Model and terminology
Carl Ellison's use of a notation to capture the relativistic aspects of identity reminded me of a paper I wrote a couple of years ago that went very much along the same lines.
I presented it to my friend David Vaskevitch, who is a CTO at Microsoft. He liked and understood the ideas, but made a great number of quite funny jokes at my expense about my introduction of Greek symbols into the conversation.
A few months later we had a meeting with Bill Gates where Bill, as is typical of him, began to drill deeply into our technology proposals. Within minutes he was posing questions which were related precisely to the problem of identity and “relativity”. Someone piped up that we needed Kim's Greek equations. I said that David had made me throw them out. Bill said, “Why did he do that – I love equations.” And so on we forged!
I think Carl's use of English language characters may be a big step forward. But here is how I put it at the time:
The problem of representing people digitally is sufficiently complicated that we require a model and terminology in order to describe and solve it. The model in Figure 1 decomposes the problem into three components of representation.
· Alpha (the first in a series) is the object’s representation of itself – for example, a person’s representation of himself.
· Theta (somewhere in the middle of a series) is the representation of the object by a third party, derived at least in part from an alpha, but not conclusive.
· Omega (the last in a series) is the representation selected by an observer. This is based on zero or more alphas and zero or more thetas, and may be persisted as a new theta that can be consumed in constructing other omegas.
The model can be expressed symbolically as Omega = Phi (Alpha, Theta), where Phi () is some function of alpha and theta where either alpha or theta can be null. A given phi is one of a set of many possible functions, most of which have conventionally been performed manually using organizational policies.
For the masochistically inclined, I have posted some more of this document here – with Greek characters that actually work.
Good news from Carl
Meanwhile, Carl's response to yesterday's posting means we are converging some more:
You're right, Kim. I was talking about O's view of P rather than P's view of P (which is as close as I can get to P's real identity). I hadn't been thinking of a person who selects different views of him- or her-self to disclose to different people or in different situations. That's something some people do (I know – almost everybody) so we had better pay attention to it and its effects.
Carl Ellison, who is a really interesting person from security space, has started to blog. I've already done some identity interviews with him, and I'll be posting those when I get to the laws to which they pertain. For years Carl worked at Intel. Amongst many other contributions, he was one of the inventors of SPKI (Simple Public Key Infrastructure) – a technology we'll be looking at going forward. Carl now works at Microsoft.
Carl's first comment on the Laws was that the First Law is really a law of privacy, not identity. I disagree – here's why.
To think about identity, you have to think about a system of identity. There really can be no identity outside of the system through which it is defined. The Laws of Identity are – in my view – the laws that make a sustainable system possible. And the Law of Control defines the most fundamental of those requirements. It is true that the effect of the Law of Control is to allow the parties to an identity relationship to achieve privacy. But it is a law of identity just the same.
In a recent post Carl attempts a rigorous definition of identity that is in line with the thinking of SPKI:
I define the identity of person P as being a function not I(P) but rather I(P,O,t) – the identity of P from the point of view of observer O at time t.
This relies on one of the definitions of identity: “The quality or condition of being the same as something else.”
In particular, in this case, the two things that are to be established as the same are:
1. characteristics C about P that O observes at time t
2. O's memories M at time t of P (built over a period of time)
These two sets of information are not matched exactly. O may remember P at an earlier time before P's hair turned white and that characteristic is not to be observed again.
Rather, those two sets of information are compared to find matches and non-matches. As long as the matches constitute enough entropy to rule out all other P’ in the world, then O can conclude that s/he knows the identity of P — assuming the non-matches do not rule out P.
So, if set-intersect(C,M) has enough entropy to specify P uniquely over the entire universe and set-intersect(C,anti(M)) is empty (or can be discounted), then identity has been established. [I'm not completely comfortable with the handling of anti(M) and welcome refinements, while I keep thinking about how to fix this formulation.]
This is great thinking. I really like his understanding of the role of memory, the use of a notation for viewpoint and the concept of an intersection set. But there is a flaw – which I hope is just terminology. I(P,O,t) is not the Identity of P, but rather O's view of the identity of P. P emits an identity (and is capable of releasing more than one), and O views it, evaluates it, remembers it. We need to separate the perception of something from the thing itself. The finger pointing at the moon is not the moon.
Carl has spent a long time trying to show people what to him is obvious: that O's view of P is what matters to O (as opposed to the assertions of traditional PKI). But let's not dismiss the role of the subject in selecting her identity and choosing what to reveal – which is equally important to the system as a whole. You cannot deal with half of this question. Oh yeah: I call the set-intersect (C,M) “recognition”.
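The recognition test from Carl's formulation, as an added example that is not code from Carl or from this blog: matches between C and M must carry at least log2(population) bits, and no non-discountable observation may contradict M. The attribute names, frequencies and the independence of attributes (so that bits add) are assumptions, and the sample data is constructed.

```python
import math
from typing import NamedTuple

class Recognition(NamedTuple):
    match_bits: float      # entropy carried by set-intersect(C, M)
    needed_bits: float     # bits required to single out one P in the population
    conflicts: frozenset   # set-intersect(C, anti(M)) after discounting
    established: bool

def recognize(C, M, frequency, population, discountable=()):
    """C: characteristics O observes now; M: O's memories of P.

    frequency maps (attribute, value) to the fraction of the population
    sharing that value. Attributes are treated as independent (assumption).
    discountable lists attributes whose change does not rule P out.
    """
    shared = C.keys() & M.keys()
    matches = {k for k in shared if C[k] == M[k]}
    conflicts = frozenset(k for k in shared if C[k] != M[k]) - frozenset(discountable)
    match_bits = sum(-math.log2(frequency[(k, C[k])]) for k in matches)
    needed_bits = math.log2(population)
    return Recognition(match_bits, needed_bits, conflicts,
                       match_bits >= needed_bits and not conflicts)

# Constructed sample data: O remembers P with brown hair, sees white hair now.
POPULATION = 8_000_000_000
FREQUENCY = {("voice", "v-17"): 2**-20, ("gait", "g-4"): 2**-10,
             ("height_band", "tall"): 2**-3}
M = {"voice": "v-17", "gait": "g-4", "height_band": "tall", "hair": "brown"}
C = {"voice": "v-17", "gait": "g-4", "height_band": "tall", "hair": "white"}

if __name__ == "__main__":
    print(recognize(C, M, FREQUENCY, POPULATION, discountable={"hair"}))
    print(recognize(C, M, FREQUENCY, POPULATION))  # hair conflict not discounted
```
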
Scott Mace has posted his interview with Owen Davis, President of Identity Commons.
I found a new page that lists all of Scott Mace's interviews in the “Opening Move” series – including those done at the 2004 Digital ID World Conference. Speaking of which, IT Conversations is supposed to be posting all the presentations from the Digital ID World Conference – but only one session seems to be up so far.
James Governor wins “most passionate feedback” award with this endorsement (I think it's an endorsement) of the Second Law:
rogue elements? the bloody Corporations are rogue elements. they have to start taking responsibility for their identity bulimia. they swallow all this information and then go puke it out afterwards. the fraud happens in the toilet bowl. if they didn't stuff themselves with information they have no *right* to ask for, and certainly not to insist on, then fraud and identity theft would be way harder. rogue elements? rogue elephants more like.
Jamie Lewis is coming back on the air real soon now. That will be fun. Unfortunately his day job has been getting to him.
To help me frame the Laws of Identity in a practical way, I took on a scenario presented to me by Eric Norlin and began to drill into it to expose the technology issues it presented in terms of identity. Part of this scenario involved using a Bluetooth connection between a Polycomm and a Bluetooth phone.
I knew virtually nothing about Bluetooth at that point, and so had to learn. I studied the Bluetooth web site, and then approached Noel Anderson, a Program Manager in Networking at Microsoft. He was kind enough to give me an introductory tutorial about Bluetooth identity issues which I recorded as an Identity Interview with Noel Anderson. I found Noel fascinating, and Craig Burton thought our discussion was interesting enough to transcribe some of it. In particular, I thought Noel's example of an “identity bomb” taught us a lot about the underlying technology issues:
When we were writing the paper we wanted to catch attention so we came up with the idea of the Bluetooth bomb. Every Bluetooth device has a 48-bit unique ID number, which is possible to either query for directly or in a broadcast mode. So we came up with the concept of a low power Bluetooth device which was attached to a weapon that was querying for a particular device ID so that when the target cell phone or PDA or another Bluetooth device came into range it would activate the [bomb] device.
Noel told me that things were being done to fix the protocols. But I was initially more interested in Bluetooth as an example of how privacy issues affect identity, and didn't immediately tune into the details of the fixes.
Then Mike Foley, who is the organizer of the special interest group that is fixing these problems, contacted me. I offered to interview him so everyone could learn about what his organization was doing. As he began to tell me about the work that is going on to fix the identity problems, I was not only relieved, but amazed at how the fixes themselves demonstrated the dynamics of the Laws of Identity hard at work. Bluetooth having been out of conformance with the Laws, concerns about the marketplace motivated its technologists to fix the technology.
When Mike talks about the water that has flowed under the bridge of privacy since Bluetooth was first envisaged in the late 1990s, you really get a feeling for how there are objective factors shaping the emergence of identity technology. And his discussion of how identifiers work (in conjunction with what we learned from Noel) teaches us a lot about the relationship between identifiers and privacy.
So here's the Identity Interview with Mike Foley as an mp3 (22 minutes). It's really fun when we are talking about the Fourth Law of Identity… Mike also invites those of us who are serious about identity to join the SIG.
By the way, I plan to publish a series of Identity Interviews to accompany the blog, so this will become a regular feature.
Phil Windley (who dares to venture forth with the brave slogan “Organizations get the IT they deserve...”) has done an interesting posting on the first three laws plus a law of symmetry. I was heartened that he really got what I was trying to say about objective dynamics and the requirements of the universal identity system.
I'm going to leave the great questions he poses for later in this discussion for fear of running off madly in all directions at once.
I got together recently with Mike Foley of the Bluetooth Special Interest Group to talk about changes currently being proposed to the core Bluetooth protocol – changes which will enhance it in terms of privacy. Mike also told me about the process for making further enhancements over the next few years.
I recorded the discussion so others could share what I was learning. I was fascinated to hear Mike talk concretely about how the understanding of privacy requirements has changed since the early days of Bluetooth. I really believe Bluetooth is a crucible for the industry in this sense – we are seeing the same evolution in many other areas, minus – perhaps – the urgency. We also discuss the Fourth Law of Identity and Mike is not only interested but I think understands it deeply because of the wide experience of his consortium.
I should have all this ready to post tomorrow – and hope everyone (including a certain DK) will take a listen. I found the whole thing very energizing.
The Law of Directed Identity
A universal identity system MUST support both “omnidirectional” identifiers for use by public entities and “unidirectional” identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.
Technical identity is always asserted with respect to some other identity or set of identities. To make an analogy with the physical world, we can say identity is a vector, not a scalar. One special “set of identities” is that of all other identities. Other important sets exist (for example, the identities in an enterprise, some arbitrary domain, or in a peer group).
Entities that are public can have identifiers that are invariant and well-known. These identifiers can be thought of as beacons, emitting identity to anyone who shows up – and thus being in essence “omnidirectional” (they are willing to reveal their existence to the set of all other identities).
A corporate web site with a well-known URL and public key certificate is a good example of such a public entity. There is no advantage – and in fact a great disadvantage – in changing such a public URL. It is fine for any visitor to the site to examine the public key certificate. It is similarly acceptable that everyone knows the site is there: its existence is public.
A second example of such a public entity is the “polycomm” which looms large in the scenario we chose as a backdrop to the present discussion. The polycomm sits in a conference room in an enterprise. Visitors to the conference room can see the polycomm and it offers digital services by advertising itself to those who come near it. In the thinking outlined here, it has an omnidirectional identity.
On the other hand, a consumer visiting a corporate web site is able to use the identity beacon of that site to decide whether she wants to establish a relationship with it. Her system can then set up a “unidirectional” identity relation with the site by selecting a key for use with that site and no other. A unidirectional identity relation with a different site would involve fabricating a completely unrelated key. Because of this there is no handle emitted by conformant identity system technology that can be shared between sites to track or profile her activities and preferences.
Similarly, when entering a conference room furnished with a polycomm, the omnidirectional identity beacon of that polycomm can be used by the owner of a cell phone to decide whether she wants to interact with it. If she does, a short-lived “unidirectional” identity relation can be created between the cell phone and the polycomm – and used to disclose a single music preference without associating that preference with any long-lived identity whatsoever.
It is immediately evident that Bluetooth and other wireless technologies have not so far been conformant with the fourth law. This explains the privacy issues innovators in these areas are currently wrestling with. And it will be obvious to some that public key certificates have been extremely successful to the extent they were used in conformance with the fourth law (public applications). By the same token, they were dismal failures in areas where they were not conformant. We will return to these issues in more detail.
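The difference between the two kinds of identifier, as an added example that is not code from this blog or from any product it discusses: one invariant handle shown to every site gives colluding sites a join key, while a per-site key leaves nothing to join on. Deriving each site key with HMAC-SHA256 from a master secret, the `IdentityAgent` class, the site URLs and the device address are all assumptions or constructed values.

```python
import hashlib
import hmac
import secrets

class IdentityAgent:
    """Hypothetical user-side agent holding one master secret (assumption)."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret

    def unidirectional_id(self, beacon: str) -> str:
        # Per-relationship key: HMAC keyed by the master secret over the
        # party's omnidirectional identifier (its well-known URL).
        site_key = hmac.new(self._master, beacon.encode(), hashlib.sha256).digest()
        # The site only sees a digest of that key, standing in for the
        # public half of a real per-site key pair.
        return hashlib.sha256(site_key).hexdigest()

    @staticmethod
    def ephemeral_id() -> str:
        # Short-lived relation (phone to polycomm): fresh randomness each time.
        return secrets.token_hex(16)

def correlation_handles(*site_logs):
    """Identifiers present in every log: what colluding sites can join on."""
    return set.intersection(*(set(log) for log in site_logs))

def simulate(agent, sites, fixed_handle=None):
    """Return {site: [identifier seen]} for one user visiting each site."""
    return {s: [fixed_handle or agent.unidirectional_id(s)] for s in sites}

# Constructed sample data.
SITES = ["https://shop.example", "https://news.example"]
agent = IdentityAgent(secrets.token_bytes(32))
leaky = simulate(agent, SITES, fixed_handle="00:11:22:33:44:55")  # invariant ID
directed = simulate(agent, SITES)                                 # per-site IDs

if __name__ == "__main__":
    print("shared handle, invariant ID:", correlation_handles(*leaky.values()))
    print("shared handle, per-site IDs:", correlation_handles(*directed.values()))
    print("polycomm sessions differ:", agent.ephemeral_id() != agent.ephemeral_id())
```
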
Eric talks about SXIP as Passport redux. I think Dick Hardt, the CEO of SXIP Networks, would have something to say about that. Seems to me the SXIP folks have learned a lot more from Passport than Eric lets on. I don't believe they hold identity information or do authentication directly. They are a registry combined with a browser redirection technology, pointing to a user's identity provider and thus adroitly avoiding the very pitfall articulated in the Third Law. They call themselves the first “distributed public identity network”.
While checking out the link to Dick Hardt above, I saw his interesting posting on the Second Law (somehow I had missed this) and the statement that he was intuitively aware of this law when developing SXIP. I'm sure he was also “intuitively aware” of the third law. I think his comment on the various meanings of discrimination is a propos:
This got me thinking that the basis of identity is to enable discrimination. I then realized that the negative, emotional response to universal IDs is a fear of unjustified or undesired discrimination through data correlation. Racism and sexism being the more evocative “isms”. We can “blame” the movie (or book for older people) 1984 for surfacing this as a fear of the future.
I want to understand SXIP more deeply. Maybe Dick will help me set it up on my blog for those who are SXIP enabled… That would certainly help me understand it better.
Eric Norlin of Ping Identity admits he thinks that Passport was a damn fine idea, but people wouldn't accept it because of the Microsoft stigma.
I'm at a loss as to how to move the conversation forward here. There are somewhere near 200 million active Passport accounts (unused accounts are swept out, so these numbers represent actual usage). People clearly accept Passport… for dealing with MSN in conformance with the Third Law. “Microsoft stigma” doesn't seem to play much of a role here…
Eric thinks Passport's problems can be explained by bad marketing. I can't even think about the marketing issues, because I think there is something much deeper going on: Passport was very successful when in accordance with the Third Law, and unsuccessful when it was not.