Technical versus Social

Archie Reed is a well known guy from HP in the enterprise identity space. Here's a post he did a while ago on the first four laws:

These seem well focused on the individual, however the laws so far ignore some of the fundamental requirements for establishing identity, being able to challenge the system and so forth. I will try to add to the discourse.

I am drawn to this discussion because there is an core of privacy management in each of these laws and I am keen to promote better privacy management in private and public organizations. Having spent many years living and working outside the US I am continually amazed at the freedom with which many US companies (and individuals) utilize what I feel should be private information for the purposes of marketing and solicitation. This is constantly reinforced by companies that require me to “opt-out” of marketing efforts (and other nefarious things), rather than choosing to “opt-in” is one example that shows the laws of identity as defined are idealistic and not aligned with business thinking (certainly in the US).

The challenge is the classic battle between business and security, or the principles of open vs. least access.

Worse, the exchange of private information is already occurring today, where organizations are gathering and exchanging information about individuals, based on unclear usage models and privacy policies. This is not something that identity management technology can easily deal with, and the overall business processes again become the focus of the discussion, not the “Technical” aspects that Kim is focused on… more specifically, Kim's ideal laws are not aligned with the real world – as much as many of us would like them to be!

On a related note, Phil Windley adds his comments to the mix at Laws of Identity and Symmetric Relationship Treatment

I believe that much of our talk about identity, and about privacy, is confounded by our collective myopia concerning relationships, or data about how identities are linked. When we look at it from just one side, we're likely to mistakenly build systems that asymmetrically protect relationship data. These systems are inherently unfair and thus prone to controversy. So, I'll add something that I think needs to be in Kim's laws:

  • Treat Relationship Data SymmetricallyRelationship records (i.e. records that link one or more parties) MUST be treated symmetrically for the identity system to be fair.

I do not believe this is correct.

What is missing in both these threads is context, both in terms of the conversation and the assumptions made about how identity data is used. In fact, Phil's examples allude to context, but miss the follow-through in logic when Phil talks about how a transaction is _jointly owned_. The reality is that while the transaction may be jointly owned, there are different expectations, policies and ultimately “context” for each party of the transaction similar to any supply chain model. Specifically the challenge I see is that jointly owned does not translate to common expectations or understanding – that being another one of the challenges.

Phil talks about the need for both parties to be treated symmetrically, essentially basing their usage on the same principles. This is not the way the real world works, nor is it a reasonable expectation. What is real-world is that context defines how these relationships work, and context is different for each party. While it may make sense for B2B type trusts to be symmetrical, it is not the same for a B2C, C2C, B2E or any other X2Y type of trust. That relationship is only one part of the context. Other data points that improve and clarify the context include the data each party has on the other, including how the relationship was created, who has agreed to what and for how long (e.g. terms of usage, privacy policies, customer service agreements), social conventions and expectations . My point here is that while there are numerous technical aspects to the relationships, there are also many parts of the relationship based on agreements, expectations and experiences, something rarely captured in identity management systems.

So I would say that what is really missing is the political or social aspects of identity. Kim talks a great deal about technology, however as anyone involved in identity knows, identity management is one of those disciplines where technology is less then half the challenge – we can argue what the percentages are later…

Published by

Kim Cameron

Work on identity.