Identity is not a thing

We think we’re talking about a thing when we refer to identity provisioning, or “Bring Your Own Identity”, or the “choice” of identity that’s axiomatic in NSTIC and similar federation proposals. The Laws of Identity encouraged us to think in terms of identity as a commodity, but at the same time the Laws cannily defined Digital Identity as a “set of claims” (that is, attributes of the identified Subject).

So identity is not a thing.

Rather, identity is a state of affairs: Identity is How I Am Known.

Digital identity is really just the conspicuous surface of a relationship we have with a service provider or counterparty. That relationship grows over time, starting from the evidence of identity gathered at registration time (classically a KYC check to open a bank account), after which we get an identifier. But identifiers are really just macros for the relationships we have with our service providers, which can be deep and unfolding, and often more complex than any identifier on its own would suggest. The original evidence of identity is just a boundary condition; it might be common across several relationships for a time, but it’s not actually what the ongoing relationship is all about.

So what can it mean to try and exercise a choice of identity? In business it’s the Relying Party that bears most of the risk if an identity is wrong, and so it is that the Relying Party is very often the “Identity Provider”, for then they can best manage their risk. And here the choice of business identity is moot. If you don’t have an identity that meets the RP’s needs, then they have the perogative to turn you away. Think about a store that doesn’t accept Diners Club; do you have any prospect of negotiating with them to pay by Diners if that’s your choice of card? Can it make any difference to the store owner that you might have extra credentials to present in real time?

However, in social dealings, identity is different. Here we do narrate the visible surface of own life stories, and thus curate our own identity (or identities, plural).

What’s going on here? How do we reconcile these contradictions of self determination in some cases, and all those counterparty interests across many other cases? I find it helps to describe two different orders of Digital Identity:

  • Expressed Identities that we control for ourselves and exercise in social circles, and
  • Impressed Identities that are bestowed upon us by employers, businesses, governments and the like. We have little or no control over how the Impressed identities are created, save for the ultimate power to simply decline a job, a bank account or a passport if we don’t like the conditions that go with them.
  • And every now and then, Expressed and Impressed identities come into conflict, never more viscerally than in what I call the High School Reunion Effect. Most of us have probably experienced the psychic dislocation of meeting old school friends for the first time in decades at a reunion. You’ve changed; they’ve changed; all our current lives and contexts are unknown to our peers of old. Instead, the group context is frozen in time as it was at school, and we all struggle to relate to one another according to old identities, while editing ourselves to reflect the new individuals that we have become. But here’s the thing: our old identities actually return, to varying degrees, impressed on us by how the group as a whole used to be. It’s a vivid demonstration of how identity is plastic, and how it’s shaped by different forces, some outside our control. High school reunions showcase the dynamic mixture of Impressed and Expressed identities. The way we choose to express ourselves is molded (to a point) to fit an inter-personal context impressed upon us by a community.

    Another example – of greater practical importance – of the tension between impressed and expressed identity is the “Real Name” policies of Google and Facebook. Here we saw a mighty clash of the rights of people to define how they are known in distinct spheres, and the interests of social network operators to “know” their users (to put it clinically, index them) for commercial purposes. Perhaps that type of conflict would be better understood if we saw how different orders of identity have different degrees of freedom? Identity is literally relative.

    And then there is the Bring Your Own Identity movement, another battle ground where competing intuitions about identity are playing out. Here the claimed right to use whatever identification method one likes butts up against the enterprise’s need to set its own standards for identification risk management. Some BYOI advocates say this is not just about user convenience; businesses may save serious money through BYOI because it will save them from issuing their own IDs, just as BYOD can reduce device support costs. But in most cases, the cost to the business of mapping and integrating all the expressed identities that users might elect to bring simply exceeds the cost of the organisation impressing IDs for itself.

    Digital Identity is a heady intersection of social, technological, business and political frames of reference. Our intuitions – not surprisingly really – can fail us in cyberspace. I reckon progress in NSTIC and similar initiatives will depend on us appreciating that identity online isn’t always what it seems.