An Identity Problem — Part 2
A Short History
This is part of a series of articles on digital identity. For those catching up you may want to start with part 1.
The use of identity, is no digital revelation. Identity is as old as human society. It’s intrinsic to us as individuals and the way we interact with others, and we use it subconsciously throughout our daily interactions.
Tribal Identity
In ancient days of human society, where bands of people lived in tribes and villages, having an early sense of identity was important. We needed to know who our leader was, who had skills in the various traits of survival, who held the tribal lore and wisdom, who knew the best locations for gathering and planting, who held the best skills for healing, who held the best knowledge of animals and plants, who knew how to best construct tools and weapons.
In any group of humans, there will always be those who are more naturally adept at one skill in particular. One can imagine people’s identities and family names forming around the skills they became authorities upon. Think of all the surnames we carry today that hint at the specialities our ancestors might have had; Baker, Blacksmith, Butcher, Cook, Fisher, Hunter, Trapper, Tailor, Thatcher, Sawyer, Plumber, Potter, Wright.
Not only did we need to know our respective internal tribal identities we also had to apply identity to those we could distinguish that did not belong to our tribe. Was this person friend or foe? How did they act and dress? Where did they come from? How should I respond to them — run in fear or embrace them? Knowledge of a foreign person’s identity was key to whether we would open our village gates to let them enter or bar the gates to force them away.
Identity became a thread so woven into our social fabric that we practiced it subconsciously and routinely in our daily actions. As an innate skill we scarcely knew we were doing it, just like breathing. If we walked into a gathering of people that we identified as near family we knew we could act easily and with familiarity of those around us. Our bearing, language and manners would ease and we would be free with the views and information we would exchange. Inversely, if we met a foreign traveler on a road bearing strength and arms, our bearing and language would be more formal and we would be cleverly guarded in the information we offered to this new stranger.
We use identity just as so now when those around us are family members verses a formal business environment.
Identity Meets Paper and the Institution
Fast forward the affairs of human progress. Imagine an early industrial society of England in the 19th century. Society had grown well beyond the confines of the small village numbering the hundreds and everyone knew each other. Townships burgeoned into thriving cities numbering millions and were full of human enterprise.
In this setting, identity is even more paramount. Gone is a time where everybody living in a village knew each other. In an industrial city, society relies on bookkeeping and record of fact for management of identity. For example the ownership of land and property are now an important part of human affairs and are subject to record keeping. The ownership of land was part of a person’s identity record. This was recorded by deeds to transfer property ownership from one party to another and the ownership of land title documentation; and was of course a paper record that linked people’s identity to land ownership.
The periods around the 19th century and earlier must have been a wonderful time for bookkeepers. They kept paper records for everything. Lists for births, deaths, marriages, jail sentences, court records, shipping and crews and deportation to penal colonies. The list would be endless, all of which the identity of citizens was woven through. However because paper is easy to forge, and as an example, it gives you access to title of land, then it becomes an attractive target. So the early use of credentials came into play. Papers were signed as an analogue form of authentication. Letters were sealed with wax using a stamp with a personal coat of arms — an analogue form of message integrity using an identification emblem.
From Paper to Digital
In the early 1990’s the internet went from confined academic circles to having a mainstream social presence. Gone were the days where a person’s social sphere was limited to their township or village. People were communicating and developing social graphs that were spanning the world. But the internet came with no identity layer in its fundamental design; everyone was intrinsically anonymous.
At first the internet was a basic data publish and push model. People published web sites and people went to read them; similar to a book. It didn’t take long for people to realise the internet was far more useful. People began to digitally transact with banks, trading sites, and e-commerce. Then through the use of social media, began to establish and share their own personality on the web. Essentially under the brand of “Web2.0” the use of the internet was now a two-way connection between entities and contained highly valuable transactions.
With such mainstream social use of the internet and transactions that were intrinsically valuable (be it financial or social reputation), the need to control a digital identity about ourselves become paramount. While we were accustomed to traditional paper based models for using identity, on the web, these became ineffective.
Identity Today
Identity needs a digital equivalent to move into an online society.
Yet in making this transition we have ended up in a situation where our digital identities have been fragmented, copied and generally proliferated over a range of systems in a chaotic state. Think about all the various copies of your identity held by government, utilities, retail organisations. Let alone all the various web presences we manage.
Identity proofing is still often paper based, cumbersome and requiring in-person presentation to verifying parties. Think about the last time you opened an account at a new bank.
Compounding the situation, once our identity is established within an organistion we have only variable levels of control over the stewardship of our data. Privacy regulations may provide good controls in countries that provide them (for organisations that do follow them), but giving your identity information to organisations outside those jurisdictions is the digital wild west.
Pain points include:
- Inability to manage personal data — once identity information is spread over global organisations the owner has very little knowledge or control where there data is and how its being used.
- Consent in Sharing of Personal Data — Following on from above there may be little control and consent how data is shared between organisations, making control of personal information impossible.
- Identity Proliferation and Reconciliation — As identity information is copied and propagated between systems there is no single source of truth. When a person’s information changes the copies held are out of date. This may result issues on lack of trust in identity information.
- Service Exclusion — People who have no officially recognised source identity documents are often excluded from access to social or financial services.
- Passwords, passwords — Many organisations that hold our identity information require their own passwords. This results in a profusion of passwords to manage, or insecure reuse. However this situation is had improved with identity federation techniques (e.g. login with a social identity provider).
- Expensive Proofing Processes — Organisations such as banks must operate expensive and often inefficient KYC (know your customer) processes to meet regulatory compliance.
- Expensive Data Regulations — In response governments introduce identity regulations. These can differ from state to states and are expensive to implement and even more expensive to violate. E.g. GDPR.
Clearly there are some major concerns in translating physical identity into a digital one. In the engineering of identity systems it turns out to be deceptively easy to ignore the human and cultural elements and get it plain wrong. Sometimes so wrong it can feel plain creepy.
Given the current state it is useful to go back to first principles and understand what digitial identity really is.
