The Laws of Identity and a Universal Identity System

I&#39d like to take a moment to look at what I&#39m trying to achieve with this exploration of the Laws of Identity.

I&#39ve pointed out already that our discussion here is not about the “philosophy of identity” – which is a compelling but entirely orthogonal pursuit.

Instead, I am trying to reveal the set of “objective” dynamics that will constrain the definition of an identity system capable of being widely enough accepted that it can enable distributed computing on a universal scale. I do not propose my laws as “moral imperatives”, but rather as explanations of dynamics which must be mastered to craft such a universal system.

For example, when we articulate the Law of Control, we do so because a system which does not put users in firm control of their own identity will – on day one or over time – be rejected by enough users that it cannot become a universal. The accordance of this law with my own sense of values is essentially irrelevant. Instead, the law represents a boundary defining what the universal identity system must look like – and must not look like – given the many social formations and cultures in which it must be able to operate.

I also say these laws are objective because they pre-exist our consciousness of them. For example, the Law of Fewest Parties predicted what aspects of several real life systems would succeed in spite of the fact that those building the systems were unaware of the law.

The Laws of Identity, taken together, establish many constraints on what a universal identity system can be. The emergent system must conform to all of the laws. Understanding this can help us eliminate a lot of doomed proposals before we waste too much time on them. The first big breakthrough is to understand these laws exist. The second breakthrough comes from daring to wrestle with what they are. In doing this we need to invent a vocabulary allowing us to communicate precisely about them.

I&#39ve been asked why I do not see the Law of Fewest Parties as a simple corollary of the Law of Control. I hope this ontological detour helps explain why. It is true that systems conforming to the Law of Control would reveal to their users that identity information is being shared with some irrelevant party. But the set of parties with whom sharing occurs represents its own boundary on the definition of what a successful system can be. In this sense it has its own content as a determining dynamic, and is a law, not a corollary.

Dave Kearns on Personal Directory

Responding to the Third Law, Dave Kearns asks Is it time for personal directory? He is clearly a long-time champion of this, as am I.

I&#39ve been spending quite a bit of time looking into Dave&#39s long history of serious pieces at NetworkWorldFusion. In terms of personal directory, he did a great series on SMBMeta (proposed by Dan Bricklin of VisiCalc and the seminal Dan Bricklin&#39s Demo Program).

I need to finish off the Laws of Identity but want to come back to this discussion. Dave has made some pretty Kearnesque comments on my investigation of the identity aspects of Bluetooth. Bad news: I&#39m going to come back to them – and not just Bluetooth, but all of wireless networking. But I hope I will get Dave interested too, because I think we can actually get these things fixed and brought into line with the Laws of Identity.


Nailing me

OK – my position must seem supercilious – for Craig says:

I didn&#39t miss the point. I nailed it. Passport was never–at least not until now–billed as an experiment. Passport was positioned as the future of Identity infrastructure. This so frightened the industry that a hasty alternative was financed and brought to life–behold–the Liberty Alliance.

Gee – Was I just rewriting history? Airbrush and all? Let me be more specific. I&#39m not talking about ‘billing’.

It was clear to me from day one that Passport was not going to become a universal identity system. But though I expressed my opinions inside Microsoft, I was not directly involved in the Passport or Hailstorm initiatives. In an innovative environment, you often have to go with the flow and let passionate people test their ideas. The testing includes – as you know only too well – positioning. Sometimes passionate people will be right, and sometimes they&#39ll be wrong.

So, I saw Passport as an experiment.

What is incredible is that others in the industry looked at all of this and – being as ignorant of the Third Law as were the very proponents of Passport – they had no understanding that objective factors would stem the tide of Passport for generalized identity purposes.

It is said that this is what gave rise to Liberty. I cede to your analysis here – though I know some of the good people involved and that there were some positive reasons for people to come together as well as negative ones.

Does this make it clearer?

Governor James says, “Strange -your feed hasn&#39t been updating in bloglines? I had no idea you had been so busy.” I moved my blog from RadioLand to Does anyone know if there is something wrong with the way I did the transition?

Meanwhile Craig Burton, who can&#39t resist a good line, writes:

You gotta love it when Kim goes off on passport and states a law that makes it obsolete for its supposed original purpose. Of course Kim is so diplomatic that you almost forget that what he is saying is that Passport failed. Further Passport will not be the basis of Microsoft&#39s Identity infrastructure.

I like the drama, but I fear Craig has missed on my main point. Which makes me think I mustn&#39t have been quite clear enough. So let me try again.

Microsoft put a lot of effort into an important identity experiment early in the Internet cycle. As is the case with many projects we undertake when creating new technology, Passport was successful at some things and unsuccessful at others. I try to show it was very successful when in line with the Third Law, and unsuccessful when not in line with it.

But my main point is that there has been an important “learning” here. And it will apply to everyone who wants to get involved with identity. This is full of implications for any party who tries to develop a business plan based on intervention in identity processes

Craig goes on to say:

Think of the implications of this new law. If Microsoft is going to participate in providing infrastructure that meets the criteria of the three laws, it will have to be willing to allow infrastructure that can operate sans Windows. Hmmmm. It could happen.

No. Not it could happen. It really really should happen.

As I promised Marc Canter, I want to see the big bang that will occur in software innovation shortly after we as an industry put in place a new distributed identity fabric open to all and fundamentally respectful of the people using it.

That is what I think the Web Services stack allows us to do – if we can rise to the occasion. Let&#39s do it.

Software that tries to intuit our identity…

I would like to hear more of Scott Lemon&#39s ideas about how philosophical thinkers can help us figure out ways we can write software that intuits – this is my word and perhaps it is too rhetorical – our identity decisions for us…

I&#39ve heard a number of people talk about intelligent policy engines capable of doing this type of thing, but so far, I haven&#39t seen one I would choose for my own personal use.

I certainly think you can have simplistic policy – configuration, really – that decides things like whether, having once decided to interact with an identity, you want to do so automatcially in the future.

And I can understand policies along the lines of, “Trust the identifying assertions of people recommended to me by Scott for access to my discussion papers”.

And I&#39ll even go along with, “Place items containing the words Viagra or Investment in the Spam folder”.

But in general I have become very suspicious of systems that purport to create policy that affects me without asking me for approval. One of the worst outcomes of such technology is that the user ends up living in a “magical system” – where decisions she doesn&#39t understand are constraining her experience. Our systems need to be translucent – we should be able to see into them and understand what is going on.

But I&#39m probably ranting. I&#39m sure Scott meant that an engine would put forward policy proposals and the user would be asked to approve or reject them.

Third Law of Identity

The Fewest Parties Law of Identity

Technical identity systems MUST be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

My own understanding of this law is one of the happy by-products of what I think of as my “Passport Aha”.

On the one hand, Passport has always been a system for authenticating to Microsoft&#39s “Internet properties”, and was immediately successful in this role.

On the other, it was positioned as an early identity service. Given my long-term interest in identity, I was personally skeptical about this broader use of Passport. It&#39s proponents argued that a centralized Internet service could act as an identity broker mediating between consumers and relying parties. They thought that life would be a lot easier (and more secure) if :

  1. consumers had a strong identity relationship with Passport ; and
  2. web sites started to use Passport identities to recognize their customers.

There were only two problems with the concept. The first was that web sites didn&#39t really want Passport mediating between them and their customers. And the second was that consumers didn&#39t see what Passport was doing there either.

Put in terms of the Third Law of Identity, beyond the perimeter of Microsoft&#39s own sites, few saw Passport&#39s presence in an identity relationship as being necessary or justifiable.

Some observers who are less than enraptured by Microsoft have explained this rejection of Passport by citing a widespread distrust of Microsoft. But I don&#39t subscribe to that explanation. There are, after all, a couple of hundred million active Passport accounts on any given day – the scale is amazing. But consumers use the accounts to access Hotmail and other properties owned by Microsoft – again, in accordance with the Third Law, where Microsoft&#39s participation in the identity relationship is necessary and justifiable.

I argue that all of us involved with identity should “listen up” to this experience and come to understand the Third Law.

For example, it is natural for governments to operate identity services. And it is natural for people to use government-issued identities when doing business with the government. But in my view, it will not be seen as “necessary and justifiable” to insert a government intermediary between family members seeking to verify identity or between a consumer and his hobby or vice. Thus the success of government-run identity systems will be determined by governments’ understanding of the Third Law.

The same is true of other identity providers. For now, I leave it as an exercise for the reader to explore the applicability of this law to various potential candidates for provision of identity.

Second Law of Identity

Second Law of Identity

Before we get to take a walk on the Norlin side, it&#39s time for the Second Law of Identity. And it&#39s simple enough:

The Minimal Disclosure Law of Identity

The solution which discloses the least identifying information is the most stable, long-term solution.

The thesis here is that the more identifying information is released, the more a solution invites abuse by rogue (and ultimately criminal) elements. We will return to a more rigorous discussion of these dynamics later in our conversation. For now, we will just point out that we are getting many reinforcing reports about the increasing professionalism and criminalization of identity attacks.

Let&#39s now go back to the case of Eric&#39s polycomm (by the way, I saw a ‘polycom’ at Bartell&#39s today ! – but luckily it only had a single “m”. I will try to get a photograph, though of course that might be dangerous…) If you missed out on the polycomm idea – which set the terms of reference for the current scenario exploration – please take a look at this.

The second law of identity tells us:

A solution in which the polycomm had to query my mobile phone for a social security number and then use this as a key for discovering the address of an all-knowing mp3 service would be much less stable than one which allowed the polycomm to query the mobile phone directly for the address of an all-knowing mp3 service.

But this latter would still be a relatively unstable service since it would need to be able to collect and potentially divulge all my music preferences.

The most stable solution would be one where the polycomm simply asked my anonymous (i.e. next generation) mobile phone what music selection “the anonymous I” would like to hear next.

In our example, the second law of identity applies as follows… (where “<” means “divulges less identifying information”)…

momentary anonymous listener preference < well-known individual music profile < citizen SSN

To consider potential economic value in these three cases:

Information linking my Citizen SSN to other identifying information is worth a lot. Protecting it is a complex and difficult long-term goal with continuously increasing associated costs, since this information will become an ongoing target of escalating professional attacks.

My full individual music profile – if systematic in the sense that computers can guarantee – has a potential (and therefore covetable) value for those marketing music.

But my “momentary anonymous listener preference” has no value to anyone but me.

Thus “momentary anonymnous listener preference” is a solution less likely to involve negative and anti-social side-effects than the other solutions.

And our law of identity is thus analogous to any prudent advice involving risk: minimize it.

If he walks like Eric, he is Eric

My discussion about the relationship between employees and employers seems to have moved Eric Norlin to drop his proposed amendment to the first law of identity… He still has questions, though, like “say my employer tracks my web surfing habits – do i have to explicitly hand that over? surely, my surfing tracks are an attribute of my identity”.

I hope the screenshot below will help convince him that again, the most natural (and defensible) way to organize things is for the employer to ask the employee for consent to track him. That&#39s what we do in these here parts, and it seems to work well enough. I guess if the employee doesn&#39t want to be tracked, he needs to ask for employment in a different department.

That said, I really like Eric&#39s invention of the term “identifiable walk” – though I draw different conclusions about it:

We all *do* things that can be abstracted that can be used to identify us — (this is the infamous tier 3 identity from andre&#39s article)….should we have control over ALL of those attributes? my gut says that would be impossible.

in fact, it may already be that way — we all have an identifiable “walk.” the TSA is testing programs that would use that to identify terrorist types. Should i have to give consent to that camera when i walk in the airport? or is my walking in the airport consent enough?

So now it&#39s on to discuss “Norlin&#39s Walk”.

Hard to argue

Craig Burton has been generously heaping kudos my way for aruging that a discussion of the philosophy of identity is orthogonal to the discussion we should have about the laws of identity. And I&#39m going to hold firmly to that direction, even though I received this titillating comment – probably more relevant to Scott Lemon&#39s Axioms – from David Rollow of CSG Systems.

Take a look at W. V. O. Quine&#39s essay “Two Dogmas of Empiricism” for relevant philosophical discussion about the most basic identity issues. If you understand it you will realize that the very idea of “axioms of identity” makes no sense. The “personal” identity discussion in philosophy is about things like persistence, sameness of tokens observed at different times, self-knowledge and self-identity, problems of no interest in the age of identity theft. The Quine essay is at a more fundamental level of discussion but it applies if you apply it.

Yes, the “it applies if you apply it” view of philosophy is hard to argue with, especially if you argue with it.