#SSI101: An overview of non-human identities

Juan Caballero
Oct 21, 2019
Think of “machine identity” as a way to “fingerprint” everything on an Internet of [many new] Things

Having just defined identity by the most commonplace of human examples and one technological example which lays bare many of the differences, now might be a good time to dwell on the wide variety of non-human identities and the ways their particular needs can be crucially important to business, to society, and to the future of our economy. In a word, “non-human identity” is Spherity’s specialty, and having collectively invested decades in studying these cases which others might consider niche or theoretical, we are particularly proud of our expertise in this field. We feel there is a kind of Metcalfe’s Law to the importance of non-human identity: with each new connected device, the number of possible connections grows geometrically, and thus the value and complexity of the network. But with that complexity come new vulnerabilities and attack surfaces, increasing the urgency of secure identity for each connected thing.

Manufacturing robot with fingerprint icon
Industry 4.0 requires machinery to be as identifiable as employees

Machines and electronic devices are the most obvious starting point, since the consensus among analysts of contemporary manufacturing is that the coming decades will see essentially all manufacturing transition intentionally to “Industry 4.0” methods: manufacturing processes will grow dense with data and rich in machine-to-machine interactions. The trade name for the hordes of data-producing devices making this possible is the “Internet of Things” (IoT), and this name makes clear that each of those specific things will need to have a strong, precise identity, protected from both local and remote attacks on the integrity of their identity and their data. Without certainty about the identity of each data-producing thing, that data will not be worth very much!

Mobile phone with fingerprint icon
Industry 4.0 also requires identity at every price point

In the world of industrial IoT, people often joke that “smart things” (electronic devices with network connectivity built in) are only half the data that is needed for Industry 4.0: even more difficult to identify cheaply and at scale are the many lightweight, networked sensors that continuously measure and monitor “dumb things,” like inert raw materials, the integrity of load-bearing walls, environmental conditions, and other decidedly non-data-producing objects. These kinds of sensors are usually relatively low-cost, low-security devices tasked with producing important data about other low-cost, low-security things that are impossible or infeasible to connect, digitize, or even securely identify. Thus, not only high-complexity, safety-monitoring equipment but almost any data-producing device can end up sending dangerous data if its identity is compromised, which is why much of the market-leading investment in device identity has been in the military and high-value manufacturing sectors, where the worst-case scenario is very important.

Motor scooter with fingerprint icon
Vehicles may be the first complex machines to adopt sophisticated identity

Within the category of smart things, some are smarter than others: automobiles and other personal mobility vehicles are leading the charge towards a world full of highly smart and complex data-producing things, and they are years ahead of most manufacturing sectors in their investment and planning for vehicle identity. This refers not just to upgrading the “serial numbers” of today to create standards for “smart serial numbers”, but also to many of the sensors, devices, and third-party components within a car. Not only do sensors and components need strong identification for their data to be reliable, but their identification must be as reliable as that of the rest of the car for its data to be associated with the whole car’s identity. (For “smart serial numbers” and other innovations in automotive identity, see our forthcoming automotive deep-dives in our SSI201 series.)

Many components and chips inside of a car need to be separately identifiable

In addition to counting many automotive concerns as clients, Spherity is also proud to be a core member of an international blockchain mobility consortium called MOBI. This group works to align the data needs and agendas of manufacturers, regulators, transit planners, and other stakeholders towards the creation of open standards for vehicle identity that can transform not just the automotive industry but mobility itself. If factories are going to be transformed by tidal waves of new forms of data and analysis of that data, imagine how different mobility will be in our day-to-day lives a decade or two from now. If the right actors can get their hands on the right data at the right time, we might even expect that mobility future to be more “load-balanced,” more sustainable, and more equitable. (More on this in a future post for our SSI301 series.)

Graphic representation of a ML algorithm with fingerprint icon
Algorithms need to be as precisely fingerprinted as any other mission-critical software

Not all data-producing machines are physical machines, though — algorithms, in particular machine-learning algorithms and other “autonomous” entities that exist within software that produces original and sensitive data, must also be identified securely and reliably. Many of the security mechanisms that can be built into hardware do not help limit the identity risk of an algorithm, creating a much higher threshold for version control and cybersecurity in the production, management and execution of these critical and resource-intensive forms of software. These are also [very] smart things that need ironclad identity for their data to be useful, and for their outputs to be traceable.

Board meeting gathered around a fingerprinted clipboard
Few non-lawyers think much about legal identity, but it can be a pretty sensitive topic!

Algorithms are not the only smart, autonomous thing that does not exist in the physical world. Legal persons, organizations, companies, and other legal entities produce data and act in the world according to unpredictable governance mechanisms much like algorithms do. But unlike algorithms, they exist in legal language and bank accounts rather than in software code, which makes them a little harder to fingerprint, identify, and trace across their many iterations and transformations. Unlike individual pieces of software, however, legal entities are traditionally registered with a central government authority, making the basic facts of their “identity” semi-public and stable, even if financial and personnel records are held much more privately.

Business process flow chart with fingerprint icon
Even mundane and mechanical business processes can be valuable to watermark or fingerprint

Within an organization, many business processes that treat these private, proprietary stores of data might need to be accessed outside the company in a specific context, without making those sensitive internal pieces of information semi-public or risking their being intercepted. Nowadays, there are few options available in most cases, other than the two extremes of onboarding an outside person or organization on the one hand, or handing over information that can then be taken outside of its specific context. Identity within organizations, i.e. identity for business processes, automates the selective disclosure of, for example, personnel data, which would be very risky to handle in a conventional framework of all-or-nothing access to data. Even if the personnel data is fully anonymized or only shared in an extremely secure, controlled, limited context, this kind of data-sharing can bring immense accountability, trust, and security to business or regulatory processes. (Expect deep-dives to come that look into “re-usable” or portable credentialing in the SSI201 and into GDPR’s concept of “scoping data-sharing to purpose” in the SSI301 series.)

At Spherity, we do not specialize in any one or two of these non-human identities, but in architecting and integrating systems that handle as many of them as needed to create new forms of value and new business processes that scale. Our SSI201 blog posts will detail the specific data needs of a given kind of non-human identity or of the various non-human identities of a given industry or sector, like energy, circular manufacturing, smart manufacturing, etc.

But returning to the tour of core concepts in our 101 series, we can turn now to a sometimes misleading political metaphor for data control mechanisms: self-sovereignty.
