Whom Do You Trust to Manage Your Identity Assets?

Posted Thursday, July 19, 2012 in Online, Mobile & IT by Peter Horne

My recent article about online identity, “How to Think about Privacy and Managing Your Online Identity,” discussed the fact that we don’t own our identities, as they are simply identifiers inside processes that we don’t control. My proposition was that because we can’t control the processes that control our identities, we only have limited scope for control. Basically, we can choose what processes we enter, and, once in them, we can choose what we do; but, other than that, we have no control. So we just have to be judicious about what we choose to reveal about ourselves.

We Need an Alternative Concept to "Identity"

But is that all that we can do? I think the answer is in two parts. The first part is that, at this point in time, that is all we are able to do, and the second part is that we are accepting that this is the way the online world works. But what if we change the way we think about identity - will we change what we accept? If we change what we accept, will the way we have to operate online change with it?

The problem with "identity" is that it is ethereal, and we cannot measure or manage it. We need to define identity in a way that is concrete, measurable, and something that has intrinsic value that is worth defending.

Who Grants You Authority (or Authorization) to Do Something?

My recent work has been on implementing authorities in a distributed financial services application. And I mean really distributed. It’s not just a few servers and clients – it’s a mash-up model with financial data moving across clients, custodian banks, and our own firm’s data center. It’s complicated. We have some large clients that don’t want to communicate with anyone external, and some smaller firms that want us to do everything. It’s only one framework, and so I have been spending a lot of time thinking about authority – who can do what with what piece of information.

Bear with me for a moment to explain my thinking process. I distilled authority down to a few simple concepts – identity, entitlements, and authority. Identity is who is doing something, entitlements are what you can do, and authority is validation of identity and entitlements. Furthermore, you can break down the actions of entitlement to request, grant & revoke, and the actions of authority to assert, accept, and reject.

The model works on paper – but as I was implementing it, I found that identity, authority, and entitlement keep ending up looking like the same object. And then it dawned on me; they are all the same – they are what I now call an “asset.”

Identity, Entitlements, and Authority Are Assets!

Being present, what you do, and being trustworthy are assets. If you keep an inventory of the assets a user owns, you can say what assets a user needs to own to perform a function or do a transaction. You may also need an asset to grant an asset, remove an asset, change an asset, etc.
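A minimal sketch of that inventory, added here as an illustration and not the author's implementation: every function lists the assets it needs, every grant or revoke lists the assets the actor must hold, and anything without a rule is rejected. The class, asset, and user names are hypothetical.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:
    kind: str  # "identity", "entitlement" or "authority"
    name: str

class Inventory:
    """Assets held per user, assets each function needs, and assets an
    actor needs in order to grant or revoke a given asset. Default deny."""
    def __init__(self, seed):
        self.held = {user: set(assets) for user, assets in seed.items()}
        self.function_needs = {}  # function name -> set of assets
        self.change_needs = {}    # asset -> assets the granter/revoker must hold
        self.log = []             # (action, actor, subject, outcome)

    def _decide(self, action, actor, subject, needed):
        # A missing rule (needed is None) is rejected, never treated as open.
        ok = needed is not None and needed <= self.held.get(actor, set())
        outcome = "accept" if ok else "reject"
        self.log.append((action, actor, subject, outcome))
        return outcome

    def assert_function(self, user, function):
        return self._decide("assert", user, function,
                            self.function_needs.get(function))

    def change(self, action, actor, user, asset):
        # action is "grant" or "revoke"; the actor must hold the needed assets.
        outcome = self._decide(action, actor, asset.name,
                               self.change_needs.get(asset))
        if outcome == "accept" and action == "grant":
            self.held.setdefault(user, set()).add(asset)
        elif outcome == "accept" and action == "revoke":
            self.held.get(user, set()).discard(asset)
        return outcome

def demo():
    # Constructed sample data: names are illustrative only.
    member = Asset("identity", "client-a-user")
    approve = Asset("entitlement", "approve-transfer")
    officer = Asset("authority", "entitlements-officer")
    inv = Inventory({"alice": {member}, "carol": {officer}})
    inv.function_needs["transfer"] = {member, approve}
    inv.change_needs[approve] = {officer}
    return [inv.assert_function("alice", "transfer"),        # lacks entitlement
            inv.change("grant", "alice", "alice", approve),  # self-grant
            inv.change("grant", "carol", "alice", approve),
            inv.assert_function("alice", "transfer"),
            inv.change("revoke", "carol", "alice", approve),
            inv.assert_function("alice", "transfer")]
```

The log keeps rejected attempts as well as accepted ones, so a self-grant like Alice's leaves a record that can be reviewed.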

So if you drop the concept of identity, rights, and authorities as being separate concepts and combine them together as assets, you change the conversation. If “identity” is an asset, if “authority” is an asset, and if an “entitlement” to do something is an asset – how are we deploying our assets? And are others stealing our assets?

Managing my Digital Identity Assets

If my identity in a group of friends is an asset, how should I deploy and protect that asset? If my authority to approve the existence of a relationship is an asset, how should I deploy and protect that asset? And, if my entitlement to express an opinion or ask a question is an asset, how should I deploy and protect that asset?

The answer is that we want to use our assets profitably and protect them from being misappropriated or misused.

Do You Trust Google and Facebook to be Your Asset Managers?

OK, now let's look at Facebook and Google as asset managers – what do we get in return for parking our assets in their system? The answer is that they are misappropriating and misusing them. They are taking our assets and turning them into their product that they sell without our really understanding what it is that they are doing. Just ask the music and movie industries about how much asset value is destroyed when digital assets are taken and used outside the terms of licensed or fair use.

If we view our identity as an asset, then we can fairly view Google and Facebook as the Napsters of the identity world; they are taking our digital assets, not giving us fair value for them, and distributing them to places we would not allow if they asked for our permission.

Next: Assessing the Performance of Your Asset Managers

So now that we are talking about assets, we can talk about asset manager performance, asset manager regulation, and risk management. That is what I am going to ponder next – how do we quantify digital asset value, asset manager performance, and risk management? Maybe if we can put some numbers on these, we can change the identity conversation and put some pressure on the managers and the companies that they pass our assets on to!

What do you think?



1 comment

  • warsir
    Warren Sirota on October 28, 2012 at 12:35 p.m.
    The concept of "identity" seems obvious, mundane at first blush. Peter Horne's thought-provoking constructs around it really do need to be considered...by all. Most important here (I think) is Identity as an asset. And I don't like the way Google, Facebook (you won't find me there) and the rest are absconding with people's assets for financial gain. I suppose one can think of it as leaving personal property lying on a street corner where it becomes "finders keepers." That said, people need to take more responsibility over this particular asset. As Pogo said, "We have met the enemy and he is us."