#SSI101: Identities & Identifiers
Where SSI starts — This is the first glossary entry from our #SSI101 series
[See the Table of Contents for an explanation of the series.]
Identity is a deceptively familiar word, yet one which proves quite hard to define precisely in the software world. It is even harder to define in the broader, physical and social world, so I would like to start there. Because everything has an identity, the word “identity” cannot be much more specific than the word “thing”. The etymology doesn’t help much: “identitas” is a late-medieval combination of the Latin word for “same” and the Latin suffix for “-ness.” This “sameness” refers to the stability and unity of something that stays the same, which, if you stop to think about it a little, is everything and every thing. For the most part, two kinds of sameness make something “a thing”:
- sameness across time, i.e., you being the same person all of your life, or a mountain staying put, etc. We often call this “persistence” in software design.
- sameness across many different instances or specimens of one stable category, i.e., the sameness that makes all humans human beyond their individual traits or biographies, or all ducks ducks, etc. In software, this might be called a “class” (and each specimen an “instance”).
One of these two samenesses, or some combination of the two, is what people mean when they refer to the “identity” of anything. Part of why this paragraph is so hard to write and so frustrating to read, is that I have just described essentially every concept in every language. If I may repeat myself for emphasis, everything has an identity, even if that identity doesn’t do much functionally or conceptually.
These two kinds of sameness are also what you look for and trace when you try to “identify” a thing, i.e., to deduce or decide the identity of a person or thing when it is unknown. Typically, you only need to identify a thing if you do not know its “identifier”: the name, address, label, icon, serial number, or other meaningful piece of information that tells you what you need to know about the identity of that thing. When you do not have an identifier that is meaningful to you, this forces you to do the identifying yourself, which can be a lot of work. Wild mushrooms are a good example: only people who enjoy doing extra mental work teach themselves the complex process of identifying edible mushrooms in the wild; the rest of the world is happy limiting themselves to restaurant mushrooms and grocery-store mushrooms, or avoiding fungi altogether.
It can be hard to grasp power when speaking at such an abstract level, but “identifiers,” and whoever or whatever provides the missing context needed to make them meaningful, are powerful players in the real world, and we are helpless without them. For the same reasons, identifiers (and whoever controls registries of identifiers) are very powerful in the world of communications. Stop and think about the power relations at work when your phone rings: various “Caller ID” systems on modern telephones do everything they can to query public and private registries in milliseconds for some identifier that may help you decide whom you are talking to, how much you can trust them when they identify themselves, and how to talk to them.
But returning to the software world more specifically, things have historically worked very differently than in the worlds of mushrooms or phone numbers. A person’s “identity” has typically referred not to a property inherent in the person, but to a container for that person’s data stored in the servers and information systems of an organization with which they interact, like a bank or a hospital. These all-powerful identities are often called “identity providers,” which says a lot about how software has redistributed power in the world and changed how people see themselves.
Every time someone visits a bank or a hospital, they prove themselves to be the same person about whom lots of data is stored, then that file is accessed by the relevant authorities, and then the person interacts long enough with the organization to add a little more data to that file, which stays in the hands of the organization. The file can be requested and passed on to other parties, at the discretion of the “identity provider,” but fundamentally they live on servers in the control of the identity provider, and from there can be analyzed at will by the provider, or even mined, sold, breached, or worse. If public opinion is growing increasingly dissatisfied with this state of affairs, one key cause of that might be that the public has not been presented with many substantial alternatives in the relatively short history of software.
All of this, both within software and without, may sound fairly specific and well-defined when the examples are human identities and their data, but it gets a lot more fuzzy when you realize how many non-human things also exist in a stable and defined way in the modern world. Increasingly, these non-human things communicate with us through channels designed for human language and identity, and thus we can shift our thinking about them a little by referring to their identities as non-human identities. Much like unfamiliar humans, unfamiliar things have to be “identified” before interacting with them, or the definitively re-identified before trusting them in high-stakes contexts.
A doorbell camera is a potent, if slightly sensational, example of how important the identity of an inanimate object can be. Let’s imagine that you have installed a digital camera to watch your front door remotely while traveling, but after an uneventful few weeks, the video feed starts sending you uncomfortable and implausible information about who goes through your door while you are away. You might study the footage and start to wonder: how certain am I that these images really come from the exact same camera I installed? Did these things happen at the same time the camera claims to have recorded them? How would I know if the camera was modified, hacked, or impersonated by someone intruding in my home, physically or virtually? The data is only as reliable as the camera itself, and your certainty of the identity of the camera, and the channel bringing you that data, which is three different ways of saying the identity of the camera.
Hopefully these example makes clear how non-human identities, processes of non-human identificiation, and access controls to identified devices like cameras can be so important. At Spherity, we spend a lot of time thinking about how non-human identity systems can be as sophisticated and as powerful as human identity systems. Since it is such a core topic for us, let us turn now to a deeper dive into non-human identities in particular before going further into the basics of SSI.
