What are Digital Identities?


Today we present an article submitted by DIACC guest blogger Patrick Cormier, VP of Business Development and Sales at Notarius. DIACC member guest bloggers share their unique insights and expertise. Guest blogger articles do not represent a formal opinion of the DIACC. This guest blog is shared under the Creative Commons BY-ND terms.

Patrick Cormier

At DIACC and IdentityNorth, strong claims are made that digital identities will unlock considerable growth and innovation in the Canadian economy. The far-reaching ramifications of that assertion beg the question: What are digital identities? Can you explain in simple terms what digital identities are or even answer the question “What is an identity?” Take a moment… Stop… Try putting your thoughts into a clear definition.

If you can’t come up with a definition or remain unsure, don’t feel bad! In recent years, I have asked that question routinely and have never got a simple, concise and precise answer, although there are some online references such as The Field Guide to Identity by Identity Woman (Kaliya “Identity Woman” Young [formerly Hamlin]) that are great references when exploring the multifaceted aspects of identity.

So, plainly put, I am motivated to define digital identities in a simple and straightforward manner because, absent a common semantic ground on digital identities, it would be more challenging to unlock the economic growth and innovation that can be unlocked with robust digital identities.

What is Identity?

Simply put, an identity is a representation of who you claim to be and who you are. A digital identity is an electronic representation of that claim. And finally, a trusted digital identity is a representation of you that can be relied on with confidence for high-value transactions such as signing a contract or applying for a passport.

Identity is at the core of the authenticity of social interactions and the integrity of business processes. Identity is the starting point of any relationship, trust and confidence in ongoing interactions between individuals, organizations, and government. Identity is also dependent on context. Within an identity context, it is critical to be able to distinguish individuals from one another so that services can be delivered to the right individual.

A person’s identity can be subjective or objective. The set of psychological and physiological properties that make me and you unique as we perceive ourselves is subjective identity. It is a mental construct allowing us to relate to one another while retaining our distinctiveness. That is all I have to say about subjective identity because I am primarily interested in the objective identity of a person: a social convention that binds identifiers and attributes to persons. Let’s deconstruct that definition to see how it holds.

A social convention: if you are the sole survivor of the Mars One mission and live alone on Mars without communication to Earth, identity – your name for example – becomes meaningless because you cease to relate to others. When people relate to others in society, in a group or online, they need to refer to one another, hence the social convention of assigning names to infants when they are born. The convention is social because its primary function is to allow persons (both physical and organizations) to relate to one another. It has more the flavour of a convention because some group members may refer to one another using identifiers appropriate to the context, i.e. usernames on a web site or the children of a family calling the father of a family Dad.

An identifier is a pointer that points towards a specific person. An identifier may be unique in a defined system, for example, a Social Insurance Number (SIN) in Canada. Two persons should never possess the same SIN. Although an identifier is intended for a specific person, it may in fact not be unique, for example, my name “Patrick Cormier” is shared by a lot of people. It may not even be related to real-world social convention (my online alias could be Fidel5351). Given this, some types of identifiers (such as our names or aliases) may not be unique in a given context and may point at more than one person. Other examples of identifiers: SIN/SSN, driving licence numbers, employee numbers… I will tackle a little later the need to uniquely identify persons in a given system.

An attribute is a property likely to be shared by many persons. Attributes can be professional (e.g. lawyer, CPA, engineer, architect). Attributes can also be affiliations (e.g. employee of a company, alumni member), physical characteristics (e.g. eye colour, sex, height), etc. Finally, attributes can also be in relation to corporate persons, like size (e.g. “Small & Medium Businesses”).

A person may be a physical or corporate person – any entity with standing in court. A person here is not a concept – it literally is a physical person (or organization). For greater clarity, I am not referring to marketing persona – generic roles.

Binding an identifier or attribute to a person generally implies that the person must have a way to legitimately claim the identifier or attribute. In addition to claims and in some contexts, binding may also imply that an identifier or attribute be legitimately associated with a person in the absence of a claim.

Binding is the action of reliably recording the relationship between a set of identifiers or attributes and the person. In modern societies, for identifiers, this is often made possible by the possession of state-issued documents such as a certificate of birth and, later, driving licences and passports. People also claim identifiers and attributes using community recognition (when a lot of other persons agree the claim is legitimate) and using Knowledge-Based Authentication (KBA). The premise underlying KBA – that only the person corresponding to an identifier would logically know the answers to specific questions – is losing credibility because of past massive data breaches. Finally, identifiers and attributes may also be assigned to persons without any claims intervening.

An identity is therefore a social convention that binds identifiers and attributes to persons. From this definition and above explanations, we can draw the following inferences:

  • We each possess at least as many identities as we possess identifiers. On a web site, my digital identity might be solely known as “Fidel5351” to others in the web site – Fidel5351 is my identity on that website.
  • Some identities are legal because they are issued and/or recognized by the State. Such identities can hold property and sue or be sued in courts. In the context of economic growth fueled by the Digital Economy, legal digital identities are crucial.
  • Some contexts may require a composite identity, or set of identities, to be joined. This happens when several identities are simultaneously claimed to complete a transaction, sign a document or create an identity which uniquely defines a person in a specified context or system. For brevity, composite identities are often called contextual identities or even identities.
  • A contextual identity is a set of identity attributes that is used to distinguish a particular person within an identity context. While identity attributes such as name and date of birth may identify an individual, these attributes are usually not sufficient to distinguish a person within a large population (such as a province or country). An artificial identifier is therefore assigned that is used solely for the purpose of providing uniqueness and points to a specific person. For example, “Patrick Cormier” and my driving licence, taken together, uniquely point to me (no other person may claim both my name and driving licence number) to create an identity which is effective in ensuring that two Patrick Cormiers can be safely distinguished from one another.
  • Another method of distinguishing identities from one another is to include attributes in the identity. For example, if I were the only lawyer in Quebec named “Patrick Cormier”, then my identity “Patrick Cormier” together with the two attributes “lawyer” and “Quebec” would uniquely point to me. Alas, there is another lawyer Patrick Cormier, so another attribute or identifier would need to be added to distinguish us.
  • The need for composite identities and attribute-supported identities is contextual. To sue in court, you would need to do so under your State-issued name and provide your address, minimally. To obtain provincial health services, you need to provide both your name and provincial health coverage number. To publish a post on a blog, you may only need a validated pseudonym, i.e. a username associated with an email.
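
The uniqueness argument in the list above can be checked mechanically. The following is an added example, not part of the original article: it searches a registry for the smallest combinations of identifiers and attributes that point to exactly one person. The registry, its field names and the licence numbers are all constructed for illustration, and it assumes a licence number is unique only within the province that issued it.

```python
from itertools import combinations

# Constructed sample registry; every value is made up for illustration.
# L-1001 appears twice because each province issues its own numbers.
REGISTRY = [
    {"name": "Patrick Cormier", "profession": "lawyer", "province": "Quebec", "licence": "L-1001"},
    {"name": "Patrick Cormier", "profession": "lawyer", "province": "Quebec", "licence": "L-1002"},
    {"name": "Patrick Cormier", "profession": "engineer", "province": "Ontario", "licence": "L-2001"},
    {"name": "Marie Tremblay", "profession": "lawyer", "province": "Ontario", "licence": "L-1001"},
]

def matches(registry, claim):
    """Return every record consistent with the claimed fields."""
    return [r for r in registry if all(r.get(k) == v for k, v in claim.items())]

def is_unique(registry, claim):
    """A claim works as a contextual identity only if it points at one person."""
    return len(matches(registry, claim)) == 1

def minimal_identities(registry, person, fields):
    """Smallest field combinations that distinguish `person` in `registry`.

    Returns a list of tuples of field names, or [] when no combination of
    the allowed fields is enough (another field must then be added).
    """
    for size in range(1, len(fields) + 1):
        found = [combo for combo in combinations(fields, size)
                 if is_unique(registry, {f: person[f] for f in combo})]
        if found:
            return found
    return []

if __name__ == "__main__":
    me = REGISTRY[0]
    # Name plus attributes only: still ambiguous, two lawyers share them.
    print(minimal_identities(REGISTRY, me, ["name", "profession", "province"]))
    # Adding the artificial identifier resolves the ambiguity.
    print(minimal_identities(REGISTRY, me, ["name", "profession", "province", "licence"]))
```

An empty result means the context needs a further identifier or attribute before a transaction can be tied to one person.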

The above inferences are just some of the inferences that should be clarified before considering what digital identities are. Digital identities are technological conventions that bind digital identifiers and attributes to persons. They necessarily exist in the technological realm. Digital identities can come in the following flavours:

  • Self-asserted digital identities are claims, created and used without external validation or verification of their veracity. One example is an Adobe self-signed digital certificate. I can create such a certificate under any name of my choosing. Similarly, I can associate a name of my choosing with a Gmail account and be known to my correspondents under that name. Obviously, such claims are not optimal in contexts of legal or commercial transactions.
  • Verified digital identities are digital identities for which the identifiers (and perhaps the attributes) have been verified by one or more third parties, but not necessarily trusted third parties. In other words, some third party has validated that the owner of the digital identity may legitimately claim the identifiers and attributes. To the extent you trust the third party and understand the validation method, you would trust the veracity of the claimed identity and attributes. For example, if you understand the signing digital certificates issued by Certificate Authority X and if you deem acceptable the issuance process of their certificates, you would trust the veracity of the claimed identity and its attributes.
  • Trusted digital identities exist when conditions, or conformance criteria, set by a Trust Framework are met in providing a digital identity. By way of example, DIACC is currently developing a Trust Framework for Canadian Digital Identities. On the other hand, a Trust Framework can be as simple as, for example, the explicit recognition by a governmental authority that Certificate Authority X digital identities and signatures may be relied upon for the purpose of conducting transaction Y with the government. To be exact, Trust Frameworks should be really thought of as Accountability Frameworks – see The Trouble with Trust, & the case for Accountability Frameworks for NSTIC. Also, I should clarify here the semantic distinction between objective and subjective trust. The term “trust”, by ordinary definition, is subjective – it is an opinion about the reliability (an objectively perceived quality) of someone or something. Here, when I define the term “trusted digital identities”, I mean objectively trusted, that is, digital identities that meet objective criteria set forth in a Trust Framework should be called “trusted digital identities”. Of course, anyone relying on a so-called “trusted digital identity” may make the personal choice of not trusting (subjectively) that identity. However, despite that semantic distinction, I think it is worthwhile to define objectively the term trusted digital identity to specifically refer to those identities that comply with the conditions set in a trust framework.

To the question “what are digital identities”, one can also complete the answer by referencing the purpose they serve. A digital identity is intended to be a legally equivalent alternative to presenting yourself in-person with paper documents. A digital identity is intended to ensure that a specific person is at the other end of a transaction or at the origin of a signed document. For example, digital identities can be used to sign birth certificates, passports, university transcripts and diplomas, contracts, engineering drawings and plans, affidavits… any document requiring proof of its origin weeks, months or even decades later.

Canada’s economy is fuelled by millions of transactions completed and documents signed every day. Now, imagine a world in which, over time, all these transactions and signatures could be completed digitally, legally and reliably. Imagine that for each transaction completed and document signed digitally, considerable savings have been realized because you can finally dispense with in-person appearances and paper-process inefficiencies. Imagine the range of new commercial activity that could be unlocked because the online market is a worldwide market as opposed to doing business locally.

Digital identities can, and will, unlock a modern, forward-looking and technologically advanced society. It is up to us to build the required trust frameworks to make this vision a reality. Get involved in DIACC now and attend IdentityNORTH next year!