Re: "Identity" - is a modal notion and the matrix

From: David Chadwick <D.W.Chadwick@kent.ac.uk>
Date: Fri, 2 Jun 2017 22:30:50 +0100
To: christoph@christophdorn.com
Cc: public-credentials@w3.org
Message-ID: <7bef7987-6862-e03d-5f76-d1a7ece2af6b@kent.ac.uk>


On 02/06/2017 19:11, Christoph Dorn wrote:
> 
> On June 2, 2017 05:58:30 am PDT, "David Chadwick"
> <D.W.Chadwick@kent.ac.uk> wrote:
> 
>> My take on identity (or more properly the process of identifying an
>> entity) is that it is needed by everyone and everything for the
>> functional purpose of authorisation, which is the most generic of all
>> functions. It encapsulates all possible actions, including tracking
>> (from Joe's narrower definition). All actions need to be
>> authorised/controlled, thus they need to identify the actors.
>>
>> I identify you to decide whether I want to have or continue a
>> relationship with you (and not with someone else).
> 
> 
> The "functional" point of view being at the "root" seems to be
> consistent with Jordan Peterson's psychological perspective on Relevance
> Conception: Does something Help, Hinder or is it Irrelevant?
> 
> Quick overview: https://www.youtube.com/watch?v=bZXJ_6B07NY

Very good. I think we could all sometimes do with a dose of framing and
relevance to keep us on track with what we are trying to achieve with VCs.

regards
David

> 
> Christoph
> 
> 
>>
>> Governments identify us to decide if we are allowed to be citizens, drive
>> cars, have health care etc.
>>
>> Web services identify us to provide us with a service.
>>
>> I am hard pushed to find any use of 'identity' that does not have
>> authorisation as the base requirement.
>>
>> Examples that you might think are not related to authorisation, are
>> identifying celebrities, identifying inanimate objects, identifying
>> criminals from mug shots. Looking at each one of these in more detail:
>>
>> I identify celebrities to decide whether I want to follow them, read
>> about them, or ignore them etc. Each of my actions requires
>> authorisation, (by my brain) and thus I need to identify who is the
>> person in the magazine to decide whether to read further about them or
>> turn the page and ignore them.
>>
>> I identify inanimate objects to decide whether to ignore them, pick them
>> up, switch them on etc. If I cannot identify one object from another
>> then I cannot decide what to do with it (i.e. an access control
>> decision).
>>
>> I see a picture of a criminal on a police wanted poster. I identify him
>> to decide whether to phone the police or not when I see a stranger
>> walking down the street who may or may not match the mugshot.
>>
>> So I strongly believe that we identify entities in order to authorise
>> actions by them or on them (depending upon whether they are the subject
>> or object of the action).
>>
>> I would be pleased to hear from anyone who can specify a purpose of
>> identity/identification that does not involve authorisation.
>>
>> regards
>>
>> David
>>
>> On 02/06/2017 11:07, Henry Story wrote:
>>> If you favor a functional answer then you are not far from also coming
>>> to see
>>> the relevance of a logical one, and also of a pragmatic one. The
>>> relations between functions and types is made clear in the "new"
>>> foundational maths called Homotopy Type Theory. (The key book is online
>>> here https://homotopytypetheory.org/ and even compilable from github
>>> if you want the latest version with all the corrections. The first two
>>> chapters
>>> are very readable for someone with computing experience.)
>>>
>>> This is built on type theory, which takes functions as the basic
>>> entity relating types. But where other maths assume identity problems
>>> to be relatively easy, HoTT develops this into the core of the
>>> theory. To specify a type of an
>>> object is to specify
>>> ways of finding when two objects of that type are identical. This is
>>> constructive mathematics so in their examples they mostly use
>>> mathematical objects. I think one can move to thinking about physical
>>> objects if one
>>> starts
>>> with the space of all possibilities and things of various types in that
>>> space.
>>>
>>> The intuition one should take back from HoTT is that types require a
>>> specification
>>> of the identity of an object, so that one can specify when two things
>>> are equal.
>>> Eg, two sets are equal if they contain the same elements.
>>>
>>> When is a ship the same from one moment to the next, is by the way not
>>> a problem without pragmatic consequences. If identity of a person
>>> were a material one then eating a burger would be a way to get out of
>>> a murder
>>> charge. To understand people as processes that keep their identity
>>> through
>>> change is important for contracts to work, to also be able to pardon
>>> people ("he is now a changed man"), etc... I think it is this thought of
>>> identity in change
>>> that gets people hung up, as they keep thinking what is it that
>>> remains the
>>> same from instant to instant - they think of the essence of something as
>>> another thing that is always there, and so they start looking for the
>>> soul as a
>>> physical entity.
>>> In constructive mathematics one can name a type by showing how to
>>> construct elements
>>> of it. With objects in physical space other criteria may be needed which
>>> are more
>>> likely to latch on for natural kinds, how the things themselves
>>> function, how they
>>> evolved, how they survived, etc...
>>>
>>> So yes, we can be functional. If a human person is a process then for
>>> example it is a certain type of process, a biological one, that
>>> starts at a certain time
>>> and goes
>>> through a huge number of transformations. As I pointed out one can choose
>>> other types to identify a person: a citizen perhaps would allow
>>> aliens from other planets to be citizens and so could not be reduced
>>> to humans. One
>>> can then have a partial map from citizens to  humans. Good modeling
>>> here would require that one notice that a person can be the citizen
>>> of more than one nation and indeed even change citizenship.
>>>
>>> As a human being is a process that interacts with other processes
>>> there will
>>> be an infinite number of ways of identifying it indirectly, through
>>> causal relations
>>> it has with any other number of things, from being the person who
>>> created a
>>> document at a time to being the person who helped save someone's life.
>>>
>>> In description logic (and hence in OWL and RDF) one can describe types
>>> by their relations to other types, and individuals by relations
>>> between them
>>> and other things. So we slowly end up at the semantic web if we want
>>> to think about this in relation to the global information system that
>>> the
>>> web is.
>>>
>>> As for your comments on identity being completely in the head, that
>>> is the private language fallacy that Wittgenstein spent a lot of time
>>> analyzing and dismantling in his "Philosophical Investigations".
>>> Language
>>> is by nature not private, or else all communication would be impossible.
>>> Language is also by nature one that requires that those playing the
>>> game of talking and listening abide by the logical consequences of
>>> what they
>>> say (see "Between Saying and Doing - Towards an Analytic Pragmatism"
>>> by Robert B. Brandom
>>>
>>> https://global.oup.com/academic/product/between-saying-and-doing-9780199542871
>>> )
>>>
>>> This means of course being able to bring different propositions
>>> together, combining
>>> them and being able to arrive at conclusions. Ie. merging propositions
>>> and reasoning is the nature of a linguistic system.  If one needs to
>>> limit who can
>>> read some information there
>>> are other ways to do that: such as access control or legal requirements
>>> on usage of information.
>>>
>>> Now to come back to the Lana Wachowski, director of The Matrix, talk
>>> on Identity, Privacy  and Anonymity here
>>> https://youtu.be/crHHycz7T_c?t=317
>>>
>>> What Lana Wachowski is against is subdivision of Humans into two
>>> exclusive types, and the assignation of strict roles to those types.
>>> That is
>>> clearly a modelling
>>> error, a simplification that is easy to do, but that does not capture
>>> reality correctly
>>> and so leaves people deaf to the problem of those who don't fit the
>>> categories.
>>>
>>> But that is not an argument against types, just one against a particular
>>> set of
>>> types, and a particular set of distinctions. She does make the point
>>> well that
>>> anonymity is then very useful - though what she means is not
>>> anonymity but
>>> pseudonymity, as her hairdresser for example has no difficulty
>>> identifying her,
>>> and knew a lot about her, except that she was the director of the
>>> Matrix. She was
>>> able to live a life where people did not know the relation between one
>>> aspect of
>>> her life and the other. Of course there is no way she could completely
>>> control
>>> the leakage of information (as we know from how much has been leaked
>>> through
>>> Wikileaks).
>>>
>>> So my conclusions:
>>>  • language is for communication (but that does not mean one has to
>>>    shout everything off the rooftop)
>>>  • types come with identity criterion (when are two things in that type
>>>    the same thing? With abstract objects from Maths this may be part of
>>>    the structure of the thing, with physical objects it may actually be
>>>    discovered later)
>>>  • the open world assumption that is part of the web allows the same
>>>    object to have an indefinite number of names, and also to be
>>>    described using anonymous nodes. It is the relation between
>>>    things that count.
>>>
>>> I could also argue that anonymity is not the only good in the system.
>>> Pure anonymity makes
>>> discussion impossible. If I can't tell that I am speaking with the same
>>> person between sentences
>>> then I cannot even have a reasoned discussion. Pseudonymity allows one
>>> to re-identify someone
>>> over time which allows for a conversation to take place. Information by
>>> its nature is about relations.
>>> Think about functions as a specific type of relation.
>>>
>>> Henry
>>>
>>>
>>>
>>>> On 2 Jun 2017, at 09:54, Joe Andrieu <joe@joeandrieu.com
>>>> <mailto:joe@joeandrieu.com>> wrote:
>>>>
>>>> For what it's worth, I fear I've triggered the tar pit that many of
>>>> us were trying to avoid.
>>>>
>>>> My initial request was simply to avoid demonizing identity and instead
>>>> be rigorous when we use the term. That begs the question of what such
>>>> rigor would mean, which, inevitably, triggers the impassioned
>>>> arguments.
>>>>
>>>> I did not provide a definition. Instead I laid a framework for
>>>> distinguishing
>>>> between two different, valid ways for engineers to approach identity:
>>>> (a) compositionally--identity as the collection of attributes related
>>>> to an
>>>>        entity
>>>> (b) functionally--identity based on how it works and how we use it
>>>>
>>>> I will shortly provide a definition, but I want to ground the thread
>>>> in my
>>>> belief that, as engineers, these are the two productive ways to view
>>>> identity when the goal is to design and build identity systems.
>>>> (Or, in our case, to design systems that impact identity.)
>>>>
>>>> There are other ways to view identity: political, cultural,
>>>> psychological, even meta-physical perspectives. These are the root
>>>> of many of the impassioned arguments. They are important. Not just
>>>> valid. IMPORTANT. However, while they may drive important trade-offs
>>>> in design decisions--in the WHY of any given system choice--they do not
>>>> help one communicate or understand HOW an identity system works.
>>>>
>>>> Historically, we--meaning engineers--have treated identity
>>>> compositionally,
>>>> as if it were a thing that we could represent in attributes.
>>>> Attributes that
>>>> could be stored, shared, protected, regulated. This is defined
>>>> explicitly
>>>> in the ISO standard.
>>>>
>>>> My assertion is that treating identity this way is the root of many
>>>> problems in today's identity systems, and that thinking about how
>>>> identity
>>>> functions
>>>> may be a more fruitful path forward.
>>>>
>>>> The definition I'm going to present may not be the best one, but it is
>>>> one based on its function. I'd love to hear other suggested functional
>>>> definitions.
>>>> I am sure there is room for improvement.
>>>>
>>>> But I also know, not only from my own experience, but from the
>>>> empirical
>>>> and academic record that designing systems based on how they should
>>>> function--rather than simply modeling the data the system
>>>> contains--is a legitimate and productive way to approach complex
>>>> system design.
>>>>
>>>> I think it provides a better approach than limiting the definition
>>>> to the static notion of attributes. You can disagree with me on that
>>>> and
>>>> still
>>>> work with me to define a common framework for thinking about
>>>> identity functionally. If there were a viable identity system, *both*
>>>> definitions
>>>> should hold merit. I argue the compositional model is incomplete. I ask
>>>> you to indulge me and help define a functional model, then we can
>>>> compare which teaches us more about how such systems can be and
>>>> eventually should be built.
>>>>
>>>> FWIW, I don't expect to do this work *within* the VCWG or even the
>>>> community group. I'll be writing and publishing elsewhere. I'll
>>>> share that work as it occurs in case it might prove helpful.
>>>>
>>>> Here's my definition of Identity:
>>>>
>>>> Identity is how we keep track of people and things and, in turn how
>>>> they
>>>> keep track of us.
>>>>
>>>> That’s it. We learn people’s names, we observe them and hear gossip
>>>> and consume media. We then apply that sense of who they are to our
>>>> dealings with them. Others do the same in return.
>>>>
>>>> In ICT systems, we assign identifiers, we accumulate observations, we
>>>> correlate those observations with entities, we make conclusions based
>>>> on those observations and we apply those conclusions in interactions
>>>> with those same entities.
>>>>
>>>> In other contexts, we give people name tags, we share business cards,
>>>> and we wear bracelets. All to facilitate keeping track of each other.
>>>>
>>>> This simple definition is surprisingly provocative. It triggers
>>>> associations
>>>> with Big Brother and the surveillance state. It brings up ideas about
>>>> embedded chips and tattooed serial numbers. It conjures fears of
>>>> government or corporations constantly tracking what we do.
>>>>
>>>> Which is ok, because, in fact, those are the most feared abuses of
>>>> identity. It’s important to realize when we talk about identity that
>>>> we are
>>>> always talking about how we keep track of people. It is important to
>>>> understand how identity systems limit or avoid (a) tracking
>>>> EVERYTHING about (b) everyone and sharing that with (c) anyone.
>>>>
>>>> What functional identity doesn't do is attempt to define what
>>>> identity *is*; it focuses on what it does for us and how we use it.
>>>>
>>>> Organizations and people are going to use identity to keep track of
>>>> people and things no matter what we do. Fixating on sets of attributes
>>>> ignores the ways that we use identity information, whereas focusing on
>>>> the function of identity affords significant visibility into both
>>>> potential
>>>> harms and techniques for enhancing or limiting that functionality.
>>>>
>>>> In contrast, attributes themselves aren't harmful (they are inert
>>>> data) and
>>>> not only have we shown they are almost impossible to contain, we
>>>> know that the correlation of identities across contexts can occur based
>>>> on so many different observations that even if we could contain a
>>>> specific
>>>> set of attributes, we still could not prevent re-identification even in
>>>> "anonymized" data sets. In short: even the most rigorous attribute
>>>> management system cannot prevent undesired identification. Conclusion:
>>>> identity *must* be more than just the attributes in an ICT system
>>>> related
>>>> to an entity. This is at the core of my motivation to move beyond
>>>> attributes. Clearly
>>>> our identities can be compromised even with the most thorough
>>>> attention paid to protecting attributes. Attributes simply are not
>>>> enough
>>>> to capture the scope of identity.
>>>>
>>>> As I described in the subjective notion of identity, not only can we
>>>> not
>>>> adequately record the subjective sense of, for example, "Joe Andrieu"
>>>> in the minds of everyone who knows me, there is no way to control
>>>> those subjective notions nor a way to prevent people from using those
>>>> notions in their considerations of how to deal with me. So even if
>>>> we could magically conceptualize the platonic form of forms that
>>>> collectively represents "Joe Andrieu" we still would be lacking any
>>>> understanding about how that notion functions: how it is used by actual
>>>> people. And it is in that use that harms occur.
>>>>
>>>> To respond to a few anchoring bits amidst the thread without
>>>> slight to the other thoughtful comments:
>>>>
>>>> On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
>>>>> Yes, it looks like Joe's definition is one of what makes a thing the
>>>>> thing it is.
>>>>>
>>>>>> On 1 Jun 2017, at 20:08, Steven Rowat <steven_rowat@sunshine.net
>>>>>> <mailto:steven_rowat@sunshine.net>> wrote:
>>>>>>
>>>>>> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>>>>>>>  Identity is innately
>>>>>>> trans-system. Any given "digital identity" may not be, but our real
>>>>>>> world "identity" absolutely is. By its very nature. We have an
>>>>>>> identity
>>>>>>> completely independent of any system or authority.
>>>>>
>>>>> This I suppose is behind Heraclitus' statement that "You could not
>>>>> step twice into the same river."
>>>>>
>>>>> It is also the old question of how much change one can make to
>>>>> something and it still be the same thing, as the old paradox of
>>>>> Theseus Ship makes clear https://www.wikiwand.com/en/Ship_of_Theseus
>>>>
>>>> Actually, I think the functional definition makes the question of
>>>> Theseus's
>>>> ship moot. That question is grounded in the compositional notion that
>>>> the identity of "Theseus's ship" is initially based on the components
>>>> of his initial ship. A functional definition would ask whether or not
>>>> the ship
>>>> in question was recognized as the same ship throughout its tenure.
>>>> If the current ship is recognized as the same ship, then,
>>>> functionally, it
>>>> has the
>>>> identity of "Theseus's ship". Whether or not it *is* the same ship is
>>>> philosophical and not relevant to engineering an identity system.
>>>>
>>>> From what I understand, the basis for Steven Rowat's argument about
>>>> "essences" follows that same compositional notion. The functional model
>>>> doesn't care. If a person is recognized as an individual, then as
>>>> long as
>>>> the recognition holds, they have that identity. Whether or not they
>>>> *are*
>>>> in fact that person is a meta-physical, psychological, or philosophical
>>>> question, which I'm intentionally taking off the table so we engineers
>>>> can
>>>> figure out what we are trying to build together.
>>>>
>>>>>> On 1 Jun 2017, at 11:08 AM, Steven Rowat <steven_rowat@sunshine.net
>>>>>> <mailto:steven_rowat@sunshine.net>> wrote:
>>>>>>
>>>>>> I believe Joe and Henry are talking past each other in a fundamental
>>>>>> way that might be a good example of the tar-pit that Manu likes to
>>>>>> talk of.
>>>>
>>>> Yes. And I apologize for the distraction. Hopefully we can get this
>>>> out of
>>>> our systems and let the list get back to technical discussions in
>>>> short order.
>>>>
>>>>>> Joe's position (in my words, using Henry's terminology)
>>>>>> I believe Joe is most concerned with the fact that a given thing
>>>>>> (person) is unique in the world. And that any collection of labels
>>>>>> that relate to that person is part of an assumed superset relating to
>>>>>> them, and "Identity" is the whole superset. How much of the superset
>>>>>> we see at one time varies, but it exists because the person exists.
>>>>
>>>> I'm not sure I care about uniqueness. I don't think that's actually
>>>> relevant for a
>>>> functional model of identity. Certainly, identities can become
>>>> confused. Such
>>>> is the fodder for much comedy throughout literature and media. I
>>>> wouldn't say
>>>> that such confusion--or ambiguity if the identity is simply limited in
>>>> its specificity--
>>>> means we aren't dealing with identity.
>>>>
>>>> I will also say that while the superset could conceptually be
>>>> constructed in an
>>>> all-knowing thought experiment, any essential identity ultimately
>>>> resides in
>>>> the minds' eyes of the beholders who recognize a thing. What's in my
>>>> head is inevitably different than what is in someone else's, even if
>>>> we both
>>>> are aware of
>>>> all the attributes ever recorded in any ICT system.
>>>>
>>>> Hence, while we could discuss the uber-set of all such mental notions,
>>>> it is not
>>>> clear that would ever be a superset of which some of us share
>>>> subsets, as
>>>> much as a collection of distinct notions. To get philosophical, we
>>>> can't even
>>>> know if your sense of "red" is the same as mine; it would seem
>>>> unlikely that
>>>> we could ever know if your sense of me is the same as anyone else's.
>>>>
>>>>
>>>> On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
>>>>> On 01/06/2017 17:06, Joe Andrieu wrote:
>>>>>
>>>>>     On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>>>>>
>>>>>         On 01/06/2017 07:48, Joe Andrieu wrote:
>>>>>
>>>>>     If we mean "digital identity", then say it. Don't confuse it with
>>>>>     "identity".
>>>>>
>>>>>     The objections to "identity" are often because of conflation of
>>>>>     the two.
>>>>>     We discuss A when we mean B. We discuss "identity" when what we
>>>>>     really
>>>>>     mean is "the isolated domain-specific digital identity that only
>>>>>     applies
>>>>>     to this particular ICT system".
>>>>>
>>>>>
>>>>> Ok, but I prefer to use the term identity information when
>>>>> referring to
>>>>> the information held about a person in an information system. If
>>>>> the IS
>>>>> is physical and paper based, then the identity information will be
>>>>> held
>>>>> in paper files. If the IS is an ICT system, then it will indeed be
>>>>> digital identity information that is stored there.
>>>>
>>>> I like the term "identity information". That's much clearer than
>>>> referring
>>>> to a collection of attributes as someone's identity.
>>>>
>>>>> But I have never moved this discussion in the direction of talking
>>>>> about
>>>>> a single isolated ICT system, so I am not sure where you got that idea
>>>>> from. I said 'any and every ICT system'.
>>>>
>>>> The ISO standard does:
>>>>
>>>>     An identity is the information used to represent an entity in an
>>>>     ICT system.
>>>>
>>>>
>>>> It certainly does not say that identity is cross-system.
>>>>
>>>> That would, IMO, be much more rigorous to say either:
>>>> "A digital identity is the information used to represent an entity in
>>>> an ICT system."
>>>>
>>>> Or "Identity information is used to represent an entity in an ICT
>>>> system."
>>>>
>>>> However, our "real" identities are fundamentally external to any ICT
>>>> system.  I am "Joe Andrieu" whether it is in an ICT system or not.
>>>>
>>>>>
>>>>>     The problem is that these digital identities don't stay isolated.
>>>>>
>>>>>
>>>>> Of course they don't. Who said they did? Federated identity management
>>>>> has always been about sharing digital identity information.
>>>>
>>>> And yet, the ISO definition of "identity" is anchored in "an ICT
>>>> system". The
>>>> whole point of federation is to match the identity information in one
>>>> system with the identity information in another. The nature of the
>>>> problem is
>>>> that
>>>> these are *distinct* sets of identity information, distinct digital
>>>> identities, for
>>>> which some sense of equivalence is sought. That equivalence becomes
>>>> a shared sense of identity--and it almost never includes a
>>>> transference of all
>>>> related attributes. Even the ISO "identity" of a system isn't
>>>> transferred during
>>>> federation. Some subset of identifying information is. And yet, that
>>>> shared
>>>> sense of identity will still never match the entirety of any given
>>>> individual's
>>>> identity. The ISO definition conflates the shared sense of identity,
>>>> the ineffable subjective collective sense of identity, and the
>>>> identity information
>>>> in an ICT system when it refers to this last item as "identity". This
>>>> is the problem.
>>>>
>>>>>
>>>>>     Similarly, rights and privileges tied to our real identities are
>>>>>     often
>>>>>     ignored
>>>>>     or dismantled because *in a given system* it didn't seem relevant
>>>>>     to the engineers who designed and built it. Identity is innately
>>>>>     trans-system. Any given "digital identity" may not be, but our
>>>>> real
>>>>>     world "identity" absolutely is. By its very nature. We have an
>>>>>     identity
>>>>>     completely independent of any system or authority.
>>>>>
>>>>>
>>>>> Your last sentence conflicts with your other sentences in 'Identity
>>>>> Crisis' in which you state 'identity is an emergent phenomenon that
>>>>> does
>>>>> not have an existence independent of the observer'
>>>>>
>>>>> So which is it? Is identity completely independent or rather does not
>>>>> have an existence independently?
>>>>
>>>> I can see how that is confusing. However, both are accurate.
>>>>
>>>> Identity exists in the minds of observers, which is independent of
>>>> any authority. No single observer has the authority to decide their
>>>> version of my identity is authoritative, except to themselves, which
>>>> really is just a matter of the sovereignty of our own minds. Even *I*
>>>> don't have that authority. This was actually one of my rants against
>>>> many early testimonies about the awesome power of self-sovereign
>>>> identities. Nobody controls anyone else's  subjective state. We can
>>>> influence, but that state is innately independent of outside authority.
>>>>
>>>>> I don't think I know anyone who regards identity information as being
>>>>> specific to a single ICT system. Certainly everyone in the FIM world
>>>>> knows that identity information is meant for sharing. And people in
>>>>> the
>>>>> privacy world know that PII is allowed to be shared providing it stays
>>>>> within the rules. The GDPR is there to ensure the rules are obeyed,
>>>>> otherwise unscrupulous data controllers would share it in ways it was
>>>>> never intended for. Even the VC work does not believe in the full and
>>>>> free sharing of PII, rather it should be under the control of the
>>>>> holder. So there is no conflict between ISO, GDPR and VC work as
>>>>> far as
>>>>> I can see.
>>>>
>>>> On the contrary, identity information need not EVER be shared. It is
>>>> not *meant* to be shared. It is meant to provide a given system with
>>>> the information it needs to customize services in relation to a given
>>>> entity.
>>>> Not even ISO presumes that identity information is designed to be
>>>> shared.
>>>> That's a privacy nightmare.
>>>>
>>>> In a federated system, yes, fundamentally, identity information is
>>>> being
>>>> shared, but that is what makes federation federation, NOT what makes
>>>> identity information identity information. And when an individual's
>>>> identity is treated as if it is entirely defined by the attributes
>>>> in the system,
>>>> we have fundamentally compromised human dignity by subjugating
>>>> individuals to the tyranny of the data. Believe me, I've spent six
>>>> months
>>>> in Amazonian purgatory because the database was in error about my
>>>> identity. No matter what Amazon thought, my *identity* was
>>>> fundamentally
>>>> *not* what was captured by their set of attributes.
>>>>
>>>> There is a growing awareness that PII is an insufficiently defined
>>>> set to rigorously regulate anything. Even the GSA says "it requires a
>>>> case-by-case
>>>> assessment of the specific risk that an individual can be identified."
>>>> [1]
>>>> There isn't even agreement as to what the acronym stands for. [2]
>>>>
>>>> Unfortunately GDPR is too young to discern its true strengths and
>>>> weaknesses. However, there are known flaws of the OECD
>>>> privacy principles which helped inform EU privacy law and I expect are
>>>> still lingering in GDPR. Namely, a complete lack of awareness that a
>>>> data
>>>> controller or data processor may also be the data subject. We ran into
>>>> this in VRM conversations about personal data stores. The dominant
>>>> paradigm assumes that, in essence, corporations have and control data
>>>> about people and that people have certain rights in that situation. The
>>>> world view remains firmly in the lens of our corporate overlords and
>>>> how
>>>> we protect the proletariat from their evils. In this world, like in
>>>> ISO,
>>>> "Identity" is something given to you, not something innately
>>>> existing in
>>>> the relationships that form social bonds.
>>>>
>>>> In short, *none* of these approaches to identity should be considered
>>>> resolved or adequate. The primary drivers in the modern era have been
>>>> corporations focused on securing their ability to profit from
>>>> information.
>>>> More recently, in the EU, the state has picked up its original
>>>> charge in
>>>> defining identity, acting as a force in the other direction, figuring
>>>> out how
>>>> to realize the EU constitutional right to privacy in the face of
>>>> corporate
>>>> data systems.
>>>>
>>>> [1] https://www.gsa.gov/portal/content/104256
>>>> [2] https://en.wikipedia.org/wiki/Personally_identifiable_information
>>>>
>>>>
>>>>>
>>>>>     aligned with the W3C mental
>>>>>     model of security by domain isolation as a response to things like
>>>>>     cross-site scripting hacks.
>>>>>
>>>>>
>>>>> I think you are confusing two separate issues, security
>>>>> vulnerabilities
>>>>> and data sharing. The Same Origin Policy is there to stop hackers
>>>>> linking systems that should not be linked, whereas FIM and token
>>>>> binding
>>>>> etc. are there to ensure that data can be shared safely and securely.
>>>>
>>>> Yes. Linking systems that should not be linked is how privacy is
>>>> violated.
>>>> It feels comfortable to consider contextual integrity as a security
>>>> problem.
>>>> Thinking of it in this manner leads to whitewashing information sharing
>>>> through consent ceremonies that users can't understand for uses that
>>>> are unexpected. There is a consistent perspective that within a given
>>>> domain, privacy and identity are the purview of the domain controller.
>>>> This is baked into the mental model of isolated systems sharing
>>>> specific
>>>> bits of "identity" under controlled terms--with near complete disregard
>>>> for both the downstream sharing and the systemic effects on privacy and
>>>> identity. The framing is that "if we solve privacy and identity within
>>>> our
>>>> isolated contexts, we'll have done the right thing."  But
>>>> fundamentally,
>>>> privacy and identity are greater than any isolated context. This is the
>>>> disconnect that, IMO, is the core architectural flaw in how most
>>>> contemporary systems deal with privacy and identity.
>>>>
>>>>>
>>>>>     If we want to make sure we don't undermine beneficial--or
>>>>> unwittingly
>>>>>     enable undesired--aspects of real-world identity, we need to
>>>>>     acknowledge
>>>>>     that identity is inevitably more than the digital identity in
>>>>>     any given system.
>>>>>
>>>>>
>>>>> I think we all realise that. No one has been arguing for the opposite.
>>>>
>>>> The ISO standard itself defines identity as merely the attributes
>>>> related to
>>>> an entity in an ICT system. So arguing for the ISO standard argues for
>>>> that opposite.
>>>>
>>>> -- 
>>>>
>>>> That's all for now. I think I've said more than enough. I've
>>>> appreciated
>>>> the thoughtful responses and hope I've stretched some mental models.
>>>> It'd be great if the idea of treating identity functionally rather than
>>>> compositionally resonates enough to help us avoid the delicious yet
>>>> distracting rabbit holes of philosophical, cultural, and political
>>>> identity.
>>>>
>>>> As Manu suggested, I'll bring my perspective to comments and
>>>> suggestions
>>>> in actual specification text. That's where I think we can most
>>>> concretely see
>>>> if anything I'm suggesting has merit.
>>>>
>>>> -j
>>>>
>>>> -- 
>>>> Joe Andrieu, PMP
>>>> joe@joeandrieu.com <mailto:joe@joeandrieu.com>
>>>> +1(805)705-8651
>>>> http://blog.joeandrieu.com
>>>>
>>>
>>
> 
> 
Received on Friday, 2 June 2017 21:31:28 UTC
