thoughts and observations of a privacy, security and internet researcher, activist, and policy advisor

Saturday, October 21, 2006

Identity and Relations, or: yet another interesting law

The Burton group is cooking up something really interesting. A new entry in their identity blog says that
the overarching goal isn’t to issue everyone an ID, but rather to promote relationship, community, collaboration, and interaction.
So, instead of focusing on the identity of single persons and its management, they are working on the relationship. They try to
develop laws of relation. Our focus is on the connection or the network, rather than on the end points.
The first law (as in natural observed law, not moral obligation) they came up with is the
Law of Relational Symmetry: The party in control of the terms of a relationship controls the relationship and, in the absence of symmetrical countervailing controls, will eventually exploit the other participants.

This resembles something very common in the social sciences, which deal with social relationships in their manyfold forms and functions. Political science for example distinguishes between different forms of power. You can have decision power in a specific setting and situation, but you can also have structural power by controlling the setting and situation - who is admitted, what is on the agenda, in which order do people speak or vote? (For a good overview see Frank Baumgartner's encyclopedia entry on political agendas.)

Coming more or less from there, they develop a nice critique of the hip idea of "user-centric identity management":
user-centric identity (as currently constituted) doesn’t achieve symmetry in person-to-organization relationships, and so such relationships will continue to drift toward exploitive results.
The question then is:
Why should a person be required to submit personal information to the relationship at all? Doing so puts a person at tremendous risk, while organizations divulge very little sensitive information in return.
While I follow the Burton folks until here, I don't share their conclusion at all. What do we learn from this empirical law if we want to make the world a better place? They suggest to level the playing field by granting the same legal rights that corporations have to persons, and end with the odd concept of "Limited Liability Persona". I don't think this would address the problem. If you have less liability as a person, how on earth would this keep organizations and corporations from abusing your personal identity information? I would put it exactly the other way around and increase the liability of corporations instead.

But in general, the problem is much deeper. The fact that large and functionally differentiated societies have to rely on abstract and formal (or as Max Weber said: bureaucratic) organizations will always maintain this asymmetry. (And it is not only based on the way the identities are defined in the relationship, but also on the relationship itself: A consumer-shop relationship is different from an employee-company relationship.) The individual is in a structurally weaker position than the organization. To make sure the latter does not overly exploit this asymmetry, societies have developed laws: For consumer protection, labour relations, the right to strike, telecom regulation and so on. The one organization that has basically unlimited liability (and has to jump in in cases of large damage even if it's nature's or other organizations' fault) of course is the state. The way to ensure the state does not exploit its strength against the citizens' will is simple: By voting and elections.

Turning this discussion back to user-centric identity again, a way of improving the relationship here would be having the users vote about the way they want to have the identity systems designed. While this is not really feasable in practice, the users' perspectives should at least be involved somehow. This argument is founded in the normative theory of legitimacy: If Microsoft and the others succeed, the identiy meta-system currently developing for the internet will be a global standard. Because of network effects, there will be no real choice (or "exit" option) for the users anymore once the standard is established. You will be able to choose between different products, but you will not be able to choose the standard they implement - just as is the case with TCP/IP or GSM. Therefore, the way the standard is defined - substantially and procedurally - is relevant. Political science has recently started to look into standard-setting organizations from this perspective of normative theory, and Larry Lessig's book on code as the law of cyberspace is also making this point.

On another level, it is about the two faces of power again: It's one thing to be able to raise your voice in a global process that defines a technical standard for identity management, but it is another thing to be able to say if you want any standard at all. The latter question has never really been discussed for the internet, but the fierce political struggle over introducing ID cards in the UK shows that we can't take for granted that everybody wants an identity infrastructure in the first place.

Update: Can anyone tell me who wrote the Burton Group blog entry? My feed reader tells me it was posted by Gerry Gebel, but the entry itself says Mike Neuenschwander. I want to credit the right person here (even if it obviously was the outcome of a collaborative thinking process).
Update II: It was Mike Neuenschwander.


Blogger bob blakley said...

Ralf, the entry was written by Mike Neuenschwander; currently Gerry posts all the entries on our team blog in order to simplify administration. But credit goes to Mike for the text and to Mike and Lori Rowland for the idea.

25/11/06 17:58


Post a Comment

Links to this post:

Create a Link

<< Home