This post started its existence about a year ago. I had been involved in a project called Smart Cities. From my perspective (interested in e-participation and IS security), there were two big questions that I came away with; I am still wondering how to find answers, so forgive the rambling…
The first question comes from the overlap of geography, identity and citizenship online – and how it relates to e-identity. That’s what this blog is about.
The second question came from the problems caused by a checklist approach to compliance with privacy law. That’ll be covered in a (probably much shorter) future blog.
Citizenship and e-identity
It’s a truism that geography doesn’t go away online, as demonstrated by the rise of hyperlocal media and the extensive work on local online empowerment by eparticipation practitioners. People like Catherine Howe have been thinking hard about what it means to create localised online spaces to “encourage people to act like citizens” and you could do worse than read her blogs on hyperlocalism – this one in particular.
Now, I think many people feel that they belong to more than location. This raises the question: what does it mean to be a ‘citizen’ of a place (city) when you’re online? Can a location decide you are not a citizen?
It might be fairly easy to agree what it means to be a ‘citizen’ or a resident of a nation state, but it gets more difficult as the geography gets smaller and more local – particularly away from the big cities like London or Amsterdam. For instance, I live in Falkirk and commute to Edinburgh, but have connections with the Scottish Borders: where do I belong? Which of these places have a duty to take my opinion seriously or to deliver me an (online) public service? It’s not simply where I pay my local taxes, is it?
So the questions: how can a city know if it’s dealing with a real person? How do we define who is entitled to participate in a local space, and to what extent? But first, a small technical diversion…
Entities, Identities and eId
Fundamentally, identity is understood in two ways. There’s the idea of identity that’s been around as long as we’ve been (self-consciously) people: social and psychological. Here physical location (hence citizenship), personality types and social context are central to understanding how and why people behave in the way they do. People are inherently very good at handling and understanding multiple social realities and roles (Goffman in the 1950-70s used a metaphor of actors and audience members on multiple stages).
What happens when we move to online electronic identity (eID)? In summary: engineers with their inhuman expectations of logic, consistency and clarity.
A nice description of the issues of translating between social identity and eID can be found in Alpar, Hoepman and Siljee (2011). They describe a clear structure that distinguishes how an entity (person) has multiple online identities fulfilling multiple roles (which can switch to other people). Online identities can be transferred or shared too – from having responsibility for a minor, to sharing login details for bank accounts, to creating and selling World of Warcraft characters. That is, a well-constructed eID infrastructure allows for a many-to-many-to-many relationship between elements on all three levels.
A frequent problem is that the people defining eID systems seem to confuse identity and identifier, identity and role, or the person and their online identities – and there is no space for the concept of actors and audience working together to perform social roles.
The designers of identification infrastructures often give an impression of wilfully ignoring the social and psychological reality of human identity, though there are honorable exceptions.
Identity and identity providers
When creating an eID infrastructure, core design decisions revolve around the relationship between two key functions: identity providers (IdPs in the jargon) and Relying Parties (RPs). IdPs are responsible for authorising an account within a security realm; an RP is the company or organisation that needs to check a user’s identity before carrying out an action.
As implied above, the battle is currently on to become the dominant identity provider. In the UK at least, the agenda is set by US internet corporations like Facebook and Google. Some people – such as David Birch – have argued that there is no reason why banks or mobile phone companies cannot do this, but this has not yet happened. Also, see David’s TEDx talk: Identity without a name for some important issues around how eID is currently managed.
(I think one of the reasons people feel so uncomfortable with the attempts by Facebook and Google to force people to have “one true identity” is that they are conflating entity and identity.)
Are we doomed to rely on US-based corporations?
The problem in the UK at least is that central government is not trusted. Which – though understandable – is a shame. Government can be a natural choice, and other European countries are putting eID infrastructures in place (Estonia, Sweden, Germany for example), which ensures some level of democratic accountability at least.
One of the issues is that both the former UK ID card programme and the American corporations rely on centralised, not federated, models: that is, one big (vulnerable) database which holds all the information about individuals and their activities. In contrast, there has been growth in online personal data stores and ID providers such as Mydex and miiCard, which rely on a federated model.
A modest proposal: what about your friendly local library?
So, onto the wildly speculative part. Here are two assertions:
- It seems logical that in the end, even in the UK, the state will have to take a role in guaranteeing the integrity and honesty of ID infrastructure, and perhaps even providing a trusted service itself.
- There will be an ongoing drift towards federated identity infrastructures as the vulnerabilities of centralised databases become obvious through sundry attacks.
I started off by asking how to define who is entitled to participate in a local space, and to what extent.
Public libraries are almost by definition anchored to place, have a direct route to linking a real person to a claimed identity, and, since they have no interest in holding more than basic information about you, could act as a trusted federated identity provider. And you can’t get much more local.
It wouldn’t take much to allow libraries to act as verifiers that you have a connection with a local community, and there’s no reason why libraries should be interested in whether you’ve registered elsewhere.
Can you think of anyone else you would trust more? 🙂
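A sketch of the library-as-identity-provider idea, added here as an illustration and not taken from this post or any existing system: the library tells a relying party only that the holder has a local connection, under an identifier that differs for each RP. Every name and key is constructed, and the per-RP shared MAC key is a simplification assumed for brevity; a real deployment would use public-key signatures.

```python
import base64, hashlib, hmac, json, time

# Every name and key here is constructed for illustration.
LIBRARY = "library.example"                 # hypothetical library IdP
PSEUDONYM_KEY = b"known-only-to-library"    # never shared with any RP
RP_KEYS = {                                 # one MAC key per relying party
    "council-forum.example": b"forum-demo-key",
    "hyperlocal-news.example": b"news-demo-key",
}

def pairwise_id(member_no, rp):
    """Per-RP identifier: the same member looks different to each RP."""
    msg = f"{member_no}|{rp}".encode()
    return hmac.new(PSEUDONYM_KEY, msg, hashlib.sha256).hexdigest()[:32]

def issue(member_no, rp, now=None, ttl=300):
    """Library side: assert a local connection and nothing else."""
    now = int(time.time()) if now is None else now
    claims = {"iss": LIBRARY, "aud": rp, "sub": pairwise_id(member_no, rp),
              "local_connection": True, "exp": now + ttl}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(RP_KEYS[rp], body, hashlib.sha256).digest()
    enc = base64.urlsafe_b64encode
    return enc(body).decode() + "." + enc(tag).decode()

def verify(token, rp, key, now=None):
    """RP side: return the claims, or None if the token is not acceptable."""
    now = int(time.time()) if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body = base64.urlsafe_b64decode(body_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:                      # wrong shape or bad base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                         # forged or altered
    claims = json.loads(body)
    if claims.get("iss") != LIBRARY or claims.get("aud") != rp:
        return None                         # issued for a different party
    if claims.get("exp", 0) <= now:
        return None                         # expired
    return claims
```

The membership number never appears in the token, and two relying parties comparing their `sub` values cannot tell they are dealing with the same person.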
Even more than usual, I look forward to hearing about where I should look to find out more on this area.
- Gergely Alpár, Jaap-Henk Hoepman, Johanneke Siljee: The Identity Crisis. Security, Privacy and Usability Issues in Identity Management. CoRR abs/1101.0427 (2011)
- David Birch: Identity without a name. Top TED talk that brings out the paradoxes around e-identity.
This blog is an expansion on the points I tried to make during a “one minute madness” session at a recent research conference.