We think we're talking about a thing when we refer to identity provisioning, or "Bring Your Own Identity", or the choice of identity that's axiomatic in NSTIC. The Laws of Identity encouraged us to think in terms of identity as a commodity, but at the same time the Laws cannily defined Digital Identity as a "set of claims".
So identity is not a thing.
Rather, identity is a state of affairs: Identity is How I Am Known. [Update February 2013. I am embarrassed to admit I have only just discovered the work of Goffman and the dramaturgical analysis of identity. Goffman found that identity is an emergent property from social interaction, that it comes dynamically from the roles we play, and that it is formed by the way we believe others see us. That is, personal identity is partly impressed upon us. This is the sort of view I have arrived at with Digital Identity. Read on ...]
Digital identity is really just the conspicuous surface of a relationship we have with the Identity Provider (IdP). That relationship grows over time, starting from the evidence of identity (like the legislated "100 point" check in Australian banking) gathered at registration time, after which the IdP issues our identifier. But the identifier is really just a proxy for the relationship we have with a service provider, a relationship which can be deep and unfolding, and usually more complex than any identifier on its own would suggest. The original evidence of identity is just a boundary condition; it might be common across several relationships for a time, but it's really not what the ongoing relationship is all about.
So what can it mean to try and exercise a choice of identity? In business it's the Relying Party that bears most of the risk if an identity is wrong, and so it is that the Relying Party is very often the IdP, for then they can best manage their risk. And here the choice of business identity is moot. If you don't have an identity that meets the RP's needs, then they have the prerogative to turn you away. Think about a store that doesn't accept Diners Club; do you have any prospect of negotiating with them to pay by Diners if that's your choice of card? Can it make any difference to the store owner that you might have extra credentials to present in real time?
However, in social dealings, identity is different. Here we do narrate our own life stories, we curate our own identities.
What's going on here? How do we reconcile these contradictions across our plurality of identities? It might help to describe two different orders of Digital Identity:
- Expressed Identities that we control for ourselves and exercise in social circles, and
- Impressed Identities that are bestowed upon us by employers, businesses and government. We have little or no control over how the Impressed identities are created, save for the ultimate power to simply decline a job, a bank account or a passport if we don't like the conditions that go with them.
And every now and then, Expressed and Impressed identities come into conflict, never more viscerally than in what I call the High School Reunion Effect. Most of us have probably experienced the psychic dislocation of meeting old school friends for the first time in decades at a reunion. You've changed; they've changed; our current lives and contexts are unknown and unknowable to our old peers. Instead the group context is frozen in time, and we all struggle to relate to one another according to old identities, while editing ourselves to reflect the new individuals that we have become in new contexts. But here's the thing: our old identities actually return, to varying degrees, impressed by how the group as a whole used to be. So identity is plastic.
High school reunions showcase the dynamic mixture of Impressed and Expressed identities. The way we choose to express ourselves is molded to a point to fit an inter-personal context impressed upon us by a community.
Another example - of greater practical importance - of the tension between impressed and expressed identity is the "Real Name" policies of Google and Facebook. Here we saw a mighty clash of the rights of people to define how they are known in distinct spheres, and the interests of network operators to "know" their users for commercial purposes. Perhaps that type of conflict would be better understood if we saw how different orders of identity have different degrees of freedom? Identity is literally relative.
And then there is the Bring Your Own Identity movement, another battleground where competing intuitions about identity are playing out. Here the claimed right to use whatever identification method one likes butts up against the enterprise's need to set its own standards for authentication technology and identification risk management. Some BYOI advocates say this is not just about user convenience; businesses may save serious money through BYOI because it will save them from issuing their own IDs, just as BYOD is thought to reduce device support costs. But in most cases, the cost to the business of mapping and interfacing all the expressed identities that users might elect to bring simply exceeds the cost of the organisation impressing IDs for itself.
Digital Identity is a heady intersection of social, technological, business and political frames of reference. Our intuitions - not surprisingly really - can fail us in cyberspace. I reckon progress in NSTIC and similar initiatives will depend on us appreciating that identity online isn't always what it seems.