role. This has impact on how my identity is defined and who defines it. From blogs to social network profiles, people are learning how to define their thoughts and ideas, record their lives in multimedia formats, share their experiences, swarm around causes and defy companies, institutions and authorities. From linky love to P2P, they are bypassing traditional media and distribution channels, learning the ways of direct connections.
People online build and destroy reputations, create and squander careers, establish themselves as experts or celebrities. That’s the bird’s eye view. The closer look reveals emergence of self-defined (and self-driven) identities. By writing I learn to articulate my thoughts better, by sharing I learn to differentiate from, as well as identify with, others. I become aware of myself and my preferences in ways that in the times before the web were available to a select few – writers, artists, politicians and the more articulate celebrities. We have ways of connecting with others who become validators and authenticators of our self-defined and persistent identities. The challenge is to understand and find how to evolve and use those for other than communication and information transactions.
And yet, instead we build platforms – vestiges of offline identity – third-party defined spaces designed to ‘contain’ bits of your identity. They clash with my ability as an individual to define and drive my identity. Over time I learn to manage who I am and as more tools and networks emerge my fractured existence, scattered across others’ silos becomes more obvious. The silos are a result of various platforms vying for my data, offering bits and pieces of functionality that I find useful and empowering. It got me where I am now as an ‘empowered’ individual. However, a picture of fractured identity emerges.
Centralised database(s) of identity information and its verification, authentication etc is based on a hierarchy mindset. In a heterarchy, each node is self-defined first and then defined by its relationships. I want to have an identity that evolves and exists in a network, i.e. a structural heterarchy. Why not start by ‘defragging’ identity by outsourcing its definition to individuals as they are capable of creating much richer identities than any system.
To my amazement I often see logins and passwords to various sites and platforms described as “identity”. I don’t think of them as my identity, but as things that I currently need to access bits of my scattered identity, at best they are my meta-identity. (Btw, by self-defined identity I am not referring to self-asserted identity which still relates to identifiers of the kind I’d call meta-identity. I am looking for ways of establishing identifiers that are part emergent, part validated by relationships rather than by a systemic-level third parties designed to do that. Let’s not have a ‘centralised’ trust, let’s have distributed one.)
What I want is option (with set of tools) for individuals taking charge of their identities.* And on the web that starts with exercising sovereignty over my data. This alternative must be networked and not third party dependent or platform based. As I have said before, there are only two ‘natural’ online platforms – the individual and the web.
But what about authentications and authorisations that are needed for transactions, aside from all the fluffy social empowering self-publishing identity utopia? …I hear you cry. As is often the case on the web, there may be other ways to skin the authentication cat than using identity. The key is in realising that authorisation and identity are related but separate.
Authentication is the act of establishing an identity – this is separate from the existing identity approach where the focus is on collection and disbursement of bits of data to do with someone. The cheap and cheerful explanation of this is that you can authenticate with a password (i.e. something that only you know). However, that password need not reveal anything about you/your identity. It just reveals that you are someone who knows the password. Therefore, authentication is free to be separate from identity. They are in separate but related domains. Have I mentioned that they are separate?
I owe this point to Alec who explains:
Traditionally authentication is one-or-more of three things.
- something you KNOW, e.g, you KNOW the password
- something you HAVE, e.g, you HAVE the door key,
- something you ARE, e.g, you ARE a 4-star general on an army base
The latter tends to be a bit weak, as authentication goes, in my experience it is prone to social hacking. Good authentication might be combining something like: KNOWING the password that UNLOCKS the certificate that you HAVE on the laptop, that permits a remote website to challenge you and get the response it expects, since it KNOWS that you have your certificate on your laptop…
In short, let me have a go at my identity myself, on my own terms, the web way, without intermediaries, ‘trusted’ parties and hierarchical non-direct ways. Locking me into new ‘better’ platforms, offering ’services’ to manage my meta-identity is like putting a band-aid on a gaping wound. Instead, give me tools, flexible and modular, to reclaim my digital personae, help me piece together my fractured identity. And then allow me to drive it forward with all of the benefits that it can bring me and to those I interact and transact with. Learn to live with the unpredictability and emergent juicy goodness that comes from my independence and lack of your control over me. Finally, let me learn from my mistakes, my first uncertain steps with my data sovereignty. Without those how can I ever learn to fully value privacy, security and engage in mutually beneficial interactions?
*I plan to cover this in more detail in the upcoming white paper on the infrastructural level elements (the Mine! and FeedMe) that enable people to reclaim their data, manage and share them on their own terms whilst being connected, networked and part of the web.