Generative identity — beyond self-sovereignty

RESEARCH

INTERPERSONAL DATA

IDENTITY

Generative identity — beyond self-sovereignty

By Philip Sheldrake

September 02, 2019

With thanks to those who commented on draft versions: Matthew Schutte, Jonathan Donner, Martin Etzrodt, Andrei Sambra, Mihai Alisie. Hero image generated from the original image by Ryan Alexander.


I’m going to outline three ways to think about digital identity to help move the conversation forward in line with the AKASHA Foundation’s purpose. I’m not claiming any neat taxonomy per se, just exploring very different degrees of nuance with radically distinct implications.

  1. Relating to how personal and group identity is manifest online, naively
  2. Relating to how personal and group identity is manifest online, expertly
  3. Relating to how we might employ digital technologies to transform society’s accommodations of and approaches to identity, generatively.

Naively

It seems from observation alone that quite a few technologists work in this mode, excited to be bringing pre-digital bureaucratized identity into the digital age.

Telegram Passport is an exemplar of the naive unfortunately, a service allowing you to upload your “real-life ID” just the once so you may offer up such documentation more easily in the future as and when required by third-party services. Simple? Yes. Convenient? Undoubtedly. With dire emergent consequences? Quite possibly.

“Your papers, please” is a cultural metaphor for living in a police state, and Telegram technologists are diligently removing the systemic frictions of the pre-digital era to assist your compliance, misguidedly assuming that friction is something that should always be eliminated I suppose.

You may be tempted to dismiss such a concern … But I decide when to present my ID!

Well not quite. Consider the Barnes Paradox whereby individuals transgress their own privacy preferences just to get to the stuff a click away. We’ve all done it. Moreover, each of us is just one of very many agents in the constant emergent reformation of societal structures; in other words, many if not most of your fellow citizens would have to exercise similar discipline. Still confident?

The only way to feel positive when it comes to naive digital identity is by assuming lawmakers will step in to constrain the types of entities that may request ID in such a manner, and to constrain the corresponding purposes too. Such a license to operate would be cryptographically provable by the requesting party.

But please do not rely on this to ease your mind as you write more naive code. Under the influence of the false dichotomy of privacy .v. security, or guided by similarly naive understanding of identity, governments appear too frequently to be pulling in the wrong direction here. India’s Aadhaar is a case in point. This alarmingly-naive, government-funded invention was intended to be entirely voluntary, but to opt-out now is to effectively opt-out of living in the country; an example of the structuration I referenced above.

The thought put into Aadhaar’s goals, design and consequences has been and remains woefully inadequate.

Naive innovation represents an inordinate and perilous transformation of the ilk explored in mid-twentieth century dystopian novels. In other words, people will die if its application is not controlled. But controlling it will also lead to exclusion, persecution, and deaths depending on the dogma of those in power at the time. (See India’s hunt for “illegal immigrants” is aimed at Muslims.) As I note in my webinar for the Self-Sovereign Identity Meetup, engineering the facility for inclusion cannot but also enable exclusion.

Brevity is my only reason for limiting the examples here to Telegram and Aadhaar. They are not too unusual in their naivety, unfortunately. Just use your preferred search engine to look up “KYC-as-a-service” and “e-KYC” for example and challenge yourself to find a service that limits its application to legally-necessitated situations, or one that doesn’t use legal terms and conditions to curtail hackers’ freedom to find flaws in its system.

If this has sparked your deeper interest, Dissent on Aadhaar 1 is perhaps the definitive read on Aadhaar’s architectural flaws, its erosion of civil liberties, undermining of the democratic process, negative impact on welfare programmes, and pivotal role in the formation of a surveillance state. Separately, Kaliya Young explores how Aadhaar differs from the US Social Security System2 and concludes: “there tends to be insufficient consideration of the ways in which the proposed solutions that use Aadhaar might create risks for those individuals and institutions it intends to serve.”

Expertly

Identity experts are semantic pedantic — their professional focus is distinction after all. I adopt Jonathan Donner’s recommendation3 to distinguish the terms “identity”, “identification”, and “ID”. Identity “implies a kind of multidimensional social location of an individual relative to other people and institutions around him or her.” Identification is a claims verification process, and ID is an artifact, traditionally tangible, that “supports a claim or signals that identification might be possible.”

In other words, identity ≠ identification ≠ ID. Any and every conversation in which participants recognize this distinction is massively more productive. And there’s another phrase …

Self-sovereign identity (SSI)

SSI is the current state of the art. The concept and term emerged in 2016 having morphed from “sovereign source authority” in 2012. Here is an extract from Devon Loffreto’s argument for such sovereignty4:

Society is an Agreement. It is made by and between Individuals. Within any Society, Individuals have an established Right to an “identity”, and to all of the benefits and responsibilities of some form of “Nationally Sovereign Structure” of governance and administration. Sovereign Source Authority (SSA) refers to the actual default design parameter of Human identity, prior to the “registration” process used to inaugurate participation in Society.

The motivation here is valid at least, evidenced in the analysis of the conditions by which totalitarianism took hold in Europe in the 1930s and early 40s5:

The stateless and the minorities … had no governments to represent and to protect them. … The very phrase ‘human rights’ became for all concerned — victims, persecutors, and onlookers alike — the evidence of hopeless idealism or fumbling feeble-minded hypocrisy.

When only states are sovereign, the individual rendered stateless has no rights. This is unacceptable and led to the Universal Declaration of Human Rights in 1948 and more recently to the inclusion under the Sustainable Development Goals of the target to ensure everyone has a legal identity by 20306.

We are also moved by the motivations for such a target and recognise that there are choices to be made of how best to achieve it, and indeed to define precisely what it is. Is it to serve only in tightly specified legal or humanitarian contexts for example? If so, who gets to decide? And who gets to decide who gets to decide?7 We must remain cognizant that efficient identity related bureaucracy was also fatal in the 1940s8. It was easier to find people to murder in jurisdictions in which legal identity worked well. On which point, the minimum qualification of an expert in this field must be historical awareness and dedication to not repeating its tragedies.

I’m not going to offer an introduction to SSI nor the corresponding deliberations by various communities, not least Rebooting the Web of Trust, Internet Identity Workshop, Identity Foundation, ID2020, and Good ID. Rather, the following resources are excellent introductions if you need to jump off here.

Given that I will be taking aim at the founding principles, I will just tip my hat to The Laws of Identity 9 from 2005. As Kim Cameron explained at the time10, the word “laws” was adopted in the scientific sense of hypotheses about the world — resulting from observation — which can be tested and are thus disprovable. The influence of these laws on the SSI principles is plain, not least user control.

The transition to SSI from the prior state of play (described succinctly by Christopher Allen in the first link in the list above) represents a substantial and most welcome breakthrough, but my focus here is its fatal flaws — some of its ‘laws’ don’t stand the test — and where we might go beyond SSI.

Not how the world works

The Rebooting Web of Trust community adopts what it describes as a functional approach to identity:

Identity is how we recognize, remember, and ultimately respond to specific people and things.

It’s a multidimensional social location of an individual relative to others, and clearly contextual. We might recognise faces, voices, gaits, fingerprints, irises, handwriting, usernames, email addresses, PINs, cookies, cryptographic keys or the mathematical proofs of their application, etc. We might remember by close personal association, by faint to robust recollection, by paper record, by database and algorithm. And our responses will be influenced by our interpretation of the associated archived information and the current informational context.

The definition emphasizes the observer rather than the observed, the recognizer rather than the recognized. Identity is in the eye of the beholder11. It’s social.

On the other hand, the term SSI denotes that identity emanates from the individual in question under that individual’s control — after all, to be sovereign means to possess the supreme or ultimate power, and control is both a formative law and founding principle here. SSI is then individualistic, atomistic, and definitely not reliant on anything social.

But how could this reflect reality? How could this be possible when I have minority influence over others’ recognizing me as best they might, remembering me as they so desire, and responding to me as they see fit? I may attempt to minimize information disclosure, and I may have some recourse under law to effectively reverse previous disclosures, but while that is all well and good in the name of privacy, identities still form in the eyes of the beholders beyond my control. Timothy Ruff puts it tentatively12:

… connections, relationships, and third-party issued credentials are not entirely self-sovereign, nor should they be. They represent (at least) two-sided relationships, and the other party to the relationship has some degree of control, too.

I’m more blunt, and perhaps the easiest explanation is one of reductio ad absurdum.

Imagine if you will that I am self-sovereign. Imagine that I exercise my self-sovereignty fully in the only direction afforded me — i.e. I refuse any facility that others might wield to recognize, remember and respond to me. (For the more technical reader here, I might take full advantage of pairwise pseudonymity with efficient zero-knowledge proofs and ‘tumblers’ that obfuscate my true service endpoints13.)

I am now maxing my self-sovereignty.

Is this then the ultimate identity power play? Should you then consider me to be in full control of my identity? In short no, of course not, for who then is left to make the distinction? What is it I’m now supposedly controlling? I am left with no identity at all.

Identity cannot be self-sovereign by the functional definition.

This could be a straightforward case of poor word choice — I’m not the first to make that observation14 — but this goes deeper than the label. This contradiction, this impossibility, is set up from the underlying principles.

A quote from the anthropologist, social scientist, and cyberneticist Gregory Bateson springs to mind15:

The major problems in the world are the result of the difference between how nature works and the way people think.

Phil Windley has observed such a tension, up to a point16:

Many people hear sovereign and think “sovereign means the individual has complete control.” Not really. As Scott David pointed out, “declaring yourself king of a deserted island isn’t very useful.”

Sovereignty is about relationships and boundaries. … Sovereignty defines a boundary, within which the sovereign has complete control and outside of which the sovereign relates to others within established rules and norms.

I argue from the perspectives of complexity science and sociology (not unrelated of course) that not only are many of the SSI principles false — they don’t reflect how the world works — but even this attempt at reconciliation entails clean boundary lines that simply don’t exist. But Windley concludes:

The beauty of sovereignty isn’t complete and total control, but rather balance of power that leads to negotiations about the nature of the relationships between various entities in the system.

This isn’t sovereignty, or the “beauty of sovereignty”. By my reading, Windley suspects that identity isn’t about sovereignty at all.

And last year, when learning to become a certified Warm Data Lab host, I found a kindred spirit in Matthew Schutte who had already critiqued the SSI principles17. I won’t take on every principle here — just four should do the job, starting in each case with a quote from Matthew’s critique and contributing my own notes.

SSI principle: Existence. Users must have an independent existence.

This is the first false assumption: The belief in an identity as an object. The perception of an “I” is a heuristic that simplifies information processing and decision making, but it is not an underlying reality that we should be anchoring Identity processes to — at least not in total.

I dislike the reference to “users” in this principle. Rather, let’s talk about human beings i.e. recognise our full potential and dignity in ways not necessarily triggered let alone encouraged by the word “users.”

Furthermore, and as I’ve written before, the I and the we are not really separable. Neither the individual nor the collectivity can be or become without the other, an assertion recognised by structuration theory in sociology. The theory, dominant in its field, moves away from treating the individual (agent) and society (structure) as separate, paired elements, to considering the two as interdependent, no longer separate or opposed18:

the structural properties of social systems are both medium and outcome of the practices they recursively organize.

Comprehending such complexity requires some shifts in thinking, including:

  • Away from the reductionism of ‘parts and wholes’ towards the simultaneity of a thing being both a part and a whole (holonic philosophy)
  • Away from a focus on the agents (nodes, things, groups) towards a focus on the relationships (the edges, dynamics, liminality, interdependencies), per Actor-Network theory, and ultimately in my view to rhizomes19 and agencement20 — the continuous and unending flux of assembling and reassembling.

Unlike SSI, these appear to correspond to how identity works in the world. I acknowledge of course that the law has a concept of identity for narrowly-bounded legal applications, but that’s the point — narrowly-bounded — and heuristic to boot, to quote Matthew Schutte. In the countries I’m most familiar with, in Western Europe and North America, there is no need to reference a legal identity to grab a cab, buy a bagel, meet-up with a mate, borrow a book, play in the park, or do a friend a favour. We act around group norms, simultaneously affecting their perceived loci and boundaries, telling and enacting different stories to ourselves and others, and playing different parts with different people in different contexts, all of which are identity related without our necessarily thinking or believing them as such, and all of which would be alien to the designer of a legal ID system. (I explore identity narratives later.)

Or to put it another way, designing for ‘proof of personhood’ to engineer sybil resistance is critical in some contexts of course, but only a minority of identity contexts. It would be harmful in other contexts. (See Verifying identity as a social intersection.)

SSI principle: Control. Users must control their identity.

This assumes that 1) “identities” are a static referent, 2) identities are maintained at a system wide scale. These claims align with past attempts at identity administration architectures, but don’t map to the actual functioning of identity in the real world.

I would argue that: 1) claims are all that exist, 2) these claims can be thought of as signals that are “published” (sent) by some actors and “received” (sensed) by others. After receipt, the recipient bears the burden of prioritizing and interpreting the signals that they have sensed. There are complex adaptive system dynamics in play here that lead to a differentiation in the sensitivities of various actors.

Thanks Matthew.

Control is wholly inappropriate in the context of identity because it is a logical impossibility. But that’s not to advocate or resign ourselves to the binary opposite. Far from it. Anthony Giddens, the progenitor of structuration theory, has something to add here21:

Agency refers not to the intentions people have in doing things but to their capability of doing those things in the first place. … To be able to ‘act otherwise’ means being able to intervene in the world, or to refrain from such intervention, with the effect of influencing a specific process or state of affairs.

As I’ve noted before, agency (in co-evolving structure) entails a negotiation in and with the world that the word “control” denies. Identities form and reform (and expire) in the course of individuals exercising or not exercising agency, all the while sending and receiving signals to use Matthew’s words. We can strive to enhance agency, perhaps spread it around a bit more evenly, but to frame identity in terms of control is to promise something that cannot be delivered.

In a related email discussion, Elizabeth Renieris notes22:

The GDPR is a classic example of a law that is being misinterpreted by the SSI community as having to do with individual control. Notice how the core GDPR principles (lawfulness, fairness & transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity & confidentiality, and accountability) do NOT include control. In fact, the only notion of “control” in the GDPR stems from the concept of “controllership” which is a quasi-fiduciary obligation of data controllers to adhere to these core principles, to protect the personal data of data subjects, and to accept certain procedural requirements, etc. Yes, individual data subject rights provide a degree of control over data already shared but those rights are calibrated to exist within a meta-structure designed to remedy some of the asymmetries between individual data subjects & organizational controllers (where the emphasis is on controllers who are in a position to act responsibly and give effect to rights).

SSI principle: Access. Users must have access to their own data.

Again, though noble in intent, this does not map to reality. If I see you slap a child, that impression gets “written” on my brain. You don’t have access to it. … These private channels of impression, interpretation and communication are critically important, and yet do not lend themselves to the type of “user centric” identity scheme being proposed here.

To have unimpeded access is to have control, which cannot work when one appreciates that so-called personal data and identity are reciprocally defining and co-constitutive (more on which later). The use of “their own” here invokes the idea that data be treated as property (if only perhaps for lack of imagination). I have written at some length on the impracticality and immorality of total access to / control over / ownership of personal data23 and I won’t repeat that here. I will however invite you to use the expressions “data about me” and “data about us” rather than “my data” and “our data” to avoid any implication of ownership.

Matthew doesn’t address the digitalization of associated processes, but I do below.

SSI principle: Persistence. Identities must be long-lived.

… builds upon the same flawed framework of “an Identity is an object” and “Identity objects will be managed at system scale rather than by individual observers.” These are fatal flaws that do not map to how signals, agents, interpretation and steering operate in complex adaptive systems.

We can choose not to willingly pull our previous interactions into the present relationship. However, we are incapable of preventing others from attempting to correlate our past with our present — or to prevent them entirely from taking steps to improve the likelihood that our present interaction will be discoverable by those who interact with us in the future

There are ways in which we can pressure others to reduce the level of such sharing that occurs, but these are primarily through the mechanism of social pressures, not technical limitations of the infrastructure we make use of.

Identity doesn’t come with persistence as a defining characteristic. I have yet to find a similar ‘law’ in the corpus of sociology, cultural studies, or psychology; the opposite in fact. Law is the only discipline that necessarily bureaucratizes birth and death with some urgency to connect the two, and has been narrowly constrained in application as noted.

Of course, digital technologies have effectively given some observers superhuman powers of recognizing, remembering, and responding. While developers of SSI related technologies might design to attenuate such powers, such intention doesn’t justify the terminology of “self-sovereignty” or its founding principles. Fundamentally, superhuman technologies are established, around which societal norms have formed and will continue to form, as Marshall McLuhan famously observed. In the context here, this leaves only the law as the basis to trim those super powers in the name of enduring social norms, and in practice it is more the (corporate) observer that extends or accommodates technology in seeking legal compliance than it is any technology of purely self-sovereign origin having the desired effect.

Generatively

I have discussed how personal and group identity is manifest online, both naively and expertly. Now I’m going to explore how we might employ digital technologies to transform society’s accommodations of and approaches to identity, generatively.

I have never attempted to engineer self-sovereign identity. I am then no SSI expert. I invest my time working out how we might wield digital technologies to nurture the full potential of human beings, realizing intelligences that would otherwise remain hidden, and creating regenerative cultures and systems24. In the context here, my focus can be called Generative identity.

It’s not an easy domain to communicate, so I welcome any interest you might have in conversation and collaboration.

My use of generative relates to a desired state beyond sustainability25:

  • Sustainable — aiming not to leave anything in worse state (i.e. it’s "less bad"26)
  • Restorative — doing things to assist the evolution of natural sub-systems
  • Regenerative — participating as nature; co-evolution of the whole system.

It also relates to Jonathan Zittrain’s use in technological terms27:

Generativity denotes a technology’s overall capacity to produce unprompted change driven by large, varied, and uncoordinated audiences… Generativity is a function of a technology’s capacity for leverage across a range of tasks, adaptability to a range of different tasks, ease of mastery, and accessibility.

Generativity may be designed into a digital architecture "through loose couplings across layers whereby innovations can spring up independently at any layer, leading to cascading effects on other layers."28

The book Designing Regenerative Cultures 29 opens with this Albert Einstein quote:

If I had an hour to solve a problem and my life depended on the solution, I would spend the first 55 minutes determining the proper question to ask, for once I know the proper question, I could solve the problem in less than five minutes.

Generative identity is most definitely in the “determining the proper question to ask” phase. Let’s start with the question — what do we mean by “self”?

The narrative self

Marya Schechtman argues that we each maintain numerous narratives in multiple contexts that evolve reflexively with our interactions30:

the complexity of selves is to be found in the multiple perspectives on our lives that we negotiate in living them, a complexity best understood in narrative terms.

The title of an article by Daniel Dennett31 puts it succinctly: Why Everyone is a Novelist.

Richard Sorabji notes that Schechtman stresses the continuing and interacting nature of an individual’s activities — "talking, listening, walking, acting, having beliefs, desires, goals, intentions, thinking, being inconsistent, and vacillating."32 The narratives are mostly accretive, but may also on occasion undergo sharp change.

Identities are formed through narrative. Narratives are informed by interactions with others. Interactions are modulated by identities. In other words, there are no absolutes here. Nothing is concrete. Everything is agencement. An individual is an agencement with her narratives. A group is an agencement of individuals and distinct and shared and conflicting narratives.

Michel Callon connects these arrangings and organizings to the very potential to act and interact33.

[Agency] can neither be contained in a human being nor localized in the institutions, norms, values, and discursive or symbolic systems assumed to produce effects on individuals. Action, including its reflexive dimension that produces meaning, takes place in hybrid collectives comprising human beings as well as material and technical devices, texts, etc.

Please continue reading here. :arrow_heading_down: