The identity problem

Robin Wilton (@futureidentity) has been wrestling with identity issues for longer than I have, and deeper in the trenches. It is from one of those — IGF2012 (The Internet Governance Forum for Sustainable Human and Economic Development) — that he issued a deep and thoughtful post today on the topic of identity. His central distinction:

2. So let me describe two ways of looking at digital identity. I’ll describe the first one and then contrast its characteristics with the second. The first, I’ll call the Classic model. It is based on:

– Single authoritative source
– Credential
– Authentication
– Binary (Y or N)
– Level of assurance and a chain of trust, both of which can be formalised into procedures and assigned liability models (retroactive).
The second is what I’ll call the Emerging model. It looks like this:
– Multiple, low-assurance sources
– Attributes
– Authorisation
– Contextual and adaptive
– A web of trust, notions of mutable reputation, and quantifiable mainly in terms of risk management (predictive).

The Classic model is “fundamentally retrospective,” he writes; and

The Emerging model is future-facing. It is much more dynamic, and it is also completely compatible with anonymous authorisation. But it alters our conception of identity and trust, and relies on immature disciplines such as reputation management and contextual authorisation.

This is correct and astute. It also lays out much to be feared if we stick with either one. So I weighed in at his post with a long comment from a VRM perspective:

The reason “your digital identity” is not “close to being a reflection of your personal identity” is that you are a “user” on the Web and not a sovereign and independent human being.

The reason you are a user and not a human being on the Web is that in 1995 we settled on a model called “client-server” in which every server carried responsibility for authentication and pretty much everything else. You, as an individual, were just a user. It is not a coincidence that only two industries call individual human beings “users.” The other is drugs.

Nothing substantive has yet been built toward independence for individuals on the client side. We remain dependent variables rather than independent ones — a situation that has not changed in the seventeen years since. Client-server has become calf-cow, where users are the calves and sites are the cows. (More here.)

Both the classic and the emergent models you describe rely on cows. Neither allows the user to perform as an independent individual. Neither attempts to fix the problem of identity from the individual’s side.

Truly fixing identity is un-done work. Some companies and development efforts listed in the ProjectVRM wiki are working on it. Every six months it also comes up at Internet Identity Workshops ( But it’s a hard problem, akin to solving personal transportation with better railroads.

What we need online are the digital equivalents of cars and bicycles: personal transportation. Remember the “information superhighway” — this communications path on which you would “drive”? The idea was that each browser was a personal vehicle on which we “surfed” from place to place. Think of the literal meanings of drive, browse and surf. They are what independent human beings do. When all we do is “use,” we are dependent. Simple as that.

This is why the browser morphed from a car or a surfboard into a shopping cart that gets re-skinned with every commercial site it “uses.” At each site the user iis known in ways exclusive to the site, over which the individual has little control, except to opt out of the site and its systems. Add Twitter or Facebook login to the mix, and you just have more, and bigger, cows involved.

The burden of subordination to each of us is hundreds of different login/password combinations and acceptance of one-sided “agreements” offered by each site or service we use, on a take-it-or-leave-it basis. The “agreements” are ones we never read because they are written by and for lawyers, and are built to offload as much risk and liability as possible to users, along with minimized control over the user’s “experience.”

So there is much more to fix here than identity alone. But identity is the oldest challenge, and perhaps still the largest one.

I  hope it helps. I also want to tip my hat toward Devon Loffreto, aka Moxy Tongue and @EnzionXavier, who writes posts such as this one. It is to Devon that I owe the adjective sovereign for what matters most about personal identity. I also owe much to Walt Whitman, who writes,

The spotted hawk swoops by and accuses me.
He complains of my gab and my loitering.

I too am not a bit tamed. I too am untranslatable.
I sound my barbaric yawp over the roofs of the world.

To mix metaphors one more time, we have ceased being hawks, or inspired by them.

If now is not the time to fly, when will we?

[Later…] Crosbie Fitch has also been a helpful influence. His is the first comment below.





  1. Crosbie Fitch

    I tried to point people in the right direction here:

    Unfortunately, truly distributed identity is still regarded as either crazy or unprofitable (a synonym for crazy).

  2. Stephen Wilson

    I’m afraid you may be overloading the idea of identity. The core reason why there are inconsistencies in (and profusion of) identities across different contexts is that “identity “is not some discrete thing possessed by the individual, but instead it’s actually a proxy for the relationship that you have with an “identity provider” – usually some central party authoritative over a certain domain or circle. Call it a cow if you will but I think it’s a bit pejorative. Different circles have their own ways of knowing people, determined locally as part of a risk management process. The reason why the cows set the rules is they bear most of the risk.

    I reckon we should distinguish (a) the Impressed identities we have given to us and specified by service providers, and (b) the Expressed identities we can curate for ourselves in the more social settings.

    Identity is metaphorical. This is deep in the Laws of Identity which defined digital identity as a set of claims. I seriously think we would do well to forget “identity” and instead focus on how we can do a better job of forming digital relationships with improved exchange of claims information.

    More at

  3. Doc Searls

    Thanks, Stephen.

    Your position here has mostly been mine for the last few years. But I waffle on it. ProjectVRM participants such as Crosbie Fitch and Devon Loffreto have been persuasive toward respecting what Devon calls “sovereign” identity. So I invite them (and anybody) to weigh in on behalf of that.

    Meanwhile the problem with the calf-cow model, for us as users and customers, is too many cows, each with their own circles, each of which has its own ways of identifying us, and using their our-namespace-not-yours leverage to limit and control the means for interacting with them.

    I believe it is possible to prove that free customers are more valuable than captive ones without solving identity issues first. But I also believe putting identity on the back burner, or leaving it all up to “providers” is a concession too far.

    Or so it seems to me by the window of a chilly Wendy’s in rural New Hampshire on a Sunday evening. (Next stops: Boston, New York, San Jose…)

  4. Stephen Wilson

    If each Digital Identity is not a thing at all but actually a proxy for a relationship, then it rather levels the notion of “sovereignty”. Each Identity is a two way street. Do any of us really have an effective say in how a bank goes about knowing us? Let’s not read too much into the “identities” bestowed on us by banks, governments, employers, doctors … they’re all mere handles. We each need sovereignty over our natural person for sure, but our Digital Identities are different. To push for more self-determination over the way that banks and other service providers know us is to ask for radical changes to the way they do business. It’s easier said than done.

    More at

  5. Fred Fisher

    @Crosby, Stephen, and Doc – We are making distributed identity a reality:
    We see identity and the connection as synonymous – every connection between two peers has a unique identity in each direction. Connections are by default strongly anonymous with no dependence on a metasystem such as IP addresses or certificates. Once established, information can be granted to a connection that may or may not include personally identifying information. We provide a set of protocols that allow social networks to self assemble and support validation of claims forming a reputation network we call the Web of Provenance.

    The first instantiation of our technology goes live early next year as a b2b application with We are completing an individual version prototype and have secured seed funding to build the beta and more. We are seeking quality engagement from interested parties, so please feel free to visit us at – you will find contact info there.

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2023 ProjectVRM

Theme by Anders NorenUp ↑