[OpenID] What does "identity" MEAN?

[Jack Cleaver]

SitG Admin wrote:

> I'm trying to imagine a world without identity, and what my mind 
> would do trying to wrap itself around the concept of someone trying 
> to sell me the idea of identity. I don't mean lacking the ability to
>  distinguish ourselves from other entities as separate individuals, I
>  mean the idea of knowing who other people *are*. To relate this to 
> OpenID, let's step back a moment from the idea of accounts *at all* -
>  think of the internet as just one giant bulletin board, where anyone
>  can leave notes anywhere.

You've articulated the question well; but then you've dropped it, and
fallen back to discussing the identity of blog-posters again.

Identity in a world of physical people you have met, people can talk to
in person, is a kind of baseline. Knowing "who someone is" in such a
context means knowing what they look like, how they talk, what they
believe, where they live, and what they do for a living. In theory, one
might be acquainted with a person in that kind of way, and still be
deceived about their identity; for example, they might be a secret mole,
operating under deep cover for a foreign power. But personal
acquaintance still seems to be the best kind of identity you could ask for.

A second kind of "identity" has developed, whereby one is known by one's
token. Originally this was one's mark or signature; appended to a
handwritten letter (or to some other sample of one's handwriting) it was
a fair indication that the signed content was one's own work, or at
least that one assented to its meaning. This was extended to the
expression of assent by means of signatures on cheques and contracts, so
that the identifier consisted *only* of the autograph; and at this
juncture the strength of the identifier is seen to have become pretty
questionable (signatures are quite easy to forge, particularly if one is
handling them in bulk, as banks do).

So now those who would use our identity to compel our compliance with
our obligations are seeking stronger tokens. My autograph alone is no
longer any good for opening a bank account; I must also produce a
passport or a driving licence, some recent payslips, and some number of
utility bills. To obtain the passport or driving licence, I must now
subject myself to a retinal scan. The bank hopes by this means to have
at least some of the knowledge of me that someone who knew me personally
used to have - where I live and work, principally.

What does this accumulation of evidence achieve? I think it achieves a
kind of consistency; the result is a collection of identity tokens that
purport with various degrees of credibility to be attached to a
single individual. Essentially, the bank knows (or hopes they know)
where to find me. They don't know how trustworthy I am, and certainly
they can't distinguish me from someone completely different, who happens
to have obtained control over my tokens. If I present myself in person
at my bank without my various tokens, I am not recognised. So in fact
they *don't* know the individual, even though they might (think they)
want to; they only really have enough information to mitigate the risks
of lending me money.

For "bank" you might want to substitute "state". A century ago, the
majority of people had precious little interaction with the agencies of
the state; the state, in turn, had little knowledge of its citizens and
visitors. Borders were much more porous, and few people had bank
accounts. Beyond the realm of personal acquaintance, identity didn't
mean very much. The UK government wishes to issue us all with tokens
that incorporate retinal scans, medical records, autographs,
photographs, and PINs, and doubtless they hope that we will present
these tokens every time we do anything interesting, so that they can
"know" us in some sense. At the same time, marketers hope to know us by
building a profile of our economic activities; loyalty cards, RFID
chips, cookies and the like are deployed on a massive scale in order to
develop an identity to which we have not consented at all.

So here we are in the internet age; a good part of our interactions with
others are now conducted remotely, with people who have never met us,
and who will never be acquainted with us through physical meeting. That
strong concept of identity, the concept based on personal acquaintance,
has gone, to all intents and purposes. Instead, we must settle for an
identity that is built around utility. If I make a contract with
someone, what do I need to know about them? Ultimately I might want to
know how to find their physical person, so that I can drag them into
court; more usefully, I might want to obtain references (e.g. an eBay
feedback score). What if I was considering employing someone on (say) an
open-source project? I might want to search the net for evidence of
their participation in other projects; their eBay feedback would
probably not interest me. And suppose I was evaluating some remarks on a
blog, where the author was prognosticating about (e.g.) politics? I
think I might not be interested in their reputation either as a coder or
as a trader; instead I might want to know whether they had a record of
disseminating propaganda and bullshit. Another scenario: I am engaged in
a (legitimate) plot to overthrow the elected government - perhaps by
revealing certain secrets about prominent figures. My fellow plotters
would be known to me by personal acquaintance. I would probably want to
know that my correspondence was secret, and that my correspondents were
indeed the acquaintances I believed them to be. A PGP key exchanged in
person might serve my purposes; their goverment-issued ID card would
probably not be useful to me.

In each of these scenarios, I think the type of token I would require,
so that I was confident that I knew who I was dealing with, would be
different. In only one of these cases would I require confidence that
was equivalent to that of personal acquaintance.

My point is that in this new world, identity is instrumental; it is what
you want to use it for that determines what kind of identity you need to
obtain. It is certainly not the case that a single identity should serve
all these purposes; on the contrary, it is clear that the form of
identity that satisfies my government is *not* the identity that my
fellow conspirators require, and the form required by my bankers is
different from the form required by a marketer.

In short, we manifestly possess multiple identities nowadays, and they
are largely if not wholly disjoint (that is: it doesn't usually matter
whether my various identities belong to one person or several).

Hey, I'm sorry; this long tract bears only a loose relationship with the
topic of OpenID. I've written it because a lot of comment here seems to
be predicated on the notion that my identity is unique; it isn't, it
doesn't need to be, and it isn't possible to make it so.

-- 
Jack.