Identity, local citizenship and a modest proposal

This post started its existence about a year ago. I had been involved in a project called Smart Cities. From my perspective, (interested in e-participation and IS security) there were two big questions that I came away with; I am still wondering how to find answers, so forgive the rambling…

The first question comes from the overlap of geography, identity and citizenship online – and how it relates to e-identity. That’s what this blog is about.

The second question came from the problems caused by a checklist approach to compliance with privacy law. That’ll be covered in a (probably much shorter) future blog.

Citizenship and e-identity

It’s a truism that geography doesn’t go away online, as demonstrated by the rise of hyperlocal media and the extensive work on local online empowerment by eparticipation practitioners. People like Catherine Howe have been thinking hard about what it means to create localised online spaces to “encourage people to act like citizens” and you could do worse than read her blogs on hyperlocalism, this one in particular.

Now, I think many people feel that they belong to more than one location. This raises the question: what does it mean to be a ‘citizen’ of a place (city) when you’re online? Can a location decide you are not a citizen?

It might be fairly easy to agree what it means to be a ‘citizen’ or a resident of a nation state, but it gets more difficult as the geography gets smaller and more local – particularly away from the big cities like London or Amsterdam. For instance, I live in Falkirk and commute to Edinburgh, but have connections with the Scottish Borders: Where do I belong to? Which of these places have a duty to take my opinion seriously or to deliver me an (online) public service? It’s not simply where I pay my local taxes is it?

So the questions: how can a city know if it’s dealing with a real person? How do we define who is entitled to participate in a local space, and to what extent? But first, a small technical diversion…

Entities, Identities and eId

Fundamentally, identity is understood in two ways. There’s the idea of identity that’s been around as long as we’ve been (self-consciously) people: social and psychological. Here physical location (hence citizenship), personality types and social context are central to understanding how and why people behave in the way they do. People are inherently very good at handling and understanding multiple social realities and roles (Goffman in the 1950-70s used a metaphor of actors and audience members on multiple stages).

What happens when we move to online electronic identity (eID)? In summary: engineers with their inhuman expectations of logic, consistency and clarity.

A nice description of the issues of translating between social identity and eID can be found in Alpar, Hoepman and Siljee (2011). They describe a clear structure that distinguishes how an entity (person) has multiple, online identities fulfilling multiple roles (which can switch to other people). Online identities can be transferred or shared too – right up to having responsibility for a minor, sharing login details for bank accounts, to creating and selling World of Warcraft characters. That is, a well constructed eID infrastructure allows for a many-to-many-to-many relationship between elements on all three levels.

A frequent problem is that the people defining eID systems seem to confuse identity and identifier, identity and role, or the person and their online identities – and there is no space for the concept of actors and audience working together to perform social roles.

The designers of identification infrastructures often give an impression of wilfully ignoring the social and psychological reality of human identity, though there are honorable exceptions.

Identity and identity providers

When creating an eID infrastructure, core design decisions revolve around the relationship between two key functions: identity providers (IdPs in the jargon) and Relying Parties (RPs). IdPs are responsible for authorising an account within a security realm; an RP is the company or organisation that needs to check a user’s identity before carrying out an action.

As implied above, the battle is currently on to become the dominant identity provider. In the UK at least, the agenda is set by US internet corporations like Facebook and Google. Some people – such as David Birch – have argued that there is no reason why banks or mobile phone companies cannot do this, but this has not yet happened. Also, see David’s TEDX talk: Identity without a name for some important issues around how eID is currently managed.

(I think one of the reasons people feel so uncomfortable with the attempts by Facebook and Google to force people to have “one true identity” is that they are conflating entity and identity.)

Are we doomed to rely on US-based corporations?

The problem in the UK at least is that central government is not trusted. Which – though understandable – is a shame. Government can be a natural choice and other European countries are putting eID infrastructures in place (Estonia, Sweden, Germany for example) which ensures some level of democratic accountability at least.

One of the issues is that both the former UK ID card programme and the American corporations rely on centralised, not federated, models: that is, one big (vulnerable) database which holds all the information about individuals and their activities. In contrast has been the growth of online personal data stores & ID providers such as mydex and miicard, which rely on a federated model.

A modest proposal: what about your friendly local library?

So, onto the wildly speculative part. Here are two assertions:

  • It seems logical that in the end, even in the UK, the state will have to take a role in guaranteeing the integrity and honesty of ID infrastructure, and perhaps even providing a trusted service itself.
  • There will be an ongoing drift towards federated identity infrastructures as the vulnerabilities of centralised databases become obvious through sundry attacks.

I started off by asking how to define who is entitled to participate in a local space, and to what extent.

I wonder if an extension to the existing library card procedures could hold part of the answer?

Public Libraries are almost by definition anchored to place, have a direct route to linking a real person to a claimed identity, and, since they have no interest in holding more than basic information about you, could act as a trusted federated Identity provider. And you can’t get much more local.

It wouldn’t take much to allow libraries to act as verifiers that you have a connection with a local community, and there’s no reason why libraries should be interested in whether you’ve registered elsewhere.

Can you think of anyone else you would trust more? 🙂

Even more than usual, I look forward to hearing about where I should look to find out more on this area. 

Further reading:

This blog is an expansion on the points I tried to make during a “one minute madness” session at a recent research conference.

About Peter Cruickshank

Lecturer in the School of Computing and a member of the Centre for Social Informatics at Edinburgh Napier University, Scotland. Interested in information systems, learning, politics, society, security and where they intersect. My attempts at rounding out my character include food, cinema, running, history and, together with my lovely wife, bringing up a cat and a couple of kids.

8 Responses to Identity, local citizenship and a modest proposal

  1. Lauren says:

    I can think of one reason that libraries would be interested in whether you were registered as a library user elsewhere – electronic resources and ebooks. If someone’s a member of multiple library authorities, there’s likely to be some degree of crossover with the resources available to them. Contracts with providers work based on calculations of the size of the population that the authority serves. The sensible option to me seems to be that ebooks and electronic databases etc. should be provided through a national service, but that’s well beyond the level that public libraries and the government are working at.

    I can imagine libraries becoming infinitely less trusted should they take on an (incredibly political) responsibility like ID card authentication. That’s based on the assumption that everyone will even *have* a local library to go to in the future.

  2. Thanks for your feedback Lauren – they’re fair points and I defer to your knowledge and experience!

    My main focus was finding a lightweight way to check whether someone has a local connection.

    This then led me to trying to think how the role of library branches could evolve… but I’m happy to accept this idea is a non-starter.

    If all a Library was doing was saying that you physically exist and have been to one of their branches – just to confirm you have a library card and so have a connection to the local area – would that still be an issue?

    Also as you imply, e-books might well end up taking the geography out of the relationship with libraries, for lending at least, so maybe this is another reason I’m looking in the wrong place?

    • PS Having just read your last blog post – I wonder if there could be a relationship to the “Eight Central Values of Librarianship” – particularly Equity of access and Democracy. Particularly if you think that one of the core things the internet is for is to give a route to democratic participation in how your local community is run.

  3. It sounds as though what you are thinking of is a lightweight Shibboleth implementation, with public libraries acting as the trusted Service Provider, as part of a new or existing Federation.

    Technically this should be a simple implementation, Lauren’s points regarding political implications are as always where the issues lie.

    Some library services do use National Entitlement Cards, (which are highly political) and are managed from a shared Scottish member database, so extending this is a possibility, there would have to be improved infrastructure, both with council IT and library systems.

    Access to resources which are based on size of population are another issue, and this is something which is crying out for shared procurement as they have in HE and in many of the Scandinavian countries.

    • Hi Lynne, thanks for that. I guess what I’m after is a lightweight & low risk way to (only) prove that you belong to an area.

      One scenario would be if a discussion/consultation website can pass Shibboleth a location and ask it to confirm whether the commenter comes from somewhere near there – no need to confirm name. That way the people running the consultation process would know how much weight to give the comment, while keeping the anonymity which is so important to consultation processes.

      Should be plausible?

  4. Hi Peter, you might be interested in my blog piece on Shibboleth and location: Obviously you could also simply refer to registered postcode if the question was more where do you live rather than where you actually are.

    • Hi Nicole – Thanks for that – receiving comments like this reminds me why I (mostly) love the internet!

      The location assertion service looks really relevant – it wouldn’t be much of a stretch to give people who want to comment on a local participation website the option to be able to assert that they are physically (or live) quite close to what’s being talked about, and therefore should be taken a bit more seriously.

      Now to find someone building a participation system who is willing to try this out…
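The exchange sketched in the replies to comments 3 and 4 (a consultation site asks "is this commenter local to X?" and learns nothing else) can be shown as an added example; it is not code from the post, from Shibboleth or from any library system. The register, keys, area names and function names are constructed for illustration, and HMAC stands in for the IdP's private-key signature that a real federation would use.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values. In a real federation the IdP signs with its own
# private key; a shared HMAC key is used here only to stay in the stdlib.
IDP_KEY = b"demo-idp-signing-key"
PAIRWISE_SALT = b"demo-idp-private-salt"
# Constructed register: library card -> areas with a verified local link.
LIBRARY_REGISTER = {"card-0001": {"falkirk"}, "card-0002": {"edinburgh", "scottish-borders"}}

def _sign(body: bytes) -> str:
    return hmac.new(IDP_KEY, body, hashlib.sha256).hexdigest()

def idp_issue(card_id, area, audience, now=None, ttl=300):
    """Library IdP: answer only 'is this person local to <area>?' for one RP."""
    now = int(time.time()) if now is None else now
    # Pairwise pseudonym: stable for one (person, RP) pair, unlinkable across RPs.
    pseudonym = hmac.new(PAIRWISE_SALT, f"{card_id}|{audience}".encode(),
                         hashlib.sha256).hexdigest()[:16]
    claims = {"aud": audience, "area": area, "exp": now + ttl, "sub": pseudonym,
              "local": area in LIBRARY_REGISTER.get(card_id, set())}
    body = json.dumps(claims, sort_keys=True).encode()  # no name, no card number
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def rp_verify(token, expected_audience, expected_area, now=None):
    """Consultation site (RP): return the claims if the assertion is valid, else None."""
    now = int(time.time()) if now is None else now
    try:
        b64, sig = token.split(".")
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:
        return None
    if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
        return None  # altered or not issued by the IdP
    claims = json.loads(body)
    if claims["aud"] != expected_audience or claims["area"] != expected_area:
        return None  # issued for another site or another question
    if claims["exp"] < now:
        return None  # stale assertion, replayed later
    return claims
```

The relying party sees a yes/no answer and a per-site pseudonym, so it can weight a comment or rate-limit one commenter without learning who they are or matching them against other sites.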

  5. This story has relevance: Survey Reveals Librarians Second Only to Doctors in Public’s Trust. It’s on the Society of Chief Librarians website, but still…

    Public Libraries Information Offer survey reveals that internet users trust library staff more than most other providers of online support and information. Internet users trust library staff more than most other providers of online support and information, and public library staff are second only to doctors in terms of the trust placed in them by seekers of information, according to an evaluation commissioned by the UK Society of Chief Librarians and supported and funded by Arts Council England.
