We think we're talking about a thing when we refer to identity provisioning, or "Bring Your Own Identity", or the "choice" of identity that's axiomatic in NSTIC and similar federation proposals. The Laws of Identity encouraged us to think in terms of identity as a commodity, but at the same time the Laws cannily defined Digital Identity as a "set of claims" (that is, attributes of the identified Subject).
So identity is not a thing.
Rather, identity is a state of affairs: Identity is How I Am Known.[Update February 2013. I am embarrassed to admit I have only just discovered the work of Goffman and his "dramaturgical" analysis of identity. Goffman found that identity is an emergent property from social interaction, that it comes dynamically from the roles we play, and that it is formed by the way we believe others see us. That is, personal identity is partly impressed upon us. This is the sort of view I have arrived at with Digital Identity. Read on.]
Digital identity is really just the conspicuous surface of a relationship we have with a service provider or counterparty. That relationship grows over time, starting from the evidence of identity gathered at registration time (classically a KYC check to open a bank account), after which we get an identifier. But identifiers are really just macros for the relationships we have with our service providers, which can be deep and unfolding, and often more complex than any identifier on its own would suggest. The original evidence of identity is just a boundary condition; it might be common across several relationships for a time, but it's not actually what the ongoing relationship is all about.
So what can it mean to try and exercise a choice of identity? In business it's the Relying Party that bears most of the risk if an identity is wrong, and so it is that the Relying Party is very often the "Identity Provider", for then they can best manage their risk. And here the choice of business identity is moot. If you don't have an identity that meets the RP's needs, then they have the perogative to turn you away. Think about a store that doesn't accept Diners Club; do you have any prospect of negotiating with them to pay by Diners if that's your choice of card? Can it make any difference to the store owner that you might have extra credentials to present in real time?
However, in social dealings, identity is different. Here we do narrate the visible surface of own life stories, and thus curate our own identity (or identities, plural).
What's going on here? How do we reconcile these contradictions of self determination in some cases, and all those counterparty interests across many other cases? I find it helps to describe two different orders of Digital Identity:
And every now and then, Expressed and Impressed identities come into conflict, never more viscerally than in what I call the High School Reunion Effect. Most of us have probably experienced the psychic dislocation of meeting old school friends for the first time in decades at a reunion. You've changed; they've changed; all our current lives and contexts are unknown to our peers of old. Instead, the group context is frozen in time as it was at school, and we all struggle to relate to one another according to old identities, while editing ourselves to reflect the new individuals that we have become. But here's the thing: our old identities actually return, to varying degrees, impressed on us by how the group as a whole used to be. It's a vivid demonstration of how identity is plastic, and how it's shaped by different forces, some outside our control. High school reunions showcase the dynamic mixture of Impressed and Expressed identities. The way we choose to express ourselves is molded (to a point) to fit an inter-personal context impressed upon us by a community.
Another example - of greater practical importance - of the tension between impressed and expressed identity is the "Real Name" policies of Google and Facebook. Here we saw a mighty clash of the rights of people to define how they are known in distinct spheres, and the interests of social network operators to "know" their users (to put it clinically, index them) for commercial purposes. Perhaps that type of conflict would be better understood if we saw how different orders of identity have different degrees of freedom? Identity is literally relative.
And then there is the Bring Your Own Identity movement, another battle ground where competing intuitions about identity are playing out. Here the claimed right to use whatever identification method one likes butts up against the enterprise's need to set its own standards for identification risk management. Some BYOI advocates say this is not just about user convenience; businesses may save serious money through BYOI because it will save them from issuing their own IDs, just as BYOD can reduce device support costs. But in most cases, the cost to the business of mapping and integrating all the expressed identities that users might elect to bring simply exceeds the cost of the organisation impressing IDs for itself.
Digital Identity is a heady intersection of social, technological, business and political frames of reference. Our intuitions - not surprisingly really - can fail us in cyberspace. I reckon progress in NSTIC and similar initiatives will depend on us appreciating that identity online isn't always what it seems.