Identity discussions require agreed fundamental terms. We lack such fundamentals, so currently we lack coherent discussion. I mean it – we lack the very basic concepts and hence this is why this newsletter is required.
We have a lot of esoteric generalizations – does anyone want to discuss ‘trust’ or ‘consent’ for a week or month or year… Such scenarios are not uncommon in the ICT industry that often sells vapourware.
So in these newsletter I aim to redress this problem and my starting point is real-world situations of the parties involved in Identity and the places of Identity. Now this might not appear to be radical, but I promise you that my straightforward approach is not the norm!
But first, read this
Organizations own our identity profiles. And the privacy laws, that most countries have, give the individual rights over that information and the holders obligations of care.
QED. That is how it is.
Decades of human rights development has morphed into individual rights which has help drive a preoccupation in the Identity world with something called self sovereignty. This is a noble concept but it is not the current reality of Identity.
Organizations own identity, individuals have rights over identity, and organizations have obligations for identity. This will become important in the next paragraph!
Parties
The parties to Identity processes are:
people – individuals like you and me
organizations – companies, government departments, clubs etc
For an Identity process to be meaningful, the number of parties must be two or more. I consider 2-party and 3-party transactions only. While transactions may exist with 4 or more parties, they are rare and adequately covered by considering 3-party transactions.
2-party transactions
2-party transactions involve a person and an organization. Here are two examples:
An individual has an account with a bank and an individual has a relationship with a theatre. In the first, a person does a transaction, such as check balance. In the second, a person creates and updates a profile that generates reminders to up-coming performances.
These 2-party transactions look mundane, and they are, and they are prevalent - we use 2-party transactions every day. They are likely to be 99% of all identity processes performed.
3-party transactions
3-party transactions involve a person and two entities. Here are two examples:
In the first, example, a person is using a credential from the Health Department to prove their Covid status to gain into a café. In the second, a customer of a co-operative is purchasing from a ‘participating merchant’ co-operative account. In both examples, the third parties (the café and merchant) do not know the person.
And so?
Well please note two things. Firstly, these identity processes are inherently difficult! There is nothing easy about authenticating an individual who you do not know and have no information about.
Secondly, while 2-party transactions are prevalent, 3-party transactions may be quite important in the future. The Covid example is clear. Other examples of 3-party transactions, such as ‘know your customer’ transactions are becoming ubiquitous. As we become more connected and develop more complex relationships, 3-party identity will become an essential transaction within society.
There is quite a lot in these simple diagrams.
Place
Not surprising, the place that transactions happen is fundamental to Identity, and requires some clear distinctions:
environment - where parties transact (in-person, on-telephone, and on-line)
channel - communication methods we use to interact (verbal, visual, and digital)
A transaction will occur in one environment, say on-line, and may use a number of channels such as a web-interface and a smartphone.
Environment is where it is all happening. It is the primary medium for communication. It has three principle varieties, in-person, on-telephone, and on-line, and each has its own unique characteristics, limitations, and challenges.
This is important. Identity is used in three fundamentally different environments. It is not so surprising that identity is difficult and underdeveloped.
Payments, mentioned in a previous newsletter, has similar complexity to Identity in this respect, but the seemingly historical accident of credit card risk mitigation (i.e. someone pays extra) makes them useable in multiple environments. Identity is not that lucky!
Summary
The two dimensions I have defined, number of parties and environments, are not the standard topics of discussion with the world of Digital Identity which has, naturally, an on-line bias. Given the planet’s history with Covid, this is surprising as in-person is clearly important!
What I am writing about in these newsletters is Identity in all its forms and if one is considering Identity holistically, you need some framework to consider all alternatives.
This is what I have created and I’ll use this framework in the next newsletter to show some examples of the Identity and to critique current implementations. It should be relatively easy to guess what the answer is!
Regards
Alan