Who am I?
Well, I don’t know about you, but I think I know who I am. I’m me.
Ah, but, perhaps the question uses the word ‘who’ as discriminator, as in “Which person of many am I, and what means can I provide to enable anyone to demonstrate this?”
Identity in 5 Minutes
Consider twins. We can’t identify people 100% based on appearance, but it’s pretty good. We can’t identify people by their names – not only are there many called ‘John Smith’, but knowing that one twin is John and the other is Jack doesn’t actually help you identify John. Having a name or ‘identifier’ doesn’t constitute identity, it’s the label you can attach to the identity once you’ve apprehended it.
What we are left with is the only thing guaranteed to be 100% unique, an individual’s experience (their mind and its memories). And we can only corroborate this by referring to those who have intersecting experiences, i.e. who have memories of encounters with the person to be identified.
However, corroboration remains hearsay. We can never be 100% certain, we can only be confident according to how well we trust the words of those we consult, and this can depend upon how well we know them, or how well those we know know them, etc.
We find that identity coincides with reputation.
We also find that identity/reputation is not something that the individual possesses. Their identitiy/reputation is something possessed collectively, in part, by everyone they have ever met.
In correspondence or online, appearances are rarely available. We therefore need to create artificial appearances, artificial names, and artificial recordings of meetings/transactions and appraisals thereof. From these we can create artificial identities and reputations. These needn’t correspond to human beings, i.e. humans can control multiple artificial identities, and some identities may be entirely controlled by computer, whether AI traders or dumb proxies.
Online, we don’t record our identities, we record our experiences of everyone we deal with.
Identity/reputation is extracted collectively, ad hoc.
The Identity Reputation Duality1
I think we should disintegrate everything back to first principles, which also means decentralised and distributed. Deconstruct ‘identity’ and all preconceived notions related to it (especially IT based ones). It’s probably best to rewind one’s perspective back to a preindustrialised era too – just to be safe.
Identity is reputation and, for convenience, an associated name.
Identity is something an individual entity possesses only as a consequence of the fact that they are inescapably distinct from any other individual, by dint of a distinct experience (interaction with other individuals). Even a cloned identity will immediately diverge into a distinct identity from its fellow clones.
An individual’s identity is not constructed by the individual, but is a product of their relationships with others. Thus if they partition their relationships they can obtain separated/multiple identities.
However, identity is dependent upon the individual’s memory/experience of their relationships with others, because it is only through corroboration by shared memories/experience that the identity is sustained. A ‘Stepford wife’ becomes detached from their identity despite retaining their name and appearance. However, the identity they lost has not been destroyed – it remains intact in the minds of those they knew.
Incidentally, because it is a more familiar term and is less jarring to our understanding of how identity operates in human society, I will sometimes use ‘individual’ even though ‘identity’ is generally more accurate. We just need to bear in mind that a 1:1:1 correspondence of human:individual:identity is just the familiar case, i.e. to at least keep at the back of our minds that an individual is not necessarily human, and may possess multiple identities.
An individual’s name is a disambiguator only from the perspective of each individual it encounters (has relations with). The name only needs explicit disambiguation if two or more individuals need frequent reference in the discussion of one or more other individuals who know them. If I know two John Smiths I may need to use “John Smith the deputy prime minister” and “John Smith my brother in law”, which is often rendered unnecessary through context. However, each John Smith may have no other relations that need such disambiguation (everyone else they know may be unaware of another John Smith). Names do not need to be universally unique.
The uniqueness of an identity does not come from its name, but from the identity’s uniqueness. It means the identity is amenable to a unique name, but it doesn’t depend upon one. A unique address saves time in delivery, but again, the ‘wrong’ John Smith will recognise cases of mistaken identity and can disambiguate upon such occasions.
So, when we pare it right back, we find that identity consists only of a set of shared memories of interactions. A unique-ish appearance that helps us associate an individual with a unique-ish name that we associate with a set of memories of previous interactions with that individual. We don’t even need the appearance – it’s just helpful. Given a typewritten letter and a name, we can corroborate the letter/name with our memories for that named individual. For people we know well or who are otherwise distinguishable by the nature or content of their writing, the name can often be omitted, and we can still recognise the identity of the author.
However, it is the nature of human beings that identity is difficult to impersonate if appearance is involved (disguise can be tricky), so we may readily authenticate identity on appearance alone, and only worry if what should be self corroborating shared memories fail to corroborate. A new Stepford Wife, despite initial acceptance of authenticity obtained through identical appearance, soon triggers ‘corroboration failure’ alarms in the minds of those who presumed the presence of the previous identity.
So, identity is first protected from impersonation by the difficulty of reproduction of appearance (including voice, mannerism, smell, etc.), but secondly protected by the difficulty of reproduction of memory (non-consensually).
Why do we care about impersonation? Because 1) we don’t know that impersonation is occurring, and 2) we don’t know the identity of the impersonator. If we don’t know that impersonation is occurring then any decisions that we may make dependent upon an identity (and their reputation) become invalid – likely to be highly divergent with the decisions we’d make were we aware of the true identity (invariably the impersonators’ precise intention).
If we knew that impersonation was occurring, we’d at least be able to avoid making incorrect decisions. And if we also knew the impersonator’s identity then we need only decide whether their intention is fraud, benign substitution or humour.
Benign substitution is where impersonation occurs with the consent of the original identity (perhaps unable to be present) – hopefully undetectably (with risk of detection). This may be dishonest, but at least no harm is intended. All decisions are likely to be safe where the impersonator can sufficiently replicate shared memories and convey new ones back to the original identity. This also assumes a situation in which the original identity’s body or other associated property is not required to be present (unless it too can be sufficiently emulated).
The reproducibility of identity requires knowledge of shared memories:
- obtaining them via records (diary)
- obtaining them directly (from discussions with one or more of those who possess them)
- continued company with the identity to be impersonated and/or others with which they share memories
Humans are thus careful where they keep their diaries and what they put in them. They also keep track of who knows them and their friends the best, and ensure they can trust those that are close to them. Corroboration can invariably be achieved through exhaustive search of shared memories that haven’t been written down. And unshared memories are 100% private – for humans – hence Deckard’s easy demonstration to Rachel of her replicant nature by describing some of her undisclosed, private memories (Blade Runner).
So, an individual doesn’t hold their identity so much as half of it, which is a means of corroborating it. The other half is held by everyone they’ve ever known. This also means that the individual’s identity could be recreated if everyone they’ve ever known could collaborate. Even so, the individual could retain a secret that might demonstrate their superior claim to the identity over that of an impostor.
But, I’ve said from the start that an identity comprises reputation. This is because identity is more than a set of shared memories. Identity is ‘who you are as a person’ – in the eyes of those who know you. Thus identity is also reputation, a set of shared memories of the quality and strength of relationships. Trustworthiness (reciprocal exposure of risk, etc.), reliability, punctuality, number and value of meetings, interactions, transactions, etc.
Identity in Practice
I think this is enough to begin to get a glimpse of how a distributed identity/reputation system might look.
- An identity is a closed list of names of other identities with which this identity has had one or more relations with in the past, and attributes associated with each relationship. This can be secured by the owner of the identity with a human memorable password (which must nevertheless, withstand dictionary attack).
- Identities are online (http/soap) or near-line (e-mail) autonomous, interactive entities.
- Each identity has a non-unique, human readable name, e.g. “Fred Bloggs”.
- Each identity has a unique ‘appearance’, e.g. a universally unique public key (only disclosed per encounter).
- Any identity can be asked if it recognises an identity’s name, and if so, whether they have the same appearance (without needing to exchange the public key).
- Any identity can be asked for its subjective measure of another identity’s reputation.
- Any identity can be asked to disclose one or more ‘well known’/reputable identities with which it has had a relationship (referees).
- When two identities interact for the first time they exchange a secret (appearances/public key’s are exchanged to do this) and each demonstrates to the other ownership of their appearance (knowledge of private key).
- Upon the formation of a relationship, identities may exchange contact details: primary and secondary online locations (web service URIs), with backup near-line locations (e-mail addresses).
- If identity X suspects A knows B, X can ask A to corroborate B’s identity by immediately interacting with B and confirming knowledge of the secret previously exchanged.
Identities DO NOT contain any private data beyond qualitative measures of interactions.
Identities can make no truth assertions concerning other identities, except whether they have evidence that the identity is authentic and that they have had a previous relationship.
Identity is not a matter of private data retention, or trusting others to exchange the identity’s private data. Keeping some relationships and transactions secret is a separate matter.
The reputation of an identity is held by others. An identity records subjective reputations of others.
By interacting with several identities that one knows it should be possible to gauge a less subjective measure of the reputation of an identity that one expects to have a relationship with.
An identity could maintain a cache of identities it has explored a relationship with, but ultimately decided against.
1 Closely based on my post to the ProjectVRM mailing list on 2nd July 2007.