Technological development has created the necessary environment, and market demand the imperative to establish a strong digital identity framework. In pursuing digital identity as a solution to a technical/economic problem, however, we are giving too little thought to the importance of the “softer” non-commercial aspects of identity. Now, before it’s too late, we need to address the foundation of identity: its features and characteristics. More than that we need to delve into the philosophical underpinnings of social identity. Clearly understanding its nature and limitations, we can examine some of the essential constraints and requirements for digital identity. Purposeful social identity is the result of external entities granting credentials attesting to and tying a unique set of identifying attributes to a unique person. Only a state has the power to register, grant, maintain, and enforce such credentials. This established identity-granting process fosters system integrity and a discrete 1:1 mapping of individuals to their respective identities. A complete identity per se has many layers, with each layer built outward from foundations within it, ultimately reducible to that core identity from which all others are derived. Various role identities may present the same structure and many of the attributes of a core identity, but they are subordinate or even ancillary to the core. The purpose of this paper is not to identify a business nor to propose solutions to digital identity challenges. Rather, the exploration of identity is purely for the sake of understanding and clarity, as many potential traps and obstacles become apparent in the full context and understanding of social identity.
Technological development has created the necessary environment, and market demand the imperative to establish a strong digital identity framework. The very nature of the electronic social world (detached, ambiguous, fast, binary) demands a robust solution for this rigid environment. Its sporadically progressive commercial development reflects our human need to know with whom we interact. While market players are rapidly creating digital identity solutions, their foundations and agendas tend to be short-sighted, reactive, and inconsistent with any philosophy of identity. The cause might be eagerness to solve a problem and stake a valuable commercial claim. Or, it could be unwarranted certainty in the underlying identity morphology and their ability to respond to the developing necessary and sufficient conditions for a proper identity program (i.e., hubris).
In pursuing digital identity as a solution to a technical/economic problem, we are giving too little thought to the importance of the “softer” non-commercial aspects of identity. This is most obvious and significant in the widespread, convenient assumption that anyone can create and destroy (digital) “identities” with the impunity of a Greek deity. Also, policies are being created and solutions pursued on the basis of immature thought about ownership of the identity, which cascades into uncertainty and battles about privacy and other ideological issues such as the primacy of the individual or the collective.
Now, before it’s too late, we need to address the foundation of identity: its features and characteristics. More than that we need to delve into the philosophical underpinnings of social identity. Clearly understanding its nature and limitations, we can examine some of the essential constraints and requirements for digital identity.
I. The Language of Identity
Perhaps the single-most significant progress inhibitor of digital identity development is language. Not only are incongruous notions created by disparate interpretation and use of specific descriptors, but these words are being used by different constituents in highly contextual senses that deny any possibility of accurate singular understanding. For instance, “digital identity” itself is used as a proxy for “single sign-on,” it describes data stores about a person, and is used indiscriminately for other loosely related ideas in the spirit of being au courant. All are probably correct – maybe even accurate – within limited specialty lexicons. To be fair, in the past year, much has been standardized. But, remaining multiple meanings continue to keep us at a distance from real breakthrough progress.
First we need to adopt a clear understanding of the language used to define and describe this idea space. Because our knowledge is (rapidly) developing, creating a purposeful, valid, and complete language in advance is unlikely and inefficient. And, arbitrarily assigning names won’t be of much help if we have not a clear definition of “digital identity” itself. Before defining digital identity, we ought to contemplate and understand what identity alone is and, more importantly, what it is not.
A good place to start refining definitions might be in clarifying the difference between the noun identity and the verb identify. They tend toward unity in purpose and meaning, but there is a crucial distinction. Attacking the second challenge first, identity, according to the Microsoft Word dictionary, is “the set of characteristics that somebody recognizes as belonging uniquely to himself or herself and constituting his or her individual personality for life.” For reasons that will become clear later, I would expand this definition to include those characteristics about somebody that others recognize as well. On the other hand, identify means “to recognize somebody or something and to be able to say who or what he, she, or it is.”
The act of identifying implies the existence of an identity. But often in the context of the digital world what we hear about identity (the noun) embodies more directly the notion of identify (the verb). That is, the (digital) identity is created for the express purpose of allowing that existing thing to be identified. This notion at once implies both the a priori existence of an “identity” to which a new digital identifier can be attached for subsequent identification, and the creation of an identity – albeit digital – de novo. These notions are at best incompatible and, in the fullest understanding of identity, mutually exclusive. That is, with particular reference to the last part of the definition of identity, specifying it to be “belonging uniquely to... and constituting his or her individual personality... for life” [italic mine], more than one identity for a given object means that object no longer has a unique identity. The importance of the inconsistency and omission can not be understated, as further exploration will bear out.
II. Identifying Actors
Many things for which the problem of foolproof proper identification is becoming critical can be identified digitally. Yet, while all sorts of objects can be digitally identified, the complexity of doing so varies dramatically between objects and people. It varies further by context. The task of developing a general solution could easily become near impossible. To make the challenge more manageable, there are compelling reasons for focusing on one problem only – at least initially.
What if we were restricted to addressing only the proper identification of humans and other “persons” as actors with legal capacity, capability, and will to act in cyberspace? Intuitively, we know this class must represent the highest degree of identification complexity. After all, while it is important to identify devices and things (and even physical spaces), these are possessions and do not act. Their passivity renders them easily and finally identifiable even as single units of a mass-produced product. Even to the extent that devices do act in some way, they have no free will to undertake such actions without external input. They are props and as such are, for all intents and purposes, transparent. Actors are not.
One obvious reason to be concerned with actors rather than devices rests in the notion of responsibility and liability. Only actors can be held responsible and liable for their actions, both morally and legally, and if responsibility and liability can not be assigned to some actor at some point in time, a commercial model for identity will have no value. Given that identity certainty is arguably a key limiting factor in the development of e-Business in the Web services model, it follows that sure identification of an actor for categorical assignment of responsibility and liability is essential to expand the Internet as a commercial transaction medium. Thus, only in the proper (digital) identification of the human actors does resolution of the digital identity issue add a quantum increase of value to the economy.[1]
III. The Nature of Identity
Clear comprehension of identity demands that we expand beyond simple dictionary definition and explore human identity as it exists practically in the world today. As noted earlier, the most important feature of an identity is its uniqueness. That uniqueness results from the combination of various specifically identifying characteristics. One intrinsically “owns” a few things about oneself, such as physical characteristics, and possesses a few, such as knowledge or skills. None of these by themselves, however, constitute an identity. They are characteristics: often unique and always inherent in the person. So, although they may be unique themselves, it is wrong to suggest that DNA or fingerprints or speech patterns are an identity. The DNA profile is an identifying characteristic; similarly, fingerprints and specific professional accreditations are not identities, but identifiers.
Identifying characteristics are given power as contributory parts of an identity only after they are recognized by others. Thus identity, for our purpose, does not inhere within us; it is a social construct and granted by others.[2] Moreover, a social identity is the product of one or more credentials that uniquely attribute a name and certain inherent and identifying characteristics to a single person. Acceptance of this bundle by others with whom one comes in contact is essential.
These credentials, which represent the specified bundle of characteristics constituting the identity, derive their authority from the acceptability and trustworthiness of the issuer and the issuance process. Obtaining trustworthy external validation of and credentials to verify a unique bundle of identifying characteristics is the process of creating an identity. A birth certificate, driver’s license, passport, and on through to a educational diploma and library card are credentials that attest to characteristics.
To digress briefly, it is worth noting that there is a significant distinction between a legal and a casual identity. The former is recognized in the socio-political sphere in which the vast majority of people live, particularly in the developed world. The latter predates formalized (read: legal) social structure and is what we might now find in the third world or in pre-conquest America. Such an identity is not legal per se, but rather derived from common acceptance by the social group itself. We are necessarily and practically concerned with the former.[3]
Practically, without a name one can not have a valid identity because we humans bind together the characteristics and credentials that result in an identity with a name. At some levels we accept a name and identity at face value, often because there is no purpose in the trouble to qualify it. But a name can be easily falsified. So when the stakes rise – say, there is responsibility or burden of liability – a credential from an acceptable issuer is required to substantiate and support the claim. But, in the West, who grants that name? Certainly the parents select the child’s name and give it casual effect by use and by communicating it to others. In practice, however, a state formally creates the identity. It gives the name legal force by officially granting and registering the name then publishing it for the world to know. A name change for any reason is given effect only by change to the government’s registry.[4]
IV. States Create Identities
Only a state, through its government structure, can grant an identity to an individual. No other body can, at the beginning of the 21st-century, create a legal identity. Any “identity” not created by a state is either not true and legal, or is concealing a core identity and is therefore false. For instance, while an enterprise may create a work “role” identity for a person, it ought to rely on and typically will demand proof of a proper core identity. Without a true core identity, enterprises can create only trivial role identities. Generally then, there must be an underlying true core identity onto which a role identity is grafted. The value of this method is that it practically ensures identity uniqueness. To all reasonable extents, notwithstanding process error and active fraud, it prevents multiplication of identities for a single individual: a problem in every respect from legal to psychological.
The proposition that purposeful social identity is the result of external entities granting credentials attesting to and tying a unique set of identifying attributes to a unique person, and that only a state has the power to register, grant, maintain, and enforce such credentials is acceptable because it reflects the system in place throughout the developed world today. The system has worldwide integrity by convention among nations. So, while it is possible to adopt another name and carry multiple credentials (e.g., passports), even using different names (e.g., a name in Chinese alongside a name in a romance language such as English), these are not credentials that are or could be untied from this single unique individual.[5] The credentials, though identifying the same individual by a different name and under the authority of different governments, point to a unique individual and are cross-referenced to one foundational attestation made at birth. It is only when a multiplicity of credentials is not cross-referenced to the same individual that system integrity is breached and illegal false identities appear. This is, of course, what we design to avoid.
The result of this established identity-granting process is system integrity and a discrete 1:1 mapping of individuals to their respective core identities. Deviations from this 1:1 mapping system are intolerable, as evidenced by the consistency of laws prohibiting and psycho-social mores inhibiting active duplicity of identity.
V. Facets of Identity
A complete identity per se has many layers, with each layer built outward from foundations within it, ultimately reducible to that core identity from which all others are derived. The core identity and its support documents are crucial to the full development of (digital) identity because they give the entire process and system integrity. The notion of a core identity is merely to separate the immutable aspects of the individual (e.g., time and place of birth, physical features, etc.) from those that are more readily and, in fact, likely to change over time, all of which are important to the fullness of an individual’s identity at any given time. Only the immutable “core” characteristics are, however, certain to always be tied to the individual and his/her identity.[6] But, what beyond the core?
What of the many other aspects of identity – or the other “identities” according to some – that we ourselves manifest and perpetuate or that others create for us? It is in the expanded bundle(s) of characteristics that there is greater colour and day-to-day purpose and value in identity. More danger too. Certainly, the larger identity context is more reflective of the world in which we live. But it is in this fullness of identity awareness that debates and misunderstandings arise and exist.
The most obvious example of role identity beyond the core, not including reputation which is fodder for a separate discussion, is the work role identity. This role presents complexities such as agency and whether/how it ought – in that context – to map to the individual’s underlying identity. Selecting it here as an example should not diminish the prevalence and necessity of other role identities such as those of parent, child, consumer, public figure, and so forth. Some argue that each of these is a defensibly valid identity on its own, related and equal to each and any other role identity.[7] They are not. While they may be equal amongst other role identities, the core identity if not primary and superior is, at a minimum, primus inter pares. Although these various role identities may present the same structure and many of the attributes of a core identity, they are in fact subordinate or even ancillary to the core. Moreover, in most cases, by legal requirement these role identities must be tied to the core identity in any event. For clarity we will refer to these particular role identities, such as they are, as personas.[8]
With the exception of the entirely fabricated (i.e., fraudulent), the persona is always but a single facet of the whole identity/person being identified. One uses persona to reveal only a small part of oneself for a specific purpose or to achieve a desired effect. Judicious use of persona is how concerns with privacy are practically addressed in the real world. Only information we wish to have seen for the purpose at hand by the parties involved is revealed. In a way this act of information manipulation creates what I would call transparent opacity. Simply: while all or most of the data that represent us – confidential or not – is transparently available somewhere, access to it is inhibited by our conscious dispersal of it rendering the information opaque and attempts at meaningful aggregation both difficult and costly. The Web has substantially negated the power and value of these constraints and protective measures.
In the sense that the (core) identity is real – that it is the inextricably singular legal representation of a unique individual, so is the persona artificial. Which is to say that the persona, in its many forms and of its many creations, is derivative or manufactured for a limited purpose. It reveals a mere part – perhaps even a misrepresented part – of an individual. Where an individual has only one identity, he/she can have a multitude of personas. Even that most famous multiple personality sufferer, Sybil, was a singular identity (physical manifestation) with multiple personas. More generally, every role we fill in our full lives may be different, but the person filling them is not. Thus the word role is highly appropriate for this description because a single actor may fill many roles; but to suggest that each role has the same value as the identity of the actor in that role at that time is absurd. Shakespeare captured it well in As You Like It:
All the world’s a stage,
And all the men and women merely players:
They have their exits and their entrances;
And one man in his time plays many parts, [italic mine]
The only shortcoming of this description is that most of us play several parts at the same time.
Under normal circumstances a persona is obviously derived from or related to the core identity. This is how personas are created and exist throughout the physical world. If and when there is a need or desire for subterfuge, however, a persona can be partially – or even completely – detached from the core identity. The individual behind the persona thus remains anonymous or perhaps pseudonomous. There are many both legitimate and nefarious reasons why one would do so. Whatever the reason, including a misguided sense of independence and freedom in anonymity, this feature of identity in the physical world will likely also be a requirement of the evolving virtual world.
These limited identities which I’ve referred to as personas are allowed to exist and perpetuate – proliferate even – in the real world for many reasons, not the least of which is that the risk in accepting them of others is limited and usually outweighed by the gains to be had from the interaction. For instance, a person who pays with cash anonymously or under a pseudonym does so to avoid personal connection to the transaction or to the product/service. The merchant gains enough in revenue (after adequately protecting for potential loss) to accept the little lie between them. The ability to choose which persona to reveal and whether to tie it to the core identity is a crucial feature of living. It is, without a doubt, one of the more important characteristics of the Web that has contributed to its rapid capture of territory in our cultural landscape. But a persona, implied or inferred in the social context, called a role or reputation, is not and can not be an identity in the proper sense.
VI. So What?
Identity is too important to address in the typically expedient, ad hoc approach of commercial endeavor. But that appears to be what is happening with “digital identity” development. The identity we are concerned with is the social identity as manifested digitally. So we are obliged to confront the issue holistically.
By understanding the idea of social identity from the philosophical roots up, we can see that digital identity as a variation can not be a system unto itself parallel to the formal identity system that exists in the physical world. By corollary, creating strong digital identity may be the catalyst for enhancing the robustness and value of the existing identity system to properly reflect how people of advanced nations live their lives today. When we have started from the beginning and improved the systemic integrity of the social identity system, we will be on our way toward a robust and valid digital identity system. It is, by all accounts, infeasible to do the reverse.
Identity validity depends on the strength and value of the attestation to the identity characteristics. We assure ourselves of an identity’s authority by relying on the entity providing the testamentary credentials that create it. Identity exists only insomuch as there is documentary evidence, and certainty of proper identification comes from correspondence between the physical person and the documents. It follows that if we are certain in the integrity of the issuer and the document creation process we can be satisfied with the validity of the identity.
Systemic integrity demands 1:1 mapping from physical person to social identity. This implies a rigorous process for “creating” identities for new people and proper, secure lifecycle management through to termination of the identity with the death of the person.[9] An identity system that works must recognize this essential factor as well as the persistent direct connection and relation between the core identity and the many subsidiary, partial personas represented in the real world. As inconsistent as it may seem at first glance, such a system must be designed to also allow for pseudonymous and anonymous persons as the circumstances require.
It is apparent that just as states are the de facto creators and issuers of identities today, they must be central to the preservation of the identity system as it moves into the virtual world. Only a state can ensure and enforce continued integrity of the system and the greatest degree of certainty in the essential 1:1 mapping of person to identity. Which is not for a minute to recommend government run national identity card programs and – more emphatically – direct government involvement in the issuance and use of day-to-day identity credentials (in digital format). There are sure to be imagined models that would incorporate both government and private sector participation. However, the infrastructural and regulatory heavy-lifting required to benefit society as a whole will only be undertaken by the state because the capital investment is too great and risky to be borne by the private sector alone. It is virtually the tragedy of the commons.
The purpose of this paper was not to identify a business nor to propose solutions to digital identity challenges. Rather, this exploration of identity was purely for the sake of understanding and clarity. Many potential traps and obstacles in the path toward development of a valid digital identity system become apparent in the full context and understanding of social identity. By way of example, individual digital identity programs can not presume immunity and isolation from the broader social identity systems that exist. To do so is to prepare the ground for an epidemic of multiple identities for single individuals. Solutions being proposed today, predominantly by technologists and commercial opportunists, may prove to be worse than the problems they attempt to resolve.
The next step, with this general perspective, will be to explore the fullness of identity, persona, and reputation within the context of information distribution and control. Such an exploration ought to bring us moderately closer to a practical and palatable solution framework.
Notes
[{]1] Some may argue that it is equally essential to identify inanimate objects and devices both for similar reasons and to ensure that they are not counterfeited. While there is merit, as exemplified by product serial numbers, the value is different and tangential to the requirement for specifying and addressing responsibility and liability in act.
[2] Of course, our purpose here is not to explore the individuation of the psyche and understand how we each produce a “self” in our own minds. While an interesting exploration and undoubtedly of some orthogonal import, we are concerned with “identity” in a social context.
[3] Necessarily because we live in a legally formalized social structure; practically because the social grouping have grown so large that casual identity is utterly impractical in the vast majority of contexts.
[4] It is true that a nick-name or alias is an identity element sanctified by neither church nor state. It is also not legal either, only a feature of a person’s identity – an attribute – added a posteriori.
[5] These are, of course, language not system issues. The discussion of language consistency and whether the two names, phonetically translated or otherwise, are different or merely different facets of the same thing is a concept best left to linguists. It is beyond the ken of this writer and paper.
[6] We recognize that the simple act of transferring the characteristic from the physical person to a separate document creates a system breach point. It is a systemic social constraint. Our goal must be to compensate for it by protecting the process.
[7] Notably, most who argue this way do not resolve the hierarchical relationship between core attributes and peripheral characteristics. Thus, they apparently do not consider nor even weigh the value in the 1:1 mapping between an individual, its a priori physical identity, and the various digital credentials.
[8] Others, notably Andre Durand, have stratified identities not dissimilarly into tiers. I’ve chosen to conceptually limit the distinction at this level to that between identity and persona. Introducing the notion of “my,” “our,” and “their” identity artificially, and, for our purposes, prematurely introduces commercial purpose and information control constraints. In a discussion of credentials and artifacts later in this series, I will introduce commercial purpose and information control/distribution then propose several layers of identity as represented by artifact. The reader should not connect my use of the word persona to the way it has been used by others, such as certain vendors, in this space.
[9] The identity exists in perpetuity; it becomes an immediately “provable” historic identity so as not to be misused.
