Thursday, June 15, 2006

User Identity: Relationships and Trust

I ran into this entry on Identity - Management and trust[Discovering Identity - Mark Dixon] which took me on the following thought sequence. Please note this rambling is more of a tomato/TomATo discussion so if you have some thing better to do skip this one.
Identity and Relationship
Identity, the way I see it, is about perceptions that a acknowledging entity has of the identity entity. First of all, an identity can not exist without a relationship. This relationship can be between you and any other entity (which can be person, group, corporation, etc.) or even yourself. But this raises a question well did you not miss the entity itself. Shouldn't there be an identity of entity itself which exist all by itself? Yes, the existence of the entity itself is necessary either in past (a star that has turned in to a black hole), present or in future (various elements in periodic tables that were identified but not discovered until later) but it not sufficient for the identity. Unless there is no need to identify the entity, the identity can not come in to existence. And the requirement for identifying the entity itself would mean that then exists another entity which is interested in acknowledging the existence (and hence the identity) of the entity. (I know most of you are thinking "What was that!") Sorry could not find a better way to explain the idea. I was thinking of coming up with a few examples but most of them I thought were a rehash of the idea of "If a tree falls down in the woods and no one is around to hear it - does the sound have an identity?"
Another approach of looking at this idea of relationship dependent identity (this is where I would like to thank the "upnishad" to help me build an "identity philosophy" ;) ) is to assume that identity itself is an ever existing ethereal "thing" which manifest itself in different forms (which is what we actually refer to as an identity for practical purpose) specific to a given relationship. This would mean that a person can have an identity of John Doe in the context of his relationship with his friend and an identity of number 123-45-6789 in the context of his relationship with his government and so on.
Identity Attributes / Description
So after we have identified the entity in the context of a relationship, the next thing that is comes into play is attribute / description of the identity. Understanding of identity's tangible or intangible attributes is result of various interactions that acknowledging entity is having with various entities (besides the identity entity) and perceptions built as a result of those interactions. The tangible attributes are attributes that can be measured or quantified. Now the measurement or quantification can either be performed by acknowledging entity itself (for example height, finger prints, psychological profile test, etc.) [direct attributes], received from another "trusted" entity (like name from driver's license, credit score from credit agency) [indirect attributes] or computed based on values of one or more direct, indirect or computed attributes (risk level of a client for mortgage application) [computed attribute]. Please note that this is the first time we have talked about trust in this monologue. Also note that the trust we talked about is between acknowledging entity and 3rd entity and NOT between identity entity and 3rd party. Which brings us to another point that I wanted to bring out i.e. identity is not built on trust. Trust becomes important only when it is not possible for the acknowledging entity to measure or quantify the attributes that it needs for the identity entity. Let's apply it to a web based banking transaction. Since the bank does not have a mean to measure the attributes to correctly identify the person who wants to do the transaction, it has to trust a computer (3rd entity) to provide the measured attributes that it needs to identify the identity entity. Now based on this chain of thought (I am not sure where I went wrong with my logic), I inferred that the explicit trust relationship is between bank and computer and NOT between person (identity entity) and the computer (3rd entity) or between person (identity entity) and the bank (acknowledging entity) or viceversa. Identity and Trust
In the previous section we talked about the how the concept of indirect attribute brings in the concept of explicit trust i.e. the trust that two entities have between each other. Now trust is (like identity) needs a relationship to exist. In this cynical world most of the people will see trust always in the context of the identity and transaction (i.e. entity A trusts entity B because entity A can identify entity B and its risk level attribute in the given transaction context is low) rather than another attribute of relationship ( i.e. entity A has a relationship with entity B for no apparent reason). Still assuming that trust is based on relationship we can think about reflexively (entity trusts itself), binary (if entity A trusts entity B then viceversa is true) and transitivity (if identity entity trusts acknowledging entity and acknowledging entity trusts 3rd entity then identity entity trust third entity) of trust between entity. Well based on our experiences we can say that none of these property is exhibited automatically by trust (probably reflexively in case of most of people :) ). But still in this world we try to build these properties on the trust through laws, contracts and past experiences, etc.
Now if we start looking at how the 3rd entity actually get the attribute that was available to acknowledging entity, we see that as a part of another relationship, that the user had with an entity, the identity for the user was established. This identity then was shared by the acknowledging entity with the 3rd entity. This means that the 3rd entity starts to build a perception about the the identity entity even though there was no explicit relationship between identity entity and 3rd entity. Lets call this relationship an implicit relationship. Given how quickly number of these relationships can increase, it would be really important to think about how these implicit relationships can be controlled (well most of the business solve it by asking their customer explicitly about their preferences).
User-centric Identity Management
So, to summarize
  • Identity is the perception that an acknowledging entity about the identity entity
  • Identity attributes can be direct, indirect or computed.
  • Trust comes into play only when acknowledging entity can not measure the attributes of the identity entity.
  • Trust can have reflexively (by default for most people anyway), binary and transitivity property built into it based on laws, contracts and past experiences.
  • Relationship itself can be either explicit (as in case of identity entity and acknowledging entity) or implicit (as in case of identity entity and 3rd entity that receive identity attributes from acknowledging entity).
So, based on the discussion itself, I see that if the users need to get control over their identity across all of their relationships, the following needs to happen
  • Identity entity should know and be able to track all their explicit relationships and attributes (Guess that is something that users will have to do unless there is some automated process to do that)
  • Acknowledging entity needs to tell identity entity about all their trusted relationship with all 3rd entities (as discussed in context above) and the indirect attributes they accept from these 3rd entities.
  • Acknowleging entity need to tell identity entity about all their trusted relationship with 3rd entities (as discussed in context above) and the direct attributes they provide to these 3rd entites.
  • The 3rd entity need to ensure that all their relationships with regards to attribute that they distribute or accept from other entities must be available either on per identity entity basis or in general.
Now this is not happening any time sooner so the next best thing is to ensure that all the data is masked before they are shared with other 3rd party. This without a proper data masking standard would defeat the whole idea of sharing the data (unless it is for consolidated analysis) or would it?
Till we solve these issues, I do not see the User centric identity being a reality. I see some vendor initiated client side identity management products who are trying to solve these issues using technology. But without a support from all the stakeholders (like frameworks and standards to share identity data between business, business themselves and laws or guidelines around these) I do not see anything like this taking off. I remember having a conversation last year in May in context of one of the vendors around the drivers for user-centric identity software and only possible driver that we could see was either law makers passing laws around this or some decisions in court based on the lawsuits on behalf of people who lose their identity data.
If you have reached this line would love to hear your thoughts.

No comments: