Everyone & Everything
When we think about identity and identification we generally tend to think about people. Sometimes we think about companies, but most of the time regulators, lawmakers and the public tend to think about people. However, people are actually a rather small subset of the general category of “thing that will need to be identified in the always-on and always-connected world of future”.
Instead of just thinking about people and companies then, we need a bigger picture to help us to formulate digital identity concepts in context. A simple way to do this, sufficient for our purposes, is to begin by dividing the universe into two categories: things that exist and things that don’t exist.
Things that exist are things like me, my toaster and my cat. Easy.
Things that don’t exist need a little more explanation. In his book “Sapiens — A Brief History of Humankind”, the historian Yuval Noah Harari talks about the cognitive revolution, which he defines as the point as which “history declared its independence from biology” because human beings gained the ability to think about things that do not exist, such as Citibank. He writes that
“Corporations do not exist in nature any more than Catholicism or human rights. These are stories. Lawyers are shamen who tell stranger tales”.
Indeed, limited liability corporations are, I agree, one of our species’ most ingenious inventions. They are an important example of the things that don’t exist that will need identities, but there are others. Artificial intelligences, for example.
If my conception of the future reputation economy is even approximately right then, as we shall see, the ability to recognise all of these things (that is, things that do exist and things that don’t exist), to form relationships with them and produce communicable reputations from these relationships generates a workable paradigm. We can then use this paradigm to think clearly about problems and to communicate effectively to create practical solutions.
We can subdivide these basic categories further to give us a useful working framework to refine our thinking.
Things That Exist
Things that exist can quite easily be subdivided into things that are living of things that are not living. I need an identity and so does my toaster.. Thing is that our living can quite easily be subdivided into people and everything else, with the possible exceptions of virus is which are a sort of grey area that we can skip over the purposes of this discussion. I need an identity and so does my cat.
Things That Don’t Exist
Things that don’t exist can quite easily be divided, building on the distinction noted earlier, into things that are legal constructs and things that are not legal constructs. Thus, in my head at least, there is a distinction between the identity of the company, an identity that can take part in contracts and transactions, and the identity of an “smart” “contract” which is something entirely different. I can certainly imagine a future in which certain kinds of artificial intelligences are given legal personhood and the ability to form contracts but I cannot imagine a future in which (as was proposed to the legislature of Malta) the same status is afforded apps on a block chain. That really is a discussion for another day though.
It is clear that these different kinds of identities must be able to interoperate. My online identity should be able to recognise your company’s online identity. My toaster should be able to recognise authorised users. I should be out a delegate to my vet the ability to. I should be able to understand the reputation of a financial services wealth management AI and give consent frit to access my bank account.
For this to happen there has to be trust frameworks that these identities can work with him. There doesn’t have to be one trust framework, and that may well be a weakness in some of my previous thinking on the topic. Within a framework, they may be very many different kinds of identities but the framework will establish the standards and mechanisms for interoperability. Should I be able to login to create an account with British Airways using my bank identity? Probably yes. Should I be able to login and create a bank account using my British Airways identity? Probably not.
In some countries and in some cultures the idea of having a single trust framework and a single identity within that framework is seen as being the natural way forward because, apartment the house, it is the simplest and cheapest way to proceed. But for a variety of reasons I am wholly unconvinced that this is the right way forward in general and it’s certainly not the right way forward for the UK. We need a much more sophisticated infrastructure to simultaneously deliver goals for previously, security, practicality and cost effectiveness.
An Identity Paradigm
I think we can get there and the way to start on a roadmap to take us from here to there is the three domain identity (3DID) model that sets out the concepts of identification, authentication and authorisation as well as the relationships between them.
This model actually has a long history. I first began to conceptualise digital identity as less of an abstract concept and more specifically as the connection between mundane and virtual identities a couple of decades ago. In 2007 this appeared in a simple form in a book that I edited, “Digital Identity Management”. Over the years, along with my colleagues at Consult Hyperion, I expanded and enhanced the model to ensure it remained congruent with emerging global standards and that it grew in its capacity to facilitate effective communication between different groups of stakeholders to enable them to develop strategies for identity for the world that is evolving rather than the world be leaving behind (this is why, for example, I will repeatedly draw a distinction between the implementation of digital identity and the digitisation of analogue identity). With these factors in mind then let’s begin to lay out the model and explore its implications.