Contextual Identity

We’ve been thinking and discussing, and then thinking some more, about both privacy and identity at Mozilla. So far we have generally been treating them as two separate sets of issues, but I’m beginning to wonder if there might be another way to think about this.

People have been trying various ways of addressing privacy concerns on the web. These approaches have generally consisted of mechanisms to permit a website and/or user to define and communicate a privacy policy in some digestible way, and then optionally negotiate some happy middle ground (or not). P3P was probably the most ambitious attempt to crack this nut, without much success. I won’t try to rehash these various proposals here nor speculate as to why each has so far largely failed.

Instead, let's try a different tack. What if privacy is really just an aspect of identity?

One hypothesis: people don’t have a single identity… in the real world, or online. Who you fundamentally represent yourself to be (in terms of name, accuracy of location, age, social-demographics, etc.) varies depending on the context. This is true whether you are interacting online with a bank vs. an online hobby forum vs. craigslist, and true whether you are interacting with your close family vs. coworkers vs. random strangers in the elevator.

In each of those scenarios, you are projecting a different “view” of your underlying self that you feel is appropriate for the given context. Even in situations of relatively equal trust and confidence, say with your parents vs. your significant other, you are sharing information on a fundamentally different basis in terms of how you are presenting it, how you want to be perceived and how much detail and honesty you are willing to provide, even when the topic is the same. In Plato’s Cave, we are putting on a unique shadow play for each audience. I’m sure there is a formal academic definition of this, but lacking that at the moment I’ll just call this the “contextual identity”.

The desire to be perceived in a certain way inherently includes a set of privacy expectations, or put another way, an individual's implicit privacy policy in a given context. This is often where people run into privacy problems online: either their expectation of their identity in a given context is not accurate (i.e. they are sharing far more, or very different types of, information than they intended to), or the information is viewed in a different context than the one it was shared in (e.g. embarrassing party photos are viewed by a potential employer).

So maybe it's not a surprise that many social networks have ended up with privacy egg on their face. Part of the problem is that by presuming that users should have only a single, canonical identity on their network (and indeed, often the entire web), they lack the flexibility for individuals to express their various identities appropriately in different contexts.

So what if you could in fact maintain a set of identities, each accurately reflecting your desired identity in a given context? Then you could seamlessly interact with a wide range of services, from commenting on news sites in a relatively anonymous setting, to sharing health information with your family, to doing online banking, each a relatively confidential and trustworthy interaction, yet each fundamentally different from the others. After all, your family shouldn't necessarily know your current bank balance and, conversely, your bank doesn't need to know about your health.

Who would you trust with managing this set of identities, though? Your favorite social network? The problem with that is that this trusted provider would need to be aware of the superset of your desired identities, which likely includes identities that are more sensitive than you'd be willing to share with said network. Given that social networks are relatively low in the grand hierarchy of trust (for me, anyway), they seem like poor receptacles for this degree of trust.

The best entity to trust with this information is, oddly enough, yourself. The ideal solution would be locally managed on the user’s system, but securely synchronized seamlessly to your devices. This model has some important positive characteristics.

For one, the entity at the top of this hierarchy of trust is you. Obviously you also need to trust the software you use, but that is the tremendous power of open source software: since you can inspect the source code and build your own version of any open source package, you can actually trust its behavior. That is only possible for closed-source, locally installed software with immense skill and effort in reverse engineering, and mostly impossible for remotely hosted web apps.

The other reason is that, because you control all these disparate identities, you can choose which of them can be associated with each other, and in what context. For example, I might be OK with my social network identity being associated with my blogging identity, but I probably don't want either to be aware of any of my banking identities.
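To make the "locally managed set of identities with user-controlled associations" concrete, here is an added example written for this page; it is not Mozilla or Firefox code. It goes a step beyond the text: besides storing a separate view per context and a consent list for which contexts may be associated, it derives a distinct per-context, per-site identifier from a master secret that stays on the device, so two sites (or one site reached from two contexts) cannot correlate the user unless the user explicitly exports a link. The context names, attribute keys, site names and the derivation method are all assumptions of the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Added example, not Mozilla/Firefox code: a locally held set of contextual
# identities. The master secret stays on the user's device; every name below
# (contexts, sites, attribute keys) is a constructed placeholder.


@dataclass
class Identity:
    context: str                      # e.g. "bank", "social", "blog"
    attributes: Dict[str, str]        # the "view" projected in this context
    may_link_to: Set[str] = field(default_factory=set)  # contexts this one may be associated with


class IdentityStore:
    """All identities live locally; the master secret never leaves the device."""

    def __init__(self, master_secret: bytes):
        self._secret = master_secret
        self._identities = {}

    def add(self, ident: Identity) -> None:
        self._identities[ident.context] = ident

    def view(self, context: str) -> Dict[str, str]:
        """The attributes the user is willing to show in this context."""
        return dict(self._identities[context].attributes)

    def identifier_for(self, context: str, relying_party: str) -> str:
        """A per-context, per-site identifier derived from the master secret.

        The same site reached from two different contexts gets two unrelated
        values, so it cannot correlate them without the user's cooperation.
        (The derivation is an assumption for this example, not a Mozilla design.)
        """
        msg = context.encode() + b"\x00" + relying_party.encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()[:32]

    def can_associate(self, a: str, b: str) -> bool:
        """Association needs consent recorded on both identities."""
        ia, ib = self._identities[a], self._identities[b]
        return b in ia.may_link_to and a in ib.may_link_to

    def export_link(self, a: str, b: str, relying_party: str) -> Optional[Dict[str, str]]:
        """What the user hands a site to show that two of their identities belong together.

        Returns None when the user's own policy forbids the association.
        """
        if not self.can_associate(a, b):
            return None
        return {a: self.identifier_for(a, relying_party),
                b: self.identifier_for(b, relying_party)}


def demo_store() -> IdentityStore:
    """Constructed sample data: social and blog may be linked, bank stays isolated."""
    store = IdentityStore(b"constructed-demo-secret-do-not-reuse")
    store.add(Identity("social", {"name": "A. Example", "city": "Somewhere"}, {"blog"}))
    store.add(Identity("blog", {"name": "example_writer", "bio": "writes things"}, {"social"}))
    store.add(Identity("bank", {"name": "Alice Example", "address": "12 Example St"}))
    return store


if __name__ == "__main__":
    s = demo_store()
    print("social @ example.com:", s.identifier_for("social", "example.com"))
    print("bank   @ example.com:", s.identifier_for("bank", "example.com"))
    print("social<->blog link:", s.export_link("social", "blog", "example.com"))
    print("social<->bank link:", s.export_link("social", "bank", "example.com"))
```

The consent check is deliberately symmetric: a link is only exported when both identities list each other, so adding the blog to the social identity's list does not by itself let a site tie the blog back to the social account.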

Sounds great, right? Maybe… or maybe not. Either way, let me know! So what’s next, you ask?

Hmm, we’ll see. Stay tuned… :)

18 comments

  1. @jens

    I don't think this problem is really about SAML; at least, SAML is the tip of the iceberg. I would love to see ECP Profile support in FF, but this really isn't about SAML. I don't really ever want to share my email with a random application. I want to limit what random app A can leak to random app B without server-side mediation.

    The extent to which this could be about SAML: it would be nice for SAML implementors to have in-browser support for SAML and perhaps better cookie choices. It might be nice for implementors to set a 'security label' on a cookie, or alternately set human-readable metadata for a cookie, and let the browser know what kind of cookie it is (like, say, a login cookie, a 'discovery cookie' or a 'preferences cookie'), and allow browser UI to offer sensible options for 'login cookies' (like, say, auto-renew the global session x minutes before expiration, or expire all login cookies from all domains or from domain X, etc.).

    Again, it's not about SAML IMO, it's about cross-realm data and the inadequacy of cookies.

  2. This is one of the reasons I have used fluid.app (a site-specific browser implementation based off Safari) in the past. The part I was never able to get to my satisfaction was to cause following links to open some key sites in an SSB automatically when followed in my main browser.

    What I really want is something very close to what I think you are going for…

    1) I’d like to be able to have multiple containers for all site data (cookies, fbo-es. etc..)

    2) I'd like some sites to be rendered in one context no matter how I got there (if I've made the context sticky).

    3) I'd like sites that use Flash, or any plugin that violates the cross-realm data protections, to be flagged as 'exposing data across realms'. Really I want a version of Flash that works through canvas and cannot have more access to the desktop or UI than normal HTML and JS are allowed.

    4) Opening a second instance of site in a different context might be nice but not required.

    5) I'd like to be able to (manually) share/broker some cookies across different contexts. This is nice for things like SSO cookies, discovery cookies, social media… but right now these things suck, as the user is given so little control and security.

    6) The last thing that is missing (IMO) is a secure visual path. I'd like to have form and chrome UI elements 'watermarked' so I know the realm they pertain to… If I only got one watermark per container that would still be better than now… but I'd really like to set some realms with their own watermark.

  3. You might also want to take a look at SAML for authentication, and CARML for specifying attribute requirements (I must say I don't know much about CARML except that it exists).

    I must say that I don’t really like the Liberty Alliance mechanism of SSO through an identity provider – why not just assert your identity yourself? At least there should be a notion of that in the Liberty specs …

  4. "Part of the problem is that by presuming that users should have only a single, canonical identity on their network (and indeed, often the entire web), they lack the flexibility for individuals to express their various identities appropriately in different contexts."

    In every community in which I have ever lived, everyone implicitly expected me to identify myself by just one set of names consisting of “my” first name, middle name, and family surname. When I was 21, I left the area where my parents and siblings lived and took up residence in a far away city. For ten years, I introduced myself “as” my middle name, although I continued to use my family surname and, on some occasions, first name as well. Then, in the same city, but among a different circle of acquaintances, I began using my first name, and I have continued to use it in all ordinary contexts since then. (It isn’t the one that I’ve used as my name for this message.)

    Of course, almost all such introductions occurred during in-the-flesh face-to-face encounters. Most of the people with whom I communicate on the Internet have never “met” me nor have I “met” them. There are many people, enterprises and organizations with which I have interacted on the Internet without using my “actual” name(s).

    Nonetheless, all banks, lenders, merchants, and other enterprises with whom I do business (money changes hands), and all public organizations with which I am associated, ordinarily expect and assume that the names which I use, for example, “to establish an account”, are in fact recorded on “my” birth certificate, which the doctor sent to a government agency of the State in which I was born, shortly after that event.

    It is only natural that they would want, if not also expect and assume, that whatever name(s) I choose to use on the Internet are also recorded on that birth certificate. However, there are plenty of “hidden” enterprises who, with neither my factual knowledge nor my explicit consent, are intent upon collecting data about my activities and interactions with various web sites, and, of course, associating it with that particular set of names. They really have no respect for my desire to deny that data to them.

    Indeed, I perceive their activities as crimes that should be forbidden and penalized by law! Of course, there is legislation now pending in the US House of Representatives which, in true Republican fashion, seeks to legalize the status quo, at least.

    Everyone should try to live without such an “identity”, especially a Social Security Number (and card) sometime. For a couple of years I did that, traveling and working as a traditional hobo (often riding freight trains). Living under an assumed name(s) has its good points, but I cannot recall many of them.

    One thing that I learned during those two years is that governmental agencies were the most concerned that I be “identified” and “identifiable”. Most criminals use aliases. The constitution of the State of California explicitly permits a person to assume any name that they choose, provided that it is not done to commit fraud, to avoid repayment of a debt or the payment of a judgment, or to evade arrest and/or prosecution for a crime. But even the State of California was and is quite concerned with having on record a “valid” identity for each resident with whom it comes into contact.

    If you want to prevent violations of privacy, then you must restrict the collection and analysis of identifying data. Without the association of data with a natural person, the data has a limited value.

  5. I was wondering about OpenID, and found this to be related to your article: http://evan.prodromou.name/OpenID_Privacy_Concerns

  6. The persona of “Dohn Joe”, anonymous comment poster should also not be traceable to his other personas ;- )

  7. Hi Lucas,

    This is an age old topic in psychology and has been explored in detail by Dr. Carl Jung:
    http://helpingpsychology.com/jungian-theory-of-the-persona

    Managing multiple personas is not that difficult from a user perspective – simply create and use different accounts for each one. It’s actually too much effort for the average joe. The advantage to identity management and social network services recognizing this is streamlining your management of these such that it becomes easy for the majority of users to do it.

    The way I see it, it should model real life. When you put in your “personal information” there should be a different set for each persona based on who that persona interacts with. For example “Dave Simpson, MCSE” has a list of contacts, photos, etc… which reinforce this persona of the IT professional. This should not cross over into “The Davester”, Friday night party animal or “Davey Duke of York”, actor extraordinaire at the Medieval Carnival! However, this should not prevent the person holding all these personas from conveniently chatting, tagging, poking, gaming, blogging and participating in all those other activities conveniently. For SURE he should be able to do the reading bits (checking messages, reading blogs, looking at high scores or levels, looking at pictures, watching videos, etc…) from ALL of his contacts/sources under a single login/account!

  8. The approach is very nice. How do people think about other people? I have as many identities as people on my contact list, or, a bit more precisely, maybe fewer: different identities only for the groups of people I know. For my family I'm the computer genius, but for my IT colleagues I'm the best father, or I could also have a girlfriend who does not even know that I have a child…

    That means my identity, if I want to make it similar to the real world, is not based on one consistent data set. Rather, I have many independent identities. Naturally there are some connections in between, e.g. my name (if I'm not a spy with many names…).

    This leads to the need for a change in social network registration: I should be able to change my *whole* profile for any group of my acquaintances. It would be rather tiring to maintain; in our head it "runs" obviously faster, on the "core hardware"… But this is the correct representation of our real "contextual identity".

    So, change the social networks! And we will see if we dare to define even our unconscious contradictions in cyberspace. I'm skeptical about that, but psychologically it would be an extremely interesting possibility.

  9. Lucas: Interesting article, thank you! I could not get hold of my own assumption of “one person = one identity” when I was thinking about identity. I probably did not progress in that area because I was unaware of this assumption and thus was unable to question it. Probably an easy but incorrect way to think about identity.

    OTOH I agree with Andreas. That was more or less what I wanted to write as well. I am an open source advocate and developer, but the part — (from your article, Lucas) “but that is the tremendous power of open source software … and mostly impossible for remotely hosted web apps” — looks more like a valid statement promoting open source ideals and OSS security facts than being of relevance to the overall post’s message. I don’t say it’s wrong, it’s just not relevant, as the only difference is the degree and object of your trust. Read on…

    About: (your reply to Andreas) “Yes, vendor trust is important too. But the point is not that each individual would do their own thorough code review, but that a lot of people in the community already do so.”

    – Firstly, Andreas mentioned trusting, as an option, “e.g. an independent third-party that is able to inspect the software”, which includes the community in my eyes, thus covering your concern.

    – Secondly, if you trust the community instead of the vendor, the only difference is the object (in quality and quantity) of your trust! You have to trust *someone*, and if you are an OSS developer who looked at 100% all of his system’s source code, you still have to trust someone — yourself. So I’m just reiterating your message about “trusting yourself” here :)

    About: trusting “the community” — it is difficult to point at “the community” to define this kind of trust formally. Each OSS project differs greatly from the next — regarding intent, size, locality, quality, structure, activity, and what have you. We are back to trusting a vendor — Microsoft, Apache Foundation, Oracle, Mozilla Labs, Linus The Benevolent — independently of a software’s license. We even need to trust the respective means of software distribution, e.g. the project’s website and its administration, as you often end up running a package’s (included) installation procedures as root and there are the rare but regular OSS project server compromises. Yes, you can compare MD5 (or SHA512 or whatever) checksums, but then, you have to trust MD5. Or you have to trust a package signing procedure and a public key infrastructure / web of trust.

    And when you are speaking of identity, why not *extend* it to software vendors as well and apply trust to identities in the context of software development and/or review? I think it should scale in degrees of granularity as well. As an example, say “I trust the source code reviews of developer X”. That developer would then mark, not whole software packages, but e.g. individual code lines, either explicitly by tagging them, or implicitly by merely reading through them actively (maybe determined by a heuristic) and not leaving a big fat “BUG” marker.

    I am very interested in your thoughts about my comment.

  10. Very interesting post and a valuable enquiry to be in. Thinking of people as diamonds with many facets that change in different light, then yes, I hear your point. Add into the equation public and private facets, the public face and the private view… that adds another dimension to the complex holograph involving the internet. Yes, it's an open and valid enquiry to be in.

  11. Privacy is physical. It is a mistake to believe it is an ability to control what others say about you, to bind them to discretion.

    Multiple virtual identities are a solution if you wish to have multiple sets of relationships and compartmentalise the knowledge concerning each identity and their relations (each identity being isolated from each other, yet each identity having the same master).

    See Ideating Identity.

  12. Many, many moons ago in Internet time, Yahoo! let you set up different “profiles” associated with your Yahoo email address/account. One practical application of that is that you could join various Yahoo Groups with different profiles and not, as far as I can recall, be linked back to each other.

    It’s a shame forward-thinking ideas like this didn’t catch on more widely; perhaps if they had, there would be a lot less egg on the faces of today’s popular communication websites. :P

  13. Being able to disclose only as much of your identity as you desire to is certainly desirable. But with a self-administered solution the only thing anyone else could ever rely on from an identity is that it is consistent.

    That is, whomever you really are, you have the same passphrase you had two weeks ago — but I really don't know anything else about you.

    A system that allowed third parties to attest to specifically volunteered information would be even more useful. For example, my credit card company could validate that yes, I was a customer, I had a US mailing address and I was over 18 — all without revealing anything more that I didn't want disclosed.
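The scheme this comment sketches, a self-administered identity whose only guaranteed property is consistency, supplemented by third-party attestation of specifically volunteered attributes, can be shown concretely. Below is an added example written for this page (not the commenter's, the post author's or Mozilla's code): the card company commits to each attribute separately and attests to the set, the holder later discloses only the attributes they choose, and the verifier accepts the disclosed subset while learning nothing about the rest. The issuer name, attribute names and values are constructed placeholders, and an HMAC key stands in for a real signing key, which means the issuer itself does the validation, as the comment describes.

```python
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict, Set

# Added example (not code from the post or the comment): an issuer attests to a
# set of attributes, the holder reveals only the ones they choose, and the
# verifier checks the revealed subset against the attestation. Issuer name,
# attribute names and values are constructed placeholders.


def _commit(name: str, value: Any, salt: bytes) -> bytes:
    """Hash commitment to one attribute. The random salt stops a verifier from
    guessing low-entropy values (e.g. over_18=True) from the commitment alone."""
    payload = json.dumps([name, value], sort_keys=True).encode()
    return hashlib.sha256(salt + payload).digest()


def _root(commitments: Dict[str, bytes]) -> bytes:
    """Deterministic digest over every commitment, ordered by attribute name."""
    h = hashlib.sha256()
    for name in sorted(commitments):
        h.update(name.encode() + b"\x00" + commitments[name] + b"\x00")
    return h.digest()


class Issuer:
    """E.g. the card company. An HMAC key stands in for a signing key here (an
    assumption of the example), so the issuer itself validates presentations.
    With a real digital signature, any relying party could verify using the
    issuer's public key instead of asking the issuer."""

    def __init__(self, key: bytes):
        self._key = key

    def attest(self, attributes: Dict[str, Any]) -> Dict[str, Any]:
        """Commit to each attribute separately, then tag the set as a whole."""
        salts = {n: secrets.token_bytes(16) for n in attributes}
        commitments = {n: _commit(n, v, salts[n]) for n, v in attributes.items()}
        tag = hmac.new(self._key, _root(commitments), hashlib.sha256).digest()
        # The holder keeps all of this; a verifier only sees what present() returns.
        return {"attributes": dict(attributes), "salts": salts,
                "commitments": commitments, "tag": tag}

    def tag_is_valid(self, commitments: Dict[str, bytes], tag: bytes) -> bool:
        expected = hmac.new(self._key, _root(commitments), hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def present(credential: Dict[str, Any], reveal: Set[str]) -> Dict[str, Any]:
    """Holder builds a presentation disclosing only the chosen attributes.
    Undisclosed attributes appear only as salted commitments, which reveal nothing."""
    return {
        "revealed": {n: (credential["attributes"][n], credential["salts"][n]) for n in reveal},
        "commitments": dict(credential["commitments"]),
        "tag": credential["tag"],
    }


def verify(presentation: Dict[str, Any], issuer: Issuer, required: Dict[str, Any]) -> bool:
    """Relying-party check: the attestation is genuine, each revealed value matches
    its commitment, and every required attribute was revealed with the wanted value."""
    if not issuer.tag_is_valid(presentation["commitments"], presentation["tag"]):
        return False
    for name, (value, salt) in presentation["revealed"].items():
        committed = presentation["commitments"].get(name)
        if committed is None or not hmac.compare_digest(_commit(name, value, salt), committed):
            return False
    revealed = presentation["revealed"]
    return all(name in revealed and revealed[name][0] == want for name, want in required.items())


def demo() -> Dict[str, bool]:
    """Constructed walk-through: the card company attests five attributes, the
    holder reveals three of them, and one presentation is tampered with."""
    card_co = Issuer(b"constructed-issuer-key-do-not-reuse")
    cred = card_co.attest({"customer": True, "country": "US", "over_18": True,
                           "name": "A. Holder", "balance": 1234})
    honest = present(cred, {"customer", "country", "over_18"})
    tampered = present(cred, {"customer", "country", "over_18"})
    tampered["revealed"]["over_18"] = (False, tampered["revealed"]["over_18"][1])  # edited after issuance
    return {
        "honest_accepted": verify(honest, card_co, {"over_18": True, "country": "US"}),
        "name_hidden": "name" not in honest["revealed"],
        "tampered_accepted": verify(tampered, card_co, {"over_18": False}),
        "undisclosed_balance_accepted": verify(honest, card_co, {"balance": 1234}),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Because the commitment binds the attribute name together with its value, the holder cannot re-label an attested attribute either, and the verifier's own policy is expressed as the `required` dictionary rather than hard-coded into the check.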

  14. Lucas Adamski

    Jens: Regarding CardSpace, yes I am aware of that model and I’m not trying to claim any originality in the concept of having an authentication model that supports a wide range of identities. My main point is that we should consider whether privacy should really be treated as an aspect of identity, rather than as an independent problem to be fixed by tweaking browser defaults, addons, etc.

    Andreas: Yes, vendor trust is important too. But the point is not that each individual would do their own thorough code review, but that a lot of people in the community already do so. The trustworthiness of any crypto system is fundamentally proportional to the amount of scrutiny it has received, IMHO.

  15. Andreas Wuest

    Lucas, I like your thinking a lot. But then I read the paragraph about inspecting the software a user is running.

    Although true, it is intractable for most people. Even if you are a software developer, it is simply not possible to inspect e.g. the whole Firefox codebase yourself within any reasonable time-frame.

    Which means that either individuals will continue to have to trust the vendor, or delegate the inspection of the software to someone else they trust.

    I think that you should continue to develop your ideas, but with the assumption that individuals will have to trust the vendors, or e.g. an independent third-party that is able to inspect the software. This trust might be stronger for open source products, since they are easier to inspect in terms of availability of the source code. But I personally would not like to see a scheme where the burden of proving the trustworthiness of the software a user is running is put on the user itself.

  16. Well said, Lucas. As social networks are getting more and more prevalent, many of us are getting friend requests from people like managers or mothers-in-law which would be rude to refuse but which effectively limit our ability to post anything that is even a little risqué.

    This specific problem can only be dealt with by the social networks; however, if mechanisms in browsers provided slick functionality to aid this identity crisis, then the hope is that customers would expect social network integration and social networks that wanted to remain popular would deliver.

    From a browser perspective, Firefox has always supported multiple profiles, which could be used to help support different identities, but currently the functionality is hidden and requires a browser restart. The 'Private Browsing' functionality is also relevant because this is close to an anonymous identity. Maybe being able to switch easily and seamlessly between various modes would be a step forward.

    Rj

  17. [...] This post was mentioned on Twitter by Mozilla News, barlog だいすけ. barlog だいすけ said: In Security » Blog Archive » Contextual Identity http://blog.mozilla.org/ladamski/2010/07/contextual-identity/ [...]

  18. Have you looked at CardSpace? As far as I know, it allows you to choose the attributes you want to disclose (in the form of "cards").