- From: David Chadwick <D.W.Chadwick@kent.ac.uk>
- Date: Fri, 2 Jun 2017 22:30:50 +0100
- To: christoph@christophdorn.com
- Cc: public-credentials@w3.org
On 02/06/2017 19:11, Christoph Dorn wrote:
>
> On June 2, 2017 05:58:30 am PDT, "David Chadwick" <D.W.Chadwick@kent.ac.uk> wrote:
>
>> My take on identity (or more properly the process of identifying an entity) is that it is needed by everyone and everything for the functional purpose of authorisation, which is the most generic of all functions. It encapsulates all possible actions, including tracking (from Joe's narrower definition). All actions need to be authorised/controlled, thus they need to identify the actors.
>>
>> I identify you to decide whether I want to have or continue a relationship with you (and not with someone else).
>
> The "functional" point of view being at the "root" seems to be consistent with Jordan Peterson's psychological perspective on Relevance Conception: Does something Help, Hinder or is it Irrelevant?
>
> Quick overview: https://www.youtube.com/watch?v=bZXJ_6B07NY

Very good. I think we could all sometimes do with a dose of framing and relevance to keep us on track with what we are trying to achieve with VCs.

regards

David

>
> Christoph
>
>> Governments identify us to decide if we are allowed to be citizens, drive cars, have health care etc.
>>
>> Web services identify us to provide us with a service.
>>
>> I am hard pushed to find any use of 'identity' that does not have authorisation as the base requirement.
>>
>> Examples that you might think are not related to authorisation, are identifying celebrities, identifying inanimate objects, identifying criminals from mug shots. Looking at each one of these in more detail:
>>
>> I identify celebrities to decide whether I want to follow them, read about them, or ignore them etc. Each of my actions requires authorisation (by my brain), and thus I need to identify who is the person in the magazine to decide whether to read further about them or turn the page and ignore them.
>>
>> I identify inanimate objects to decide whether to ignore them, pick them up, switch them on etc. If I cannot identify one object from another then I cannot decide what to do with it (i.e. an access control decision).
>>
>> I see a picture of a criminal on a police wanted poster. I identify him to decide whether to phone the police or not when I see a stranger walking down the street who may or may not match the mugshot.
>>
>> So I strongly believe that we identify entities in order to authorise actions by them or on them (depending upon whether they are the subject or object of the action).
>>
>> I would be pleased to hear from anyone who can specify a purpose of identity/identification that does not involve authorisation.
>>
>> regards
>>
>> David
>>
>> On 02/06/2017 11:07, Henry Story wrote:
>>> If you favor a functional answer then you are not far from also coming to see the relevance of a logical one, and also of a pragmatic one. The relations between functions and types is made clear in the "new" foundational maths called Homotopy Type Theory. (The key book is online here https://homotopytypetheory.org/ and even compilable from github if you want the latest version with all the corrections. The first two chapters are very readable for someone with computing experience.)
>>>
>>> This is built on type theory, which takes functions as the basic entity relating types. But where other maths assume identity problems to be relatively easy, HoTT develops this into the core of the theory. To specify a type of an object is to specify ways of finding when two objects of that type are identical. This is constructive mathematics so in their examples they mostly use mathematical objects. I think one can move to thinking about physical objects if one starts with the space of all possibilities and things of various types in that space.
>>>
>>> The intuition one should take back from HoTT is that types require a specification of the identity of an object, so that one can specify when two things are equal. Eg, two sets are equal if they contain the same elements.
>>>
>>> When is a ship the same from one moment to the next, is by the way not a problem without pragmatic consequences. If identity of a person were a material one then eating a burger would be a way to get out of a murder charge. To understand people as processes that keep their identity through change is important for contracts to work, to also be able to pardon people ("he is now a changed man"), etc... I think it is this thought of identity in change that gets people hung up, as they keep thinking what is it that remains the same from instant to instant - they think of the essence of something as another thing that is always there, and so they start looking for the soul as a physical entity.
>>> In constructive mathematics one can name a type by showing how to construct elements of it. With objects in physical space other criteria may be needed which are more likely to latch on for natural kinds, how the things themselves function, how they evolved, how they survived, etc...
>>>
>>> So yes, we can be functional. If a human person is a process then for example it is a certain type of process, a biological one, that starts at a certain time and goes through a huge number of transformations. As I pointed out one can choose other types to identify a person: a citizen perhaps would allow aliens from other planets to be citizens and so could not be reduced to humans. One can then have a partial map from citizens to humans. Good modeling here would require that one notice that a person can be the citizen of more than one nation and indeed even change citizenship.
>>>
>>> As a human being is a process that interacts with other processes there will be an infinite number of ways of identifying it indirectly, through causal relations it has with any other number of things, from being the person who created a document at a time to being the person who helped save someone's life.
>>>
>>> In description logic (and hence in OWL and RDF) one can describe types by their relations to other types, and individuals by relations between them and other things. So we slowly end up at the semantic web if we want to think about this in relation to the global information system that the web is.
>>>
>>> As for your comments on identity being completely in the head, that is the private language fallacy that Wittgenstein spent a lot of time analyzing and dismantling in his "Philosophical Investigations". Language is by nature not private, or else all communication would be impossible. Language is also by nature one that requires that those playing the game of talking and listening abide by the logical consequences of what they say (see "Between Saying and Doing - Towards an Analytic Pragmatism" by Robert B. Brandom https://global.oup.com/academic/product/between-saying-and-doing-9780199542871 )
>>>
>>> This means of course being able to bring different propositions together, combining them and being able to arrive at conclusions. Ie. merging propositions and reasoning is the nature of a linguistic system. If one needs to limit who can read some information there are other ways to do that: such as access control or legal requirements on usage of information.
>>>
>>> Now to come back to the Lana Wachowski, director of The Matrix, talk on Identity, Privacy and Anonymity here https://youtu.be/crHHycz7T_c?t=317
>>>
>>> What Lana Wachowski is against is subdivision of Humans into two exclusive types, and the assignation of strict roles to those types. That is clearly a modelling error, a simplification that is easy to do, but that does not capture reality correctly and so leaves people deaf to the problem of those who don't fit the categories.
>>>
>>> But that is not an argument against types, just one against a particular set of types, and a particular set of distinctions. She does make the point well that anonymity is then very useful - though what she means is not anonymity but pseudonymity, as her hairdresser for example has no difficulty identifying her, and knew a lot about her, except that she was the director of the Matrix. She was able to live a life where people did not know the relation between one aspect of her life and the other. Of course there is no way she could completely control the leakage of information (as we know from how much has been leaked through Wikileaks).
>>>
>>> So my conclusions:
>>> • language is for communication (but that does not mean one has to shout everything off the rooftop)
>>> • types come with identity criterion (when are two things in that type the same thing? With abstract objects from Maths this may be part of the structure of the thing, with physical objects it may actually be discovered later)
>>> • the open world assumption that is part of the web allows the same object to have an indefinite number of names, and also to be described using anonymous nodes. It is the relation between things that count.
>>>
>>> I could also argue that anonymity is not the only good in the system. Pure anonymity makes discussion impossible.
>>> If I can't tell that I am speaking with the same person between sentences then I cannot even have a reasoned discussion. Pseudonymity allows one to re-identify someone over time which allows for a conversation to take place. Information by its nature is about relations. Think about functions as a specific type of relation.
>>>
>>> Henry
>>>
>>>> On 2 Jun 2017, at 09:54, Joe Andrieu <joe@joeandrieu.com> wrote:
>>>>
>>>> For what it's worth, I fear I've triggered the tar pit that many of us were trying to avoid.
>>>>
>>>> My initial request was simply to avoid demonizing identity and instead be rigorous when we use the term. That begs the question of what such rigor would mean, which, inevitably, triggers the impassioned arguments.
>>>>
>>>> I did not provide a definition. Instead I laid a framework for distinguishing between two different, valid ways for engineers to approach identity:
>>>> (a) compositionally--identity as the collection of attributes related to an entity
>>>> (b) functionally--identity based on how it works and how we use it
>>>>
>>>> I will shortly provide a definition, but I want to ground the thread in my belief that, as engineers, these are the two productive ways to view identity when the goal is to design and build identity systems. (Or, in our case, to design systems that impact identity.)
>>>>
>>>> There are other ways to view identity: political, cultural, psychological, even meta-physical perspectives. These are the root of many of the impassioned arguments. They are important. Not just valid. IMPORTANT. However, while they may drive important trade-offs in design decisions--in the WHY of any given system choice--they do not help one communicate or understand HOW an identity system works.
>>>>
>>>> Historically, we--meaning engineers--have treated identity compositionally, as if it were a thing that we could represent in attributes. Attributes that could be stored, shared, protected, regulated. This is defined explicitly in the ISO standard.
>>>>
>>>> My assertion is that treating identity this way is the root of many problems in today's identity systems, and that thinking about how identity functions may be a more fruitful path forward.
>>>>
>>>> The definition I'm going to present may not be the best one, but it is one based on its function. I'd love to hear other suggested functional definitions. I am sure there is room for improvement.
>>>>
>>>> But I also know, not only from my own experience, but from the empirical and academic record that designing systems based on how they should function--rather than simply modeling the data the system contains--is a legitimate and productive way to approach complex system design.
>>>>
>>>> I think it provides a better approach than limiting the definition to the static notion of attributes. You can disagree with me on that and still work with me to define a common framework for thinking about identity functionally. If there were a viable identity system, *both* definitions should hold merit. I argue the compositional model is incomplete. I ask you to indulge me and help define a functional model, then we can compare which teaches us more about how such systems can be and eventually should be built.
>>>>
>>>> FWIW, I don't expect to do this work *within* the VCWG or even the community group. I'll be writing and publishing elsewhere. I'll share that work as it occurs in case it might prove helpful.
>>>>
>>>> Here's my definition of Identity:
>>>>
>>>> Identity is how we keep track of people and things and, in turn how they keep track of us.
>>>>
>>>> That’s it. We learn people’s names, we observe them and hear gossip and consume media. We then apply that sense of who they are to our dealings with them. Others do the same in return.
>>>>
>>>> In ICT systems, we assign identifiers, we accumulate observations, we correlate those observations with entities, we make conclusions based on those observations and we apply those conclusions in interactions with those same entities.
>>>>
>>>> In other contexts, we give people name tags, we share business cards, and we wear bracelets. All to facilitate keeping track of each other.
>>>>
>>>> This simple definition is surprisingly provocative. It triggers associations with Big Brother and the surveillance state. It brings up ideas about embedded chips and tattooed serial numbers. It conjures fears of government or corporations constantly tracking what we do.
>>>>
>>>> Which is ok, because, in fact, those are the most feared abuses of identity. It’s important to realize when we talk about identity that we are always talking about how we keep track of people. It is important to understand how identity systems limit or avoid (a) tracking EVERYTHING about (b) everyone and sharing that with (c) anyone.
>>>>
>>>> What functional identity doesn't do is attempt to define what identity *is*; it focuses on what it does for us and how we use it.
>>>>
>>>> Organizations and people are going to use identity to keep track of people and things no matter what we do. Fixating on sets of attributes ignores the ways that we use identity information, whereas focusing on the function of identity affords significant visibility into both potential harms and techniques for enhancing or limiting that functionality.
>>>>
>>>> In contrast, attributes themselves aren't harmful (they are inert data) and not only have we shown they are almost impossible to contain, we know that the correlation of identities across contexts can occur based on so many different observations that even if we could contain a specific set of attributes, we still could not prevent re-identification even in "anonymized" data sets. In short: even the most rigorous attribute management system cannot prevent undesired identification. Conclusion: identity *must* be more than just the attributes in an ICT system related to an entity. This is at the core of my motivation to move beyond attributes. Clearly our identities can be compromised even with the most thorough attention paid to protecting attributes. Attributes simply are not enough to capture the scope of identity.
>>>>
>>>> As I described in the subjective notion of identity, not only can we not adequately record the subjective sense of, for example, "Joe Andrieu" in the minds of everyone who knows me, there is no way to control those subjective notions nor a way to prevent people from using those notions in their considerations of how to deal with me. So even if we could magically conceptualize the platonic form of forms that collectively represents "Joe Andrieu" we still would be lacking any understanding about how that notion functions: how it is used by actual people. And it is in that use that harms occur.
>>>>
>>>> To respond to a few anchoring bits amidst the thread without slight to the other thoughtful comments:
>>>>
>>>> On Thu, Jun 1, 2017, at 11:59 AM, Henry Story wrote:
>>>>> Yes, it looks like Joe's definition is one of what makes a thing the thing it is.
>>>>>
>>>>>> On 1 Jun 2017, at 20:08, Steven Rowat <steven_rowat@sunshine.net> wrote:
>>>>>>
>>>>>> On 2017-06-01 9:06 AM, Joe Andrieu wrote:
>>>>>>> Identity is innately trans-system. Any given "digital identity" may not be, but our real world "identity" absolutely is. By its very nature. We have an identity completely independent of any system or authority.
>>>>>
>>>>> This I suppose is behind Heraclitus statement that "You could not step twice into the same river."
>>>>>
>>>>> It is also the old question of how much change one can make to something and it still be the same thing, as the old paradox of Theseus Ship makes clear https://www.wikiwand.com/en/Ship_of_Theseus
>>>>
>>>> Actually, I think the functional definition makes the question of Theseus's ship moot. That question is grounded in the compositional notion that the identity of "Theseus's ship" is initially based on the components of his initial ship. A functional definition would ask whether or not the ship in question was recognized as the same ship throughout its tenure. If the current ship is recognized as the same ship, then, functionally, it has the identity of "Theseus's ship". Whether or not it *is* the same ship is philosophical and not relevant to engineering an identity system.
>>>>
>>>> From what I understand, the basis for Steven Rowat's argument about "essences" follows that same compositional notion. The functional model doesn't care. If a person is recognized as an individual, then as long as the recognition holds, they have that identity. Whether or not they *are* in fact that person is a meta-physical, psychological, or philosophical question, which I'm intentionally taking off the table so we engineers can figure out what we are trying to build together.
>>>>
>>>>>> On 1 Jun 2017, at 11:08 AM, Steven Rowat <steven_rowat@sunshine.net> wrote:
>>>>>>
>>>>>> I believe Joe and Henry are talking past each other in a fundamental way that might be a good example of the tar-pit that Manu likes to talk of.
>>>>
>>>> Yes. And I apologize for the distraction. Hopefully we can get this out of our systems and let the list get back to technical discussions in short order.
>>>>
>>>>>> Joe's position (in my words, using Henry's terminology)
>>>>>> I believe Joe is most concerned with the fact that a given thing (person) is unique in the world. And that any collection of labels that relate to that person is part of an assumed superset relating to them, and "Identity" is the whole superset. How much of the superset we see at one time varies, but it exists because the person exists.
>>>>
>>>> I'm not sure I care about uniqueness. I don't think that's actually relevant for a functional model of identity. Certainly, identities can become confused. Such is the fodder for much comedy throughout literature and media. I wouldn't say that such confusion--or ambiguity if the identity is simply limited in its specificity--means we aren't dealing with identity.
>>>>
>>>> I will also say that while the superset could conceptually be constructed in an all-knowing thought experiment, any essential identity ultimately resides in the minds' eyes of the beholders who recognize a thing. What's in my head is inevitably different than what is in someone else's, even if we both are aware of all the attributes ever recorded in any ICT system.
>>>>
>>>> Hence, while we could discuss the uber-set of all such mental notions, it is not clear that would ever be a superset of which some of us share subsets, as much as a collection of distinct notions.
>>>> To get philosophical, we can't even know if your sense of "red" is the same as mine; it would seem unlikely that we could ever know if your sense of me is the same as anyone else's.
>>>>
>>>> On Thu, Jun 1, 2017, at 12:16 PM, David Chadwick wrote:
>>>>> On 01/06/2017 17:06, Joe Andrieu wrote:
>>>>>
>>>>> On Thu, Jun 1, 2017, at 12:44 AM, David Chadwick wrote:
>>>>>
>>>>> On 01/06/2017 07:48, Joe Andrieu wrote:
>>>>>
>>>>> If we mean "digital identity", then say it. Don't confuse it with "identity".
>>>>>
>>>>> The objections to "identity" are often because of conflation of the two. We discuss A when we mean B. We discuss "identity" when what we really mean is "the isolated domain-specific digital identity that only applies to this particular ICT system".
>>>>>
>>>>> Ok, but I prefer to use the term identity information when referring to the information held about a person in an information system. If the IS is physical and paper based, then the identity information will be held in paper files. If the IS is an ICT system, then it will indeed be digital identity information that is stored there.
>>>>
>>>> I like the term "identity information". That's much clearer than referring to a collection of attributes as someone's identity.
>>>>
>>>>> But I have never moved this discussion in the direction of talking about a single isolated ICT system, so I am not sure where you got that idea from. I said 'any and every ICT system'.
>>>>
>>>> The ISO standard does:
>>>>
>>>> An identity is the information used to represent an entity in an ICT system.
>>>>
>>>> It certainly does not say that identity is cross-system.
>>>>
>>>> That would, IMO, be much more rigorous to say either:
>>>> "A digital identity is the information used to represent an entity in an ICT system."
>>>>
>>>> Or "Identity information is used to represent an entity in an ICT system."
>>>>
>>>> However, our "real" identities are fundamentally external to any ICT system. I am "Joe Andrieu" whether it is in an ICT system or not.
>>>>
>>>>> The problem is that these digital identities don't stay isolated.
>>>>>
>>>>> Of course they don't. Who said they did? Federated identity management has always been about sharing digital identity information.
>>>>
>>>> And yet, the ISO definition of "identity" is anchored in "an ICT system". The whole point of federation is to match the identity information in one system with the identity information in another. The nature of the problem is that these are *distinct* sets of identity information, distinct digital identities, for which some sense of equivalence is sought. That equivalence becomes a shared sense of identity--and it almost never includes a transference of all related attributes. Even the ISO "identity" of a system isn't transferred during federation. Some subset of identifying information is. And yet, that shared sense of identity will still never match the entirety of any given individual's identity. The ISO definition conflates the shared sense of identity, the ineffable subjective collective sense of identity, and the identity information in an ICT system when it refers to this last item as "identity". This is the problem.
>>>>
>>>>> Similarly, rights and privileges tied to our real identities are often ignored or dismantled because *in a given system* it didn't seem relevant to the engineers who designed and built it. Identity is innately trans-system. Any given "digital identity" may not be, but our real world "identity" absolutely is. By its very nature.
>>>>> We have an identity completely independent of any system or authority.
>>>>>
>>>>> Your last sentence conflicts with your other sentences in 'Identity Crisis' in which you state 'identity is an emergent phenomenon that does not have an existence independent of the observer'
>>>>>
>>>>> So which is it? Is identity completely independent or rather does not have an existence independently?
>>>>
>>>> I can see how that is confusing. However, both are accurate.
>>>>
>>>> Identity exists in the minds of observers, which is independent of any authority. No single observer has the authority to decide their version of my identity is authoritative, except to themselves, which really is just a matter of the sovereignty of our own minds. Even *I* don't have that authority. This was actually one of my rants against many early testimonies about the awesome power of self-sovereign identities. Nobody controls anyone else's subjective state. We can influence, but that state is innately independent of outside authority.
>>>>
>>>>> I don't think I know anyone who regards identity information as being specific to a single ICT system. Certainly everyone in the FIM world knows that identity information is meant for sharing. And people in the privacy world know that PII is allowed to be shared providing it stays within the rules. The GDPR is there to ensure the rules are obeyed, otherwise unscrupulous data controllers would share it in ways it was never intended for. Even the VC work does not believe in the full and free sharing of PII, rather it should be under the control of the holder. So there is no conflict between ISO, GDPR and VC work as far as I can see.
>>>>
>>>> On the contrary, identity information need not EVER be shared. It is not *meant* to be shared.
>>>> It is meant to provide a given system with the information it needs to customize services in relation to a given entity. Not even ISO presumes that identity information is designed to be shared. That's a privacy nightmare.
>>>>
>>>> In a federated system, yes, fundamentally, identity information is being shared, but that is what makes federation federation, NOT what makes identity information identity information. And when an individual's identity is treated as if it is entirely defined by the attributes in the system, we have fundamentally compromised human dignity by subjugating individuals to the tyranny of the data. Believe me, I've spent six months in Amazonian purgatory because the database was in error about my identity. No matter what Amazon thought, my *identity* was fundamentally *not* what was captured by their set of attributes.
>>>>
>>>> There is a growing awareness that PII is an insufficiently defined set to rigorously regulate anything. Even the GSA says "it requires a case-by-case assessment of the specific risk that an individual can be identified." [1] There isn't even agreement as to what the acronym stands for. [2]
>>>>
>>>> Unfortunately GDPR is too young to discern its true strengths and weaknesses. However, there are known flaws of the OECD privacy principles which helped inform EU privacy law and I expect are still lingering in GDPR. Namely, a complete lack of awareness that a data controller or data processor may also be the data subject. We ran into this in VRM conversations about personal data stores. The dominant paradigm assumes that, in essence, corporations have and control data about people and that people have certain rights in that situation. The world view remains firmly in the lens of our corporate overlords and how we protect the proletariat from their evils.
>>>> In this world, like in ISO, "Identity" is something given to you, not something innately existing in the relationships that form social bonds.
>>>>
>>>> In short, *none* of these approaches to identity should be considered resolved or adequate. The primary drivers in the modern era have been corporations focused on securing their ability to profit from information. More recently, in the EU, the state has picked up its original charge in defining identity, acting as a force in the other direction, figuring out how to realize the EU constitutional right to privacy in the face of corporate data systems.
>>>>
>>>> [1] https://www.gsa.gov/portal/content/104256
>>>> [2] https://en.wikipedia.org/wiki/Personally_identifiable_information
>>>>
>>>>> aligned with the W3C mental model of security by domain isolation as a response to things like cross-site scripting hacks.
>>>>>
>>>>> I think you are confusing two separate issues, security vulnerabilities and data sharing. The Same Origin Policy is there to stop hackers linking systems that should not be linked, whereas FIM and token binding etc. are there to ensure that data can be shared safely and securely.
>>>>
>>>> Yes. Linking systems that should not be linked is how privacy is violated. It feels comfortable to consider contextual integrity as a security problem. Thinking of it in this manner leads to whitewashing information sharing through consent ceremonies that users can't understand for uses that are unexpected. There is a consistent perspective that within a given domain, privacy and identity are the purview of the domain controller.
>>>> This is baked into the mental model of isolated systems sharing specific bits of "identity" under controlled terms--with near complete disregard for both the downstream sharing and the systemic effects on privacy and identity. The framing is that "if we solve privacy and identity within our isolated contexts, we'll have done the right thing." But fundamentally, privacy and identity are greater than any isolated context. This is the disconnect that, IMO, is the core architectural flaw in how most contemporary systems deal with privacy and identity.
>>>>
>>>>> If we want to make sure we don't undermine beneficial--or unwittingly enable undesired--aspects of real-world identity, we need to acknowledge that identity is inevitably more than the digital identity in any given system.
>>>>>
>>>>> I think we all realise that. No one has been arguing for the opposite.
>>>>
>>>> The ISO standard itself defines identity as merely the attributes related to an entity in an ICT system. So arguing for the ISO standard argues for that opposite.
>>>>
>>>> --
>>>>
>>>> That's all for now. I think I've said more than enough. I've appreciated the thoughtful responses and hope I've stretched some mental models. It'd be great if the idea of treating identity functionally rather than compositionally resonates enough to help us avoid the delicious yet distracting rabbit holes of philosophical, cultural, and political identity.
>>>>
>>>> As Manu suggested, I'll bring my perspective to comments and suggestions in actual specification text. That's where I think we can most concretely see if anything I'm suggesting has merit.
>>>>
>>>> -j
>>>>
>>>> --
>>>> Joe Andrieu, PMP
>>>> joe@joeandrieu.com
>>>> +1(805)705-8651
>>>> http://blog.joeandrieu.com
Received on Friday, 2 June 2017 21:31:28 UTC