There has been an idea bouncing around tech circles for a while now. It’s about online identity and how we should return control of it to individuals.Right now, a lot of our digital identity is controlled by large corporations who profit enormously from that control. For reasons of fairness, privacy, and control, there’s an argument from the EU and others to take control from these large corps and give it back to individuals.

Trust and preference

When we’re talking about identity here we’re really talking about two different things, which are often confused in this debate.One is about trust: are you who you say you are. This is important for accessing everything from email and social networks to bank accounts and government services. A trusted online identity is a vital component for many digital services, with different levels of verification required for different tiers of service.The other is about preference. Based on who you are, what you have viewed and consumed, and the behaviour of those in your network, what might you want to consume in the future. This is the information that is so valuable to brands and retailers, and hence to the social networks.The argument for repatriating control of this preference information to individuals has been criticised for being somewhat ‘Ayn Rand-ian’. It is characterised as being all about the preference information: “Put property rights on that data and allow it to be traded. Free markets solve everything etc.”

Beyond commercialisation

There would be a lot of merit to this criticism but for two things. Firstly, the trade in this preference data has already been commercialised. Right now the rightful owners of this data are excluded from the market, profiting from it not at all and without any meaningful control over its use. Free markets may not solve everything, but a free market is infinitely better than the current one which is rigged against the consumer.Secondly, the financial capital bound up in preference data is inextricably linked to the social capital that creates the trust in our identity. The 'me' that posts and shares is the same 'me' that votes and banks, and the same 'me' that shops and clicks. Separating the three across the myriad ways that we log in and out of payment engines, social networks, shopping sites and more is near impossible. The various threads may not form a totally coherent whole but they nonetheless represent a single, if fuzzy, me.The argument that I should control this social aspect of my online identity has nothing to do with commercial gain. It’s a simple principle of human rights.Personally, I think there’s a valid argument to me made that we should be the ones to profit from choosing to share our own preference data. But the real argument for repatriating identity to individuals is that we should have the right to control who we are and how we present ourselves, whatever the domain.

Identity theft made the news again today. Will future identity controls enable us to better protect ourselves? Without limiting expression?

Blame the Victim

Crime prevention is often a matter of telling potential victims to limit their exposure. The message is similar, whether the threat is mugging, rape, or identity theft. This doesn’t sit right with me. Should we force the majority to change their behaviour because a few people may take advantage?This advice seems based on the assumption that the recommended steps are zero cost. They are not, in many cases.To limit the utility of a gadget for fear of using it is one thing, though we should not underestimate the effect of that fear. To propose that women change how they dress and act, and where they go and when is quite another.On these grounds, it is always with some hesitation that I sit in radio studios handing out advice when the latest reports appear about growing online security threats. Like this morning. The latest report from Cifas, showing dramatic rises in identity theft, fuelled in part by the range of information we now share online.Should I tell people to lock down their privacy settings? To view every email as a potential phishing attack? I’m worried about reinforcing the view, held particularly in some demographics, that the Internet is an inherently dangerous place. That by venturing there, they are inviting attack.Where I try to settle is on some form of balance. As I put it this morning, it’s about locking your front door, not putting bars across all your windows. Put your privacy settings to a sensible minimum, but don’t retreat from all the wonder that online interactions can bring.

Future Identity

Part of the problem is that the definition and validation of identity is such a tricky thing. For the most part it is defined by the jigsaw of personal information. Information that we all — still — find ourselves entering into forms on a frequent basis. Name, address, date of birth etc. Because we still define identity this way, assemble enough pieces of the jigsaw and someone can pretend to be you.Could our future identity be better protected and controlled?Certainly some start-ups are doing interesting things with encryption and blockchain. Controlling access to different services with digital keys, sometimes combined with hardware factors or biometrics. But the setup of these identities still seems to come down to a jigsaw of pieces. Validating that you have control of social networks in your name, for example.Perhaps we cannot get away from this. Identity is a complex thing. Perhaps the only way to define it reliably is to assemble a unique jigsaw for each person. The trick is not then how we identify each other but how we protect that identity and prevent it being misused.

Challenges to Success

The challenge here is one of fragmentation. What if every service now tries to hold a super-validated identity for its users. Already there are many different people tackling this problem. Can any one service — or even a small group — build up the levels of trust and oversight by users needed to ensure that fake identities cannot exist in parallel with real, just on different platforms?There’s also an issue of access. Imagine if instead of a credit score, you have a trust score predicated on how many different ways you can validate your identity — access to social networks, banking, credit, bills, location etc. Imagine this trust score becomes an integral part of accessing finance products or — and this doesn’t seem too far fetched in the current political climate — government services.Before we even get into the evolving definitions of gender and the mass diversification of culture, the very mechanisms by which we hold and control our identities are going to go through rapid change in the next few years. Will we get greater protection against theft and impersonation from future identity controls? Will they enable us to balance access and security?Right now it is unclear. Historically criminals have usually found a way. Block one vector and they find another. But perhaps with these new technologies we can improve the balance between defence and expression of our future identity.