An Identity Problem — Part 3

Defining Digital Identity with Data

Richard Bergquist
Published in Coinmonks
7 min read · May 2, 2018

This is part of a series of articles on digital identity. If you are catching up, you may want to start with part 1.

Digital identity is not a simple topic to define. If you ask a group of people what identity is, you will typically get as many answers as there are people. But we all have an inbuilt sense of self, an “us-ness”. We know by instinct when use of our identity feels right and when it feels intrusive. Simple dictionary terms such as “who someone is” may start well. But when we consider identity in the rapidly evolving digital ecosystem, the sands start shifting based on perspective and usage, making the straight, simple road less apparent.

Given we live in a changing world with shifting sands, it makes sense to look at identity through a series of perspectives that aim to future-proof it. Identity is certainly not a one-dimensional problem. It concerns our data, what it means in a social context, how it relates to trust and also what identity means for other physical entities.

This post starts with one of the three definitions that I’ve found helpful.

Definition 1 : We Are Our Data

In a simplistic way, digital identity can be viewed purely through the lens of data. It expresses the notion that our digital identity is the information about us that accumulates over time. It is related to our history, experiences, achievements and interactions.

“Digital identity is the sum collection of information that belongs to an entity.”

This is a reasonably mechanical view of digital identity as a collection of individual attributes that describe an entity.

Typically, full knowledge of a digital identity data set is never used. Often only a subset of the information in a digital identity is used to determine trust and, consequently, to define the risk levels at which the owner is allowed to participate. While the total existing set of digital identity attributes is vast, they can be broadly categorised into three groups:

  • Inherent attributes: Attributes that are intrinsic to an entity and are not defined by relationships to external entities. E.g. age, place of birth, fingerprints.
  • Accumulated attributes: Attributes that are gathered or developed over time. These attributes may change multiple times or evolve throughout an entity’s lifespan. E.g. academic record, health record, property ownership, financial status.
  • Assigned attributes: Attributes that are attached to the entity, but are not related to its intrinsic nature. These attributes can change and generally are reflective of relationships that the entity holds with other bodies. E.g. third-party profiles (such as credit records, social graph), employer ID, email address.

Data Points of Digital Identity

To illustrate the use of the above definition, some examples are presented. They represent “data points” in an individual’s life. The examples sample the set of digital identity information associated with the individual, some of which is inherent, some accumulated and some assigned.

Identity Information at Birth

At birth you have an initial base set of identity information. You obtain a birth certificate that documents your birth event and your parents. At this stage the richest component of an infant’s identity is their relationship to the parents, and their identity may effectively be expressed under their parents. When traveling over a border, an infant traditionally used to “travel on their parents’ passport”.

Identity Information as a Child

As the individual grows their set of identity information expands. Represented below is the example identity of a school age student.

The graph of information starts to flourish, while retaining core information. Circles of relationships grow. Academic, health and government records are established. Likes, interests and dislikes are established.

Identity Information as an Adult

The following image now illustrates how the set of information that represents an identity changes over time. Likes become dislikes. While a 5 year old likes a birthday party and dislikes going to bed, the opposite applies when you are 45. Interests come and go, playgrounds are replaced with adult pursuits, sports and hobbies. Relationships alter, expand and shrink. Property and wealth records accumulate.

A Sliding Window of our Claimed Information

From the above snapshots it is clear our identity information is constantly evolving. Imagine a sliding window in time that provides a perspective on our information. As that window slides left and right on a timescale, the identity information is constantly morphing.

Identity information is a rich and dynamic set. The information that we “claim” for our identity can be quite changeable on the timeline.

Who you are today only guides who you are tomorrow as a result of our actions and events.

Digital Identity and Us

The notion of a digital identity makes an appearance in the above graphs of information. While the identity information about ourselves flourishes, a digital equivalent also starts to grow. Arguably it could be in the first graph, as at birth. However, while our identity and digital identity complement each other, they are not the same. Our identity relationships form a very rich web, while our digital identity represents a subset of, or pointers to, our information.

The notion of a digital identity as a pointer to our physical one leads to its use as a credential.

A credential is a special piece of data about our digital selves. While it is only a very small piece of information about our digital identity, it is used to establish, to some degree of confidence, that the presentation of the credential proves the identity of the possessor. Just as a key is a credential to unlock a car, a password, biometric or one-time password from a token are credentials to unlock our identity when we transact online.

What is important to realise is that the password is not our identity. Our identity is much richer than a simple password.

Identity Theft — Really?

So what is “identity theft”? Let’s think about some consequences of illegitimate access to one’s credentials. Which are considered “identity theft”?

1. “Somebody is using a fake passport using my information”: Yes — that’s identity theft.
2. “Somebody stole my Google account password and is accessing my Gmail”: Yes — identity theft, but maybe not as bad as my passport.
3. “Someone found my keys and stole my car!”: No. That’s just car theft. Isn’t it?

The first two definitely stand out as what we know as “identity theft”. But the last is just what we know as “car theft”. Yet all of the above are just the result of stealing a credential about ourselves of some form. And the key (credential) and car still belong to me. Is this notion of “identity theft” a bit confusing?

Consider the complete graph of information belonging to an identity. It is not possible or feasible to steal and misrepresent that entire set. Whatever is misrepresented (e.g. a password credential) to unlock an identity, there are always more items that can be used to verify to whom the identity belongs.

Say someone stole your name and your address details and faked your driver’s licence. They still cannot steal the deep web of information about you in its entirety. Think of the graph of information in your relationships, and their relationships, and so forth, and all their known identities.

If somebody steals your driver’s licence they will not be able to walk into your family home, kiss your wife, ask your kids how school went, call your brother, eat dinner with your wife and go into your bed. I’d be willing to bet somebody would say something. Trusts and relationships between individuals form an extraordinarily strong set of identity.

Stealing a passport or a password is not identity theft; it is really just “credential fraud” — to misrepresent the presenter as belonging to another set of identity information. Complete identity theft is impossible.

Concluding Definition 1 : We Are Our Data

“Digital identity is the sum collection of information that belongs to an entity.”

While this is a relatively mechanical definition, it provides some useful insights into the dynamic nature of the information we claim about ourselves. It is changing and rich. Credentials are just a small aspect of that, and stealing a credential is really just credential fraud. Let’s not get carried away with “identity theft”.

Coming Next — Part 4 — Defining Identity — Context is King…


Richard Bergquist

Digital identity consultant assisting organisations with strategy, innovation and delivery of customer identity solutions.