We think we're talking about a thing when we refer to identity provisioning, or "Bring Your Own Identity", or the choice of identity that's axiomatic in NSTIC. The Laws of Identity encouraged us to think in terms of identity as a commodity, but at the same time the Laws cannily defined Digital Identity as a "set of claims".
So identity is not a thing.
Rather, identity is a state of affairs: Identity is How I Am Known. [Update February 2013. I am embarrassed to admit I have only just discovered the work of Goffman and the dramaturgical analysis of identity. Goffman found that identity is an emergent property of social interaction, that it comes dynamically from the roles we play, and that it is formed by the way we believe others see us. That is, personal identity is partly impressed upon us. This is the sort of view I have arrived at with Digital Identity. Read on ...]
Digital identity is really just the conspicuous surface of a relationship we have with the Identity Provider (IdP). That relationship grows over time, starting from the evidence of identity (like the legislated "100 point" check in Australian banking) gathered at registration time, after which the IdP issues our identifier. But the identifier is really just a proxy for the relationship we have with a service provider, a relationship which can be deep and unfolding, and usually more complex than any identifier on its own would suggest. The original evidence of identity is just a boundary condition; it might be common across several relationships for a time, but it's really not what the ongoing relationship is all about.
So what can it mean to try and exercise a choice of identity? In business it's the Relying Party that bears most of the risk if an identity is wrong, and so it is that the Relying Party is very often the IdP, for then they can best manage their risk. And here the choice of business identity is moot. If you don't have an identity that meets the RP's needs, then they have the prerogative to turn you away. Think about a store that doesn't accept Diners Club; do you have any prospect of negotiating with them to pay by Diners if that's your choice of card? Can it make any difference to the store owner that you might have extra credentials to present in real time?
However, in social dealings, identity is different. Here we do narrate our own life stories, we curate our own identities.
What's going on here? How do we reconcile these contradictions across our plurality of identities? It might help to describe two different orders of Digital Identity:
- Expressed Identities that we control for ourselves and exercise in social circles, and
- Impressed Identities that are bestowed upon us by employers, businesses and government. We have little or no control over how the Impressed identities are created, save for the ultimate power to simply decline a job, a bank account or a passport if we don't like the conditions that go with them.
And every now and then, Expressed and Impressed identities come into conflict, never more viscerally than in what I call the High School Reunion Effect. Most of us have probably experienced the psychic dislocation of meeting old school friends for the first time in decades at a reunion. You've changed; they've changed; our current lives and contexts are unknown and unknowable to our old peers. Instead the group context is frozen in time, and we all struggle to relate to one another according to old identities, while editing ourselves to reflect the new individuals that we have become in new contexts. But here's the thing: our old identities actually return, to varying degrees, impressed by how the group as a whole used to be. So identity is plastic.
High school reunions showcase the dynamic mixture of Impressed and Expressed identities. The way we choose to express ourselves is molded, up to a point, to fit an inter-personal context impressed upon us by a community.
Another example - of greater practical importance - of the tension between impressed and expressed identity is the "Real Name" policies of Google and Facebook. Here we saw a mighty clash of the rights of people to define how they are known in distinct spheres, and the interests of network operators to "know" their users for commercial purposes. Perhaps that type of conflict would be better understood if we saw how different orders of identity have different degrees of freedom? Identity is literally relative.
And then there is the Bring Your Own Identity movement, another battle ground where competing intuitions about identity are playing out. Here the claimed right to use whatever identification method one likes butts up against the enterprise's need to set its own standards for authentication technology and identification risk management. Some BYOI advocates say this is not just about user convenience; businesses may save serious money through BYOI because it will save them from issuing their own IDs, just as BYOD is thought to reduce device support costs. But in most cases, the cost to the business of mapping and interfacing all the expressed identities that users might elect to bring simply exceeds the cost of the organisation impressing IDs for itself.
Digital Identity is a heady intersection of social, technological, business and political frames of reference. Our intuitions - not surprisingly really - can fail us in cyberspace. I reckon progress in NSTIC and similar initiatives will depend on us appreciating that identity online isn't always what it seems.
Those who wish to implement a third party identity provider system have a problem. As you state, identity is a surface characteristic associated with relationships. Another way of thinking about identity is to visualise identity in a network. The vertices of the network are individuals or organisations. The edges, or connections, between the vertices are relationships. In such a model identity is a property of an edge - not a vertex. As such there are two parties involved and they have to agree on how they identify each other. Google can insist that it will not have a relationship with a person unless they know who they are, however Google should not force a condition on a relationship between other parties using Google+. The BYOI is a starting point in the establishment of the identity of a relationship but because identity is a property of the relationship then a label on the vertex is not sufficient for an identity. This means that identity is established for each new relationship. The insistence of systems designers on ignoring this means that efforts, such as Australia's healthid, are going to result in very expensive systems to run and operate because the system does not reflect the underlying reality of relationships and identity.
Kevin, interesting. If identity is a link on a graph joining the Subject and Relying Party, then in general there should actually be two links per pair: one where A identifies itself to B and the other where B identifies itself to A.
If my idea of Expressed vs Impressed identity has validity, then we can think of Expressed identity as A revealing itself to B in a way determined more or less by A, and Impressed identity as A revealing itself to B in a way determined by B.
As for Australia's health ID efforts, for individuals and providers, I agree it's a basket case, but maybe for different reasons from you. Fundamentally I have no problem with health authorities impressing a unique UHID on us ... if that UHID is carefully managed via privacy enhancing, replay-resistant smart technologies, and if the UHID is not necessarily universal. It must co-exist alongside other unlinked optional identifiers, used for example in:
- insurance, private and public
- local clinical practice
- workplace PEHR
- sensitive segmented clinical domains like mental health
- research & clinical trials, and
- medical social networking.
A few of these would be expressed identities, but it makes sense to me that most health IDs be impressed.