Sunday, November 27, 2005

imho identity privacy reputation


A basic holler in light and syrup: rahB

Holistic attestation:
Reputation is one of those words that creep me out. As an identity management (IdM) construct, it’s even vaguer than role (which I recently, October 20, in this blog, defined as “an identity in its full governance context”).

Reputation feels anti-governance, hence unfair. It feels oppressive. It’s the collective mass of received opinion, good and ill, weighing down on a particular identity. It feels like a court where the judge, jury, prosecuting attorney, jailer, and lord high executioner are phantoms, never showing their faces, but making their collective force felt at every turn. It feels like outer appearances, not inner character, ruling our lives.

Reputation is one part prejudice—as in pride and prejudice—as in the oppressive mass of received opinion that unfairly pins the victim into a mean, narrow, constrained existence—as in always having to defend yourself against whoever whatever wherever whenever. Reputation as a collective weapon in the service of conformity and mediocrity.

Reputation is another part consequence—as in never being able to live down or escape the past—as in everybody everywhere keeping a collective dossier on your every activity—as in never being able to start over with a clean slate.

Reputation isn’t an identity, credential, permission, or role. It isn’t exactly an attribute, in the same sense that, say, your birth date or hair color are attributes. And it isn't something you claim any privacy protection over--it's the exact opposite: the court of public opinion over which you have no sovereignty and little direct control.

In the IdM context, reputation is more of an assurance or trust level—an evaluation of the extent to which someone is worthwhile to know and associate with. Here’s the definition of assurance from my forthcoming essay, “Federated E-Business Assurance: the Policy-Driven Basis for Trusted Collaboration” (the essay, which I co-authored with Rob Sherwood, will be included in a book of security visionary thinking to be published by Homeland Defense Media):

“Assurance…generally refers to the degree of confidence that a relying party can have when accepting a password, certificate, token, assertion, claim, or other credential that is associated with a particular identity. Fundamentally, assurance is the confidence that someone else is reasonably safe to do business with. Assurance serves the relying party, allowing them to strongly verify the authenticity and validity of others’ identities, attributes, credentials, and assertions. It provides the relying party with the information they need to determine whether to refrain from, closely monitor, and/or repudiate online interactions in which such verification is lacking. It also gives the relying party the confidence that, if adverse consequences result from doing business with someone, the responsible parties can be pinpointed effectively so that appropriate legal, business, and other remedies can be pursued.”

Reputation is relying parties’ evaluation of our reliability, of their liabilities, and of the degree to which associating with us makes them ill at ease. Appearances are assurances, for good or ill.

Relying parties—the ultimate policy decision and enforcement points in any interaction—need many levels of assurance if they’re going to do business with us. They gather assertions and data from many IdM “authorities” (authentication authorities, attribute authorities, etc.) before rendering their evaluations and opening their kimonos. They—the relying parties—make reputation evaluations based on information fed in from trusted authorities, from their own experiences with us, from whatever reputation-relevant data they can google across the vast field of received opinion and public record.

Who, if anyone, are the "reputation authorities"? What, if anything, is a "reputation assertion"? How can we--the identified reputed parties--have any assurance that our reputation isn't determined by the collective malice of bad people who mean to distort and destroy us? How can we be sure that a balanced, fair evaluation of our reputation rises above the din and confusion? Who/what, if anything, is our public reputation (PR) agent/advocate in a world of free-floating ungovernable reputation?

This topic leaves me queasy. Reputation still comes down to appearances, no matter how you approach it. It comes down to spin. Tell the spinning to stop. I'm about to hurl.