By Joe Andrieu
This is the second of a regular column on Identity for the People Centered Internet. In the first column, I introduced the idea of Functional Identity as a way for ordinary people to discuss identity, with this definition:
Identity is how we keep track of people and things, and in turn, how they keep track of us.
This article describes how we do that.
An identity system is a collection of tools and techniques used to keep track of people and things.
As individuals, we do this naturally, in our minds. We name things, then use names and distinguishing features to remember what we learn. We treat people differently based on their identity: treating our friends and family differently from strangers and known threats.
Organizations create processes, software, and services to achieve similar ends. These identity systems are best understood in terms of how they function, which is the same way that identity has worked since the dawn of civilization.
The goal of Functional Identity is to bridge the communication gap so business people, community leaders, and parents can talk with engineers and regulators, and together we can make identity systems that work better for us all.
In the diagrams below, the blue boxes are nouns and the red ovals are verbs – the building blocks for describing identity systems.
We start with the simplest identity system, using three nouns and a verb:
- Subjects are entities—people or things—under consideration.
- Identifiers are labels which refer to entities. They are used to keep track of what we know about those entities.
- Attributes are what we know about people and things. They describe the state, appearance, or other qualities of an entity.
- Correlate means to associate attributes with particular entities, to associate what we know about someone with either an identifier in the system or a subject in question.
Identity systems correlate subjects with attributes in two ways. First, attributes are associated with identifiers referring to specific subjects, thus building a body of knowledge. Then, when we recognize a subject, we associate them with one or more identifiers and everything we know about those identifiers.
For example, consider visiting a local restaurant where your brother, Mike, has suggested you ask for his friend, Su, the chef, who went to the same school you did. The name “Su” is the identifier, and the facts that (1) she is a friend of Mike’s, (2) the chef of the restaurant, and (3) a schoolmate, are attributes you associate with “Su”. When you visit the restaurant and ask for “Su”, you mention to the person who comes out that your brother Mike sent you. Su’s reaction confirms that she knows Mike and that she is “Su”. Now you also know that this person, Su, is the chef at this restaurant and that she went to your school. By correlating attributes (chef, friend, schoolmate) with the identifier (Su), you were able to establish a relationship with a person you just met (the subject). This is the essence of how identity systems work.
These terms apply equally to things other than people, such as organizations, pets, or places. We correlate new attributes with identifiers and vice-versa as we learn about subjects. When we recognize a person or thing we can apply everything we learned about them. In digital systems, this set of related attributes is sometimes referred to as a digital identity or profile.
Input and Effect
We learn or acquire identity information over time, then apply what we’ve learned to various interactions, usually elsewhere.
- Acquire means to gather identity information for use by the system.
- Apply means to use identity information to effect change outside the identity system, typically to moderate an interaction of the subject with a related system.
Identity information might be acquired by observation or by importing from elsewhere. We may learn about someone by watching them, or we may learn through references, rumors, and reputation. Identity systems acquire new information throughout their operational life, just as we continue to learn about people throughout our lives.
Once acquired, identity information must be applied in a specific situation to have impact. If we know something about someone and no one ever acts on, nor shares, that information, it doesn’t affect the world. The way that identity information is applied tells us how an identity system affects our world.
For example, a website might apply the email associated with my account to allow me to reset my password or it may send me unwanted advertisements. The U.S. Transportation Security Administration (TSA) applies the information on its no-fly list to prevent those identified as potential threats from flying.
Making New Ideas
We gain new insights by considering both existing identity information and previously unrelated observations. Identity is more than just what we know about people and apply to our interactions. It’s also how we make judgments based on what we know, gaining insights into character, capabilities, and proclivities.
- Raw data are data which may or may not contain information relatable to a person or thing.
- Derived attributes are conclusions reached by reasoning over identity information. They are what we learn when we consider what we know about people and things.
- Reason means to evaluate existing identity information to generate new derived attributes.
Derived attributes are created by reasoning using raw data and known attributes. By applying reasoning on existing observations and related knowledge, we can gain insights that neither the subject nor the original author anticipated. Raw data such as search history, web browsing, and the time & location information captured by our phones, may contain identity-related information, even when that was neither the purpose nor the intention at the time of capture.
We reason using known attributes to derive new ones. For example, we calculate a person’s age based on the birthdate on their driver’s license to determine if they are old enough to drink legally. Credit companies evaluate recent income, past transactions, and projections of future income to set interest rates and make loan approvals. We remember how people treated us and alter our behavior in future interactions. If someone repeatedly breaks their word, we may stop depending on them.
Securing Identity Information
We go to great lengths to keep identity information secure.
- Secure means to restrict the creation and flow of identity information to the right people at the right time.
Sometimes we keep secrets to prevent information from reaching certain people. We do this with tools like encryption, access control, and minimal disclosure. Legal agreements between people, businesses, institutions, and governments specify appropriate use of certain information while laws, regulations, and the courts allow governments and institutions to oversee, monitor, and intervene in the capture and use of identity information. How identity systems secure certain information, and not others, defines how they preserve and respect privacy.
The right to keep private information private is often referred to as the right of privacy. Many people feel their privacy is threatened because so much information is shared over the Internet, in our workplaces, and through our devices. Information we share in different contexts (business, family, community, etc.) can leak unexpectedly and undesirably into other contexts. For example, the sick day we took for a medical procedure might lead to the human resources department learning about a life-threatening medical condition, resulting in reduced consideration for promotions and new opportunities. Preventing human resources from learning the nature of the procedure (a private matter) is one form of securing identity information to protect our future at the company.
It is very difficult as individuals to keep track of all the ways we are publicly or privately tracked. Information is shared on social media, tracked in Internet searches, monitored when using navigation software, and captured as we use our phones. The sheer magnitude and complexity of the information tracked and used means the average person is essentially incapable of making informed decisions to consent to appropriate use. Some people give up, divulging personal information without regard to consequences. Others opt out, participating as little as possible in our digitally connected world.
We can learn—and teach others—how the concept of identity matters in our lives and the options we have for protecting ourselves, our families, and our businesses. For example, parents can learn how publicly shared photos of their children—and their friends’ children—can unwittingly expose them to pedophiles and human traffickers. Teachers and coaches can learn techniques for limiting the exposure of students’ and players’ information to inappropriate eyes. Small and large businesses can learn how indiscreet requests for simple information like phone numbers or addresses can lead to social engineering attacks and identity theft. A better understanding of identity can help all of us protect ourselves through better identity hygiene.
Bridging the Gap
The nouns and verbs above are grounded in the world of technology and may be unfamiliar for the average individual. More conversational synonyms are presented in the table below. Feel free to use either, depending on the audience.
People, places and things
This is the point of identity: those people, places, and things we recognize.

| Technical term | Conversational term | Meaning |
|---|---|---|
| Subject | Person | Someone under consideration. The subject of inquiry. |

These are the nouns of identity.

| Technical term | Conversational term | Meaning |
|---|---|---|
| Identifiers | Names | Refers to entities. Used to keep track of people and things. |
| Attributes | Statements | What we know about people and things. They describe the state, appearance, or other qualities of an entity. |
| Raw data | Observations | Data which may or may not contain correlatable information. |
| Derived attributes | Beliefs | Conclusions reached by reasoning over identity information. These are what we learn when we consider what we know about people and things. |

These are the verbs of identity.

| Technical term | Conversational term | Meaning |
|---|---|---|
| Acquire | Collect | Intake or generate identity information for use by the system. |
| Correlate | Relate | Associate attributes or observations with particular entities. We associate what we know about someone with either an identifier in the system or with a subject in question. |
| Reason | Reason | Evaluate existing identity information to generate new beliefs, expressed in attributes, captured in statements. |
| Apply | Apply | Use identity information in a system, typically to moderate interactions with known entities. |
| Secure | Protect | Restrict the creation and flow of identity information to the right people at the right time. |

For technologists: we assign identifiers to subjects. We collect raw data and correlate attributes to the subjects we track. We reason over raw data and attributes, to derive new attributes. We then apply this information to current and future interactions with subjects. We secure identity information to preserve privacy.
In more ordinary language: we give names to people. We collect observations and record statements relating those observations to people we know. We reason over these observations, statements, and beliefs to generate new beliefs. We then apply what we know and believe when dealing with those we recognize. We protect identity information to preserve privacy.
This is the vocabulary of Functional Identity, a way to discuss identity in terms of functionality: how it works and what it does for us.
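The five verbs from the "For technologists" summary can be sketched as a small model. This is an added example, not code from the original article: the class and method names, the audiences, the identifier "lee", the legal age of 21, and all sample data are assumptions made for illustration. It shows the secure step as minimal disclosure: a bartender learns only the derived attribute, never the birthdate it was reasoned from.

```python
from dataclasses import dataclass, field
from datetime import date

LEGAL_AGE = 21  # assumption: the article gives no number for the drinking age

@dataclass
class IdentitySystem:
    records: dict = field(default_factory=dict)  # identifier -> {attribute: value}
    policy: dict = field(default_factory=dict)   # audience -> attribute names it may see

    def acquire(self, raw):
        """Acquire: take in raw data; rows naming no identifier cannot be correlated."""
        return [row for row in raw if row.get("identifier")]

    def correlate(self, observations):
        """Correlate: attach each attribute to the identifier it refers to."""
        for o in observations:
            self.records.setdefault(o["identifier"], {})[o["name"]] = o["value"]

    def reason(self, identifier, today):
        """Reason: derive the attribute 'of_age' from a known birthdate."""
        born = self.records.get(identifier, {}).get("birthdate")
        if born is None:
            return
        age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
        self.records[identifier]["of_age"] = age >= LEGAL_AGE

    def disclose(self, identifier, audience):
        """Secure: release only what the policy allows this audience (default deny)."""
        allowed = self.policy.get(audience, set())
        return {k: v for k, v in self.records.get(identifier, {}).items() if k in allowed}

    def apply(self, identifier, audience):
        """Apply: moderate an interaction using only the disclosed attributes."""
        return self.disclose(identifier, audience).get("of_age", False)

def demo(today=date(2024, 1, 1)):
    ids = IdentitySystem(policy={"bartender": {"of_age"}, "restaurant": {"role"}})
    raw = [  # constructed sample data
        {"identifier": "su", "name": "birthdate", "value": date(1990, 5, 17)},
        {"identifier": "su", "name": "role", "value": "chef"},
        {"identifier": "lee", "name": "birthdate", "value": date(2003, 1, 2)},
        {"identifier": None, "name": "location", "value": "cafe wifi"},
    ]
    ids.correlate(ids.acquire(raw))
    for identifier in list(ids.records):
        ids.reason(identifier, today)
    return ids

if __name__ == "__main__":
    ids = demo()
    print(ids.disclose("su", "bartender"), ids.apply("lee", "bartender"))
```

An audience with no policy entry receives nothing, so a new consumer of identity information has to be granted attributes explicitly rather than inheriting the whole record.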
Functional Identity focuses on how identity works. We avoid the psychological, cultural, political, and philosophical notions of identity. These notions are important, but they can also distract us from understanding the technical choices involved in building and using identity in today’s Internet-enabled world.
This focus on functionality may help clarify and improve your own conversations about identity.
How we keep track of people and things is not just a technical matter; it affects our lives. For many, identity is not a conceptual issue; it can literally be a matter of life and death.
In future articles, we’ll use this language of Functional Identity to describe how real-world identity systems are being built and how they enable a people-centered Internet.
Please take a moment and share this with your colleagues and friends, and let us know what you think. Comment below, or email me at [email protected].
This article also appears at http://blog.joeandrieu.com/2017/08/25/how-identity-can-enable-a-people-centered-internet