In this short paper we hope to sketch a framing of identity that may be perceived at first blush as 'slightly radical', but is relatively free of preconceptions, and therefore most useful for the design of new systems that establish identities. The central thesis of the framing is this: The natural lived human experience of identity is a fragmented one, and should be recognized and engaged with without (premature) recourse to the traditional notion of a 'unified self' located in a single legal person or human body.
An "identity", whose fundamental atoms are forever incomplete segments of varyingly-credible information, whether they be rows in remote databases or serial episodes retained in the memories of human witnesses, is ultimately an external construct subject to varying degrees of internalization (i.e., acknowledgement or assertion) by the observed subject. When someone announces an identity, whether it be in the form of a hash on a distributed network, an account registration on a centralized server, or a 'coming out' as some identity in some public forum, recognition (and future remembrance) of that identity by observers is, by tautology, the only kind of identity we can usefully speak about. An unannounced, unobserved identity is no identity at all, even if possibly latent as a self-concept.
In other words, we should view identities as possibly-connected segments (i.e., finite-length data) in a larger topology. This is neither a surprising nor novel notion, excepting this: we argue that disjoint (or connected!) segments, even if constituted by observations of a single human, should not be presumed to be part of a single identity unless all of the segments represent or contain commitments to that effect. Whether someone is just a completely different person in the sense of 'personality' in two different contexts, or whether a single human lives two completely separate lives under systems like those of Russia, where gender or sexual deviance is punished and stigmatized, these topologies of lived identity should be accurately represented (and therefore supported) and acknowledged.
Apparent plausibility of an identity should not be an issue: as hinted at in critiques leveled by a multitude of sources (including the EFF) at the "Real Name" policies of centralized arbiters, the only "real" identities are ones that are and continue to be asserted by their apparent subjects.
A wider view has a lot of potential for the future: Aral Balkan, among others, takes it further, arguing that laws should recognize that our selves and identities extend into our devices and should be subject to privacy protections on that basis. What kind of identities will result from future connections between human bodies and connected devices? Will governments, societies, or peers recognize the person that might result from a such a pairing?
In any case, a single human aggregate of DNA, mind, and physical affordances, whether inborn or provided by machines and infoelectronics, may, in any given situation, be one of a multiplex of identities, each with a (hopefully) obvious degree of personhood.
What we argue is this:
- No observer is ever possessed of 'complete' or exhaustive information about a pre-supposed subject, to which an identity is traditionally thought to point.
- All identities are in flux.
- The only identities that suffer no harm under the traditional norm of a unified "one person/identity, one human" are impossibly privileged.
- Ergo, the most compassionate, respectful, (and also error-free) approach over the lifetime of any observed identity is to grant it a due degree of personhood (or agency, if you prefer) on its own terms--no external unification.
In other words, any given identity can only be viewed as (observed) commitment to performance. The degree of that commitment (or series of commitments) and its fulfillment constitutes a measure of actualization of that identity, as well as an increase in reputation (in other words, authenticity in the sense of character as well as the more technical sense). We note that this jibes with both cryptographic views of identity as well as those offered up by gender theorists--it's as true for a git commit log as it is for a person identifying as a different gender.
Viewing identity this way, we argue, has some nice properties. It explicitly avoids conflating credentials, accounts, or the outputs of cryptographic operations with persons. It crystallizes definitions of privacy and security into technologically translatable forms that are relatively free of ideology: privacy becomes the protection of segments from unwanted linking--the segment of the HIV patient with the full-time employee, for example, or the whistleblower with the military personnel; security becomes the protection of individual segments themselves--a breach of security into a Facebook account might result in the appending of unwanted posts to that segment, while a breach of security into a financial segment like a bank account or cryptocurrency wallet results in some really undesirable transactions.
Most notably, in this view, attacks on identity (doxing, investigation, intrusion, etc.) become attacks on the integrity or accuracy of the network of these segments--at best a misrepresentation of that network, at worst, permanent harm to it (whether physical or otherwise). Since it's a network we all inhabit, we think that's bad for everyone. On the other side of the coin, this means that respect for and acknowledgment of identities is a social good in a human sense, and an affirmation of a distributed network in a technological sense--the only difference is protocol.
Privacy-respecting, secure (in the senses defined above) distributed systems are uniquely able to both accurately chart this experience, as well as empower us to foster or develop identities that have never been possible before. While this is great news from a technological standpoint, the same systems can certainly also be employed in a coercive manner. At worst, large-scale information systems, whether centralized databases with essentially unlimited storage or decentralized append-only structures, could near-permanently foreclose the disjoint, varied, and possibly contradictory nascent identities of masses of people going forward. (Imagine if a government ID system was coupled with an undeniable append-only log, fed by a ubiquitous surveillance system--then place it at different points in history.)
Examples of promising systems or protocols that specifically respect and acknowledge multiplexed identity (in practice if not in presentation):
- Tor (decoupling of location and traffic)
- Qubes OS (UX making fragmentation of use cases easy)
- Pond (petnames + deniability)
- OTR (theoretical deniability + forward security)
- Monero (untraceable transaction paths through ring signatures)
We need to explicitly consider use cases, definitions, and design guidelines for the subjects of threatened, minority, or radical identities at a level that admits of robust generalization, with the goal of ultimately including everyone in such a framework. Meeting the needs of persecuted individuals and classes at a given point in history is an essential achievement of human progress, but offers no guarantees of protection or recognition of future such identities as they arise--today's champions of the weak may well become the persecutors of a future generation.
As a starting point for discussion, then, we believe that this is the frame that new technologies of identity should be considered in.