Defining Digital Identity — Part One

Most digital identity problems are identity-in-database problems and the current crop of self-sovereign identity projects don’t solve them.

Stephen Young, published in Good Audience, Jul 5, 2018

There is no consensus about what constitutes a “digital identity”. A digital identity can be as simple as the username and password pair you use to access a site. It can be as broad as your complete history of on-line behaviour, together with the facts and the attributes inferred from it.

Popular info site whatis.com, for example, says “A digital identity is the body of information about an individual, organization or electronic device that exists online” — a definition that is clearly at the all-inclusive end of the definition continuum. The International Organization for Standardization doesn’t go quite so far, but still broadly defines identity as the “set of attributes related to an entity” (ISO/IEC 24760-1). Identity management application providers, on the other hand — and there are hundreds of them — talk as if it’s much simpler: a digital identity is whatever lets you prove who you are and gain access.

In the brave new world of blockchain, the nascent “self-sovereign identity” players are in the “provide access” camp, but typically supplant your username and password with a pair of certificates — then seek to attach a few attributes using formal attestations.

None of these perceptions of digital identity is wrong, but the lack of a concise, easily-understood definition of what constitutes a digital identity is a problem nonetheless. So confused is the dialog on digital identity that some commentators are even claiming that identity doesn’t matter and should be treated as irrelevant.

We humans, however, need our concepts and labels. And without a clear statement — a definition — we can’t isolate what problems are properly “digital identity” problems, or assess the degree to which new solutions and technologies might solve these problems.

This series of articles seeks to provide such a definition, and in the process will show that many identity technologies — including the current crop of “self-sovereign identity” darlings — are poor solutions to the problems of identity.

What IS Identity?

As my old high school debating coach used to say — “If you’re going to start an argument you need to understand the rules, and the rules are defined by the Oxford Dictionary”.

The Oxford defines identity as “The fact of being who or what a person or thing is.” This discussion is about people, so let’s make that “The fact of being who a person is.” We should note now that this is not “The fact of being who a person wants to be seen as.” or “The fact of being who a person is — minus the bits they don’t want other people to know.”

This definition is dictionary talk, so it’s written in the third person, but that’s a useful observation nonetheless, because my identity construct, whatever it is, is not for me — I already know who I am. It’s a construct for how others see and represent me. My identity is not for my benefit — it’s so others can place me and understand me within their universe and then act accordingly.

If we look at identity from this perspective it suddenly becomes clear why current digital-world identity constructs and services fail to solve a great many digital and real-world problems. The assumption that our identity is actually ours — is false.

How Did We Get Here?

The evolution of digital identity is the story of two different journeys along two different, but converging, routes.

Proof Identities

As we touched on earlier, control of access to public and private digital services gave rise to the concept of a digital identity. For the purposes of this discussion, we’ll refer to this access-focused construct as a “Proof Identity”.

As services became more sophisticated, simple sign-on with a basic set of access rights wasn’t enough. Fine-grained access required that the service know more about us — and these attributes were typically used to support more sophisticated access strategies such as RBAC (role-based access control).

Exposure to such services usually occurred in an organisational setting, so there was a natural tendency towards centralization of access control. Centralization created the need for broader, more complex access strategies which required even more knowledge about the user.

Centralization of control is an efficient strategy that unburdens both the administrator and the user, so it’s no surprise that the strategy was adopted in the more public infrastructure that is the internet. Today, we see such centralization in the form of, for example, “sign in with Facebook” or “sign in with Google”.

Database Identities

Our second journey begins with the need to record something about us in a database. The first use of our name in a database might have been by government or a bank, but within a decade or two every organisation we dealt with had one or more records carrying our personal information. Let’s call this a “Database Identity”.

So critical are these records to the operation of such organisations that they could not provide service to us or transact with us without them. What’s more, they know that the key to providing great service is to make that service personal, and they can’t make it personal if they don’t know anything about us. This provides an incentive to collect as much useful information as they can. The most extreme example of this is Facebook, which carries a comprehensive Database Identity for more than two billion of us.

Convergence and Opportunism

These two paths converged when we started populating databases ourselves (e.g. into social media services) and when otherwise private organisations started providing customer and patient portals that gave us access to their database. At about the same time, governments started insisting that we have rights not only to see the information an organisation carried about us, but to exercise some control over it.

At this point, our Proof Identities and our Database Identities became linked.

With this convergence came new problems and new opportunities. Proof Identity product and service vendors — as default custodians of the term “identity” — promptly seized the conversation and took ownership of these opportunities.

Where were the database vendors and service providers? We were too busy chasing scale, speed, analytics and chanting the mantra “big data”. Database protection hasn’t moved significantly since last century. It’s still an infrastructure level discussion about firewalls, intrusion detection, hardened servers, external threat assessments… Protection for an individual identity record? There aren’t even words for it in the database security lexicon.

Data Data Data

That’s a tragedy, because most identity problems are identity-in-database problems. Identity theft happens when data is stolen from a database. Anti-Money-Laundering is the process of tracking people and transactions in databases. Criminals and terrorists won’t track themselves for you with their self-sovereign identity — you need to track them in a database. Finding or joining your medical records means working with databases.

Even problems that have a “proof” component also rely on a Database Identity: peer-to-peer commerce is made safe when the proven identity is connected to the thing being sold — which is in a database. Electronic voting is made possible when your Proof Identity is connected with your electoral roll database identity. Decentralized social networks become possible when Proof Identities are connected by a database of relationships.

Proof Identities do have the power to solve many problems. Most such problems, however, have at least two parties. Peer-to-peer blockchain transactions between the two billion “unbanked”, for example, require that both parties have compatible Proof Identities — which is unlikely to be common any time soon. So those transactions won’t happen — unless, of course, you’re happy for one of the parties to be looked up in a database.

These, and many other observations, are why the TrigID project is building a database of identities: public, safe, universal and managed by consensus. The first initiative of its kind.

Plainly, any useful definition of digital identity needs to address Proof Identity and Database Identity concepts. In Part Two, I’ll propose one — and we’ll also examine how that definition is going to help us to solve today’s identity-related problems.

You can find out more about TrigID or join our conversations at our forum, at our Telegram group, or at Facebook, LinkedIn or Reddit.


Complex data and knowledge graph specialist. Architect of the FactNexus EKG knowledge graph toolset, the GraphBase Graph DBMS and the TrigID identity framework.