Re: "Identity" - is a modal notion and the matrix

On June 2, 2017 05:58:30 am PDT, "David Chadwick" 
<D.W.Chadwick@kent.ac.uk> wrote:

> My take on identity (or more properly the process of identifying an
> entity) is that it is needed by everyone and everything for the
> functional purpose of authorisation, which is the most generic of all
> functions. It encapsulates all possible actions, including tracking
> (from Joe's narrower definition). All actions need to be
> authorised/controlled, thus they need to identify the actors.
>
> I identify you to decide whether I want to have or continue a
> relationship with you (and not with someone else).


The "functional" point of view being at the "root" seems to be 
consistent with Jordan Peterson's psychological perspective on 
Relevance Conception: Does something Help, Hinder or is it Irrelevant?

Quick overview: https://www.youtube.com/watch?v=bZXJ_6B07NY

Christoph


>
> Governments identify us to decide if we are allowed to be citizens, drive
> cars, have health care etc.
>
> Web services identify us to provide us with a service.
>
> I am hard pushed to find any use of 'identity' that does not have
> authorisation as the base requirement.
>
> Examples that you might think are not related to authorisation, are
> identifying celebrities, identifying inanimate objects, identifying
> criminals from mug shots. Looking at each one of these in more detail:
>
> I identify celebrities to decide whether I want to follow them, read
> about them, or ignore them etc. Each of my actions requires
> authorisation (by my brain), and thus I need to identify who is the
> person in the magazine to decide whether to read further about them or
> turn the page and ignore them.
>
> I identify inanimate objects to decide whether to ignore them, pick them
> up, switch them on etc. If I cannot identify one object from another
> then I cannot decide what to do with it (i.e. an access control decision).
>
> I see a picture of a criminal on a police wanted poster. I identify him
> to decide whether to phone the police or not when I see a stranger
> walking down the street who may or may not match the mugshot.
>
> So I strongly believe that we identify entities in order to authorise
> actions by them or on them (depending upon whether they are the subject
> or object of the action).
>
> I would be pleased to hear from anyone who can specify a purpose of
> identity/identification that does not involve authorisation.
>
> regards
>
> David
>
> On 02/06/2017 11:07, Henry Story wrote:
>> If you favor a functional answer then you are not far from also coming
>> to see the relevance of a logical one, and also of a pragmatic one. The
>> relations between functions and types are made clear in the "new"
>> foundational maths called Homotopy Type Theory. (The key book is online
>> here https://homotopytypetheory.org/ and even compilable from github
>> if you want the latest version with all the corrections. The first two
>> chapters are very readable for someone with computing experience.)
>>
>> This is built on type theory, which takes functions as the basic
>> entity relating types. But where other maths assume identity problems
>> to be relatively easy, HoTT develops this into the core of the theory.
>> To specify a type of an object is to specify ways of finding when two
>> objects of that type are identical. This is constructive mathematics so
>> in their examples they mostly use mathematical objects. I think one can
>> move to thinking about physical objects if one starts with the space of
>> all possibilities and things of various types in that space.
>>
>> The intuition one should take back from HoTT is that types require a
>> specification of the identity of an object, so that one can specify when
>> two things are equal.
>> Eg, two sets are equal if they contain the same elements.
>>
>> When is a ship the same from one moment to the next, is by the way not
>> a problem without pragmatic consequences. If identity of a person were
>> a material one then eating a burger would be a way to get out of a murder
>> charge. To understand people as processes that keep their identity through
>> change is important for contracts to work, to also be able to pardon
>> people ("he is now a changed man"), etc... I think it is this thought of
>> identity in change that gets people hung up, as they keep thinking what is
>> it that remains the same from instant to instant - they think of the
>> essence of something as another thing that is always there, and so they
>> start looking for the soul as a physical entity.
>> In constructive mathematics one can name a type by showing how to
>> construct elements of it. With objects in physical space other criteria
>> may be needed which are more likely to latch on for natural kinds, how the
>> things themselves function, how they evolved, how they survived, etc...
>>
>> So yes, we can be functional. If a human person is a process then for
>> example it is a certain type of process, a biological one, that starts
>> at a certain time and goes through a huge number of transformations. As
>> I pointed out one can choose other types to identify a person: a citizen
>> perhaps would allow aliens from other planets to be citizens and so could
>> not be reduced to humans. One can then have a partial map from citizens
>> to humans. Good modeling here would require that one notice that a person
>> can be the citizen of more than one nation and indeed even change
>> citizenship.
>>
>> As a human being is a process that interacts with other processes there will
>> be an infinite number of ways of identifying it indirectly, through
>> causal relations it has with any other number of things, from being the
>> person who created a document at a time to being the person who helped
>> save someone's life.
>>
>> In description logic (and hence in OWL and RDF) one can describe types
>> by their relations to other types, and individuals by relations between them
>> and other things. So we slowly end up at the semantic web if we want to
>> think about this in relation to the global information system that the
>> web is.
>>
>> As for your comments on identity being completely in the head, that
>> is the private language fallacy that Wittgenstein spent a lot of time
>> analyzing and dismantling in his "Philosophical Investigations". Language
>> is by nature not private, or else all communication would be impossible.
>> Language is also by nature one that requires that those playing the
>> game of talking and listening abide by the logical consequences of what they
>> say (see "Between Saying and Doing - Towards an Analytic Pragmatism"
>> by Robert B. Brandom,
>> https://global.oup.com/academic/product/between-saying-and-doing-9780199542871 )
>>
>> This means of course being able to bring different propositions
>> together, combining them and being able to arrive at conclusions. Ie.
>> merging propositions and reasoning is the nature of a linguistic system.
>> If one needs to limit who can read some information there are other ways
>> to do that: such as access control or legal requirements on usage of
>> information.
>>
>> Now to come back to the Lana Wachowski, director of The Matrix, talk 
>> on Identity, Privacy  and Anonymity here 
>> https://youtu.be/crHHycz7T_c?t=317
>>
>> What Lana Wachowski is against is subdivision of Humans into two
>> exclusive types, and the assignation of strict roles to those types.
>> That is clearly a modelling error, a simplification that is easy to do,
>> but that does not capture reality correctly and so leaves people deaf to
>> the problem of those who don't fit the categories.
>>
>> But that is not an argument against types, just one against a particular
>> set of types, and a particular set of distinctions. She does make the
>> point well that anonymity is then very useful - though what she means is
>> not anonymity but pseudonymity, as her hairdresser for example has no
>> difficulty identifying her, and knew a lot about her, except that she was
>> the director of the Matrix. She was able to live a life where people did
>> not know the relation between one aspect of her life and the other. Of
>> course there is no way she could completely control the leakage of
>> information (as we know from how much has been leaked through Wikileaks).
>>
>> So my conclusions:
>>  • language is for communication (but that does not mean one has to
>>    shout everything off the rooftop)
>>  • types come with identity criterion (when are two things in that type
>>    the same thing? With abstract objects from Maths this may be part of
>>    the structure of the thing, with physical objects it may actually be
>>    discovered later)
>>  • the open world assumption that is part of the web allows the same
>>    object to have an indefinite number of names, and also to be described
>>    using anonymous nodes. It is the relation between things that counts.
>>
>> I could also argue that anonymity is not the only good in the system.
>> Pure anonymity makes discussion impossible. If I can't tell that I am
>> speaking with the same person between sentences then I cannot even have
>> a reasoned discussion. Pseudonymity allows one to re-identify someone
>> over time which allows for a conversation to take place. Information by
>> its nature is about relations.
>> Think about functions as a specific type of relation.
>>
>> Henry
>>
>>
>>
>>> On 2 Jun 2017, at 09:54, Joe Andrieu <joe@joeandrieu.com> wrote:
>>>
>>> For what it's worth, I fear I've triggered the tar pit that many of 
>>> us were trying to avoid.
>>>
>>> My initial request was simply to avoid demonizing identity and instead
>>> be rigorous when we use the term. That begs the question of what such
>>> rigor would mean, which, inevitably, triggers the impassioned arguments.
>>>
>>> I did not provide a definition. Instead I laid a framework for
>>> distinguishing between two different, valid ways for engineers to
>>> approach identity:
>>> (a) compositionally--identity as the collection of attributes related
>>>     to an entity
>>> (b) functionally--identity based on how it works and how we use it
>>>
>>> I will shortly provide a definition, but I want to ground the thread
>>> in my belief that, as engineers, these are the two productive ways to
>>> view identity when the goal is to design and build identity systems.
>>> (Or, in our case, to design systems that impact identity.)
>>>
>>> There are other ways to view identity: political, cultural,
>>> psychological, even meta-physical perspectives. These are the root
>>> of many of the impassioned arguments. They are important. Not just
>>> valid. IMPORTANT. However, while they may drive important trade-offs
>>> in design decisions--in the WHY of any given system choice--they do not
>>> help one communicate or understand HOW an identity system works.
>>>
>>> Historically, we--meaning engineers--have treated identity
>>> compositionally, as if it were a thing that we could represent in
>>> attributes. Attributes that could be stored, shared, protected,
>>> regulated. This is defined explicitly in the ISO standard.
>>>
>>> My assertion is that treating identity this way is the root of many
>>> problems in today's identity systems, and that thinking about how identity
>>> functions may be a more fruitful path forward.
>>>
>>> The definition I'm going to present may not be the best one, but it is
>>> one based on its function. I'd love to hear other suggested functional
>>> definitions. I am sure there is room for improvement.
>>>
>>> But I also know, not only from my own experience, but from the empirical
>>> and academic record that designing systems based on how they should
>>> function--rather than simply modeling the data the system contains--is
>>> a legitimate and productive way to approach complex system design.
>>>
>>> I think it provides a better approach than limiting the definition to
>>> the static notion of attributes. You can disagree with me on that and
>>> still work with me to define a common framework for thinking about
>>> identity functionally. If there were a viable identity system, *both*
>>> definitions should hold merit. I argue the compositional model is
>>> incomplete. I ask you to indulge me and help define a functional model,
>>> then we can compare which teaches us more about how such systems can be
>>> and eventually should be built.
>>>
>>> FWIW, I don't expect to do this work *within* the VCWG or even the
>>> community group. I'll be writing and publishing elsewhere. I'll 
>>> share that work as it occurs in case it might prove helpful.
>>>
>>> Here's my definition of Identity:
>>>
>>> Identity is how we keep track of people and things and, in turn, how they
>>> keep track of us.
>>>
>>> That’s it. We learn people’s names, we observe them and hear gossip
>>> and consume media. We then apply that sense of who they are to our
>>> dealings with them. Others do the same in return.
>>>
>>> In ICT systems, we assign identifiers, we accumulate observations, we
>>> correlate those observations with entities, we make conclusions based
>>> on those observations and we apply those conclusions in interactions
>>> with those same entities.
>>>
>>> In other contexts, we give people name tags, we share business cards,
>>> and we wear bracelets. All to facilitate keeping track of each other.
>>>
>>> This simple definition is surprisingly provocative. It triggers
>>> associations with Big Brother and the surveillance state. It brings up
>>> ideas about embedded chips and tattooed serial numbers. It conjures fears
>>> of government or corporations constantly tracking what we do.
>>>
>>> Which is ok, because, in fact, those are the most feared abuses of
>>> identity. It’s important to realize when we talk about identity that
>>> we are always talking about how we keep track of people. It is important
>>> to understand how identity systems limit or avoid (a) tracking
>>> EVERYTHING about (b) everyone and sharing that with (c) anyone.
>>>
>>> What functional identity doesn't do is attempt to define what 
>>> identity *is*; it focuses on what it does for us and how we use it.
>>>
>>> Organizations and people are going to use identity to keep track of
>>> people and things no matter what we do. Fixating on sets of attributes
>>> ignores the ways that we use identity information, whereas focusing on
>>> the function of identity affords significant visibility into both
>>> potential harms and techniques for enhancing or limiting that
>>> functionality.
>>>
>>> In contrast, attributes themselves aren't harmful (they are inert
>>> data) and not only have we shown they are almost impossible to contain,
>>> we know that the correlation of identities across contexts can occur based
>>> on so many different observations that even if we could contain a specific
>>> set of attributes, we still could not prevent re-identification even in
>>> "anonymized" data sets. In short: even the most rigorous attribute
>>> management system cannot prevent undesired identification. Conclusion:
>>> identity *must* be more than just the attributes in an ICT system related
>>> to an entity. This is at the core of my motivation to move beyond
>>> attributes. Clearly our identities can be compromised even with the most
>>> thorough attention paid to protecting attributes. Attributes simply are
>>> not enough to capture the scope of identity.
>>>
>>> As I described in the subjective notion of identity, not only can we not
>>> adequately record the subjective sense of, for example, "Joe Andrieu"
>>> in the minds of everyone who knows me, there is no way to control
>>> those subjective notions nor a way to prevent people from using those
>>> notions in their considerations of how to deal with me. So even if
>>> we could magically conceptualize the platonic form of forms that
>>> collectively represents "Joe Andrieu" we still would be lacking any
>>> understanding about how that notion functions: how it is used by actual
>>> people. And it is in that use that harms occur.
>>>
>>> To respond to a few anchoring bits amidst the thread without
>>> slight to the other thoughtful comments:
>>>
>>> On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
>>>> Yes, it looks like Joe's definition is one of what makes a thing the
>>>> thing it is.
>>>>
>>>>> On 1 Jun 2017, at 20:08, Steven Rowat <steven_rowat@sunshine.net> wrote:
>>>>>
>>>>> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>>>>>>  Identity is innately
>>>>>> trans-system. Any given "digital identity" may not be, but our real
>>>>>> world "identity" absolutely is. By its very nature. We have an identity
>>>>>> completely independent of any system or authority.
>>>>
>>>> This I suppose is behind Heraclitus's statement that "You could not
>>>> step twice into the same river."
>>>>
>>>> It is also the old question of how much change one can make to
>>>> something and it still be the same thing, as the old paradox of
>>>> Theseus's Ship makes clear
>>>> https://www.wikiwand.com/en/Ship_of_Theseus
>>>
>>> Actually, I think the functional definition makes the question of
>>> Theseus's ship moot. That question is grounded in the compositional
>>> notion that the identity of "Theseus's ship" is initially based on the
>>> components of his initial ship. A functional definition would ask whether
>>> or not the ship in question was recognized as the same ship throughout
>>> its tenure. If the current ship is recognized as the same ship, then,
>>> functionally, it has the identity of "Theseus's ship". Whether or not it
>>> *is* the same ship is philosophical and not relevant to engineering an
>>> identity system.
>>>
>>> From what I understand, the basis for Steven Rowat's argument about
>>> "essences" follows that same compositional notion. The functional model
>>> doesn't care. If a person is recognized as an individual, then as long as
>>> the recognition holds, they have that identity. Whether or not they *are*
>>> in fact that person is a meta-physical, psychological, or philosophical
>>> question, which I'm intentionally taking off the table so we engineers
>>> can figure out what we are trying to build together.
>>>
>>>>> On 1 Jun 2017, at 11:08 AM, Steven Rowat <steven_rowat@sunshine.net> wrote:
>>>>>
>>>>> I believe Joe and Henry are talking past each other in a fundamental
>>>>> way that might be a good example of the tar-pit that Manu likes to
>>>>> talk of.
>>>
>>> Yes. And I apologize for the distraction. Hopefully we can get this
>>> out of our systems and let the list get back to technical discussions in
>>> short order.
>>>
>>>>> Joe's position (in my words, using Henry's terminology)
>>>>> I believe Joe is most concerned with the fact that a given thing
>>>>> (person) is unique in the world. And that any collection of labels
>>>>> that relate to that person is part of an assumed superset relating to
>>>>> them, and "Identity" is the whole superset. How much of the superset
>>>>> we see at one time varies, but it exists because the person exists.
>>>
>>> I'm not sure I care about uniqueness. I don't think that's actually
>>> relevant for a functional model of identity. Certainly, identities can
>>> become confused. Such is the fodder for much comedy throughout literature
>>> and media. I wouldn't say that such confusion--or ambiguity if the
>>> identity is simply limited in its specificity--means we aren't dealing
>>> with identity.
>>>
>>> I will also say that while the superset could conceptually be
>>> constructed in an all-knowing thought experiment, any essential identity
>>> ultimately resides in the minds' eyes of the beholders who recognize a
>>> thing. What's in my head is inevitably different than what is in someone
>>> else's, even if we both are aware of all the attributes ever recorded in
>>> any ICT system.
>>>
>>> Hence, while we could discuss the uber-set of all such mental notions,
>>> it is not clear that would ever be a superset of which some of us share
>>> subsets, as much as a collection of distinct notions. To get
>>> philosophical, we can't even know if your sense of "red" is the same as
>>> mine; it would seem unlikely that we could ever know if your sense of me
>>> is the same as anyone else's.
>>>
>>>
>>> On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
>>>> On 01/06/2017 17:06, Joe Andrieu wrote:
>>>>
>>>>     On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>>>>
>>>>         On 01/06/2017 07:48, Joe Andrieu wrote:
>>>>
>>>>     If we mean "digital identity", then say it. Don't confuse it with
>>>>     "identity".
>>>>
>>>>     The objections to "identity" are often because of conflation of
>>>>     the two.
>>>>     We discuss A when we mean B. We discuss "identity" when what we
>>>>     really
>>>>     mean is "the isolated domain-specific digital identity that only
>>>>     applies
>>>>     to this particular ICT system".
>>>>
>>>>
>>>> Ok, but I prefer to use the term identity information when referring to
>>>> the information held about a person in an information system. If the IS
>>>> is physical and paper based, then the identity information will be held
>>>> in paper files. If the IS is an ICT system, then it will indeed be
>>>> digital identity information that is stored there.
>>>
>>> I like the term "identity information". That's much clearer than
>>> referring to a collection of attributes as someone's identity.
>>>
>>>> But I have never moved this discussion in the direction of talking about
>>>> a single isolated ICT system, so I am not sure where you got that idea
>>>> from. I said 'any and every ICT system'.
>>>
>>> The ISO standard does:
>>>
>>>     An identity is the information used to represent an entity in an
>>>     ICT system.
>>>
>>>
>>> It certainly does not say that identity is cross-system.
>>>
>>> That would, IMO, be much more rigorous to say either:
>>> "A digital identity is the information used to represent an entity in
>>> an ICT system."
>>>
>>> Or "Identity information is used to represent an entity in an ICT system."
>>>
>>> However, our "real" identities are fundamentally external to any ICT
>>> system.  I am "Joe Andrieu" whether it is in an ICT system or not.
>>>
>>>>
>>>>     The problem is that these digital identities don't stay isolated.
>>>>
>>>>
>>>> Of course they don't. Who said they did? Federated identity management
>>>> has always been about sharing digital identity information.
>>>
>>> And yet, the ISO definition of "identity" is anchored in "an ICT
>>> system". The whole point of federation is to match the identity
>>> information in one system with the identity information in another. The
>>> nature of the problem is that these are *distinct* sets of identity
>>> information, distinct digital identities, for which some sense of
>>> equivalence is sought. That equivalence becomes a shared sense of
>>> identity--and it almost never includes a transference of all related
>>> attributes. Even the ISO "identity" of a system isn't transferred during
>>> federation. Some subset of identifying information is. And yet, that
>>> shared sense of identity will still never match the entirety of any given
>>> individual's identity. The ISO definition conflates the shared sense of
>>> identity, the ineffable subjective collective sense of identity, and the
>>> identity information in an ICT system when it refers to this last item as
>>> "identity". This is the problem.
>>>
>>>>
>>>>     Similarly, rights and privileges tied to our real identities are
>>>>     often
>>>>     ignored
>>>>     or dismantled because *in a given system* it didn't seem relevant
>>>>     to the engineers who designed and built it. Identity is innately
>>>>     trans-system. Any given "digital identity" may not be, but our real
>>>>     world "identity" absolutely is. By its very nature. We have an
>>>>     identity
>>>>     completely independent of any system or authority.
>>>>
>>>>
>>>> Your last sentence conflicts with your other sentences in 'Identity
>>>> Crisis' in which you state 'identity is an emergent phenomenon that does
>>>> not have an existence independent of the observer'
>>>>
>>>> So which is it? Is identity completely independent or rather does not
>>>> have an existence independently?
>>>
>>> I can see how that is confusing. However, both are accurate.
>>>
>>> Identity exists in the minds of observers, which is independent of
>>> any authority. No single observer has the authority to decide their
>>> version of my identity is authoritative, except to themselves, which
>>> really is just a matter of the sovereignty of our own minds. Even *I*
>>> don't have that authority. This was actually one of my rants against
>>> many early testimonies about the awesome power of self-sovereign
>>> identities. Nobody controls anyone else's  subjective state. We can
>>> influence, but that state is innately independent of outside authority.
>>>
>>>> I don't think I know anyone who regards identity information as being
>>>> specific to a single ICT system. Certainly everyone in the FIM world
>>>> knows that identity information is meant for sharing. And people in the
>>>> privacy world know that PII is allowed to be shared providing it stays
>>>> within the rules. The GDPR is there to ensure the rules are obeyed,
>>>> otherwise unscrupulous data controllers would share it in ways it was
>>>> never intended for. Even the VC work does not believe in the full and
>>>> free sharing of PII, rather it should be under the control of the
>>>> holder. So there is no conflict between ISO, GDPR and VC work as far as
>>>> I can see.
>>>
>>> On the contrary, identity information need not EVER be shared. It is
>>> not *meant* to be shared. It is meant to provide a given system with the
>>> information it needs to customize services in relation to a given entity.
>>> Not even ISO presumes that identity information is designed to be shared.
>>> That's a privacy nightmare.
>>>
>>> In a federated system, yes, fundamentally, identity information is being
>>> shared, but that is what makes federation federation, NOT what makes
>>> identity information identity information. And when an individual's
>>> identity is treated as if it is entirely defined by the attributes in
>>> the system, we have fundamentally compromised human dignity by
>>> subjugating individuals to the tyranny of the data. Believe me, I've
>>> spent six months in Amazonian purgatory because the database was in error
>>> about my identity. No matter what Amazon thought, my *identity* was
>>> fundamentally *not* what was captured by their set of attributes.
>>>
>>> There is a growing awareness that PII is an insufficiently defined set
>>> to rigorously regulate anything. Even the GSA says "it requires a
>>> case-by-case assessment of the specific risk that an individual can be
>>> identified." [1]
>>> There isn't even agreement as to what the acronym stands for. [2]
>>>
>>> Unfortunately GDPR is too young to discern its true strengths and
>>> weaknesses. However, there are known flaws of the OECD
>>> privacy principles which helped inform EU privacy law and I expect are
>>> still lingering in GDPR. Namely, a complete lack of awareness that a data
>>> controller or data processor may also be the data subject. We ran into
>>> this in VRM conversations about personal data stores. The dominant
>>> paradigm assumes that, in essence, corporations have and control data
>>> about people and that people have certain rights in that situation. The
>>> world view remains firmly in the lens of our corporate overlords and how
>>> we protect the proletariat from their evils. In this world, like in ISO,
>>> "Identity" is something given to you, not something innately existing in
>>> the relationships that form social bonds.
>>>
>>> In short, *none* of these approaches to identity should be considered
>>> resolved or adequate. The primary drivers in the modern era have been
>>> corporations focused on securing their ability to profit from
>>> information. More recently, in the EU, the state has picked up its
>>> original charge in defining identity, acting as a force in the other
>>> direction, figuring out how to realize the EU constitutional right to
>>> privacy in the face of corporate data systems.
>>>
>>> [1] https://www.gsa.gov/portal/content/104256
>>> [2] https://en.wikipedia.org/wiki/Personally_identifiable_information
>>>
>>>
>>>>
>>>>     aligned with the W3C mental
>>>>     model of security by domain isolation as a response to things like
>>>>     cross-site scripting hacks.
>>>>
>>>>
>>>> I think you are confusing two separate issues, security vulnerabilities
>>>> and data sharing. The Same Origin Policy is there to stop hackers
>>>> linking systems that should not be linked, whereas FIM and token binding
>>>> etc. are there to ensure that data can be shared safely and securely.
>>>
>>> Yes. Linking systems that should not be linked is how privacy is
>>> violated. It feels comfortable to consider contextual integrity as a
>>> security problem. Thinking of it in this manner leads to whitewashing
>>> information sharing through consent ceremonies that users can't
>>> understand for uses that are unexpected. There is a consistent
>>> perspective that within a given domain, privacy and identity are the
>>> purview of the domain controller. This is baked into the mental model of
>>> isolated systems sharing specific bits of "identity" under controlled
>>> terms--with near complete disregard for both the downstream sharing and
>>> the systemic effects on privacy and identity. The framing is that "if we
>>> solve privacy and identity within our isolated contexts, we'll have done
>>> the right thing." But fundamentally, privacy and identity are greater
>>> than any isolated context. This is the disconnect that, IMO, is the core
>>> architectural flaw in how most contemporary systems deal with privacy and
>>> identity.
>>>
>>>>
>>>>     If we want to make sure we don't undermine beneficial--or unwittingly
>>>>     enable undesired--aspects of real-world identity, we need to
>>>>     acknowledge
>>>>     that identity is inevitably more than the digital identity in
>>>>     any given system.
>>>>
>>>>
>>>> I think we all realise that. No one has been arguing for the opposite.
>>>
>>> The ISO standard itself defines identity as merely the attributes
>>> related to an entity in an ICT system. So arguing for the ISO standard
>>> argues for that opposite.
>>>
>>> --
>>>
>>> That's all for now. I think I've said more than enough. I've appreciated
>>> the thoughtful responses and hope I've stretched some mental models.
>>> It'd be great if the idea of treating identity functionally rather than
>>> compositionally resonates enough to help us avoid the delicious yet
>>> distracting rabbit holes of philosophical, cultural, and political
>>> identity.
>>>
>>> As Manu suggested, I'll bring my perspective to comments and suggestions
>>> in actual specification text. That's where I think we can most
>>> concretely see if anything I'm suggesting has merit.
>>>
>>> -j
>>>
>>> --
>>> Joe Andrieu, PMP
>>> joe@joeandrieu.com
>>> +1(805)705-8651
>>> http://blog.joeandrieu.com
>>>
>>
>

Received on Friday, 2 June 2017 18:12:29 UTC