Identity and Its Evolution

Mat Dawidowski
Published in Sphere Identity, Mar 13, 2019

Identity is regarded as belonging distinctly to each human being. It is often interpreted as the use of legitimate identification documents such as passports, licences and birth certificates to validate one’s personhood. These days, the identity of an individual seems to be largely under the control of businesses and governments. We leave a digital trail of identities across online accounts and databases, and often forget about them. So, how can you call “your” identity truly yours?

What is Identity, anyway? Who controls it? The demand for the individual control of information is on the rise, but what stands in the way?

The numbers game

How many identities do you have? A basic misconception is that an individual can have only one. Identity is a set of attributes in a system. The “singleness” aspect belongs to the entity. You are one entity, one person, with many identities. A person can have access to several systems and create a separate identity for each. Your Reddit account might contain only a username. Your Facebook profile could include the names of people you have met, your relationships, the places you have been and pieces of your history. You will have identities in government systems and in loyalty programmes; in bank accounts and airline tickets. Each of these has a different collection of your attributes. Each tells a different story about who you are. Entity is one; Identity is limitless.

So, you call yourself unique?

The purpose of Identity is also often misunderstood. We tell ourselves that our identity is what makes us unique, but that is true only to a certain extent. Our identity makes it possible to distinguish our personal information from that of someone else, provided both exist in the same database. It makes us discernible from others in the virtual sense.

Suppose you are recording the dates of birth and names of a group of people into a database. To distinguish between two people in the database, only one attribute needs to be different. If John Smith and Zoe Smith were born on the 4th of March 1975, their identities are unique only because they can be distinguished by their first names. In another database, there might be other such Zoe Smiths, born on the 4th of March, 1975. Other attributes of the original Zoe Smith, such as her eye colour, passport number or place of birth, might tell her apart.
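The distinguishability argument above, as an added example that is not part of the original article: a Python sketch that finds the smallest attribute sets that tell every record in a database apart. The records, the attribute names and the second, larger database are constructed for illustration.

```python
from itertools import combinations

# Constructed sample records (illustrative only, not real people).
DB_SMALL = [
    {"first": "John", "last": "Smith", "dob": "1975-03-04", "eye": "brown"},
    {"first": "Zoe", "last": "Smith", "dob": "1975-03-04", "eye": "green"},
]
# Hypothetical larger database holding a second Zoe Smith with the same birthday.
DB_LARGE = DB_SMALL + [
    {"first": "Zoe", "last": "Smith", "dob": "1975-03-04", "eye": "blue"},
    {"first": "Ana", "last": "Lopez", "dob": "1980-11-30", "eye": "brown"},
]

def distinguishes(records, attrs):
    """True if every record has a different value combination on attrs."""
    seen = {tuple(r[a] for a in attrs) for r in records}
    return len(seen) == len(records)

def minimal_identifiers(records):
    """Return all smallest attribute sets that make every record unique."""
    attrs = sorted(records[0])
    for size in range(1, len(attrs) + 1):
        hits = [c for c in combinations(attrs, size) if distinguishes(records, c)]
        if hits:
            return hits
    return []  # the database contains exact duplicate records

def collisions(records, attrs):
    """Group the records that cannot be told apart using only attrs."""
    groups = {}
    for r in records:
        groups.setdefault(tuple(r[a] for a in attrs), []).append(r)
    return [g for g in groups.values() if len(g) > 1]

if __name__ == "__main__":
    # In the small database a single attribute is enough.
    print("small:", minimal_identifiers(DB_SMALL))
    # In the larger one, name plus date of birth collides for the two Zoes,
    # so another attribute (here eye colour) is needed.
    print("large:", minimal_identifiers(DB_LARGE))
    print("name+dob collisions:", collisions(DB_LARGE, ("first", "last", "dob")))
```

The same person is identified by a first name alone in one database and needs an extra attribute in another, which is the sense in which uniqueness is a property of the database rather than of the person.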

Identity is underrated

In many organisations, the field of Identity is shared between Privacy and Security. However, there are aspects of Identity which neither covers. Obviously, Privacy focuses on data being kept private and Security refers to the protection of that information. Identity, on the other hand, focuses on linking information to the correct person.

Suppose someone with a life-threatening injury is brought unconscious to the hospital by their friend. To treat the person, the hospital needs to know their name, date of birth and health insurance number — all of which the friend can access. The matter is urgent, so the fact that this information is private (Privacy) is irrelevant. The problem of information being disclosed without authorisation (Security) is also not relevant, because the person is in a critical condition. What’s important is the quick and accurate linking of the personal information to the patient awaiting treatment.

Identity is often miscategorised as being part of Privacy and Security, which diminishes Identity’s all-important nature. Let us look at some of the systems that currently manage Identity and how these have been evolving.

Centralised Identity

Centralised identities are stored in a single database for verification purposes. Passports and Driver Licences, for example, are issued by a government agency. The relevant data is stored in that central location. Businesses also become repositories of Identity. Every time a new customer provides their information, the business’s Centralised Identity database grows.

This is as true digitally as it is physically. How many unique profiles and accounts have you created online? Each of these is a new digital identity, stored in databases. Just one database needs to be hacked for personal information to be accessed without authorisation. Centralised Identity is the dominant form of Identity management. It leaves consumers with fragmented identities in multiple accounts, concerned about their digital safety.

Federated Identity

Federated Identity allows people to use the same identity across multiple online accounts. The user stores their personal information on a central application and then shares it with other platforms, which may or may not store it. An example is using Facebook or Google to register for Spotify.

In these cases, the problem of fragmentation is solved — users have fewer identities to juggle around. However, the control of the federated identity of a user lies with the central authority that manages the database. User control of personal data does not come into the equation and the central database is still vulnerable to attack.

User-Centric Identity

User-Centric Identity products have been about user experience and how “central” the user feels to the Identity process. With the development of standards like OAuth and FIDO, users can register their identity and ensure its portability across organisations. That identity can still be kept or deleted by the business or government agency with which it was registered. User control has not yet been achieved.

Self-Sovereign Identity

Self-Sovereign Identity empowers people to have control of their identity. In a fully Self-Sovereign Identity management platform, the user can easily revoke a business’s access to their information at any time. Think of how this applies in the physical world. Most people store “important” documents, such as passports, birth certificates and bank statements, in drawers or safes at home. When they apply for a visa to travel to another country, they send their passport to the appropriate embassy, and it is eventually returned to the drawer. The physical version of their passport is, to some degree, a form of Self-Sovereign Identity. However, if they email a copy of it to the embassy, it could be stored in the embassy’s database. The digital version of the passport is not in the owner’s control because copies can technically be shared without their consent.

Self-Sovereign Identity provides better control of consumer data than physical documents. If a consumer sends their information to a business through a truly Self-Sovereign platform, they can be confident that it will only be used in a way that they have previously authorised.

Identity is now entering the next stage of its evolution. However, Self-Sovereign Identity is in its infancy, so its competitors, namely Centralised and Federated Identity Management systems, still dominate. Due to this, current trends in data privacy regulation, technology and public opinion are in favour of restoring the control of information to individuals. Self-Sovereign Identity platforms are poised to provide people with that opportunity.
