W3C home > Mailing lists > Public > public-credentials@w3.org > June 2017

Re: "Identity" - is a modal notion and the matrix

From: Henry Story <henry.story@bblfish.net>
Date: Fri, 2 Jun 2017 12:07:13 +0200
Message-Id: <DBE3D227-2F70-4E2F-A022-3098F6FFAF6C@bblfish.net>
Cc: public-credentials@w3.org
To: Joe Andrieu <joe@joeandrieu.com>
If you favor a functional answer then you are not far from also coming to see
the relevance of a logical one, and also of a pragmatic one. 

The relations between functions and types is made clear in the "new" 
foundational maths called Homotopy Type Theory. (The key book is online
here https://homotopytypetheory.org/ <https://homotopytypetheory.org/> and even compilable from github
if you want the latest version with all the corrections. The first two chapters
are very readable for someone with computing experience.)

This is a built on type theory, which takes functions as the basic entity relating types. 
But where other maths assume identity problems to be relatively easy, HoTT 
develops this into the core of the theory. To specify a type of an object is to specify
ways of finding when two objects of that type are identical. 

This is constructive mathematics so in their examples they mostly use mathematical 
objects. I think one can move to thinking about physical objects if one starts
with the space of all possibilities and things of various types in that space.

The intuition one should take back from HoTT is that types require a specification
of the identity of an object, so that one can specify when two things are equal.
Eg, two sets are equal if they contain the same elements.

When is a ship the same from one moment to the next, is by the way not
a problem without pragmatic consequences. If identity of a person were 
a material one then eating a burger would be a way to get out of a murder
charge. To understand people as processes that keep their identity through
change is important for contracts to work, to also be able to pardon people 
("he is now a changed man"), etc... I think it is this thought of identity in change
that gets people hung up, as they keep thinking what is it that remains the
same from instant to instant - they think of the essence of something as another 
thing that is always there, and so they start looking for the soul as a physical entity.
In constructive mathematics one can name a type by showing how to construct elements
of it. With object in physical space other criteria may be needed which are more
likely to latch on for natural kinds, how the things themselves function, how they
evolved, how they survived, etc...

So yes, we can be functional. If a human person is a process then for example it is a 
certain type of process, a biological one, that starts at a certain time and goes
through a huge number of transformation. As I pointed out one can choose other 
types to identify a person: a citizen perhaps would allow aliens from 
other planets to be citizens and so could not be reduced to humans. One can then have a 
partial map from citizens to  humans. Good modeling here would require that 
one notice that a person can be the citizen of more than one nation and 
indeed even change citizenship.

As a human being is a process that interacts with other processes there will
be an infinite number of ways of identifying it indirectly, though causal relations
it has with any other number of things, from being the person who created a
document at a time to being the person who helped save someone's life.

In description logic (and hence in OWL and RDF) one can describe types
by their relations to other types, and individual by relations between them
and other things. So we slowly end up at the semantic web if we want to 
think about this in relation to the global information system that the web is.

As for your comments on identity being completely in the head, that
is the private language fallacy that Wittgenstein spent a lot of time
analyzing and dismantling in his "Philosophical Investigations". Language
is by nature not private, or else all communication would be impossible.
Language is also by nature one that requires that those playing the
game of talking and listening abide by the logical consequences of what they
say (see "Between Saying and Doing - Towards an Analytic Pragmatism"
by Robert B. Brandom
 https://global.oup.com/academic/product/between-saying-and-doing-9780199542871 <https://global.oup.com/academic/product/between-saying-and-doing-9780199542871> )

This means of course being able to bring different propositions together, combining
them and being able to arrive at conclusions. Ie. merging propositions and reasoning 
is the nature of a linguistic system.  If one needs to limit who can read some information there
are other ways to do that: such as access control or legal requirements on usage 
of information.

Now to come back to the Lana Wachowski, director of The Matrix, talk on 
Identity, Privacy  and Anonymity here https://youtu.be/crHHycz7T_c?t=317 <https://youtu.be/crHHycz7T_c?t=317>

What Lana Wachowski is against is subdivision of Humans into two exclusive 
types, and the assignation of strict roles to those types. That is clearly a modelling
error, a simplification that is easy to do, but that does not capture reality correctly
and so leaves people deaf to the problem of those who don't fit the categories.

But that is not an argument against types, just one against a particular set of
types, and a particular set of distinctions. She does make the point well that
anonymity is then very useful - though what she means is not anonymity but
pseudonymity, as her hairdresser for example has no difficulty identifying her,
and knew a lot about her, except that she was the director of the Matrix. She was
able to live a life where people did not know the relation between one aspect of
her life and the other. Of course there is no way she could completely control
the leakage of information (as we know from how much has been leaked through
Wikileaks).

So my conclusions:
 • language is for communication (but that does not mean one has to shout everything off the rooftop)
 • types come with identity criterion (when are two things in that type the same thing? With abstract
  objects from Maths this may  be part of the structure of the thing, with physical objets it may 
  actually be discovered later)
 • the open world assumption that is part of the web allows the same objet to have an indefinite 
   number of names, and also to be described using anonymous nodes. It is the relation between
   things that count.

I could also argue that anonymity is not the only good in the system. Pure anonymity makes
discussion impossible. If I can't tell that I am speaking with the same person between sentences
then I cannot even have a reasoned discussion. Pseudonymity allows one to re-indentify someone
over time which allows for a conversation to take place. Information by its nature is about relations.
Think about functions as a specific type of relation.
 
Henry



> On 2 Jun 2017, at 09:54, Joe Andrieu <joe@joeandrieu.com> wrote:
> 
> For what it's worth, I fear I've triggered the tar pit that many of 
> us were trying to avoid.
> 
> My initial request was simply to avoid demonizing identity and instead
> be rigorous when we use the term. That begs the question of what such
> rigor would mean, which, inevitably, triggers the impassioned arguments.
> 
> I did not provide a definition. Instead I laid a framework for distinguishing
> between two different, valid ways for engineers to approach identity:
> (a) compositionally--identity as the collection of attributes related to an
>        entity
> (b) functionally--identity based on how it works and how we use it
> 
> I will shortly provide a definition, but I want to ground the thread in my 
> belief that, as engineers, these are the two productive ways to view 
> identity when the goal is to designing and building identity systems.
> (Or, in our case, to design systems that impact identity.)
> 
> There are other ways to view identity: political, cultural, 
> psychological, even meta-physical perspectives. These are the root
> of many of the impassioned arguments. They are important. Not just
> valid. IMPORTANT. However, while they may drive important trade-offs
> in design decisions--in the WHY of any given system choice--they do not 
> help one communicate or understand HOW an identity systems works.
> 
> Historically, we--meaning engineers--have treated identity compositionally,
> as if it were a thing that we could represent in attributes. Attributes that 
> could be stored, shared, protected, regulated. This is defined explicitly
> in the ISO standard.
> 
> My assertion is that treating identity this way is the root of many problems 
> in today's identity systems, and that thinking about how identity functions
> may be a more fruitful path forward.
> 
> The definition I'm going to present may not be the best one, but it is one 
> based on its function. I'd love to hear other suggested functional definitions.
> I am sure there is room for improvement.
> 
> But I also know, not only from my own experience, but from the empirical
> and academic record that designing systems based on how they should 
> function--rather than simply modeling the data the system contains--is 
> a legitimate and productive way to approach complex system design.
> 
> I think it provides a better approach than limiting the definition to 
> the static notion of attributes. You can disagree with me on that and still
> work with me to define a common framework for thinking about
> identity functionally. If there were a viable identity system, *both* definitions
> should hold merit. I argue the compositional model is incomplete. I ask
> you to indulge me and help define a functional model, then we can
> compare which teaches us more about how such systems can be and
> eventually should be built.
> 
> FWIW, I don't expect to do this work *within* the VCWG or even the
> community group. I'll be writing and publishing elsewhere. I'll share 
> that work as it occurs in case it might prove helpful.
> 
> Here's my definition of Identity:
> 
> Identity is how we keep track of people and things and, in turn how they 
> keep track of us.
> 
> That’s it. We learn people’s names, we observe them and hear gossip 
> and consume media. We then apply that sense of who they are to our 
> dealings with them. Others do the same in return. 
> 
> In ICT systems, we assign identifiers, we accumulate observations, we 
> correlate those observations with entities, we make conclusions based 
> on those observations and we apply those conclusions in interactions 
> with those same entities.
> 
> In other contexts, we give people name tags, we share business cards, 
> and we wear bracelets. All to facilitate keeping track of each other.
> 
> This simple definition is surprisingly provocative. It triggers associations 
> with Big Brother and the surveillance state. It brings up ideas about 
> embedded chips and tattooed serial numbers. It conjures fears of 
> government or corporations constantly tracking what we do.
> 
> Which is ok, because, in fact, those are the most feared abuses of 
> identity. It’s important to realize when we talk about identity that we are 
> always talking about how we keep track of people. It is important to 
> understand how identity systems limit or avoid (a) tracking 
> EVERYTHING about (b) everyone and sharing that with (c) anyone.
> 
> What functional identity doesn't do is attempt to define what identity 
> *is*; it focuses on what it does for us and how we use it.
> 
> Organizations and people are going to use identity to keep track of 
> people and things no matter what we do. Fixating on sets of attributes 
> ignores the ways that we use identity information, whereas focusing on 
> the function of identity affords significant visibility into both potential 
> harms and techniques for enhancing or limiting that functionality. 
> 
> In contrast, attributes themselves aren't harmful (they are inert data) and 
> not only have we shown they are almost impossible to contain, we 
> know that the correlation of identities across contexts can occur based 
> on so many different observations that even if we could contain a specific
> set of attributes, we still could not prevent re-identification even in 
> "anonymized" data sets. In short: even the most rigorous attribute
> management system cannot prevent undesired identification. Conclusion:
> identity *must* be more than just the attributes in an ICT system related
> to an entity. 
> 
> This is at the core of my motivation to move beyond attributes. Clearly 
> our identities can be compromised even with the most thorough 
> attention paid to protecting attributes. Attributes simply are not enough 
> to capture the scope of identity.
> 
> As I described in the subjective notion of identity, not only can we not
> adequately record the subjective sense of, for example, "Joe Andrieu"
> in the minds of everyone who knows me, there is no way to control
> those subjective notions nor a way to prevent people from using those
> notions in their considerations of how to deal with me. So even if
> we could magically conceptualize the platonic form of forms that 
> collectively represents "Joe Andrieu" we still would be lacking any 
> understanding about how that notion functions: how it is used by actual
> people. And it is in that use that harms occur.
> 
> To respond to a few anchoring bits amidst the thread without 
> slight to the other thoughtful comments:
> 
> On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
>> Yes, it looks like Joe's definition is one of what makes a thing the thing it is.
>> 
>>> On 1 Jun 2017, at 20:08, Steven Rowat <steven_rowat@sunshine.net <mailto:steven_rowat@sunshine.net>> wrote:
>>> 
>>> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>>>>  Identity is innately
>>>> trans-system. Any given "digital identity" may not be, but our real
>>>> world "identity" absolutely is. By its very nature. We have an identity
>>>> completely independent of any system or authority.
>> 
>> This I suppose is behind Heraclitus statement that 
>> "You could not step twice into the same river."
>> 
>> It is also the old question of how much change one can make to something and it still 
>> be the same thing, as the old paradox of Theseus Ship makes clear 
>> https://www.wikiwand.com/en/Ship_of_Theseus <https://www.wikiwand.com/en/Ship_of_Theseus>
> 
> Actually, I think the functional definition makes the question of Theseus's
> ship moot. That question is grounded in the compositional notion that 
> the identity of "Theseus's ship" is initially based on the components 
> of his initial ship. A functional definition would ask whether or not the ship 
> in question was recognized as the same ship throughout its tenure. If the 
> current ship is recognized as the same ship, then, functionally, it has the
> identity of "Theseus's ship". Whether or not is *is* the same ship is 
> philosophical and not relevant to engineering and identity system.
> 
> From what I understand, the basis for Steven Rowat's argument about 
> "essences" follows that same compositional notion. The functional model 
> doesn't care. If a person is recognized as an individual, then as long as 
> the recognition holds, they have that identity. Whether or not they *are* 
> in fact that person is a meta-physical, psychological, or philosophical 
> question, which I'm intentionally taking off the table so we engineers can 
> figure out what we are trying to build together.
> 
>>> On 1 Jun 2017, at 11:08 AM, Steven Rowat <steven_rowat@sunshine.net <mailto:steven_rowat@sunshine.net>> wrote:
>>> 
>>> I believe Joe and Henry are talking past each other in a fundamental 
>>> way that might be a good example of the tar-pit that Manu likes to
>>> talk of.
> 
> Yes. And I apologize for the distraction. Hopefully we can get this out of 
> our systems and let the list get back to technical discussions in short order.
> 
>>> Joe's position (in my words, using Henry's terminology) 
>>> I believe Joe is most concerned with the fact that a given thing
>>> (person) is unique in the world. And that any collection of labels
>>> that relate to that person is part of an assumed superset relating to
>>> them, and "Identity" is the whole superset. How much of the superset
>>> we see at one time varies, but it exists because the person exists.
> 
> I'm not sure I care about uniqueness. I don't think that's actually relevant for a 
> functional model of identity. Certainly, identities can become confused. Such
> is the fodder for much comedy throughout literature and media. I wouldn't say
> that such confusion--or ambiguity if the identity is simply limited in its specificity--
> means we aren't dealing with identity.
> 
> I will also say that while the superset could conceptually be constructed in an 
> all-knowing thought experiment, any essential identity ultimately resides in
> the minds' eyes of the beholders who recognize a thing. What's in my head is 
> inevitably different than what is in someone else's, even if we both are aware of
> all the attributes ever recorded in any ICT system. 
> 
> Hence, while we could discuss the uber-set of all such mental notions, it is not 
> clear that would ever be a superset of which some of us share subsets, as 
> much as a collection of distinct notions. To get philosophical, we can't even 
> know if your sense of "red" is the same as mine; it would seem unlikely that 
> we could ever know if your sense of me is the same as anyone else's.
> 
> 
> On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
>> On 01/06/2017 17:06, Joe Andrieu wrote:
>> On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>> On 01/06/2017 07:48, Joe Andrieu wrote:
>> If we mean "digital identity", then say it. Don't confuse it with
>> "identity".
>> 
>> The objections to "identity" are often because of conflation of the two.
>> We discuss A when we mean B. We discuss "identity" when what we really
>> mean is "the isolated domain-specific digital identity that only applies
>> to this particular ICT system".
>> 
>> Ok, but I prefer to use the term identity information when referring to
>> the information held about a person in an information system. If the IS
>> is physical and paper based, then the identity information will be held
>> in paper files. If the IS is an ICT system, then it will indeed be
>> digital identity information that is stored there.
> 
> I like the term "identity information". That's much clearer than referring 
> to a collection of attributes as someone's identity.
> 
>> But I have never moved this discussion in the direction of talking about
>> a single isolated ICT system, so I am not sure where you got that idea
>> from. I said 'any and every ICT system'.
> 
> The ISO standard does:
> An identity is the information used to represent an entity in an ICT system.
> 
> It certainly does not say that identity is cross-system.
> 
> That would, IMO, be much more rigorous to say either:
> "A digital identity is the information used to represent an entity in an ICT system."
> 
> Or "Identity information is used to represent an entity in an ICT system."
> 
> However, our "real" identities are fundamentally external to any ICT system.  
> I am "Joe Andrieu" whether it is in an ICT system or not.
> 
>> 
>> The problem is that these digital identities don't stay isolated.
>> 
>> Of course they dont. Who said they did? Federated identity management
>> has always been about sharing digital identity information.
> 
> And yet, the ISO definition of "identity" is anchored in "an ICT system". The 
> whole point of federation is to match the identity information in one system 
> with the identity information in another. The nature of the problem is that
> these are *distinct* sets of identity information, distinct digital identities, for 
> which some sense of equivalence is sought. That equivalence becomes
> a shared sense of identity--and it almost never includes a transference of all
> related attributes. Even the ISO "identity" of a system isn't transferred during 
> federation. Some subset of identifying information is. And yet, that shared 
> sense of identity will still never match the entirety of any given individual's 
> identity. The ISO definition conflates the shared sense of identity,
> the ineffable subjective collective sense of identity, and the identity information
> in an ICT system when it refers to this last item as "identity". This is the problem.
> 
>> 
>> Similarly, rights and privileges tied to our real identities are often
>> ignored
>> or dismantled because *in a given system* it didn't seem relevant
>> to the engineers who designed and built it. Identity is innately
>> trans-system. Any given "digital identity" may not be, but our real
>> world "identity" absolutely is. By its very nature. We have an identity
>> completely independent of any system or authority.
>> 
>> Your last sentence conflicts with your other sentences in 'Identity
>> Crisis' in which you state 'identity is an emergent phenomenon that does
>> not have an existence independent of the observer'
>> 
>> So which is it? Is identity completely independent or rather does not
>> have an existence independently?
> 
> I can see how that is confusing. However, both are accurate. 
> 
> Identity exists in the minds of observers, which is independent of 
> any authority. No single observer has the authority to decide their 
> version of my identity is authoritative, except to themselves, which 
> really is just a matter of the sovereignty of our own minds. Even *I*
> don't have that authority. This was actually one of my rants against 
> many early testimonies about the awesome power of self-sovereign 
> identities. Nobody controls anyone else's  subjective state. We can 
> influence, but that state is innately independent of outside authority.
> 
>> I dont think I know anyone who regards identity information as being
>> specific to a single ICT system. Certainly everyone in the FIM world
>> knows that identity information is meant for sharing. And people in the
>> privacy world know that PII is allowed to be shared providing it stays
>> within the rules. The GDPR is there to ensure the rules are obeyed,
>> otherwise unscrupulous data controllers would share it in ways it was
>> never intended for. Even the VC work does not believe in the full and
>> free sharing of PII, rather it should be under the control of the
>> holder. So there is no conflict between ISO, GDPR and VC work as far as
>> I can see.
> 
> On the contrary, identity information need not EVER be shared. It is 
> not *meant* to be shared. It is meant to provide a given system with 
> the information it needs to customize services in relation to a given entity.
> Not even ISO presumes that identity information is designed to be shared.
> That's a privacy nightmare.
> 
> In a federated system, yes, fundamentally, identity information is being 
> shared, but that is what makes federation federation, NOT what makes 
> identity information identity information. And when an individual's identity 
> is treated as if it is entirely defined by the attributes in the system,
> we have fundamentally compromised human dignity by subjugating 
> individuals to the tyranny of the data. Believe me, I've spent six months
> in Amazonian purgatory because the database was in error about my 
> identity. No matter what Amazon thought, my *identity* was fundamentally
> *not* what was captured by their set of attributes.
> 
> There is a growing awareness that PII is an insufficiently defined set to 
> rigorously regulate anything. Even the GSA says "it requires a case-by-case 
> assessment of the specific risk that an individual can be identified." [1] 
> There isn't even agreement as to what the acronym stands for. [2]
> 
> Unfortunately GDPR is too young to discern its true strengths and 
> weaknesses. However, there are known flaws of the OECD 
> privacy principles which helped inform EU privacy law and I expect are 
> still lingering in GDPR. Namely, a complete lack of awareness that a data 
> controller or data processor may also be the data subject. We ran into 
> this in VRM conversations about personal data stores. The dominant 
> paradigm assumes that, in essence, corporations have and control data 
> about people and that people have certain rights in that situation. The 
> world view remains firmly in the lens of our corporate overlords and how 
> we protect the proletariat from their evils. In this world, like in ISO, 
> "Identity" is something given to you, not something innately existing in 
> the relationships that form social bonds.
> 
> In short, *none* of these approaches to identity should be considered 
> resolved or adequate. The primary drivers in the modern era have been 
> corporations focused on securing their ability to profit from information. 
> More recently, in the EU, the state has picked up its original charge in 
> defining identity, acting as a force in the other direction, figuring out how 
> to realize the EU constitutional right to privacy in the face of corporate
> data systems.
> 
> [1] https://www.gsa.gov/portal/content/104256 <https://www.gsa.gov/portal/content/104256>
> [2] https://en.wikipedia.org/wiki/Personally_identifiable_information <https://en.wikipedia.org/wiki/Personally_identifiable_information>
> 
> 
>> 
>> aligned with the W3C mental
>> model of security by domain isolation as a response to things like
>> cross-site scripting hacks.
>> 
>> I think you are confusing two separate issues, security vulnerabilities
>> and data sharing. The Same Origin Policy is there to stop hackers
>> linking systems that should not be linked, whereas FIM and token binding
>> etc. are there to ensure that data can be shared safely and securely.
> 
> Yes. Linking systems that should not be linked is how privacy is violated. 
> It feels comfortable to consider contextual integrity as a security problem. 
> Thinking of it in this manner leads to whitewashing information sharing 
> through consent ceremonies that users can't understand for uses that 
> are unexpected. There is a consistent perspective that within a given 
> domain, privacy and identity are the purview of the domain controller. 
> This is baked into the mental model of isolated systems sharing specific 
> bits of "identity" under controlled terms--with near complete disregard 
> for both the downstream sharing and the systemic effects on privacy and 
> identity. The framing is that "if we solve privacy and identity within our 
> isolated contexts, we'll have done the right thing."  But fundamentally, 
> privacy and identity are greater than any isolated context. This is the 
> disconnect that, IMO, is the core architectural flaw in how most 
> contemporary systems deal with privacy and identity.
> 
>> 
>> If we want to make sure we don't undermine beneficial--or unwittingly
>> enable undesired--aspects of real-world identity, we need to acknowledge
>> that identity is inevitably more than the digital identity in
>> any given system.
>> 
>> I think we all realise that. No one has been arguing for the opposite.
> 
> The ISO standard itself defines identity as merely the attributes related to 
> an entity in an ICT system. So arguing for the ISO standard argues for 
> that opposite.
> 
> --
> 
> That's all for now. I think I've said more than enough. I've appreciated 
> the thoughtful responses and hope I've stretched some mental models. 
> It'd be great if the idea of treating identity functionally rather than 
> compositionally resonates enough to help us avoid the delicious yet 
> distracting rabbit holes of philosophical, cultural, and political identity.
> 
> As Manu suggested, I'll bring my perspective to comments and suggestions 
> in actual specification text. That's where I think we can most concretely see 
> if anything I'm suggesting has merit.
> 
> -j
> 
> --
> Joe Andrieu, PMP
> joe@joeandrieu.com <mailto:joe@joeandrieu.com>
> +1(805)705-8651
> http://blog.joeandrieu.com
> 
Received on Friday, 2 June 2017 10:07:56 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:38 UTC