I got the chance to take part today in a workshop session at the Internet Governance Forum in Baku, and as, for once, I had made some written notes, I thought I’d get a little more mileage out of them by posting a summary here… I hope this is useful. Comments welcome, as ever.
A 1, 2, 3 of digital identity
Having listened to the very diverse views and interpretations of identity here at the IGF this week, my worry is that we’re talking about governing something that we haven’t clearly defined. So here’s a perspective on digital identity, under three headings:
- One evolutionary sequence: how did we get here?
- Two models of what digital identity is…
- Three issues
1. In the 80s, your ‘identity’ meant either your passport or – if you were one of the few who used a computer – your account on a mainframe or (higher-education) server: siloed, and incomprehensible to other systems or organisations.
In the early 2000s, it started to make sense to talk about your ‘network identity’: the collection of things that a panoptical third party could know about you by looking at all the places where information about you was stored online (IDs, accounts, user profiles, etc.).
By the middle of that decade, federated identity was a reality, at least among large enterprises: a non-siloed digital credential that could be used to identify you to an organisation that had not issued it to you.
The current goal could be described as “Internet-scale” federation: a framework which can cater for many kinds of credential, understandable by many organisations, in different sectors, for different purposes, with different models for trust and liability. This is the aim of programs such as the US National Strategy for Trusted Identities in Cyberspace and a similar initiative in the UK.
In short: the goal is a digital ‘identity’ as multi-faceted and versatile as our real-life, individual identity as a person. That’s a long way from where we were 30 years ago – and we’re by no means there yet.
2. So let me describe two ways of looking at digital identity. I’ll describe the first one and then contrast its characteristics with the second. The first, I’ll call the Classic model. It is based on:
- Single authoritative source
- Binary (Y or N)
- Level of assurance and a chain of trust, both of which can be formalised into procedures and assigned liability models (retroactive).
The second is what I’ll call the Emerging model. It looks like this:
- Multiple, low-assurance sources
- Contextual and adaptive
- A web of trust, notions of mutable reputation, and quantifiable mainly in terms of risk management (predictive).
3. So, what issues does that present us with?
The Classic model is fundamentally retrospective. It’s the historical way of thinking about identity: it establishes an identity relationship between what’s happening now and a trusted event in the past, and liability is – basically – the arrangement for what you do after something has gone wrong.
As a result, one problem is that it copes badly with cases where an identity was issued for one purpose and is later used for other purposes – but you can’t stop that from happening.
The Emerging model is future-facing. It is much more dynamic, and it is also completely compatible with anonymous authorisation. But it alters our conception of identity and trust, and relies on immature disciplines such as reputation management and contextual authorisation.
It is a model whose working parts are almost entirely hidden from the end user – whereas the Classic model at least (usually) requires the user’s involvement at the point of authentication. The Emerging model therefore poses real questions of user control and consent.
And lastly, there’s a catch. This isn’t an either/or decision. We need both the classic and the emerging models – because neither, on its own, can get your digital identity close to being a reflection of your personal identity.