Reading the Tea Leaves

Identity: Starting with the Basics August 16, 2012

As I have danced with the issue of identity management in education over the years  it has amazed me the degree to which it is an amazingly complicated and subtle issue.  It seems obvious at first glance but quickly becomes obscured in a cloud of issues.  So, to begin this series, I will talk about the use case of identification.   What is it, what kind of identifiers can we use, and what are we identifying exactly.  Let me start by stating the problem space “identity management” needs to handle.

In the non-virtual world we have various ways of identifying.  I will classify them into two types: people, places and things we know, and people, places and things we do not yet know.  For ease of writing I will focus on people but this conversation will go almost identically in talking about places and things.

We identify people we know by markers we pull from memory.  We know what their facial features look like, how they move, their voice, their way of speaking, how they dress and present themselves, and sometimes we are prepped with those memories by the context and location we are interacting in.  If we meet someone “out of context” we will sometimes take longer to recognize them.   I once knew a young lady very well who always wore red-ALWAYS.  It had become a prime association for me with her.  One day I met her walking down the street and she was in a yellow blouse and a brown skirt and I literally did not recognize her until she smiled and addressed me.  These combinations of factors often become so ingrained we are not conscious that we are processing individual attributes and factors but rather we just “recognize” people, places, and things.

We identify people we don’t know very differently.   We also use outward attributes such as appearance, clothing, location, and context to “guess” and make assumptions about people we don’t know.  This primarily has an impact on trust.  To what degree do you trust a stranger.  If you are not revealing anything personal, or financial or anything that could be “used against you”, and they do not appear to be hostile, then trust does not matter.  In those cases you spend very little time processing the “identity”.  However that changes the moment you need to ask them to do something or they ask or demand that you do something.  Suddenly you begin actively processing their identity.  There are many strategies.

You  may trust them more because they look, sound, and dress like you do.  If they clearly come from your culture or social class.  If they are the same gender or race or NOT the same gender or race.  I am not saying any of these as political statements but rather as pointers to the human condition.   The context is very decisive in these kinds of instant assessments: if you bump into someone in a bad section of run down urban area you will go through a different assessment process than you meeting someone who looks just like you at a best friend’s party.

You may ask them for their name. You may ask them what they do, what is their role.  You may ask them what they need from you.  If it becomes formal you may ask to see their paperwork- their passport, or driver’s license, or work ID, or their warrant.  You may call someone you know who they claim to know, or you may call their boss or their organization.  You may call the police or some other third party authority to ensure they are who they say they are and you can trust them enough to interact with them.

All these escalations are a function of how intrusive or private the request is and how comfortable you feel receiving or giving information or services to this person.  There are no fixed rules.  Every person has their own thresholds around privacy, generosity, trust, and safety.

If we take this then into the virtual world we have the same issues but we do not (at least in many cases) have the same visual, auditory, and contextual triggers and data to use as in the real world.  So we must find replacements or stand-ins for those.

In the virtual world we use four primary ways of “recognizing” people:

1.  Usernames inside a particular context.  Examples of this are handles in a multi-player on-line game, Skype, Google Talk, a LinkedIn forum, a bulletin board.
2. Email addresses
3. Credit cards  These are  primarily person to application identification to allow access or approve execution of a service- like send this person this book, or allow this person to access this site , or add this person to pay this bill. This model can be and often is linked to number four below.
4. Authentication through log in utilizing some kinds of credentials.

These are the “faces” and “voices” of the virtual world.  As we begin to move more and more into rich media collaboration and communication it may more and more include faces, voices and bio-metrics as those but as of yet those are rare indeed.

So this post is designed to introduce the problem. In my next post I will discuss the actual structures used to identify things in this virtual work: GUIDs (Global  Unique Identifiers), Dot Notation taxonomy-based identifiers, URIs in all their incarnations, locally-assigned identifiers attached to records,  content-based derived identifiers, and paradata -based identifiers.  These make up the “formal paper work”, the passports, the drivers’ licenses, of the virtual world.

I will probably start in the next post to also talk about third-party authorities (ICANN, DNS servers, credit card companies, social network sites, and certificate issuers) but that may be post number three.

Please comment, ask questions, clarify, disagree, elucidate as you will.  I will post again in a few weeks.