
Re: "Identity" - is a modal notion and the matrix

From: Timothy Holborn <timothy.holborn@gmail.com>
Date: Fri, 02 Jun 2017 08:10:35 +0000
Message-ID: <CAM1Sok05gESt6MsG5Z+rHPy4dbdUwfOE77jw4faTXCs2sFmb_g@mail.gmail.com>
To: Joe Andrieu <joe@joeandrieu.com>, public-credentials@w3.org
Who were the identified contributors to the work that went to WG?

Did it reflect the contributors involved over the entire lifecycle or more
simply, the most recent version...?

I think an open letter on digital identity for citizens to use to send to
their elected Parliamentarians is a better pathway.

If change occurs it can happen by having changes made to existing
technology in a sooner timeframe than is proposed to be available by making
new technology to solve this problem believed to be the result of a
technical flaw.


On Fri., 2 Jun. 2017, 5:55 pm Joe Andrieu, <joe@joeandrieu.com> wrote:

> For what it's worth, I fear I've triggered the tar pit that many of
> us were trying to avoid.
> My initial request was simply to avoid demonizing identity and instead
> be rigorous when we use the term. That begs the question of what such
> rigor would mean, which, inevitably, triggers the impassioned arguments.
> I did not provide a definition. Instead I laid a framework for distinguishing
> between two different, valid ways for engineers to approach identity:
> (a) compositionally--identity as the collection of attributes related to an entity
> (b) functionally--identity based on how it works and how we use it
> I will shortly provide a definition, but I want to ground the thread in my
> belief that, as engineers, these are the two productive ways to view
> identity when the goal is to designing and building identity systems.
> (Or, in our case, to design systems that impact identity.)
> There are other ways to view identity: political, cultural,
> psychological, even meta-physical perspectives. These are the root
> of many of the impassioned arguments. They are important. Not just
> valid. IMPORTANT. However, while they may drive important trade-offs
> in design decisions--in the WHY of any given system choice--they do not
> help one communicate or understand HOW an identity systems works.
> Historically, we--meaning engineers--have treated identity compositionally,
> as if it were a thing that we could represent in attributes. Attributes that
> could be stored, shared, protected, regulated. This is defined explicitly
> in the ISO standard.
> My assertion is that treating identity this way is the root of many problems
> in today's identity systems, and that thinking about how identity functions
> may be a more fruitful path forward.
> The definition I'm going to present may not be the best one, but it is one
> based on its function. I'd love to hear other suggested functional
> definitions.
> I am sure there is room for improvement.
> But I also know, not only from my own experience, but from the empirical
> and academic record that designing systems based on how they should
> function--rather than simply modeling the data the system contains--is
> a legitimate and productive way to approach complex system design.
> I think it provides a better approach than limiting the definition to
> the static notion of attributes. You can disagree with me on that and still
> work with me to define a common framework for thinking about
> identity functionally. If there were a viable identity system, *both* definitions
> should hold merit. I argue the compositional model is incomplete. I ask
> you to indulge me and help define a functional model, then we can
> compare which teaches us more about how such systems can be and
> eventually should be built.
> FWIW, I don't expect to do this work *within* the VCWG or even the
> community group. I'll be writing and publishing elsewhere. I'll share
> that work as it occurs in case it might prove helpful.
> Here's my definition of Identity:
> Identity is how we keep track of people and things and, in turn how they
> keep track of us.
> That’s it. We learn people’s names, we observe them and hear gossip
> and consume media. We then apply that sense of who they are to our
> dealings with them. Others do the same in return.
> In ICT systems, we assign identifiers, we accumulate observations, we
> correlate those observations with entities, we make conclusions based
> on those observations and we apply those conclusions in interactions
> with those same entities.
> In other contexts, we give people name tags, we share business cards,
> and we wear bracelets. All to facilitate keeping track of each other.
> This simple definition is surprisingly provocative. It triggers associations
> with Big Brother and the surveillance state. It brings up ideas about
> embedded chips and tattooed serial numbers. It conjures fears of
> government or corporations constantly tracking what we do.
> Which is ok, because, in fact, those are the most feared abuses of
> identity. It’s important to realize when we talk about identity that we are
> always talking about how we keep track of people. It is important to
> understand how identity systems limit or avoid (a) tracking
> EVERYTHING about (b) everyone and sharing that with (c) anyone.
> What functional identity doesn't do is attempt to define what identity
> *is*; it focuses on what it does for us and how we use it.
> Organizations and people are going to use identity to keep track of
> people and things no matter what we do. Fixating on sets of attributes
> ignores the ways that we use identity information, whereas focusing on
> the function of identity affords significant visibility into both potential
> harms and techniques for enhancing or limiting that functionality.
> In contrast, attributes themselves aren't harmful (they are inert data) and
> not only have we shown they are almost impossible to contain, we
> know that the correlation of identities across contexts can occur based
> on so many different observations that even if we could contain a specific
> set of attributes, we still could not prevent re-identification even in
> "anonymized" data sets. In short: even the most rigorous attribute
> management system cannot prevent undesired identification. Conclusion:
> identity *must* be more than just the attributes in an ICT system related
> to an entity.
> This is at the core of my motivation to move beyond attributes. Clearly
> our identities can be compromised even with the most thorough
> attention paid to protecting attributes. Attributes simply are not enough
> to capture the scope of identity.
> As I described in the subjective notion of identity, not only can we not
> adequately record the subjective sense of, for example, "Joe Andrieu"
> in the minds of everyone who knows me, there is no way to control
> those subjective notions nor a way to prevent people from using those
> notions in their considerations of how to deal with me. So even if
> we could magically conceptualize the platonic form of forms that
> collectively represents "Joe Andrieu" we still would be lacking any
> understanding about how that notion functions: how it is used by actual
> people. And it is in that use that harms occur.
> To respond to a few anchoring bits amidst the thread without
> slight to the other thoughtful comments:
> On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
> Yes, it looks like Joe's definition is one of what makes a thing the thing
> it is.
> On 1 Jun 2017, at 20:08, Steven Rowat <steven_rowat@sunshine.net> wrote:
> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>  Identity is innately
> trans-system. Any given "digital identity" may not be, but our real
> world "identity" absolutely is. By its very nature. We have an identity
> completely independent of any system or authority.
> This I suppose is behind Heraclitus' statement that
> "You could not step twice into the same river."
> It is also the old question of how much change one can make to something
> and it still be the same thing, as the old paradox of Theseus' Ship makes clear:
> https://www.wikiwand.com/en/Ship_of_Theseus
> Actually, I think the functional definition makes the question of Theseus's
> ship moot. That question is grounded in the compositional notion that
> the identity of "Theseus's ship" is initially based on the components
> of his initial ship. A functional definition would ask whether or not the ship
> in question was recognized as the same ship throughout its tenure. If the
> current ship is recognized as the same ship, then, functionally, it has the
> identity of "Theseus's ship". Whether or not it *is* the same ship is
> philosophical and not relevant to engineering and identity systems.
> From what I understand, the basis for Steven Rowat's argument about
> "essences" follows that same compositional notion. The functional model
> doesn't care. If a person is recognized as an individual, then as long as
> the recognition holds, they have that identity. Whether or not they *are*
> in fact that person is a meta-physical, psychological, or philosophical
> question, which I'm intentionally taking off the table so we engineers can
> figure out what we are trying to build together.
> On 1 Jun 2017, at 11:08 AM, Steven Rowat <steven_rowat@sunshine.net> wrote:
> I believe Joe and Henry are talking past each other in a fundamental
> way that might be a good example of the tar-pit that Manu likes to
> talk of.
> Yes. And I apologize for the distraction. Hopefully we can get this out of
> our systems and let the list get back to technical discussions in short
> order.
> Joe's position (in my words, using Henry's terminology)
> I believe Joe is most concerned with the fact that a given thing
> (person) is unique in the world. And that any collection of labels
> that relate to that person is part of an assumed superset relating to
> them, and "Identity" is the whole superset. How much of the superset
> we see at one time varies, but it exists because the person exists.
> I'm not sure I care about uniqueness. I don't think that's actually relevant for a
> functional model of identity. Certainly, identities can become confused. Such
> is the fodder for much comedy throughout literature and media. I wouldn't say
> that such confusion--or ambiguity if the identity is simply limited in its specificity--
> means we aren't dealing with identity.
> I will also say that while the superset could conceptually be constructed in an
> all-knowing thought experiment, any essential identity ultimately resides in
> the minds' eyes of the beholders who recognize a thing. What's in my head is
> inevitably different than what is in someone else's, even if we both are aware of
> all the attributes ever recorded in any ICT system.
> Hence, while we could discuss the uber-set of all such mental notions, it is not
> clear that would ever be a superset of which some of us share subsets, as
> much as a collection of distinct notions. To get philosophical, we can't even
> know if your sense of "red" is the same as mine; it would seem unlikely that
> we could ever know if your sense of me is the same as anyone else's.
> On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
> On 01/06/2017 17:06, Joe Andrieu wrote:
> On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
> On 01/06/2017 07:48, Joe Andrieu wrote:
> If we mean "digital identity", then say it. Don't confuse it with
> "identity".
> The objections to "identity" are often because of conflation of the two.
> We discuss A when we mean B. We discuss "identity" when what we really
> mean is "the isolated domain-specific digital identity that only applies
> to this particular ICT system".
> Ok, but I prefer to use the term identity information when referring to
> the information held about a person in an information system. If the IS
> is physical and paper based, then the identity information will be held
> in paper files. If the IS is an ICT system, then it will indeed be
> digital identity information that is stored there.
> I like the term "identity information". That's much clearer than referring
> to a collection of attributes as someone's identity.
> But I have never moved this discussion in the direction of talking about
> a single isolated ICT system, so I am not sure where you got that idea
> from. I said 'any and every ICT system'.
> The ISO standard does:
> An identity is the information used to represent an entity in an ICT
> system.
> It certainly does not say that identity is cross-system.
> That would, IMO, be much more rigorous to say either:
> "A digital identity is the information used to represent an entity in an
> ICT system."
> Or "Identity information is used to represent an entity in an ICT system."
> However, our "real" identities are fundamentally external to any ICT
> system.
> I am "Joe Andrieu" whether it is in an ICT system or not.
> The problem is that these digital identities don't stay isolated.
> Of course they don't. Who said they did? Federated identity management
> has always been about sharing digital identity information.
> And yet, the ISO definition of "identity" is anchored in "an ICT system". The
> whole point of federation is to match the identity information in one system
> with the identity information in another. The nature of the problem is that
> these are *distinct* sets of identity information, distinct digital identities, for
> which some sense of equivalence is sought. That equivalence becomes
> a shared sense of identity--and it almost never includes a transference of all
> related attributes. Even the ISO "identity" of a system isn't transferred during
> federation. Some subset of identifying information is. And yet, that shared
> sense of identity will still never match the entirety of any given individual's
> identity. The ISO definition conflates the shared sense of identity,
> the ineffable subjective collective sense of identity, and the identity information
> in an ICT system when it refers to this last item as "identity". This is
> the problem.
> Similarly, rights and privileges tied to our real identities are often ignored
> or dismantled because *in a given system* it didn't seem relevant
> to the engineers who designed and built it. Identity is innately
> trans-system. Any given "digital identity" may not be, but our real
> world "identity" absolutely is. By its very nature. We have an identity
> completely independent of any system or authority.
> Your last sentence conflicts with your other sentences in 'Identity
> Crisis' in which you state 'identity is an emergent phenomenon that does
> not have an existence independent of the observer'
> So which is it? Is identity completely independent or rather does not
> have an existence independently?
> I can see how that is confusing. However, both are accurate.
> Identity exists in the minds of observers, which is independent of
> any authority. No single observer has the authority to decide their
> version of my identity is authoritative, except to themselves, which
> really is just a matter of the sovereignty of our own minds. Even *I*
> don't have that authority. This was actually one of my rants against
> many early testimonies about the awesome power of self-sovereign
> identities. Nobody controls anyone else's subjective state. We can
> influence, but that state is innately independent of outside authority.
> I don't think I know anyone who regards identity information as being
> specific to a single ICT system. Certainly everyone in the FIM world
> knows that identity information is meant for sharing. And people in the
> privacy world know that PII is allowed to be shared providing it stays
> within the rules. The GDPR is there to ensure the rules are obeyed,
> otherwise unscrupulous data controllers would share it in ways it was
> never intended for. Even the VC work does not believe in the full and
> free sharing of PII, rather it should be under the control of the
> holder. So there is no conflict between ISO, GDPR and VC work as far as
> I can see.
> On the contrary, identity information need not EVER be shared. It is
> not *meant* to be shared. It is meant to provide a given system with
> the information it needs to customize services in relation to a given
> entity.
> Not even ISO presumes that identity information is designed to be shared.
> That's a privacy nightmare.
> In a federated system, yes, fundamentally, identity information is being
> shared, but that is what makes federation federation, NOT what makes
> identity information identity information. And when an individual's identity
> is treated as if it is entirely defined by the attributes in the system,
> we have fundamentally compromised human dignity by subjugating
> individuals to the tyranny of the data. Believe me, I've spent six months
> in Amazonian purgatory because the database was in error about my
> identity. No matter what Amazon thought, my *identity* was fundamentally
> *not* what was captured by their set of attributes.
> There is a growing awareness that PII is an insufficiently defined set to
> rigorously regulate anything. Even the GSA says "it requires a case-by-case
> assessment of the specific risk that an individual can be identified." [1]
> There isn't even agreement as to what the acronym stands for. [2]
> Unfortunately GDPR is too young to discern its true strengths and
> weaknesses. However, there are known flaws of the OECD
> privacy principles which helped inform EU privacy law and I expect are
> still lingering in GDPR. Namely, a complete lack of awareness that a data
> controller or data processor may also be the data subject. We ran into
> this in VRM conversations about personal data stores. The dominant
> paradigm assumes that, in essence, corporations have and control data
> about people and that people have certain rights in that situation. The
> world view remains firmly in the lens of our corporate overlords and how
> we protect the proletariat from their evils. In this world, like in ISO,
> "Identity" is something given to you, not something innately existing in
> the relationships that form social bonds.
> In short, *none* of these approaches to identity should be considered
> resolved or adequate. The primary drivers in the modern era have been
> corporations focused on securing their ability to profit from information.
> More recently, in the EU, the state has picked up its original charge in
> defining identity, acting as a force in the other direction, figuring out how
> to realize the EU constitutional right to privacy in the face of corporate
> data systems.
> [1] https://www.gsa.gov/portal/content/104256
> [2] https://en.wikipedia.org/wiki/Personally_identifiable_information
> aligned with the W3C mental
> model of security by domain isolation as a response to things like
> cross-site scripting hacks.
> I think you are confusing two separate issues, security vulnerabilities
> and data sharing. The Same Origin Policy is there to stop hackers
> linking systems that should not be linked, whereas FIM and token binding
> etc. are there to ensure that data can be shared safely and securely.
> Yes. Linking systems that should not be linked is how privacy is violated.
> It feels comfortable to consider contextual integrity as a security problem.
> Thinking of it in this manner leads to whitewashing information sharing
> through consent ceremonies that users can't understand for uses that
> are unexpected. There is a consistent perspective that within a given
> domain, privacy and identity are the purview of the domain controller.
> This is baked into the mental model of isolated systems sharing specific
> bits of "identity" under controlled terms--with near complete disregard
> for both the downstream sharing and the systemic effects on privacy and
> identity. The framing is that "if we solve privacy and identity within our
> isolated contexts, we'll have done the right thing."  But fundamentally,
> privacy and identity are greater than any isolated context. This is the
> disconnect that, IMO, is the core architectural flaw in how most
> contemporary systems deal with privacy and identity.
> If we want to make sure we don't undermine beneficial--or unwittingly
> enable undesired--aspects of real-world identity, we need to acknowledge
> that identity is inevitably more than the digital identity in
> any given system.
> I think we all realise that. No one has been arguing for the opposite.
> The ISO standard itself defines identity as merely the attributes related to
> an entity in an ICT system. So arguing for the ISO standard argues for
> that opposite.
> --
> That's all for now. I think I've said more than enough. I've appreciated
> the thoughtful responses and hope I've stretched some mental models.
> It'd be great if the idea of treating identity functionally rather than
> compositionally resonates enough to help us avoid the delicious yet
> distracting rabbit holes of philosophical, cultural, and political
> identity.
> As Manu suggested, I'll bring my perspective to comments and suggestions
> in actual specification text. That's where I think we can most concretely see
> if anything I'm suggesting has merit.
> -j
> --
> Joe Andrieu, PMP
> joe@joeandrieu.com
> +1(805)705-8651
> http://blog.joeandrieu.com
Received on Friday, 2 June 2017 08:11:23 UTC
