Chapter 1. The Nature of Identity

Cogito, ergo sum.

René Descartes

The Peace of Westphalia, which ended the Thirty Years’ War in 1648, created the concept of Westphalian sovereignty: the principle of international law that “each state has sovereignty over its territory and domestic affairs, to the exclusion of all external powers, on the principle of non-interference in another country’s domestic affairs, and that each state (no matter how large or small) is equal in international law.”1

The ensuing century saw many of these states begin civil registration for their citizens, in an effort to turn their sovereignty over territory into governance over the people living in those lands. These registrations, from which our modern system of birth certificates springs, became the basis for personal identity and legal identity in a way that conflated these two concepts.

Birth certificates are a source of legal identity and a proof of citizenship, and thus the basis for individual identity in most countries. Civil registration has become the foundation for how states relate to their citizens. As modern nation-states have become more and more influential (and often controlling) in the lives of their citizens, civil registration and its attendant legal identity have come to play a larger and larger role in their lives. People present proof of civil registration for many purposes: to prove who they are and, springing from that, their citizenship.

Even so, Descartes did not say, “I have a birth certificate, therefore I am.” When most people hear the word identity, they think about birth certificates, passports, driver’s licenses, logins, passwords, and other sorts of credentials. But clearly, we are more than our legal identity. For most purposes and interactions, our identity is defined through our relationships. Even more deeply, we each experience these independently as an autonomous being with an individual perspective.

This dichotomy reflects identity’s dual nature. While identity is something others assign to us, it is also something deep inside of us, reflecting what Descartes actually said: “I think, therefore I am.”

A Bundle of Sticks?

Another way to think about the dual nature of identity is to ask, “Am I more than a set of attributes?” Property rights are often thought of as a bundle of sticks: each right is separable from the rest and has value independent of the rest. Similarly, identity is often considered a bundle of attributes, each with independent value. This is known in philosophy as bundle theory, originated by David Hume.

Bundle theory puts attributes into a collection without worrying about what ties them together. As an example, you might identify a plum as purple, spherical, 5 centimeters in diameter, and juicy. Critics of bundle theory question how these attributes can be known to be related without knowing the underlying substance—the thing itself.

Substance theory, on the other hand, holds that attributes are borne by “an entity which exists in such a way that it needs no other entity to exist,” according to our friend Descartes.2 Substance theory gives rise to the idea of persistence in the philosophy of personal identity. People, organizations, and things persist through time. In one sense, you are the same person you were when you were 16. But in another, you are not. The thing that makes you the same person over your lifetime is substance. The thing that makes you different is the collection of ever-changing attributes you present to the outside world over time.

I’m no philosopher, but I believe both viewpoints are useful for understanding digital identity. For many practical purposes, viewing people, organizations, and things as bundles of attributes is good enough. This view is the assumption upon which the modern web is built. You log into different services and present a different bundle of attributes to each. There is no substance, at least in the digital sense, since the only thing tying them together is you—a decidedly nondigital entity.

This lack of a digital representation of you, that you alone control, is one of the themes I’ll return to several times in this book. At present, you are not digitally embodied—your digital existence depends on other entities. You have no digital substance to connect the various attributes you present online. I believe that digital identity systems must embody us and give us substance if we are to build a digital future where people can operationalize their online existence and maintain their dignity as autonomous human beings.

Identity Is Bigger Than You Think

At first blush, digital identity seems pretty simple: the service you’re building needs to know who the person at the other end of the connection is. Set up an account, give them a username and password, and let them log in. Collect any necessary attributes into a nice, tidy bundle and store them in the account. Job done.

I’ve seen plenty of examples of this kind of thinking over the 25 years I’ve been working on digital identity. I’ve succumbed to it myself. Years ago, every company offering an online service would start from this premise, build a simple identity system, and move on. Then they’d shake their heads as more and more of their development resources got sucked into solving the new problems that always seemed to crop up when the identity system couldn’t support some new feature.

Today, most companies buy their identity systems. Identity and access management (IAM) barely existed as a market category in 2005 but is now a multibillion-dollar industry. Yet digital identity is still growing, with new concepts, products, and services appearing seemingly daily.

The lesson? Identity is bigger and more complicated than you think. Throughout this book you will see examples of identity that go well beyond the traditional notions of login and access control. Privacy, trust, authenticity, confidentiality, federation, authentic data, identity for things, and identity ecosystems are a few of the areas this book discusses.

Identity is the foundation for all but the most trivial online services. Suppose a workflow that you’re building needs a signed attestation that certain work has been performed and includes the details about the work. The result is a secure, digital, machine-readable, auditable record of what’s occurred. The workflow requires that this attestation is authentic. How do you ensure that?

The document might be considered authentic if it’s signed by someone or something that’s been authenticated, if the cryptographic processes have the fidelity necessary to inspire confidence in the result, and if there’s some process that establishes the provenance of the document.3 Authentication, confidence, and provenance are all based on identity.
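The three conditions above, as an added example that is not from the book: a Go program (standard-library Ed25519) that signs a constructed work attestation and verifies it against a registry of keys that an earlier authentication step bound to signer identifiers. The Attestation fields, the Registry type, and the signer identifier inspector-17 are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

type Attestation struct {
	Signer string `json:"signer"` // identifier the signing party authenticated under
	Work   string `json:"work"`   // details of the work performed
	Source string `json:"source"` // provenance: where the data behind the record came from
}

// Registry holds the public keys that a prior authentication step bound to signer identifiers.
type Registry map[string]ed25519.PublicKey

// Sign serialises the record and signs the exact bytes a verifier will later check.
func Sign(att Attestation, priv ed25519.PrivateKey) (msg, sig []byte) {
	msg, _ = json.Marshal(att) // cannot fail for a struct of plain strings
	return msg, ed25519.Sign(priv, msg)
}

// Verify applies the text's three checks: authenticated signer, signature that holds, stated provenance.
func Verify(msg, sig []byte, reg Registry) (Attestation, error) {
	var att Attestation
	if err := json.Unmarshal(msg, &att); err != nil {
		return att, err
	}
	pub, ok := reg[att.Signer]
	switch {
	case !ok:
		return att, fmt.Errorf("signer %q is not an authenticated party", att.Signer)
	case !ed25519.Verify(pub, msg, sig):
		return att, fmt.Errorf("signature does not match record attributed to %q", att.Signer)
	case att.Source == "":
		return att, fmt.Errorf("record from %q states no provenance", att.Signer)
	}
	return att, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	reg := Registry{"inspector-17": pub} // key bound to this identifier when the signer authenticated
	msg, sig := Sign(Attestation{"inspector-17", "inspected weld #4", "inspection-log-2022-10"}, priv)
	msg[len(msg)-3] ^= 1 // alter one character of the provenance field after signing
	_, err := Verify(msg, sig, reg)
	fmt.Println("altered record:", err) // signature does not match record attributed to "inspector-17"
}
```

A record fails for any of the three reasons separately: an unknown signer, a signature that no longer matches the bytes, or a missing provenance field, which is why none of the checks can substitute for the others.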

Beyond services, many documents we use every day have identity-related purposes. A movie ticket (an example I’ll use several times in this book) is an identity document that identifies the holder as someone entitled to a seat in a specific theater at a given time. Furthermore, it’s designed so that the ticket taker recognizes that it’s authentic.

What about an invoice? An invoice identifies a payment that’s being requested by a specific party for a specific service. It has an identifier and can be recognized as authentic because of the workflow it’s part of. An invoice identifies a transaction taking place inside a larger relationship.

These examples, and millions more, are all part of digital identity—yet they aren’t about logging into an account to retrieve some attributes. As you’ll learn in this book, however, they have much in common.

No Universal Identity Systems

Some people combine the mistaken assumption that identity is simple with the myopic view that identity is just about the process for tying legal identifiers to people. The result is a search for a universal identity solution. Universal identity systems are attractive because digital identity is hard and inconvenient. The siren song of a universal identity system calls developers and users alike with its promise to simplify online interactions, only to dash them upon the rocks of very real complexity.

Over the years, I’ve had many people pitch me that their product is a universal solution for digital identity because it provides the means to concretely tie a body (literally, through biometrics) to a legal identifier. While this can reduce fraud, identity systems that do this are almost always privacy disasters because they must collect lots of personal information to be universal. The result is a honeypot of personal information that hackers find too attractive to ignore. More worrisome, a single universal identifier provides the means for computers to correlate the activities of people across a large variety and type of systems, creating a universal dossier that allows governments and companies to surveil and even control them. Universal identifiers are a 20th-century technology that has no business being used in the digital age.

I hope that the examples from the last section have at least got you thinking about all the places that identity plays a role in your organization and, more importantly, your life. Because identity, in one form or another, is foundational to nearly every transaction, relationship, and interaction, identity systems are polymorphic (they have many forms). Consequently, universal systems, which, by definition, have a single form, always end up solving only some of the problems. Universal identity systems do not exist.

But all is not lost for those hoping for a better online identity experience, reduced fraud, and increased functionality. The internet provides a useful analogy. Think of all the ways messages are exchanged online: email, instant messaging, web pages, and video are just the more familiar ways that the internet facilitates the flow of messages between computers. But the internet is not a universal messaging system. Each of these message types has a different form and purpose. Rather, the internet is a system for building messaging systems on a common infrastructure. Similarly, protocols and standards can provide us with a system for building identity systems.

The Road Ahead

Learning digital identity requires that you understand important concepts and context, so you begin to think about identity holistically. Accordingly, the first part of this book deals with definitions of, problems concerning, and laws governing digital identity. Next you will learn about relationships, trust, privacy, and cryptography—concepts necessary for the discussions that follow.

The second part of this book describes the technologies, methodologies, and protocols necessary for digital identity. These include staples like naming, discovery, authentication, federation, and access control.

The third part of the book presents cryptographic identifiers, verifiable credentials, architectural patterns for digital identity systems, identity wallets and agents, and identity on the Internet of Things. We’ll compare solutions, using concepts we developed early on, and see how different architectures are used to build identity systems that support authentic data and trustworthy online relationships.

Finally, I’ll discuss policies and governance, two crucial concepts for building identity systems—and ecosystems—that work. I’ll conclude with a look at how the concepts, protocols, technologies, and architectures discussed in the book can provide a foundation for digital identity that enables lifelike online interactions in preparation for a digital future we can live with.

1 “Nation-States and Sovereignty”, History Guild, accessed October 5, 2022.

2 Substance theory has many more proponents than Descartes, but his definition is helpful in thinking through identity’s dual nature.

3 Provenance takes into account where the document came from, who wrote it, the source of the data used to generate it, and how it’s been transmitted.
