Identity or Persona?


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




I recently posted to the idworkshop list some thoughts on the terms Identity vs Persona. But I've just noticed a strong bias expressed by two bloggers whose opinions I respect: Timothy Grayson and Dave Kearns.

Both have been very clear in their statement that each person has exactly one identity in the following articles:
o Piling on: "The importance of [the word] identity"
o Piling on 2: "The Importance of Identity" Online and off
o Crying in the wilderness, again.

They both prefer the classical (philosophical) definition of identity -- identity is the thing that is you. So, by definition, one person can only have one identity. (BTW, Tim, I don't think your identity goes away when you die -- but perhaps that's not what you meant.) The other "identities" that people are talking about are actually personas.

While I agree with both Tim and Dave in their desires to be precise in discussions, I do think the train has left the station on how the word identity is understood. By popular usage, folks such as Phil Winley and Esther Dyson (as pointed out by Tim and Dave) use the term identity imprecisely to mean persona. Frankly, I think the term identity is so overused in both technical and pop culture that it has been rendered not-very-useful for technical discussions -- it might actually be a source of confusion. I would suggest, when we need more exact terms, we should use words with less cultural burden -- like persona; and, we need to find a word/phrase to refer to these unique things that are people (and objects) -- perhaps entity.


PS. I'm still swamped with work, so my postings will be haphazard, at best.



Date: Fri, 23 Sep 2005 14:36:59 -0700
To: idworkshop@googlegroups.com
From: "P.T. Ong" <p.t.ong@onghome.com>
Subject: Re: persona/identity

Strangely enough, I was just doing a systems design / object decomposition exercise last week, and decided to ditch "digital identity" and use "digital persona" instead; specifically because the phrase avoids the broader meanings of "identity" ... like "sense of self", "roots".

I think it's easier to understand "my persona for Acme Bank" than "my identity for Acme Bank". The term "persona" is less personal, so the user is more able to disassociate himself from the "persona" -- as it should be...

Getting more philosophical, I might never really know your true identity, but I can always use personas to point to the entity that is you.

Also, the discussion on anonymity gets easier. People can get confused when we talk about "anonymous identities" as the phrase is, superficially, a contradiction in terms -- "identity" might imply the lack of anonymity because it is tied closely with "sense of self". (http://blog.onghome.com/2005/03/strong-identities-can-be-anonymous.htm)

In the real world, words have associated meaning, connotations, emotional baggage, etc.; and it's confusing to the rest of the world (and to us too) when we technical folks try to use them in ways that conflict (or is in dissonance) with their commonplace uses.

pt

PS. I do realize that marketing-wise, it's too late to move from the use of "identity".


At 08:39 AM 9/23/2005, Dave Kearns wrote:
>From: "Luke Razzell" <luke@i-together.net>
>>
>> My dramatherapist girlfriend, Charla, pointed out to
>> me that "persona" is from the Greek for "mask":
>>
>
>That's where the usage came from. The "persona" in a Greek play
>represented the "role" that the actor was playing. Which, in today's
>usage (as opposed to, say, the arcane world of 1999) really confuses
>the issues of identity, persona and role.
>
>In fact, what we're calling "digital identity" used to be referred
>to as "digital persona"
>(http://www.networkworld.com/columnists/2000/1106kearns.html) (And I
>still have the outline of a book I wanted to write with that title.
>Until a biometrics company came along and took the name.)
>
>At the time, the few people involved in "digital identity"
>deliberately chose the term "digital persona" so as not to confuse
>people with the "I" word. From the discussion we've had here, it
>does seem that the confusion still rages. So I can heartily agree
>with Luke when he says:
>
>> In this way, deprecating "digital identity" in favour of the
>> synonymous "persona" helps to disambiguate the discussion:
>> we are left with comparisons of "personas" and "identities"
>> rather than the supremely confusing "digital identities" and
>>"identities"!
>>
>
>-dave


Update (Oct 1, 2005):
I forgot to cross-reference Luke Razzell's post on Persona and identity (http://www.i-together.net/weaverluke/2005/09/persona-and-identity.html).

Update (Oct 8, 2005):
Here are a few more follow-on posts on the topic:
o Timothy Grayson, The living language of identity
o Phil Windley, On the Word 'Identity'
o Johannes Ernst, Phil Windley puts his finger on why defining "Digital Identity" is hard

Identity or Persona?


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




I recently posted to the idworkshop list some thoughts on the terms Identity vs Persona. But I've just noticed a strong bias expressed by two bloggers whose opinions I respect: Timothy Grayson and Dave Kearns.

Both have been very clear in their statement that each person has exactly one identity in the following articles:
o Piling on: "The importance of [the word] identity"
o Piling on 2: "The Importance of Identity" Online and off
o Crying in the wilderness, again.

They both prefer the classical (philosophical) definition of identity -- identity is the thing that is you. So, by definition, one person can only have one identity. (BTW, Tim, I don't think your identity goes away when you die -- but perhaps that's not what you meant.) The other "identities" that people are talking about are actually personas.

While I agree with both Tim and Dave in their desires to be precise in discussions, I do think the train has left the station on how the word identity is understood. By popular usage, folks such as Phil Winley and Esther Dyson (as pointed out by Tim and Dave) use the term identity imprecisely to mean persona. Frankly, I think the term identity is so overused in both technical and pop culture that it has been rendered not-very-useful for technical discussions -- it might actually be a source of confusion. I would suggest, when we need more exact terms, we should use words with less cultural burden -- like persona; and, we need to find a word/phrase to refer to these unique things that are people (and objects) -- perhaps entity.


PS. I'm still swamped with work, so my postings will be haphazard, at best.



Date: Fri, 23 Sep 2005 14:36:59 -0700
To: idworkshop@googlegroups.com
From: "P.T. Ong" <p.t.ong@onghome.com>
Subject: Re: persona/identity

Strangely enough, I was just doing a systems design / object decomposition exercise last week, and decided to ditch "digital identity" and use "digital persona" instead; specifically because the phrase avoids the broader meanings of "identity" ... like "sense of self", "roots".

I think it's easier to understand "my persona for Acme Bank" than "my identity for Acme Bank". The term "persona" is less personal, so the user is more able to disassociate himself from the "persona" -- as it should be...

Getting more philosophical, I might never really know your true identity, but I can always use personas to point to the entity that is you.

Also, the discussion on anonymity gets easier. People can get confused when we talk about "anonymous identities" as the phrase is, superficially, a contradiction in terms -- "identity" might imply the lack of anonymity because it is tied closely with "sense of self". (http://blog.onghome.com/2005/03/strong-identities-can-be-anonymous.htm)

In the real world, words have associated meaning, connotations, emotional baggage, etc.; and it's confusing to the rest of the world (and to us too) when we technical folks try to use them in ways that conflict (or is in dissonance) with their commonplace uses.

pt

PS. I do realize that marketing-wise, it's too late to move from the use of "identity".


At 08:39 AM 9/23/2005, Dave Kearns wrote:
>From: "Luke Razzell" <luke@i-together.net>
>>
>> My dramatherapist girlfriend, Charla, pointed out to
>> me that "persona" is from the Greek for "mask":
>>
>
>That's where the usage came from. The "persona" in a Greek play
>represented the "role" that the actor was playing. Which, in today's
>usage (as opposed to, say, the arcane world of 1999) really confuses
>the issues of identity, persona and role.
>
>In fact, what we're calling "digital identity" used to be referred
>to as "digital persona"
>(http://www.networkworld.com/columnists/2000/1106kearns.html) (And I
>still have the outline of a book I wanted to write with that title.
>Until a biometrics company came along and took the name.)
>
>At the time, the few people involved in "digital identity"
>deliberately chose the term "digital persona" so as not to confuse
>people with the "I" word. From the discussion we've had here, it
>does seem that the confusion still rages. So I can heartily agree
>with Luke when he says:
>
>> In this way, deprecating "digital identity" in favour of the
>> synonymous "persona" helps to disambiguate the discussion:
>> we are left with comparisons of "personas" and "identities"
>> rather than the supremely confusing "digital identities" and
>>"identities"!
>>
>
>-dave


Update (Oct 1, 2005):
I forgot to cross-reference Luke Razzell's post on Persona and identity (http://www.i-together.net/weaverluke/2005/09/persona-and-identity.html).

Update (Oct 8, 2005):
Here are a few more follow-on posts on the topic:
o Timothy Grayson, The living language of identity
o Phil Windley, On the Word 'Identity'
o Johannes Ernst, Phil Windley puts his finger on why defining "Digital Identity" is hard

Stupid Users?!


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Valerie Steeves has just posted an article about he observations at the World Summit on the Information Society meeting on cybersecurity. She expressed concern about how a certain European delegate said, "It’s the stupid users. If we could just get them to use the technology properly, then we wouldn’t have a problem."

I've been reading Tom Peter's recent book(let) on Design. When talking about technology (and every tool we use was at some point "technology"), we tend to blame the user when problems come up. In reality, most of these problems are becuase the technology was not designed for the parameters of human capability.

For example, as I like to say, there is an impedence mismatch between digital security requirements and human brains. Specifically, human brains are not configured to remember and precisely reproduce many sequences of complex symbols -- so we should not be surprised when we discover that passwords (managed by humans) are one of the weakest links in computer security.

Valerie went on to talk about how people use the need for security as a way to justify compromising privacy of end-users. I agree. It is all too tempting to "solve" problems using brute force.

Stupid Users?!


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Valerie Steeves has just posted an article about he observations at the World Summit on the Information Society meeting on cybersecurity. She expressed concern about how a certain European delegate said, "It’s the stupid users. If we could just get them to use the technology properly, then we wouldn’t have a problem."

I've been reading Tom Peter's recent book(let) on Design. When talking about technology (and every tool we use was at some point "technology"), we tend to blame the user when problems come up. In reality, most of these problems are becuase the technology was not designed for the parameters of human capability.

For example, as I like to say, there is an impedence mismatch between digital security requirements and human brains. Specifically, human brains are not configured to remember and precisely reproduce many sequences of complex symbols -- so we should not be surprised when we discover that passwords (managed by humans) are one of the weakest links in computer security.

Valerie went on to talk about how people use the need for security as a way to justify compromising privacy of end-users. I agree. It is all too tempting to "solve" problems using brute force.

Humans as Smart Cards


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Valery pointed to a great quote in the “Network Security – Private Communication in a Public World” by Kaufman, Perlman and Speciener, Prentice Hall 1995 ISBN 0-13-061466-1.
Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)
The way I talk about it is that there is an impedence mismatch between the human brain and digital security requirements.

Humans as Smart Cards


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Valery pointed to a great quote in the “Network Security – Private Communication in a Public World” by Kaufman, Perlman and Speciener, Prentice Hall 1995 ISBN 0-13-061466-1.
Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)
The way I talk about it is that there is an impedence mismatch between the human brain and digital security requirements.

Identity and Privacy in Security


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




As I reread my post on the problems with RFID passports (http://blog.onghome.com/2005/04/sanity-around-rfid-passports.htm), it occurred to me that there is a more fundamental observation that needs to be made here...

When designing security systems based on strong authentication and identities, privacy is an important dimension to consider. The US State Department thought we could have better security by introducing strong(er) digital identities in passport via RFID tags. They forgot (or didn't realize) that without privacy considerations, the strong identity could be used, perhaps lethally, against the identity owner.

This reinforces my belief in the importance of privacy (and the works of individuals like Stefan Brands) to ensure the digital identity systems we build are actually usable.

Identity and Privacy in Security


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




As I reread my post on the problems with RFID passports (http://blog.onghome.com/2005/04/sanity-around-rfid-passports.htm), it occurred to me that there is a more fundamental observation that needs to be made here...

When designing security systems based on strong authentication and identities, privacy is an important dimension to consider. The US State Department thought we could have better security by introducing strong(er) digital identities in passport via RFID tags. They forgot (or didn't realize) that without privacy considerations, the strong identity could be used, perhaps lethally, against the identity owner.

This reinforces my belief in the importance of privacy (and the works of individuals like Stefan Brands) to ensure the digital identity systems we build are actually usable.

InfoCard is Not the Identity Metasystem


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Noted. Just been catching up on the chatter on InfoCard.

Most notable is the point that Johannes Ernst, Doc Searls and Dave Kearns are making that Microsoft's InfoCard is not the identity metasystem. At best, it is a component of the metasystem.

o Johannes Ernst, More on the relationship between InfoCard and the Identity Metasystem.
o Doc Searls, Distinguishing between the Identity Metasystem and InfoCard.
o Dave Kearns, Identity metamagic.
o Johannes Ernst, What might an "Identity Meta-System" be?.
o Doc Searls, Some questions about the Identity Metasystem.

See Also
o P.T. Ong, More on InfoCards.

InfoCard is Not the Identity Metasystem


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Noted. Just been catching up on the chatter on InfoCard.

Most notable is the point that Johannes Ernst, Doc Searls and Dave Kearns are making that Microsoft's InfoCard is not the identity metasystem. At best, it is a component of the metasystem.

o Johannes Ernst, More on the relationship between InfoCard and the Identity Metasystem.
o Doc Searls, Distinguishing between the Identity Metasystem and InfoCard.
o Dave Kearns, Identity metamagic.
o Johannes Ernst, What might an "Identity Meta-System" be?.
o Doc Searls, Some questions about the Identity Metasystem.

See Also
o P.T. Ong, More on InfoCards.

Long-Lived Software


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Been busy with work. Still am... but I did have some time to do some reading and thinking about the nature of systems we build.

To date, most of the software we build do not last very long. Heck, most movies have longer lifespans than most software. The people at the Long Now (www.longnow.com) suggest that we should think about the long term impact of the systems and constructs that we create. The net is here to stay, and because the shorter-term thinking of the builders of parts of the net (e.g. IP address spaces), we are stuck with significant limitations.

Dan Bricklin has written about long-term engineering as it applies to software (http://www.bricklin.com/200yearsoftware.htm, http://www.planetpdf.com/forumarchive/6.03.200YearSoftware.pdf). Bricklin emphasizes fact that the structure and culture of a typical prepackaged software company is not attuned to the needs of societal infrastructure software. He proposes that software engineers should learn from civil engineering.

As we embark on designing what could be the future of a permanent fixture in cyberspace -- the identity infrastructure -- we should be cognizant of the long-term impact of our actions and designs.

Long-Lived Software


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




Been busy with work. Still am... but I did have some time to do some reading and thinking about the nature of systems we build.

To date, most of the software we build do not last very long. Heck, most movies have longer lifespans than most software. The people at the Long Now (www.longnow.com) suggest that we should think about the long term impact of the systems and constructs that we create. The net is here to stay, and because the shorter-term thinking of the builders of parts of the net (e.g. IP address spaces), we are stuck with significant limitations.

Dan Bricklin has written about long-term engineering as it applies to software (http://www.bricklin.com/200yearsoftware.htm, http://www.planetpdf.com/forumarchive/6.03.200YearSoftware.pdf). Bricklin emphasizes fact that the structure and culture of a typical prepackaged software company is not attuned to the needs of societal infrastructure software. He proposes that software engineers should learn from civil engineering.

As we embark on designing what could be the future of a permanent fixture in cyberspace -- the identity infrastructure -- we should be cognizant of the long-term impact of our actions and designs.

One Level of Indirection


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




A claim I heard a while ago is that every problem in computer science can be solved by adding a level of indirection.

Upon a closer reading of Stephen DownesAuthentication and Identification, I realized he gets into a bit of a spot with his approach, and has to redefine what most of us would accept as authentication to self-identification...
It is common at this juncture to confuse an identity claim with authentication. For example, the presentation of a bank card (a token) to a bank machine, combined with an assertion (the keying of a PIN), is often taken to constitute a type of authentication. However, it is not; it is nothing more than the claim to be a certain person.
Many of us would rather refer to the above process as the authentication of the account holder’s identity to the bank machine with a bank card (what you have) and the PIN (what you know), as opposed to self-identification of the account holder to the bank machine.

Because Downes does not separate an entity from its identity (or identities), authenticating an identity is equivalent to self-identification of an entity. So, to Downes, if you authenticate an identity (or self-identify, in his terminology), you lose any control and privacy—hence the need to (somewhat awkwardly) differentiate self-identification from authentication. The point I made in an earlier post (Strong Identities Can Be Anonymous) is that an entity does not have to be bound to its identity. This level of indirection allows for anonymous identities, and addresses most of the privacy and control concerns Downes raises in his article.

Update (November 12, 2007)
Joe Long tells me it was Jim Grey who said that any programming problem can be solved by adding one level of indirection and that any performance problem can be solved by removing one level of indirection. (I should do some research on this.)

One Level of Indirection


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




A claim I heard a while ago is that every problem in computer science can be solved by adding a level of indirection.

Upon a closer reading of Stephen DownesAuthentication and Identification, I realized he gets into a bit of a spot with his approach, and has to redefine what most of us would accept as authentication to self-identification...
It is common at this juncture to confuse an identity claim with authentication. For example, the presentation of a bank card (a token) to a bank machine, combined with an assertion (the keying of a PIN), is often taken to constitute a type of authentication. However, it is not; it is nothing more than the claim to be a certain person.
Many of us would rather refer to the above process as the authentication of the account holder’s identity to the bank machine with a bank card (what you have) and the PIN (what you know), as opposed to self-identification of the account holder to the bank machine.

Because Downes does not separate an entity from its identity (or identities), authenticating an identity is equivalent to self-identification of an entity. So, to Downes, if you authenticate an identity (or self-identify, in his terminology), you lose any control and privacy—hence the need to (somewhat awkwardly) differentiate self-identification from authentication. The point I made in an earlier post (Strong Identities Can Be Anonymous) is that an entity does not have to be bound to its identity. This level of indirection allows for anonymous identities, and addresses most of the privacy and control concerns Downes raises in his article.

Update (November 12, 2007)
Joe Long tells me it was Jim Grey who said that any programming problem can be solved by adding one level of indirection and that any performance problem can be solved by removing one level of indirection. (I should do some research on this.)

The Life and Limb Problem


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




I had earlier written about the three problems with using biometrics as authenticators:
  • The Technology Problem
  • The Social Acceptability Problem
  • The Clonability Problem
I'm adding one more:
  • The Life and Limb Problem
This problem with biometrics became clear to me with a report by Jonathan Kent, Malaysia car thieves steal finger, on the BBC News. The problem with some (not all) biometric metrics is that we are measuring some aspect of a body part that is not (painlessly) detachable from the rest of the body. When identity theft is to be commited on systems with biometric locks, physical violence is a very real and possibly easiest option for the criminals.

The Life and Limb Problem


This post is by P.T. Ong from Random Thoughts on Digital Identity


Click here to view on the original site: Original Post




I had earlier written about the three problems with using biometrics as authenticators:
  • The Technology Problem
  • The Social Acceptability Problem
  • The Clonability Problem
I'm adding one more:
  • The Life and Limb Problem
This problem with biometrics became clear to me with a report by Jonathan Kent, Malaysia car thieves steal finger, on the BBC News. The problem with some (not all) biometric metrics is that we are measuring some aspect of a body part that is not (painlessly) detachable from the rest of the body. When identity theft is to be commited on systems with biometric locks, physical violence is a very real and possibly easiest option for the criminals.