- From: David Chadwick <D.W.Chadwick@kent.ac.uk>
- Date: Fri, 2 Jun 2017 22:23:02 +0100
- To: public-credentials@w3.org
On 02/06/2017 19:17, Joe Andrieu wrote:
> On Fri, Jun 2, 2017, at 05:37 AM, David Chadwick wrote:
>> So I strongly believe that we identify entities in order to authorise
>> actions by them or on them (depending upon whether they are the subject
>> or object of the action).
>>
>> I would be pleased to hear from anyone who can specify a purpose of
>> identity/identification that does not involve authorisation.
>
> I think your notion of "authorize" would be more commonly regarded as
> acting on. I would go further and use the term apply.
or we could say, make a decision.
>
> In the common meaning of authorize, I could certainly identify and learn
> about an individual and then act on that understanding in situations
> that do not have that individual as an object or subject.
Agreed. But you are still using the identity information of a third
party to decide upon your course of action. So my general principle
still stands, since your decisions are based on this identity
information and would be different without that identity information.
>
> For example, I may learn of a serial killer in my neighborhood and
> without identifying that as a reason, reschedule an event that was to
> occur locally to a far away location. While I am acting on the
> information associated with a given identity, I'm not authorizing
> anything with respect to the serial killer. He/she remains completely
> unidentified in my subsequent actions and communications and I haven't
> authorized any actions directly related impacting them. Your broadened
> sense of authorize ("by my brain"), probably would be challenging
In this situation, your brain is a decision engine (aka PDP) and
enforcement point (aka PEP), and given the identity information you use
that to decide your actions.
>
> In the sessions I ran at RWoT and IIW, we came up with the following
> terms (iterated once more in this email):
>
> Identity information is identifiers, observations, statements, and insights.
>
> What we do with that information is collect, relate, reason, and apply.
>
> Identifiers are information whose purpose is to correlate entities
> across interactions and contexts.
> Observations are raw data which may be correlatable to one or more entities.
> Statements are assertions about entities, that is, attributes:
> observations and insights related to an entity.
> Insights are inferences about entities based on reasoning over
> observations and statements.
>
> Collect means to acquire and retain.
> Relate means to correlate observations and insights with particular
> entities, making statements
> Reason means to analyze known information to discover new insights
> Apply means to moderate or trigger actions based on known identity
> information
>
> The goal was to work through the functional notion of identity and
> discover the nouns and verbs in terms that would be accessible to soccer
> moms and CEOs and yet rigorous enough for technologists.
Good work, thanks for the info.
regards
David
>
> Both workshops significantly expanded on my initial idea that identity
> information is identifiers & attributes, and what we do is collect,
> correlate, and apply. I welcome suggestions for improving these. This
> thread has already improved the language, including an awareness that
> the application of identity information may not touch directly on the
> subject entity. Actually, you can see the original IIW notes
> here: http://iiw.idcommons.net/1F/_Functional_Identity, in case you're
> curious which of the above terminology is fresh this iteration.
>
> -j
>
> Original post:
> On Fri, Jun 2, 2017, at 05:37 AM, David Chadwick wrote:
>> My take on identity (or more properly the process of identifying an
>> entity) is that it is needed by everyone and everything for the
>> functional purpose of authorisation, which is the most generic of all
>> functions. It encapsulates all possible actions, including tracking
>> (from Joe's narrower definition). All actions need to be
>> authorised/controlled, thus they need to identify the actors.
>>
>> I identify you to decide whether I want to have or continue a
>> relationship with you (and not with someone else).
>>
>> Governments identify us to decide if we allowed to be citizens, drive
>> cars, have health care etc.
>>
>> Web services identify us to provide us with a service.
>>
>> I am hard pushed to find any use of 'identity' that does not have
>> authorisation as the base requirement.
>>
>> Examples that you might think are not related to authorisation, are
>> identifying celebrities, identifying inanimate objects, identifying
>> criminals from mug shots. Looking at each one of these in more detail:
>>
>> I identify celebrities to decide whether I want to follow them, read
>> about them, or ignore them etc. Each of my actions require
>> authorisation, (by my brain) and thus I need to identify who is the
>> person in the magazine to decide whether to read further about them or
>> turn the page and ignore them.
>>
>> I identify inanimate objects to decide whether to ignore them, pick them
>> up, switch them on etc. If I cannot identify one object from another
>> then I cannot decide what to do with it (i.e. an access control
>> decision).
>>
>> I see a picture of a criminal on a police wanted poster. I identify him
>> to decide whether to phone the police or not when I see a stranger
>> walking down the street who may or may not match the mugshot.
>>
>> So I strongly believe that we identify entities in order to authorise
>> actions by them or on them (depending upon whether they are the subject
>> or object of the action).
>>
>> I would be pleased to hear from anyone who can specify a purpose of
>> identity/identification that does not involve authorisation.
>>
>> regards
>>
>> David
>>
>> On 02/06/2017 11:07, Henry Story wrote:
>>
>> If you favor a functional answer then you are not far from also coming
>> to see
>> the relevance of a logical one, and also of a pragmatic one.
>>
>> The relations between functions and types is made clear in the "new"
>> foundational maths called Homotopy Type Theory. (The key book is
>> online
>> here https://homotopytypetheory.org/ and even compilable from github
>> if you want the latest version with all the corrections. The first two
>> chapters
>> are very readable for someone with computing experience.)
>>
>> This is a built on type theory, which takes functions as the basic
>> entity relating types.
>> But where other maths assume identity problems to be relatively
>> easy, HoTT
>> develops this into the core of the theory. To specify a type of an
>> object is to specify
>> ways of finding when two objects of that type are identical.
>>
>> This is constructive mathematics so in their examples they mostly use
>> mathematical
>> objects. I think one can move to thinking about physical objects
>> if one
>> starts
>> with the space of all possibilities and things of various types in
>> that
>> space.
>>
>> The intuition one should take back from HoTT is that types require a
>> specification
>> of the identity of an object, so that one can specify when two things
>> are equal.
>> Eg, two sets are equal if they contain the same elements.
>>
>> When is a ship the same from one moment to the next, is by the way not
>> a problem without pragmatic consequences. If identity of a person were
>> a material one then eating a burger would be a way to get out of a
>> murder
>> charge. To understand people as processes that keep their identity
>> through
>> change is important for contracts to work, to also be able to
>> pardon people
>> ("he is now a changed man"), etc... I think it is this thought of
>> identity in change
>> that gets people hung up, as they keep thinking what is it that
>> remains the
>> same from instant to instant - they think of the essence of
>> something as
>> another
>> thing that is always there, and so they start looking for the soul
>> as a
>> physical entity.
>> In constructive mathematics one can name a type by showing how to
>> construct elements
>> of it. With object in physical space other criteria may be needed
>> which
>> are more
>> likely to latch on for natural kinds, how the things themselves
>> function, how they
>> evolved, how they survived, etc...
>>
>> So yes, we can be functional. If a human person is a process then for
>> example it is a
>> certain type of process, a biological one, that starts at a
>> certain time
>> and goes
>> through a huge number of transformation. As I pointed out one can
>> choose
>> other
>> types to identify a person: a citizen perhaps would allow aliens from
>> other planets to be citizens and so could not be reduced to
>> humans. One
>> can then have a
>> partial map from citizens to humans. Good modeling here would
>> require that
>> one notice that a person can be the citizen of more than one
>> nation and
>> indeed even change citizenship.
>>
>> As a human being is a process that interacts with other processes
>> there will
>> be an infinite number of ways of identifying it indirectly, though
>> causal relations
>> it has with any other number of things, from being the person who
>> created a
>> document at a time to being the person who helped save someone's life.
>>
>> In description logic (and hence in OWL and RDF) one can describe types
>> by their relations to other types, and individual by relations
>> between them
>> and other things. So we slowly end up at the semantic web if we
>> want to
>> think about this in relation to the global information system that the
>> web is.
>>
>> As for your comments on identity being completely in the head, that
>> is the private language fallacy that Wittgenstein spent a lot of time
>> analyzing and dismantling in his "Philosophical Investigations".
>> Language
>> is by nature not private, or else all communication would be
>> impossible.
>> Language is also by nature one that requires that those playing the
>> game of talking and listening abide by the logical consequences of
>> what they
>> say (see "Between Saying and Doing - Towards an Analytic Pragmatism"
>> by Robert B. Brandom
>> https://global.oup.com/academic/product/between-saying-and-doing-9780199542871
>> )
>>
>> This means of course being able to bring different propositions
>> together, combining
>> them and being able to arrive at conclusions. Ie. merging propositions
>> and reasoning
>> is the nature of a linguistic system. If one needs to limit who can
>> read some information there
>> are other ways to do that: such as access control or legal
>> requirements
>> on usage
>> of information.
>>
>> Now to come back to the Lana Wachowski, director of The Matrix,
>> talk on
>> Identity, Privacy and Anonymity here
>> https://youtu.be/crHHycz7T_c?t=317
>>
>> What Lana Wachowski is against is subdivision of Humans into two
>> exclusive
>> types, and the assignation of strict roles to those types. That is
>> clearly a modelling
>> error, a simplification that is easy to do, but that does not capture
>> reality correctly
>> and so leaves people deaf to the problem of those who don't fit the
>> categories.
>>
>> But that is not an argument against types, just one against a
>> particular
>> set of
>> types, and a particular set of distinctions. She does make the point
>> well that
>> anonymity is then very useful - though what she means is not
>> anonymity but
>> pseudonymity, as her hairdresser for example has no difficulty
>> identifying her,
>> and knew a lot about her, except that she was the director of the
>> Matrix. She was
>> able to live a life where people did not know the relation between one
>> aspect of
>> her life and the other. Of course there is no way she could completely
>> control
>> the leakage of information (as we know from how much has been
>> leaked through
>> Wikileaks).
>>
>> So my conclusions:
>> • language is for communication (but that does not mean one has to
>> shout everything off the rooftop)
>> • types come with identity criterion (when are two things in that type
>> the same thing? With abstract
>> objects from Maths this may be part of the structure of the thing,
>> with physical objets it may
>> actually be discovered later)
>> • the open world assumption that is part of the web allows the same
>> objet to have an indefinite
>> number of names, and also to be described using anonymous nodes. It
>> is the relation between
>> things that count.
>>
>> I could also argue that anonymity is not the only good in the system.
>> Pure anonymity makes
>> discussion impossible. If I can't tell that I am speaking with the
>> same
>> person between sentences
>> then I cannot even have a reasoned discussion. Pseudonymity allows one
>> to re-indentify someone
>> over time which allows for a conversation to take place.
>> Information by
>> its nature is about relations.
>> Think about functions as a specific type of relation.
>>
>> Henry
>>
>>
>>
>> On 2 Jun 2017, at 09:54, Joe Andrieu <joe@joeandrieu.com
>> <mailto:joe@joeandrieu.com>
>> <mailto:joe@joeandrieu.com>> wrote:
>>
>> For what it's worth, I fear I've triggered the tar pit that
>> many of
>> us were trying to avoid.
>>
>> My initial request was simply to avoid demonizing identity and
>> instead
>> be rigorous when we use the term. That begs the question of
>> what such
>> rigor would mean, which, inevitably, triggers the impassioned
>> arguments.
>>
>> I did not provide a definition. Instead I laid a framework for
>> distinguishing
>> between two different, valid ways for engineers to approach
>> identity:
>> (a) compositionally--identity as the collection of attributes
>> related
>> to an
>> entity
>> (b) functionally--identity based on how it works and how we use it
>>
>> I will shortly provide a definition, but I want to ground the
>> thread
>> in my
>> belief that, as engineers, these are the two productive ways
>> to view
>> identity when the goal is to designing and building identity
>> systems.
>> (Or, in our case, to design systems that impact identity.)
>>
>> There are other ways to view identity: political, cultural,
>> psychological, even meta-physical perspectives. These are the root
>> of many of the impassioned arguments. They are important. Not just
>> valid. IMPORTANT. However, while they may drive important
>> trade-offs
>> in design decisions--in the WHY of any given system
>> choice--they do not
>> help one communicate or understand HOW an identity systems works.
>>
>> Historically, we--meaning engineers--have treated identity
>> compositionally,
>> as if it were a thing that we could represent in attributes.
>> Attributes that
>> could be stored, shared, protected, regulated. This is defined
>> explicitly
>> in the ISO standard.
>>
>> My assertion is that treating identity this way is the root of
>> many
>> problems
>> in today's identity systems, and that thinking about how identity
>> functions
>> may be a more fruitful path forward.
>>
>> The definition I'm going to present may not be the best one,
>> but it is
>> one
>> based on its function. I'd love to hear other suggested functional
>> definitions.
>> I am sure there is room for improvement.
>>
>> But I also know, not only from my own experience, but from the
>> empirical
>> and academic record that designing systems based on how they
>> should
>> function--rather than simply modeling the data the system
>> contains--is
>> a legitimate and productive way to approach complex system design.
>>
>> I think it provides a better approach than limiting the
>> definition to
>> the static notion of attributes. You can disagree with me on
>> that and
>> still
>> work with me to define a common framework for thinking about
>> identity functionally. If there were a viable identity system,
>> **both**
>> definitions
>> should hold merit. I argue the compositional model is
>> incomplete. I ask
>> you to indulge me and help define a functional model, then we can
>> compare which teaches us more about how such systems can be and
>> eventually should be built.
>>
>> FWIW, I don't expect to do this work **within** the VCWG or
>> even the
>> community group. I'll be writing and publishing elsewhere.
>> I'll share
>> that work as it occurs in case it might prove helpful.
>>
>> Here's my definition of Identity:
>>
>> Identity is how we keep track of people and things and, in
>> turn how they
>> keep track of us.
>>
>> That’s it. We learn people’s names, we observe them and hear
>> gossip
>> and consume media. We then apply that sense of who they are to our
>> dealings with them. Others do the same in return.
>>
>> In ICT systems, we assign identifiers, we accumulate
>> observations, we
>> correlate those observations with entities, we make
>> conclusions based
>> on those observations and we apply those conclusions in
>> interactions
>> with those same entities.
>>
>> In other contexts, we give people name tags, we share business
>> cards,
>> and we wear bracelets. All to facilitate keeping track of each
>> other.
>>
>> This simple definition is surprisingly provocative. It triggers
>> associations
>> with Big Brother and the surveillance state. It brings up
>> ideas about
>> embedded chips and tattooed serial numbers. It conjures fears of
>> government or corporations constantly tracking what we do.
>>
>> Which is ok, because, in fact, those are the most feared abuses of
>> identity. It’s important to realize when we talk about
>> identity that
>> we are
>> always talking about how we keep track of people. It is
>> important to
>> understand how identity systems limit or avoid (a) tracking
>> EVERYTHING about (b) everyone and sharing that with (c) anyone.
>>
>> What functional identity doesn't do is attempt to define what
>> identity
>> **is**; it focuses on what it does for us and how we use it.
>>
>> Organizations and people are going to use identity to keep
>> track of
>> people and things no matter what we do. Fixating on sets of
>> attributes
>> ignores the ways that we use identity information, whereas
>> focusing on
>> the function of identity affords significant visibility into both
>> potential
>> harms and techniques for enhancing or limiting that functionality.
>>
>> In contrast, attributes themselves aren't harmful (they are inert
>> data) and
>> not only have we shown they are almost impossible to contain, we
>> know that the correlation of identities across contexts can
>> occur based
>> on so many different observations that even if we could
>> contain a specific
>> set of attributes, we still could not prevent
>> re-identification even in
>> "anonymized" data sets. In short: even the most rigorous attribute
>> management system cannot prevent undesired identification.
>> Conclusion:
>> identity **must** be more than just the attributes in an ICT
>> system related
>> to an entity.
>>
>> This is at the core of my motivation to move beyond
>> attributes. Clearly
>> our identities can be compromised even with the most thorough
>> attention paid to protecting attributes. Attributes simply are
>> not enough
>> to capture the scope of identity.
>>
>> As I described in the subjective notion of identity, not only
>> can we not
>> adequately record the subjective sense of, for example, "Joe
>> Andrieu"
>> in the minds of everyone who knows me, there is no way to control
>> those subjective notions nor a way to prevent people from
>> using those
>> notions in their considerations of how to deal with me. So even if
>> we could magically conceptualize the platonic form of forms that
>> collectively represents "Joe Andrieu" we still would be
>> lacking any
>> understanding about how that notion functions: how it is used
>> by actual
>> people. And it is in that use that harms occur.
>>
>> To respond to a few anchoring bits amidst the thread without
>> slight to the other thoughtful comments:
>>
>> On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
>>
>> Yes, it looks like Joe's definition is one of what makes a
>> thing the
>> thing it is.
>>
>> On 1 Jun 2017, at 20:08, Steven Rowat
>> <steven_rowat@sunshine.net
>> <mailto:steven_rowat@sunshine.net>
>> <mailto:steven_rowat@sunshine.net>> wrote:
>>
>> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>>
>> Identity is innately
>> trans-system. Any given "digital identity" may not
>> be, but our real
>> world "identity" absolutely is. By its very
>> nature. We have an identity
>> completely independent of any system or authority.
>>
>>
>> This I suppose is behind Heraclitus statement that
>> "You could not step twice into the same river."
>>
>> It is also the old question of how much change one can make to
>> something and it still
>> be the same thing, as the old paradox of Theseus Ship
>> makes clear
>> https://www.wikiwand.com/en/Ship_of_Theseus
>>
>>
>> Actually, I think the functional definition makes the question of
>> Theseus's
>> ship moot. That question is grounded in the compositional
>> notion that
>> the identity of "Theseus's ship" is initially based on the
>> components
>> of his initial ship. A functional definition would ask whether
>> or not
>> the ship
>> in question was recognized as the same ship throughout its
>> tenure. If the
>> current ship is recognized as the same ship, then,
>> functionally, it
>> has the
>> identity of "Theseus's ship". Whether or not is **is** the
>> same ship is
>> philosophical and not relevant to engineering and identity system.
>>
>> From what I understand, the basis for Steven Rowat's argument
>> about
>> "essences" follows that same compositional notion. The
>> functional model
>> doesn't care. If a person is recognized as an individual, then
>> as long as
>> the recognition holds, they have that identity. Whether or not
>> they **are**
>> in fact that person is a meta-physical, psychological, or
>> philosophical
>> question, which I'm intentionally taking off the table so we
>> engineers
>> can
>> figure out what we are trying to build together.
>>
>> On 1 Jun 2017, at 11:08 AM, Steven Rowat
>> <steven_rowat@sunshine.net
>> <mailto:steven_rowat@sunshine.net>
>> <mailto:steven_rowat@sunshine.net>> wrote:
>>
>> I believe Joe and Henry are talking past each other in
>> a fundamental
>> way that might be a good example of the tar-pit that
>> Manu likes to
>> talk of.
>>
>>
>> Yes. And I apologize for the distraction. Hopefully we can get
>> this
>> out of
>> our systems and let the list get back to technical discussions in
>> short order.
>>
>> Joe's position (in my words, using Henry's terminology)
>> I believe Joe is most concerned with the fact that a
>> given thing
>> (person) is unique in the world. And that any
>> collection of labels
>> that relate to that person is part of an assumed
>> superset relating to
>> them, and "Identity" is the whole superset. How much
>> of the superset
>> we see at one time varies, but it exists because the
>> person exists.
>>
>>
>> I'm not sure I care about uniqueness. I don't think that's
>> actually
>> relevant for a
>> functional model of identity. Certainly, identities can become
>> confused. Such
>> is the fodder for much comedy throughout literature and media. I
>> wouldn't say
>> that such confusion--or ambiguity if the identity is simply
>> limited in
>> its specificity--
>> means we aren't dealing with identity.
>>
>> I will also say that while the superset could conceptually be
>> constructed in an
>> all-knowing thought experiment, any essential identity ultimately
>> resides in
>> the minds' eyes of the beholders who recognize a thing. What's
>> in my
>> head is
>> inevitably different than what is in someone else's, even if
>> we both
>> are aware of
>> all the attributes ever recorded in any ICT system.
>>
>> Hence, while we could discuss the uber-set of all such mental
>> notions,
>> it is not
>> clear that would ever be a superset of which some of us share
>> subsets, as
>> much as a collection of distinct notions. To get philosophical, we
>> can't even
>> know if your sense of "red" is the same as mine; it would seem
>> unlikely that
>> we could ever know if your sense of me is the same as anyone
>> else's.
>>
>>
>> On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
>>
>> On 01/06/2017 17:06, Joe Andrieu wrote:
>>
>> On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>>
>> On 01/06/2017 07:48, Joe Andrieu wrote:
>>
>> If we mean "digital identity", then say it. Don't
>> confuse it with
>> "identity".
>>
>> The objections to "identity" are often because of
>> conflation of
>> the two.
>> We discuss A when we mean B. We discuss "identity" when
>> what we
>> really
>> mean is "the isolated domain-specific digital identity
>> that only
>> applies
>> to this particular ICT system".
>>
>>
>> Ok, but I prefer to use the term identity information when
>> referring to
>> the information held about a person in an information
>> system. If the IS
>> is physical and paper based, then the identity information
>> will be held
>> in paper files. If the IS is an ICT system, then it will
>> indeed be
>> digital identity information that is stored there.
>>
>>
>> I like the term "identity information". That's much clearer than
>> referring
>> to a collection of attributes as someone's identity.
>>
>> But I have never moved this discussion in the direction of
>> talking about
>> a single isolated ICT system, so I am not sure where you
>> got that idea
>> from. I said 'any and every ICT system'.
>>
>>
>> The ISO standard does:
>>
>> An identity is the information used to represent an entity in an
>> ICT system.
>>
>>
>> It certainly does not say that identity is cross-system.
>>
>> That would, IMO, be much more rigorous to say either:
>> "A digital identity is the information used to represent an
>> entity in
>> an ICT system."
>>
>> Or "Identity information is used to represent an entity in an
>> ICT system."
>>
>> However, our "real" identities are fundamentally external to
>> any ICT
>> system.
>> I am "Joe Andrieu" whether it is in an ICT system or not.
>>
>>
>> The problem is that these digital identities don't stay
>> isolated.
>>
>>
>> Of course they dont. Who said they did? Federated identity
>> management
>> has always been about sharing digital identity information.
>>
>>
>> And yet, the ISO definition of "identity" is anchored in "an ICT
>> system". The
>> whole point of federation is to match the identity information
>> in one
>> system
>> with the identity information in another. The nature of the
>> problem is
>> that
>> these are **distinct** sets of identity information, distinct
>> digital
>> identities, for
>> which some sense of equivalence is sought. That equivalence
>> becomes
>> a shared sense of identity--and it almost never includes a
>> transference of all
>> related attributes. Even the ISO "identity" of a system isn't
>> transferred during
>> federation. Some subset of identifying information is. And
>> yet, that
>> shared
>> sense of identity will still never match the entirety of any given
>> individual's
>> identity. The ISO definition conflates the shared sense of
>> identity,
>> the ineffable subjective collective sense of identity, and the
>> identity information
>> in an ICT system when it refers to this last item as
>> "identity". This
>> is the problem.
>>
>>
>> Similarly, rights and privileges tied to our real
>> identities are
>> often
>> ignored
>> or dismantled because *in a given system* it didn't seem
>> relevant
>> to the engineers who designed and built it. Identity is
>> innately
>> trans-system. Any given "digital identity" may not be,
>> but our real
>> world "identity" absolutely is. By its very nature. We
>> have an
>> identity
>> completely independent of any system or authority.
>>
>>
>> Your last sentence conflicts with your other sentences in
>> 'Identity
>> Crisis' in which you state 'identity is an emergent
>> phenomenon that does
>> not have an existence independent of the observer'
>>
>> So which is it? Is identity completely independent or
>> rather does not
>> have an existence independently?
>>
>>
>> I can see how that is confusing. However, both are accurate.
>>
>> Identity exists in the minds of observers, which is independent of
>> any authority. No single observer has the authority to decide
>> their
>> version of my identity is authoritative, except to themselves,
>> which
>> really is just a matter of the sovereignty of our own minds.
>> Even **I**
>> don't have that authority. This was actually one of my rants
>> against
>> many early testimonies about the awesome power of self-sovereign
>> identities. Nobody controls anyone else's subjective state.
>> We can
>> influence, but that state is innately independent of outside
>> authority.
>>
>> I dont think I know anyone who regards identity
>> information as being
>> specific to a single ICT system. Certainly everyone in the
>> FIM world
>> knows that identity information is meant for sharing. And
>> people in the
>> privacy world know that PII is allowed to be shared
>> providing it stays
>> within the rules. The GDPR is there to ensure the rules
>> are obeyed,
>> otherwise unscrupulous data controllers would share it in
>> ways it was
>> never intended for. Even the VC work does not believe in
>> the full and
>> free sharing of PII, rather it should be under the control
>> of the
>> holder. So there is no conflict between ISO, GDPR and VC
>> work as far as
>> I can see.
>>
>>
>> On the contrary, identity information need not EVER be shared.
>> It is
>> not **meant** to be shared. It is meant to provide a given
>> system with
>> the information it needs to customize services in relation to
>> a given
>> entity.
>> Not even ISO presumes that identity information is designed to
>> be shared.
>> That's a privacy nightmare.
>>
>> In a federated system, yes, fundamentally, identity
>> information is being
>> shared, but that is what makes federation federation, NOT what
>> makes
>> identity information identity information. And when an
>> individual's
>> identity
>> is treated as if it is entirely defined by the attributes in
>> the system,
>> we have fundamentally compromised human dignity by subjugating
>> individuals to the tyranny of the data. Believe me, I've spent
>> six months
>> in Amazonian purgatory because the database was in error about my
>> identity. No matter what Amazon thought, my **identity** was
>> fundamentally
>> **not** what was captured by their set of attributes.
>>
>> There is a growing awareness that PII is an insufficiently
>> defined set to
>> rigorously regulate anything. Even the GSA says "it requires a
>> case-by-case
>> assessment of the specific risk that an individual can be
>> identified."
>> [1]
>> There isn't even agreement as to what the acronym stands for. [2]
>>
>> Unfortunately GDPR is too young to discern its true strengths and
>> weaknesses. However, there are known flaws of the OECD
>> privacy principles which helped inform EU privacy law and I
>> expect are
>> still lingering in GDPR. Namely, a complete lack of awareness
>> that a data
>> controller or data processor may also be the data subject. We
>> ran into
>> this in VRM conversations about personal data stores. The dominant
>> paradigm assumes that, in essence, corporations have and
>> control data
>> about people and that people have certain rights in that
>> situation. The
>> world view remains firmly in the lens of our corporate
>> overlords and how
>> we protect the proletariat from their evils. In this world,
>> like in ISO,
>> "Identity" is something given to you, not something innately
>> existing in
>> the relationships that form social bonds.
>>
>> In short, **none** of these approaches to identity should be
>> considered
>> resolved or adequate. The primary drivers in the modern era
>> have been
>> corporations focused on securing their ability to profit from
>> information.
>> More recently, in the EU, the state has picked up its original
>> charge in
>> defining identity, acting as a force in the other direction,
>> figuring
>> out how
>> to realize the EU constitutional right to privacy in the face
>> of corporate
>> data systems.
>>
>> [1] https://www.gsa.gov/portal/content/104256
>> [2]
>> https://en.wikipedia.org/wiki/Personally_identifiable_information
>>
>>
>>
>> aligned with the W3C mental
>> model of security by domain isolation as a response to
>> things like
>> cross-site scripting hacks.
>>
>>
>> I think you are confusing two separate issues, security
>> vulnerabilities
>> and data sharing. The Same Origin Policy is there to stop
>> hackers
>> linking systems that should not be linked, whereas FIM and
>> token binding
>> etc. are there to ensure that data can be shared safely
>> and securely.
>>
>>
>> Yes. Linking systems that should not be linked is how privacy is
>> violated.
>> It feels comfortable to consider contextual integrity as a
>> security
>> problem.
>> Thinking of it in this manner leads to whitewashing
>> information sharing
>> through consent ceremonies that users can't understand for
>> uses that
>> are unexpected. There is a consistent perspective that within
>> a given
>> domain, privacy and identity are the purview of the domain
>> controller.
>> This is baked into the mental model of isolated systems
>> sharing specific
>> bits of "identity" under controlled terms--with near complete
>> disregard
>> for both the downstream sharing and the systemic effects on
>> privacy and
>> identity. The framing is that "if we solve privacy and
>> identity within
>> our
>> isolated contexts, we'll have done the right thing." But
>> fundamentally,
>> privacy and identity are greater than any isolated context.
>> This is the
>> disconnect that, IMO, is the core architectural flaw in how most
>> contemporary systems deal with privacy and identity.
>>
>>
>> If we want to make sure we don't undermine
>> beneficial--or unwittingly
>> enable undesired--aspects of real-world identity, we need to
>> acknowledge
>> that identity is inevitably more than the digital
>> identity in
>> any given system.
>>
>>
>> I think we all realise that. No one has been arguing for
>> the opposite.
>>
>>
>> The ISO standard itself defines identity as merely the attributes
>> related to
>> an entity in an ICT system. So arguing for the ISO standard
>> argues for
>> that opposite.
>>
>> --
>>
>> That's all for now. I think I've said more than enough. I've
>> appreciated
>> the thoughtful responses and hope I've stretched some mental
>> models.
>> It'd be great if the idea of treating identity functionally
>> rather than
>> compositionally resonates enough to help us avoid the
>> delicious yet
>> distracting rabbit holes of philosophical, cultural, and political
>> identity.
>>
>> As Manu suggested, I'll bring my perspective to comments and
>> suggestions
>> in actual specification text. That's where I think we can most
>> concretely see
>> if anything I'm suggesting has merit.
>>
>> -j
>>
>> --
>> Joe Andrieu, PMP
>> joe@joeandrieu.com <mailto:joe@joeandrieu.com>
>> <mailto:joe@joeandrieu.com>
>> +1(805)705-8651
>> http://blog.joeandrieu.com
>>
>>
>>
>
> --
> Joe Andrieu, PMP
> joe@legendaryrequirements.com
> <mailto:joe@legendaryrequirements.com>
> LEGENDARY REQUIREMENTS
> +1(805)705-8651
> Do what matters.
> http://legendaryrequirements.com
> <http://www.legendaryrequirements.com>
>
>
Received on Friday, 2 June 2017 21:23:40 UTC