Wednesday, January 25, 2006

fyi On The Absurdity of "Owning One's Identity"


Pointers to Bob and Phil:

Pointers from Jim:
First off, I want to point out that Bob Blakley is a very smart, intellectually stimulating, articulate, funny, and funnily pedantic individual (yes, I’m comfortable with “funnily,” and I urge you to get with the program as well). He was one of my absolute favorite speakers during the years in which I attended and (there’s rumor to the effect that I) spoke at, helped organize, and nagged external speakers to get their slides in shape for Burton Group’s Catalyst conference. (That would mean I was once employed by Burton Group, wouldn’t it? Wouldn’t it?) Bob will kill me for this observation, but I always perceived him as one part Dick Cavett, one part Mr. Peabody (the bespectacled, professorial canine with the Wayback Machine on the old Jay Ward cartoon). Close your eyes and listen to Bob talk: “Yes, Sherman, today we’re going to travel back to 500 B.C. to see if Romulus and Remus indeed built Rome in a day.”

All of which silliness is (believe it or not, Sherman) my segue into Bob’s blog discussion “On The Absurdity of ‘Owning One's Identity.” Bob was commenting on Kim Cameron’s “First Law of Identity,” to wit: “Technical identity systems must only reveal information identifying a user with the user's consent.” Bob interprets this “law” (he rips Kim a new one for calling this a “law,” but so have I, previously, so there’s no point piling on the poor man) as an assertion that people “own their own identity” and, hence, can control how that identity is used/abused by others. And Bob then proceeds to rip the stuffings out of this presumption as well.

Blakley argues that each of us has two types of identity (is this an exhaustive categorization, Bob?):
  • One’s reputation: This is the story, he says, that others tell about you, and you can’t own it. You can’t even control it, because you can’t stop people from observing you, taking your picture, or talking about you, or stalking you so they can take your picture. Well, maybe you can get a restraining order in the latter case. But you see his point.
  • One’s self-image: This is the story you tell about yourself. Presumably, you own it too. But you can’t force people to feel as kindly toward you as you feel toward yourself. Anyway, it’s always about you, isn’t it? Enough, already.
Bob has a great reputation—I’ve shared with you my story of Bob (which, of course, I used to work in the chief theme, which is the story of Jim). He’s a great thinker, but he sort of beats the analysis of this issue into the ground in his blogpost.

Still, his bottom line is important: We can’t really stop people from spreading stories about us—our reputation. And we can’t get them to necessarily buy into our stories about ourselves—our conceit. Nobody needs or asks our consent to use/abuse our identity in any of these ways. And there’s no way, short of superfreaky occult mind control, that we can monitor and enforce how everybody in the world feels about us all the time. And we can’t (and perhaps shouldn’t) control how/when/whether they use our reputation (attributes of our identity, filtered through the lens of their own perception of us and our character, motives, etc.) in going about their business.

Ergo, says Blakley, it’s unrealistic for Kim Cameron and his minions to require that “technical identity systems …only reveal information identifying a user with the user's consent.” And I agree with Bob on this: If I had to explicitly authorize every instance of disclosure of some scrap of my personal information that’s being held/controlled by some other party, I’d have 10,000 authorization-seeking e-mails in my inbox every morning, as opposed to the current, more manageable 7,000.

But rewind the Wayback Machine back several paragraphs, and look at Bob’s definition of “reputation” again: the story that others tell about you. Is that really what reputation is? It seems to miss the mark by being too inclusive. If someone writes my biography (story of my life), is the final product my “reputation”? If someone simply compiles a timeline of key dates in my life (the story of my life), is this dry recitation of documented facts my “reputation”? Of course not.

Now, roll back the Wayback Machine to November 27, 2005, and look down the scroll of this blog to the “imho identity privacy reputation” posting midway through the Abhilasha thread. Proving that no one out-pedantics Jim Kobielus, I shall now proceed to quote myself at length:

“Reputation isn’t an identity, credential, permission, or role. It isn’t exactly an attribute, in the same sense that, say, your birth date or hair color are attributes. And it isn't something you claim any privacy protection over--it's the exact opposite: the court of public opinion over which you have no sovereignty and little direct control.

”In the IdM context, reputation is more of an assurance or trust level—an evaluation of the extent to which someone is worthwhile to know and associate with. Assurance generally refers to the degree of confidence that a relying party can have when accepting a password, certificate, token, assertion, claim, or other credential that is associated with a particular identity. Fundamentally, assurance is the confidence that someone else is reasonably safe to do business with. Assurance serves the relying party, allowing them to strongly verify the authenticity and validity of others’ identities, attributes, credentials, and assertions. It provides the relying party with the information they need to determine whether to refrain from, closely monitor, and/or repudiate online interactions in which such verification is lacking. It also gives the relying party the confidence that, if adverse consequences result from doing business with someone, the responsible parties can be pinpointed effectively so that appropriate legal, business, and other remedies can be pursued.”

”Reputation is relying parties’ evaluation of our reliability, of their liabilities, and of the degree to which associating with us makes them ill at ease. Appearances are assurances, for good or ill.”

Me again, back to this evening, January 25, 2006, to point out an important truth: Reputation isn’t an attribute of our identity, and it isn’t a story, really. It’s simply an assurance, confidence, or comfort level in which others regard our identity. It’s a vague, qualitative, holistic, often semi-conscious impression, calculated somewhere in the reptilian mind that has descended to us down through the ages. Quoting myself again:

“Relying parties—-the ultimate policy decision and enforcement points in any interaction—-need many levels of assurance if they’re going to do business with us. They gather assertions and data from many IdM “authorities” (authentication authorities, attribute authorities, etc.) before rendering their evaluations and opening their kimonos. They—-the relying parties—-make reputation evaluations based on information fed in from trusted authorities, from their own experiences with us, from whatever reputation-relevant data they can google across the vast field of received opinion and public record.”

Reputation is a computed halo—positive or negative--around our socially contextualized identities.

Which is my segue, believe it or not, for introducing my first mention of Phil Windley into my blog. In his recent blogpost “Algorithmic Authorizations,” Phil asks a great question: “Can anyone think of other examples besides credit scoring where authorization to access a resource is computed instead of being looked up in a table?”

Sure. Reputation is a score computed by relying parties in order to determine whether or not to authorize the reputed party to access resources such as jobs, communities, romantic encounters, time of day, etc.

Reputation is an assurance that someone is worth our while.