The unbearable lightness of identity
The word “identity” has proven an invaluable marketing mnemonic over the last few years for the identity management market. Back when the market went by the name “directory services,” anyone who bothered to ask got the impression I sold yellow pages ads for a living. Those days are over! “Identity” has taken our craft mainstream. There are now about a hundred companies that make their home (or second or third home) in this multi-billion-dollar market space. Here’s how far it’s come: A few days ago, my pre-teen son enthusiastically showed me his new student ID card. It had a nice picture of him on it and all kinds of information about him. It looked cool. It had a digital part, too. He can use it to get lunch, log in at computer labs, and (for all I know) to get discounts at shopping malls. Thanks to a reportedly under-funded public school system and the word “identity,” my son now has some inkling of what I do all day.
But the word “identity” has always bothered me as a description for this market. From what I can tell, people associate the word identity with intensely personal, if nebulous ideals. But in the tech world, identity is little more than an ID (and some attributes—had to add that in for the identity purists out there). So when I think of my son being raised on the reductionist idea that his identity is something handed to him on a wallet-sized gizmo, it evokes for me images of the existential plight of mankind in a post-modern, Kafka-esque society (for a visual description of what I mean, see the movie Brazil; or you could read Kafka). Yes, of course we can build better, more efficient identity systems. We can do a lot to improve the comfort of the populations that identity systems manage. But the paranoid side of me wonders whether in so doing we are blissfully refining the machinery that will eventually enslave us (and the cinematic reference this time is “Cube”).
Of course, identity systems don’t enslave people—people do. But let’s not sugar coat it, either: the machinery of identity systems is intensely apersonal; it is an instrument of social control. Now, don’t get me wrong, I’m a big fan of social control: it’s like self-control on a societal scale. The issue is how we go about it. The stylistic choice we make as a society in apportioning rights and resources has direct causal effects on the quality of our lives.
Just what kind of relationship requires the issuance of IDs, anyway? Doesn’t it feel a bit unnatural? Interpersonal relationships generally don’t rely on IDs: I haven’t issued smart cards to any of my friends (yet). My mother frequently couldn’t remember her kids’ names; and we generally just called her “mom” (a role!). So why do IDs exist at all? Well, IDs are the artifacts of human interaction with impersonal institutions and devices, such as corporations, governments, and computers. They’re for use in systems that don’t have natural instincts or personal relationships. They’re also used in large populations, because the scale of the community challenges the cognitive limits of most mortals.
Accordingly, identity management vendors have catered to the corporate market. And perhaps within the limited context of a single business such mechanisms have limited range (like conventional weapons). But when projected onto society as a whole, the domain-centric presumption that identity systems encapsulate gives “identity” a Hobbesian-Orwellian flavor.
So it’s time we take a step back and reassess what we’re trying to accomplish with identity systems—or I should say identification systems. I’ve always believed that the technologies we now (disingenuously) refer to as identity systems are tools for supporting communities. Here’s how I put it in 2001:
Directory services [or in today’s jargon, identity systems] are information structures designed to mitigate the cognitive costs associated with community membership and to help coordinate behavior among community members. The directory [identity system] is any such cultural cognitive artifact, regardless of the type of technology the artifact employs.
Admittedly, it’s a bit stuffy. Still, the idea is that the overarching goal isn’t to issue everyone an ID, but rather to promote relationship, community, collaboration, and interaction.
I admire the ambitiousness of Kim Cameron’s Laws of Identity. Characterizing seemingly random phenomena as a set of predictable outcomes resulting from willful actions is an essential step toward progress in any space. Such laws allow enable us to model the efficacy of the systems we create before inflicting them on humanity. But identity isn’t the proper locus of our attention as technologists. Identification systems aren’t sufficiently featured to promote relationship, community, collaboration, and interaction among participants (and in some cases they detract from those goals).
Laws of Relation
At Burton Group we’re taking the concept to the next level, to develop laws of relation. Our focus is on the connection or the network, rather than on the end points. Embedded in this idea is also the proposition that a relationship is a thing of value—a property that has an existence and bears characteristics distinguishable from the participants in it. Relationships are also (inescapably) shared properties, subject to the social dynamics typical of common pool resources (CPRs).
One aspect of relation that we’ve focused on lately at Burton Group is the idea of symmetry in relations. It’s the notion that optimal relationships have a high degree of symmetry in actors’ control over key aspects of the relation. We touched on this topic in our research on Internet communities and at Catalyst. Bob Blakley (now with Burton Group, but an IBM employee at the time) also presented directly on this concept at Catalyst North America in July.
We’re now beginning to publicly formalize our thinking on the subject. In this post, I’ll take a stab at what I’m calling the Law of Relational Symmetry (which, to be more accurate, is really just a postulate at this point). Note that I’m using law here in the context of natural observed law, not as a legal or moral construct.
Law of Relational Symmetry
The party in control of the terms of a relationship controls the relationship and, in the absence of symmetrical countervailing controls, will eventually exploit the other participants.
By “terms” I mean the rights and empowerments over the property or resource in question—in this case, the relationship itself. With relationships, exclusive ownership is almost unimaginable. Rather, participants share usage rights, such as the right to set rules (for interaction and penalty) and the right to enter or leave the relationship.
An imbalanced distribution of such rights entitles the party wielding the greater power to exploit the others. Murphy’s law tells us that if exploitation can happen, it will. In asymmetrical relationships, exploitation even happens inadvertently, because it’s an outcome of the structure of the relationship and not entirely the result of pernicious intent of the controlling party. The law simply predicts the outcome of asymmetrical relationships. The law doesn’t favor symmetrical relationships or forbid asymmetrical relations—in fact, the Law of Relational Symmetry predicts exploitation will result in all but the most carefully balanced relationships.
But the law also suggests that relationships are more difficult to exploit when parties’ leverage over the relation is balanced. Like the yin-yang symbol, symmetry doesn’t imply mirrored equality. Balance isn’t necessarily achieved by giving both parties the same rights. Rather, in symmetrical relationships, parties find it difficult to move unilaterally in matters affecting the relationship. In short, symmetrical and asymmetrical are both sustainable forms of relationships, but only symmetrical relationships offer balanced outcomes for participants.
Implications of the Law of Relational Symmetry for Identity Systems
The Law of Relational Symmetry suggests that most contemporary identity systems are asymmetrical and therefore exploitive in nature. With today’s products, the party that owns the identity system is in control of almost all of the terms. For example, the provider sets up the parameters for your name in the relationship (whether DKF3498 or BGates1), the characteristics of your password (six letters, case sensitive, but no special characters), and the challenge questions (mother’s maiden name or favorite pet’s name). This situation is partly a matter of limitations in the technology, but is also an extension of a larger social issue. That is, in most cases, when natural persons form relationships with employers, retailers, or other legal organizations, the natural persons have few rights in the relationship. The organization also controls the legal contract governing the relationship. Typically, persons have the right to exit (by quitting a job or not buying a product or service—which are basically Hobson’s choices), with most other parameters are in the control of the organization. (This is the topic of an excellent book by James Coleman called “The Asymmetric Society”. Also see the bit about “Coercion” in Bob Blakley’s post On The Absurdity of Owning One’s Identity.)
The user-centric identity movement aspires to grant people greater leverage in relationships with organizations by apportioning users a degree of control over the use of personal information. It is of course a worthy cause and will improve many relationships; however, user-centric identity (as currently constituted) doesn’t achieve symmetry in person-to-organization relationships, and so such relationships will continue to drift toward exploitive results. Although the name suggests that users would be in control of the relation, user-centric technologies provide only incremental empowerment to natural persons, because organizations retain significant rights over the nature of the relationship.
Achieving parity in person-to-organization relations (for those interested in achieving it) requires a change in the playing field—not just a few bolt on features to existing identification systems. Much more disruptive inventions are required to establish symmetry in person-to-organization relationships. Why should a person be required to submit personal information to the relationship at all? Doing so puts a person at tremendous risk, while organizations divulge very little sensitive information in return. And, to attack the heart of the problem, why don’t people (referred to as “users” by organizations) have the same legal rights as corporations?
My belief is that the only way to create symmetry in person-to-organization relationships is by granting persons similar legal status as corporate boards (an interesting reversal, since corporations are in many instances viewed as persons in the law). We’ve floated the concept of “Limited Liability Persona” in a few public forms (for example, see Jamie Lewis’ presentation at Digital ID World and Lori Rowland’s July TeleBriefing). The phrase encapsulates the idea very well—it provides legal status and protection for people, similar to a Limited Liability Company. However, “LLP” is already in use to mean Limited Liability Partnership, so we’re working out the name, but in a future blog post we’ll spell out the concept in detail.
[posted by Mike Neuenschwander]