Re: "Identity" - is a modal notion and the matrix from Joe Andrieu on 2017-06-02 (public-credentials@w3.org from June 2017)

From: Joe Andrieu <joe@joeandrieu.com>
Date: Fri, 02 Jun 2017 00:54:39 -0700
To: public-credentials@w3.org
Message-Id: <1496390079.2200920.996222392.06638692@webmail.messagingengine.com>
For what it's worth, I fear I've triggered the tar pit that many of 
us were trying to avoid.

My initial request was simply to avoid demonizing identity and instead
be rigorous when we use the term. That begs the question of what such
rigor would mean, which, inevitably, triggers the impassioned arguments.
I did not provide a definition. Instead I laid a framework for
distinguishingbetween two different, valid ways for engineers to approach identity:
(a) compositionally--identity as the collection of attributes
    related to an       entity
(b) functionally--identity based on how it works and how we use it

I will shortly provide a definition, but I want to ground the
thread in mybelief that, as engineers, these are the two productive ways to view 
identity when the goal is to designing and building identity systems.
(Or, in our case, to design systems that impact identity.)

There are other ways to view identity: political, cultural, 
psychological, even meta-physical perspectives. These are the root
of many of the impassioned arguments. They are important. Not just
valid. IMPORTANT. However, while they may drive important trade-offs
in design decisions--in the WHY of any given system choice--they do nothelp one communicate or understand HOW an identity systems works.

Historically, we--meaning engineers--have treated identity
compositionally,as if it were a thing that we could represent in attributes.
Attributes thatcould be stored, shared, protected, regulated. This is defined
explicitlyin the ISO standard.

My assertion is that treating identity this way is the root of
many problemsin today's identity systems, and that thinking about how identity
functionsmay be a more fruitful path forward.

The definition I'm going to present may not be the best one, but it is
onebased on its function. I'd love to hear other suggested functional
definitions.I am sure there is room for improvement.

But I also know, not only from my own experience, but from the empiricaland academic record that designing systems based on how they should 
function--rather than simply modeling the data the system contains--isa legitimate and productive way to approach complex system design.

I think it provides a better approach than limiting the definition to 
the static notion of attributes. You can disagree with me on that and
stillwork with me to define a common framework for thinking about
identity functionally. If there were a viable identity system, *both*
definitionsshould hold merit. I argue the compositional model is incomplete. I askyou to indulge me and help define a functional model, then we can
compare which teaches us more about how such systems can be and
eventually should be built.

FWIW, I don't expect to do this work *within* the VCWG or even the
community group. I'll be writing and publishing elsewhere. I'll share 
that work as it occurs in case it might prove helpful.

Here's my definition of Identity:

Identity is how we keep track of people and things and, in turn how theykeep track of us.

That’s it. We learn people’s names, we observe them and hear gossip 
and consume media. We then apply that sense of who they are to our 
dealings with them. Others do the same in return. 

In ICT systems, we assign identifiers, we accumulate observations, we 
correlate those observations with entities, we make conclusions based 
on those observations and we apply those conclusions in interactions 
with those same entities.

In other contexts, we give people name tags, we share business cards, 
and we wear bracelets. All to facilitate keeping track of each other.

This simple definition is surprisingly provocative. It triggers
associationswith Big Brother and the surveillance state. It brings up ideas about 
embedded chips and tattooed serial numbers. It conjures fears of 
government or corporations constantly tracking what we do.

Which is ok, because, in fact, those are the most feared abuses of 
identity. It’s important to realize when we talk about identity
that we arealways talking about how we keep track of people. It is important to 
understand how identity systems limit or avoid (a) tracking 
EVERYTHING about (b) everyone and sharing that with (c) anyone.

What functional identity doesn't do is attempt to define what identity*is*; it focuses on what it does for us and how we use it.

Organizations and people are going to use identity to keep track of 
people and things no matter what we do. Fixating on sets of attributesignores the ways that we use identity information, whereas focusing onthe function of identity affords significant visibility into both
potentialharms and techniques for enhancing or limiting that functionality. 

In contrast, attributes themselves aren't harmful (they are inert data)
andnot only have we shown they are almost impossible to contain, we 
know that the correlation of identities across contexts can occur basedon so many different observations that even if we could contain a
specificset of attributes, we still could not prevent re-identification even in"anonymized" data sets. In short: even the most rigorous attribute
management system cannot prevent undesired identification. Conclusion:
identity *must* be more than just the attributes in an ICT system
relatedto an entity. 

 This is at the core of my motivation to move beyond attributes. Clearlyour identities can be compromised even with the most thorough 
attention paid to protecting attributes. Attributes simply are
not enoughto capture the scope of identity.

As I described in the subjective notion of identity, not only can we notadequately record the subjective sense of, for example, "Joe Andrieu"
in the minds of everyone who knows me, there is no way to control
those subjective notions nor a way to prevent people from using those
notions in their considerations of how to deal with me. So even if
we could magically conceptualize the platonic form of forms that 
collectively represents "Joe Andrieu" we still would be lacking any 
understanding about how that notion functions: how it is used by actualpeople. And it is in that use that harms occur.

To respond to a few anchoring bits amidst the thread without 
slight to the other thoughtful comments:

On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
> Yes, it looks like Joe's definition is one of what makes a thing the
> thing it is.> 
>> On 1 Jun 2017, at 20:08, Steven Rowat
>> <steven_rowat@sunshine.net> wrote:>> 
>> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>>>  Identity is innately
>>> trans-system. Any given "digital identity" may not be, but our real>>> world "identity" absolutely is. By its very nature. We have an
>>> identity>>> completely independent of any system or authority.
> 
> This I suppose is behind Heraclitus statement that 
> "You could not step twice into the same river."
> 
> It is also the old question of how much change one can make to
> something and it still> be the same thing, as the old paradox of Theseus Ship makes clear 
> https://www.wikiwand.com/en/Ship_of_Theseus

Actually, I think the functional definition makes the question of
Theseus's ship moot. That question is grounded in the compositional notion thatthe identity of "Theseus's ship" is initially based on the components 
of his initial ship. A functional definition would ask whether or
not the shipin question was recognized as the same ship throughout its
tenure. If thecurrent ship is recognized as the same ship, then, functionally,
it has theidentity of "Theseus's ship". Whether or not is *is* the same ship is 
philosophical and not relevant to engineering and identity system.

>From what I understand, the basis for Steven Rowat's argument about 
"essences" follows that same compositional notion. The functional modeldoesn't care. If a person is recognized as an individual, then as long
asthe recognition holds, they have that identity. Whether or not
they *are*in fact that person is a meta-physical, psychological, or philosophicalquestion, which I'm intentionally taking off the table so we
engineers canfigure out what we are trying to build together.

>> On 1 Jun 2017, at 11:08 AM, Steven Rowat
>> <steven_rowat@sunshine.net> wrote:>> 
>> I believe Joe and Henry are talking past each other in a fundamental>> way that might be a good example of the tar-pit that Manu likes to
>> talk of.

Yes. And I apologize for the distraction. Hopefully we can get
this out ofour systems and let the list get back to technical discussions in
short order.
>> Joe's position (in my words, using Henry's terminology) 
>> I believe Joe is most concerned with the fact that a given thing
>> (person) is unique in the world. And that any collection of labels
>> that relate to that person is part of an assumed superset relating to>> them, and "Identity" is the whole superset. How much of the superset>> we see at one time varies, but it exists because the person exists.

I'm not sure I care about uniqueness. I don't think that's actually
relevant for a functional model of identity. Certainly, identities can
become confused. Suchis the fodder for much comedy throughout literature and media. I
wouldn't saythat such confusion--or ambiguity if the identity is simply limited in
its specificity--means we aren't dealing with identity.

I will also say that while the superset could conceptually be
constructed in anall-knowing thought experiment, any essential identity ultimately
resides inthe minds' eyes of the beholders who recognize a thing. What's in
my head isinevitably different than what is in someone else's, even if we both
are aware ofall the attributes ever recorded in any ICT system. 

Hence, while we could discuss the uber-set of all such mental
notions, it is notclear that would ever be a superset of which some of us share
subsets, asmuch as a collection of distinct notions. To get philosophical, we
can't evenknow if your sense of "red" is the same as mine; it would seem
unlikely thatwe could ever know if your sense of me is the same as anyone else's.


On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
> On 01/06/2017 17:06, Joe Andrieu wrote:
>> On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>>> On 01/06/2017 07:48, Joe Andrieu wrote:
>> If we mean "digital identity", then say it. Don't confuse it with
>> "identity".
>> 
>> The objections to "identity" are often because of conflation of
>> the two.>> We discuss A when we mean B. We discuss "identity" when what
>> we really>> mean is "the isolated domain-specific digital identity that only
>> applies>> to this particular ICT system".
> 
> Ok, but I prefer to use the term identity information when
> referring to> the information held about a person in an information system.
> If the IS> is physical and paper based, then the identity information will be
> held> in paper files. If the IS is an ICT system, then it will indeed be
> digital identity information that is stored there.

I like the term "identity information". That's much clearer than
referringto a collection of attributes as someone's identity.

> But I have never moved this discussion in the direction of
> talking about> a single isolated ICT system, so I am not sure where you got that idea> from. I said 'any and every ICT system'.

The ISO standard does:
> An identity is the information used to represent an entity in an
> ICT system.
It certainly does not say that identity is cross-system.

That would, IMO, be much more rigorous to say either:
"A digital identity is the information used to represent an entity in an
ICT system."
Or "Identity information is used to represent an entity in an ICT
system."
However, our "real" identities are fundamentally external to any
ICT system.I am "Joe Andrieu" whether it is in an ICT system or not.

> 
>> The problem is that these digital identities don't stay isolated.
> 
> Of course they dont. Who said they did? Federated identity management> has always been about sharing digital identity information.

And yet, the ISO definition of "identity" is anchored in "an ICT
system". Thewhole point of federation is to match the identity information in
one systemwith the identity information in another. The nature of the
problem is thatthese are *distinct* sets of identity information, distinct digital
identities, forwhich some sense of equivalence is sought. That equivalence becomes
a shared sense of identity--and it almost never includes a
transference of allrelated attributes. Even the ISO "identity" of a system isn't
transferred duringfederation. Some subset of identifying information is. And yet,
that sharedsense of identity will still never match the entirety of any given
individual'sidentity. The ISO definition conflates the shared sense of identity,
the ineffable subjective collective sense of identity, and the identity
informationin an ICT system when it refers to this last item as "identity". This is
the problem.
> 
>> Similarly, rights and privileges tied to our real identities
>> are often>> ignored
>> or dismantled because *in a given system* it didn't seem relevant
>> to the engineers who designed and built it. Identity is innately
>> trans-system. Any given "digital identity" may not be, but our real
>> world "identity" absolutely is. By its very nature. We have an
>> identity>> completely independent of any system or authority.
> 
> Your last sentence conflicts with your other sentences in 'Identity
> Crisis' in which you state 'identity is an emergent phenomenon
> that does> not have an existence independent of the observer'
> 
> So which is it? Is identity completely independent or rather does not> have an existence independently?

I can see how that is confusing. However, both are accurate. 

Identity exists in the minds of observers, which is independent of 
any authority. No single observer has the authority to decide their 
version of my identity is authoritative, except to themselves, which
really is just a matter of the sovereignty of our own minds. Even *I*don't have that authority. This was actually one of my rants against 
many early testimonies about the awesome power of self-sovereign 
identities. Nobody controls anyone else's  subjective state. We can 
influence, but that state is innately independent of outside authority.
> I dont think I know anyone who regards identity information as being
> specific to a single ICT system. Certainly everyone in the FIM world
> knows that identity information is meant for sharing. And
> people in the> privacy world know that PII is allowed to be shared providing it stays> within the rules. The GDPR is there to ensure the rules are obeyed,
> otherwise unscrupulous data controllers would share it in ways it was> never intended for. Even the VC work does not believe in the full and> free sharing of PII, rather it should be under the control of the
> holder. So there is no conflict between ISO, GDPR and VC work
> as far as> I can see.

On the contrary, identity information need not EVER be shared. It is 
not *meant* to be shared. It is meant to provide a given system with 
the information it needs to customize services in relation to a
given entity.Not even ISO presumes that identity information is designed to be
shared.That's a privacy nightmare.

In a federated system, yes, fundamentally, identity information is beingshared, but that is what makes federation federation, NOT what makes 
identity information identity information. And when an
individual's identityis treated as if it is entirely defined by the attributes in the system,we have fundamentally compromised human dignity by subjugating 
individuals to the tyranny of the data. Believe me, I've spent
six monthsin Amazonian purgatory because the database was in error about my 
identity. No matter what Amazon thought, my *identity* was fundamentally*not* what was captured by their set of attributes.

There is a growing awareness that PII is an insufficiently
defined set torigorously regulate anything. Even the GSA says "it requires a
case-by-caseassessment of the specific risk that an individual can be
identified." [1]There isn't even agreement as to what the acronym stands for. [2]

Unfortunately GDPR is too young to discern its true strengths and 
weaknesses. However, there are known flaws of the OECD 
privacy principles which helped inform EU privacy law and I expect arestill lingering in GDPR. Namely, a complete lack of awareness
that a datacontroller or data processor may also be the data subject. We ran intothis in VRM conversations about personal data stores. The dominant 
paradigm assumes that, in essence, corporations have and control data 
about people and that people have certain rights in that situation. Theworld view remains firmly in the lens of our corporate overlords and howwe protect the proletariat from their evils. In this world, like in ISO,"Identity" is something given to you, not something innately existing inthe relationships that form social bonds.

In short, *none* of these approaches to identity should be considered 
resolved or adequate. The primary drivers in the modern era have been 
corporations focused on securing their ability to profit from
information.More recently, in the EU, the state has picked up its original charge indefining identity, acting as a force in the other direction,
figuring out howto realize the EU constitutional right to privacy in the face of
corporatedata systems.

[1] https://www.gsa.gov/portal/content/104256
[2] https://en.wikipedia.org/wiki/Personally_identifiable_information


> 
>> aligned with the W3C mental
>> model of security by domain isolation as a response to things like
>> cross-site scripting hacks.
> 
> I think you are confusing two separate issues, security
> vulnerabilities> and data sharing. The Same Origin Policy is there to stop hackers
> linking systems that should not be linked, whereas FIM and
> token binding> etc. are there to ensure that data can be shared safely and securely.
Yes. Linking systems that should not be linked is how privacy is
violated.It feels comfortable to consider contextual integrity as a
security problem.Thinking of it in this manner leads to whitewashing information sharingthrough consent ceremonies that users can't understand for uses that 
are unexpected. There is a consistent perspective that within a given 
domain, privacy and identity are the purview of the domain controller.This is baked into the mental model of isolated systems sharing specificbits of "identity" under controlled terms--with near complete disregardfor both the downstream sharing and the systemic effects on privacy andidentity. The framing is that "if we solve privacy and identity
within ourisolated contexts, we'll have done the right thing."  But fundamentally,privacy and identity are greater than any isolated context. This is thedisconnect that, IMO, is the core architectural flaw in how most 
contemporary systems deal with privacy and identity.

> 
>> If we want to make sure we don't undermine beneficial--or unwittingly>> enable undesired--aspects of real-world identity, we need to
>> acknowledge>> that identity is inevitably more than the digital identity in
>> any given system.
> 
> I think we all realise that. No one has been arguing for the opposite.
The ISO standard itself defines identity as merely the attributes
related toan entity in an ICT system. So arguing for the ISO standard argues forthat opposite.

--

That's all for now. I think I've said more than enough. I've appreciatedthe thoughtful responses and hope I've stretched some mental models. 
It'd be great if the idea of treating identity functionally rather thancompositionally resonates enough to help us avoid the delicious yet 
distracting rabbit holes of philosophical, cultural, and
political identity.
As Manu suggested, I'll bring my perspective to comments and suggestionsin actual specification text. That's where I think we can most
concretely seeif anything I'm suggesting has merit.

-j

--
Joe Andrieu, PMP
joe@joeandrieu.com
+1(805)705-8651
http://blog.joeandrieu.com
Received on Friday, 2 June 2017 07:55:12 UTC