I hosted a session at the Internet Identity Workshop XXV based on my friend, Tim Bouma’s “Digital Identity: Six Degrees of Freedom“.
Tim proposes 6 Degrees of Identity Freedom:
- Freedom of Credential — I should have the ability to use whatever credential (login, etc.) that ensures that I am in control.
- Freedom of Identity Data — I should have the ability to decide what identity information to use to identify myself.
- Freedom of Authorities — I should have the ability to choose which authorities (or lack thereof) I require to vouch for me on my behalf.
- Freedom of Disclosure — I should be able to decide which identity information (or subset of information) I give to others.
- Freedom of Consent — I should be able to decide how and when my identity information can be used, including the ability to fully revoke its use, if so be.
- Freedom from Control — I should have full agency over the decisions relating to the above in the identity system I choose to use.
Tim closes with the idea that I likely won’t have total freedom on all of these dimensions. The point of this is that there is a conscious starting point created.
My premise for the discussion was that there is a continuum in each dimension. Depending on my use case I may have the freedoms I want but likely not in all dimensions.
Example: I am paying cash for lunch at a taco truck. I have most of the freedoms under my control, but if a purchase is in USD, my Freedom of Authority has been picked for me – and I need to be ok with that or walk from the transaction (no taco for me).
Some further reading was recommended during the fairly well attended session:
- Reference to a “Relationship Layer of Web” document that I can’t find.
- Bob Gellman’s short history of FIPP. https://bobgellman.com/rg-docs/rg-FIPshistory.pdf
We bounced through multiple use cases and the 6 degrees concept held up quite well other than some relatively fine, and partly pedantic, disagreement. For my use Tim’s 6 Degrees are a great starting point.
The use cases that we floated ranged:
- Making a purchase from Amazon of something like a book. In theory very little freedom is lost here – Identity Data is currently constrained but that may be a relic of how things have always been done. Amazon creates the Credential.
- Making a purchase from a vendor of a food product. There are needs to potentially share more information here in the event that there is an urgent need to contact the end user (e.g. food contamination issue).
- Creating a bank account on a simple KYC basis.
Further I wanted to understand if the dimensions withstood debate. They did.