MIT Media Lab
Thesis document [pdf]
Chapter 8: SecureId: An Identity Management Application
In order to address the issues involved in identity management, i designed and constructed SecureId, a prototype for considering how people would manage their digital presence. My intention was to design the type of tool an individual would need in order to properly present themselves by controlling facets of their identity, associating data with those facets and controlling the access to them. Although a redesign of underlying architecture would be ideal for providing such tools, i focused on what would be possible on top of existing architectures. In the process of designing this system, i started exposing the challenges of digital identity management.
In this chapter, i introduce the project and discuss the ideas of the prototype through a series of screenshots and mockups. Although this project allowed me to explore what it means to have digital identity management, it also revealed the weaknesses of my system and the problem as a whole. For example, the lack of embodiment in digital interactions requires a level of explicit management that is far more complicated than the natural management that people take for granted in the physical world. In order to treat the concerns that SecureId raises, i integrate the problems that i encountered into this discussion. Finally, i discuss what is needed in order to properly address identity management.
In order to effectively manage one's identity, users must be aware of their presentation, the contexts in which they want to share information and have the ability to control which people can gain access to their personal data. In order to give users this control, SecureId focuses on three primary conceptual ideas - identity awareness, facet control and knowledge-based security. Combined, these three represent some of the crucial components that people use when managing identity on a daily basis. Thus, before discussing what SecureId does, i remind the reader of these relevant ideas.
As was discussed in Chapter 5, self-awareness of one's identity and presentation is crucial for managing oneself in a public space. In the physical world, individuals embody the agent that presents them to the public and thus they are both able to convey information comfortably and present a wide range of identity features. Not only does the body convey biological characteristics such as age, but people are also able to adorn it with fashion articles that convey other aspects of their identity. In addition to what is written on the body, people are able to maneuver comfortably, presenting nuanced details about themselves through their facial expressions and body language. Online, this information must be explicitly articulated, yet most people are terrible at doing so.
Based on the memory of previous interactions, the individual also has a sense of what previous knowledge has been shared. Online, information travels in different paths and an individual is not always certain of what data is available to the other person during their interaction. Previous interactions have produced logs of data that are far more accessible than the ephemeral conversations of the past.
Identity management requires the awareness of both what the individual is presenting and what previous information has been shared. In other words, people must have a sense of what they are presenting to others. Personal awareness is one of the founding needs for contextualizing social interaction.
People negotiate their presentation based on different facets of their personality. These facets are often associated with different roles or contexts in which people engage with others. For example, graduate student is one facet of my identity. Given this facet, i interact with some people based on this role and give away certain data about myself to anyone who knows this facet of me. In my daily life, i use this facet of my identity whenever i enter my laboratory or whenever i present myself at a conference. Yet, in the digital arena, contextualizing this facet of my identity is not as simple. I may have my email address and website associated with my role as a graduate student, but they can be easily combined with the other facets of my identity. As was discussed in Chapter 3, facets can be collapsed online and thus people must negotiate new mechanisms for contextualizing the facets that they present.
Identity management requires the ability to properly understand the immediate context and harness the appropriate facet to present an acceptable face for a given situation. Thus, people need the ability to manage their facets as a way of managing their identity.
Although some social signals are assumed to be universal, people also present coded signals that are only intended for those who understand their underlying meaning. By having such knowledge, the viewer gains more information about the presenter. Coded signals that are only intended for limited audiences are particularly common amongst subcultures (Hebdige 1991/1979), but they are a powerful way in which people manage their identity information in public.
Fashion presents the most frequent place where such coded signals can be found. For example, someone may wear a T-shirt with a symbol associated with a particular musician, such as a Grateful Dead bear. If the viewer does not know what that symbol represents, it becomes meaningless and is just seen as another T-shirt. Yet, if the viewer can associate the bear symbol with the Grateful Dead culture, they can make assumptions about the music and subculture interests of the T-shirt owner.
Such signaling is particularly common for people who fear potential risks for revealing their participation in particular subcultures, such as those who are considered sexual deviants. Throughout history, a wide variety of symbols have been used to indicate one's sexuality and sexual desires, including pinky rings, earrings in the right ear, green carnations, pink triangles, and rainbows (Pink Zone 2002). In addition to these simple markers, an extensive set of meanings has developed around the use of handkerchiefs (de Moor 1997). Known as hanky codes, the color and placement of simple handkerchiefs are used by members of the BDSM community to indicate the type of sexual play that is desired. While these various markers are easily recognizable by other queer individuals, the majority of the population is not aware of the coded meanings. Thus, the symbols provide a perfect set of knowledge-based identity markers.
In the digital world, fashion markers are much more challenging. Although fashion can be seen across homepages (Chiou 2000) and in the profiles that people present, those presentations do not offer the fluidity of clothing. Unlike their physical counterparts, digital fashion markers are focused on presentation, not sharing. While someone might see your Grateful Dead homepage, you cannot tell that the person observing your website is also the owner of a Grateful Dead homepage. Without that shared knowledge, the markers do not begin a shared experience unless the observer chooses to initiate a conversation.
Identity management capitalizes on shared knowledge. By utilizing shared knowledge, people can put forward a facet that will only be seen by those who relate to it. As such, people have to do less management because the markers manage themselves.
Based on the conceptual issues discussed above, i designed SecureId so that users could explore what identity management means in a digital environment. Although an ideal interface would allow users to ubiquitously manage their digital identity in the same fashion as their physical one, this is not currently possible. With the lack of bodies comes the challenge of managing otherwise natural presentations in a space that requires explicit behaviors. Thus, i chose to give users an interface that gave them the control while simultaneously forcing them to consider how unnatural such management is in the current digital realm. The prototype of SecureId was built so that users could feel the difficulty in explicitly managing the identity data that they take for granted everyday.
When designing SecureId, i focused on the three conceptual components discussed above. While it would be preferable for the data to be gathered as people interact, the prototype asks people to produce their own data. When using SecureId, users can add any type of data about themselves and they can control the level of knowledge necessary for someone to access it. The interface also provides feedback to the users about who can gain access, what facets exist and what information they contain.
What follows is a series of screenshots and mock-ups produced as our example character Gaia uses the system. In order to introduce the interface, i discuss the images and the interactions that Gaia experiences when using the system. The system is comprised of three main sections: creating one's profile, creating one's facets, and interacting with the data and others.
Upon initializing SecureId, Gaia is asked to login and create a profile. The purpose of the Profile Set-up is to create a set of public and comparable information about an individual. It is this information that is used by the system to see Gaia and relate her to others.
Figure 8-1. In the Profile Set-Up, Gaia is given a list of potential profile fields to create. The only mandatory one is the Public Name, which is how others see her in the system. In this shot, Gaia has selected to make a new Email Address. She fills in the address and then chooses one of the images on the right based on the level of privacy that she seeks.
Gaia can choose to fill out as much or as little in her profile as she wishes. For each item in her profile, she must choose one of three different types of privacy: 1) public; 2) searchable & comparable; 3) comparable. Profile data that is public can be seen by anyone who sees Gaia. Data that is searchable can be found if someone searches for this information. Thus, if Gaia makes this email address searchable, anyone who looks for it can find Gaia's profile. Finally, something is comparable if it can be seen by the comparison system. Thus, if Gaia chooses comparable for this email address, anyone who accepts people who are also part of brown.edu will see her. Data that is searchable is also comparable. All data put into the profile system must be at least comparable.
By creating comparable data, she can position herself in relation to others and start constructing the facets of her identity that fit. While people share the digital space with many others, it is hard to ascertain who is out there and who might have something in common. Just as two people with Grateful Dead T-shirts might recognize one another and initiate a conversation, having data that can be compared to others within the system gives users a point of interest on which to potentially connect. Likewise, it allows for people who have something in common to be initially linked. For example, when Gaia lists her email association with Brown University, she can be linked to Brown and thus everyone who is also associated with the university. It is in Gaia's best interest to put as much information here as possible, as others use this data to pass their comparison tests.
Figure 8-2. When Gaia's profile is complete, it appears as a set of icons that represent the different information she has given to the system. At the bottom, there is a panel that indicates all of the public data, for her awareness. It is this data that anyone who finds her or has access to her via comparable databits can see. Thus, the Profile Set-up reminds her that this data is accessible. In the Interests section, Gaia was able to choose predefined interests as well as choose her own. Likewise, her Bio is simply a selection of statements that Gaia associates with. In her case, she chose an Albert Einstein quote, but she could have chosen anything.
Most of the initial profile data only reflects one aspect of a person's identity - specifically, who they are as a unique individual and how they can be located. This data is not personal, but simply one mechanism to systematically differentiate people within an organized society. These are the types of data that one typically finds on a business card. Had i added income and sex, this would look like a standard profile collected by marketing companies. Certainly, they say something about an individual, but what they say is not a complete picture, and certainly not the personal identity that an individual tends to self-construct. Yet, what is that picture?
The system also allows the user to add interests and a bio, but that is also quite artificial and difficult to ascertain. Given a person's website, we might be able to systematically derive more meaning about the person, but the majority of people either do not have homepages or use their homepages to present a professional image. Perhaps a picture might present more of the subtle details about a person, but what is an appropriate image for the world?
The Profile Set-up made me realize that ascertaining information about an individual is quite difficult. When someone walks through a room, they do not need to state their identities at the door; people perceive them immediately. Having to do so online is quite disconcerting, yet it is difficult to start managing one's identity digitally without any notion of who an individual is. Ideally, this section would not require a systematic approach by the individual. Instead, the Profile Set-up should be derived from all of the information that an individual does present online with this section being appropriate for editing. For example, one's email and instant messaging addresses can be found on an individual's system. Perhaps a more appropriate set-up should attempt to learn from the user's system and present them with what it finds, allowing them to alter the level of privacy that any data has.
Based on what Gaia constructs in her profile, she is offered a series of potential facets to create. In SecureId, the facets are holders of information and data about the individual. Just as people maintain facets of their identity in their head, they are asked to articulate those facets in this digital environment. As facets relate to certain roles or associations that the individual maintains, they also operate as the context from which the individual presents aspects of themselves.
Figure 8-3. Based on the interests and associations that Gaia presented as she was setting up her profile, she is asked to create a set of potential facets. Each comparable databit - email address, area code, zipcode, occupation, interests, bio keywords, etc. - is considered by the system for potential comparisons to others. This list is determined based on the ones that the system recognizes as comparable. She does not need to choose any of these facets as she can always create facets later; this selection list is just to give her a sense of what she can create immediately.
Figure 8-4. When Gaia chooses to create a Brown University facet, she is given a simple interface to edit associated information. The color determines how the facet appears in her world. The public label indicates how the facet is seen by others who might be trying to gain access while the private label is for her own consideration. By default, a Comparison knowledge item is created, where the comparison is *@*brown.edu. Thus, anyone with a brown.edu email address passes the comparison knowledge. In this image, Gaia is making the facet even more secure by adding an additional Multi-Choice Question/Answer knowledge bit. Associated Data / People are filled in as people interact with this facet; data appears here if Gaia chooses to edit this facet after use.
The facet creation stage allows Gaia to initiate facets based on the comparable data. When she chooses to create a facet, she is given initial information based on what the system has derived. For example, the Public Label is automatically created, as is a Comparison knowledge bit. Gaia can accept these defaults or make her own. She may delete the Comparison knowledge bit if she does not want anyone to gain access by comparison. If she chooses to add additional knowledge bits, the individual must be able to answer all of them to gain access. There are three different types of knowledge in this system: comparison, open question/answer, and multiple-choice.
Comparison Knowledge is done through regular expression matching. Thus, the system suggests a comparison to make. As noted above, a sample comparison might be email=*@*brown.edu. The prototype assumes that if someone adds an email address, it is a confirmed email address and thus anyone with a Brown address should be able to gain access. Comparisons are based on any of the information in the profiles.
Open Question/Answer Knowledge is also done through regular expression matching. The user can create a question and when someone answers it, the answer is compared against the answer(s) that are associated with the knowledge. When someone creates the question, they can put multiple possible answers so as to make answering easier.
Multiple-Choice Knowledge is simply done through a set of checkmarks. When someone creates a multiple-choice question, they choose which is the correct answer. When someone tries to get past that knowledge bit, they must also choose the same answer.
These three types of knowledge protect the facets. As an individual is creating the facets, they may choose to have as many questions as they wish. Thus, when someone is trying to get access to the facet, they must be able to answer all of the questions and have a profile that matches whatever comparisons are called upon.
Knowledge is an interesting way of protecting information, yet to do so online is cumbersome. While the comparison mechanism is quite useful, it requires the profile data to be accessible and complete. The two question/answer mechanisms force the user to explicitly state what they know and for the owner of the facets to figure out appropriate questions to guard the information. Digital knowledge is not nearly as unconsciously shared online as its offline equivalent; thus, it fails to provide the same level of value for assessing people.
After creating a profile and initializing different facets, Gaia enters the SecureId worldview. Within the worldview, Gaia is able to see the landscape of her facets, who has access to different facets, and what information she shares within the different facets. From this space, she can also manage her world and explore other people's shared information. As such, this space acts as both a mirror, reflecting Gaia's self back to her, as well as a portal into other people's shared data.
Figure 8-5. Over time, Gaia's world reveals lots of shared information and people; this is the view of her world that she sees. In this image, Gaia is maintaining seven different facets, where some facets have shared people and information. The Co-Op facet requires access to the Brown facet for its existence to even be visible. Data that exists outside of a facet is public data while data in a facet is only accessible to people who have passed the knowledge requirements posed to gain access. When Gaia highlights an icon, the information about that icon is displayed. The icons represent different types of data; the people represent those who have gained access to Gaia's facets. People who see Gaia or that she sees who do not have access to particular facets are shown in the bottom pane.
The worldview is a place for Gaia to adjust the presentation that she wants to give. The style for this interface draws from Viégas' work on Collections (1997), which is interested in designing an interface for people to manage collections of their information. In her work, Viégas was interested in defining different clusters of access to data and giving the user an interface to maintain access to these clusters. Facets operate as different groups where their knowledge structures their access lists. Gaia can create new facets and define the data that exists in them. When Gaia creates a new facet, she is given an interface similar to that in Figure A2-4. After she creates the facet, it is placed on her worldview for her manipulation. She can enlarge it and move it to be placed where she sees fit.
Figure 8-6. In SecureId, the user can choose what the different data represents. It can be pointers to information, or information itself. In the prototype, data is entirely text, but images and other media could be added. An icon can be chosen to represent the information. Similar to facets, when Gaia creates new data it is placed on the screen for her to move or alter. Gaia can place new databits in any of the facets or in the public region. By double clicking on a databit, she can adjust its properties.
Data and people associated with a given facet stay associated with it upon movement or manipulation. Data can be removed from a given facet but the only way to remove people is to alter the knowledge locks that function as the guards for a given facet. When the user changes the knowledge bits, all people are dispelled from the facet. Not only does the worldview function as the interface for Gaia to see her own data and who has access to it, but it is also from here that she can seek others. By clicking on a person that has gained access to her data, she can peek into their data. Likewise, she can search for a person based on known information. Both create a mechanism for her to gain access to others' facets.
Figure 8-7. After searching for email@example.com, Gaia is given access to Da Kool Kid's public data and facets. As she knows this person as Damien, she is able to add a private note to remind herself of what she knows. She is automatically given access to their shared Brown facet, which includes all of the files and bio information that she can see in the first section. There is also a list of Public Facets to which Gaia has not already gained access. By selecting this, she is given a list of facets from which to choose. Since she knows Damien through their favorite musician, she decides to gain access to that facet. Here, she is given 2 different questions that she must answer in order to gain access. Once she gains access, more data is added to the profile she sees of Da Kool Kid. By selecting these icons, she can gain access to their data.
Just as Gaia can gain access to others' data, they can gain access to hers. They also see the public facets that she puts forward. When someone searches for Gaia and finds her, they see the public names for the facets from which they are not automatically exempt due to incompatible comparisons. Facets that are protected by comparisons that the user does not match are not accessible even for sight. Thus, if BioTech and Youth Help are protected by such comparisons, the user will see Gaia's possible facets as Goa Trance, Family, Queer and Brown. They will not see the Co-Op facet because they must first have access to the Brown facet before that is made visible. Those with such access would see that as a possible public facet. When Gaia creates the names of her public facets, she must do so with care. Because they are explicitly named, they are made public. Thus, if she calls the Queer facet by such a name, its existence in a public list will reveal her participation in such a culture, which may not be what she wants.
When users attempt to gain access to a particular facet, they are only given one opportunity. Without such a limitation, anyone could gain access to any multiple-choice facet with a few tries. When the owner changes the facet's protection, those denied may try again. Likewise, the owner can explicitly place someone in one of their facets, thereby automating the access.
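The three knowledge types (comparison, open question/answer, multiple-choice) and the worldview's access rules (every knowledge bit must pass, a facet whose comparison the viewer fails is hidden outright, a nested facet such as Co-Op waits on its parent Brown, one attempt per viewer, and changing the locks dispels everyone) are modelled below in Python. This is an added example, not code from the thesis or the SecureId prototype. The class names (Profile, Facet, World), the function run_scenario, Damien's brown.edu address and the Goa Trance questions are assumptions constructed for the demo; the facet labels and the email=*@*brown.edu pattern come from the chapter.

```python
# Toy model of SecureId's knowledge-guarded facets (added example, not thesis code).
# The thesis says all profile data is at least comparable, so any field may be compared.
import re
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional

@dataclass
class Profile:
    name: str      # the Public Name others see
    fields: dict   # e.g. {"email": "gaia@cs.brown.edu"}

@dataclass
class Comparison:
    """Comparison knowledge: a wildcard pattern over a profile field, e.g. email=*@*brown.edu."""
    profile_field: str
    pattern: str
    def passes(self, viewer: Profile, answers: dict) -> bool:
        value = viewer.fields.get(self.profile_field)
        # A viewer who never supplied the field cannot pass the comparison.
        return value is not None and fnmatchcase(value.lower(), self.pattern.lower())

@dataclass
class OpenQuestion:
    """Open question/answer knowledge: the reply must match one of the owner's regexes."""
    question: str
    accepted: list   # regular expressions; any one matching is accepted
    def passes(self, viewer: Profile, answers: dict) -> bool:
        given = answers.get(self.question)
        return given is not None and any(
            re.fullmatch(p, given.strip(), re.IGNORECASE) for p in self.accepted)

@dataclass
class MultipleChoice:
    """Multiple-choice knowledge: the viewer must tick the owner's choice."""
    question: str
    choices: list
    correct: int
    def passes(self, viewer: Profile, answers: dict) -> bool:
        return answers.get(self.question) == self.choices[self.correct]

@dataclass
class Facet:
    public_label: str
    knowledge: list                # every bit must pass for access
    parent: Optional[str] = None   # Co-Op is only visible once Brown has been entered
    members: set = field(default_factory=set)
    denied: set = field(default_factory=set)
    def comparisons_match(self, viewer: Profile) -> bool:
        return all(k.passes(viewer, {}) for k in self.knowledge if isinstance(k, Comparison))
    def replace_knowledge(self, new_bits: list) -> None:
        """Changing the locks dispels everyone; those denied may then try again."""
        self.knowledge, self.members, self.denied = list(new_bits), set(), set()

class World:
    def __init__(self, facets: list):
        self.facets = {f.public_label: f for f in facets}
    def visible_facets(self, viewer: Profile) -> list:
        """Labels the viewer may see: a facet whose comparison the viewer fails is hidden
        outright, and a nested facet stays hidden until its parent has been entered."""
        out = []
        for f in self.facets.values():
            if f.parent and viewer.name not in self.facets[f.parent].members:
                continue
            if f.comparisons_match(viewer):
                out.append(f.public_label)
        return out
    def attempt(self, label: str, viewer: Profile, answers: dict) -> str:
        """One opportunity per viewer; a facet guarded only by comparisons is granted at once."""
        f = self.facets[label]
        if label not in self.visible_facets(viewer):
            return "hidden"
        if viewer.name in f.members:
            return "granted"
        if viewer.name in f.denied:
            return "locked"
        if all(k.passes(viewer, answers) for k in f.knowledge):
            f.members.add(viewer.name)
            return "granted"
        f.denied.add(viewer.name)
        return "denied"

def run_scenario() -> dict:
    # Constructed sample data: Damien's address and the Goa Trance questions are invented here.
    set_q, venue_q = "Who played the opening set?", "Which venue?"
    world = World([
        Facet("Brown", [Comparison("email", "*@*brown.edu")]),
        Facet("Co-Op", [Comparison("email", "*@*brown.edu")], parent="Brown"),
        Facet("Goa Trance", [OpenQuestion(set_q, [r"(dj )?sample artist"]),
                             MultipleChoice(venue_q, ["Beach", "Warehouse", "Forest"], 2)]),
        Facet("BioTech", [Comparison("occupation", "*biolog*")]),
    ])
    damien = Profile("Da Kool Kid", {"email": "damien@brown.edu"})
    r = {"visible_before": world.visible_facets(damien)}
    r["brown"] = world.attempt("Brown", damien, {})
    r["visible_after"] = world.visible_facets(damien)
    r["biotech"] = world.attempt("BioTech", damien, {})
    r["goa_first"] = world.attempt("Goa Trance", damien, {set_q: "DJ Sample Artist", venue_q: "Beach"})
    r["goa_retry"] = world.attempt("Goa Trance", damien, {set_q: "DJ Sample Artist", venue_q: "Forest"})
    world.facets["Brown"].replace_knowledge([Comparison("email", "*@brown.edu")])
    r["brown_after_change"] = damien.name in world.facets["Brown"].members
    r["visible_after_change"] = world.visible_facets(damien)
    return r
```

Two points a practitioner would check in such a design. First, the comparison pattern as written in the chapter, `*@*brown.edu`, also matches an address such as `someone@notbrown.edu`, because the second wildcard need not end at a dot; a pattern anchored on the exact domain (`*@brown.edu` or `*@*.brown.edu`) expresses the intended rule. Second, the prototype treats a profile email as confirmed, so a comparison bit is only as strong as the verification behind the profile data it reads; the regex and multiple-choice bits carry no such dependency but, as the chapter notes, are only defensible because a viewer gets a single attempt.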
Discussion and critique
The interface designed for SecureId is clumsy at best. Users have to articulate detailed information to even proceed to use it. Gaining access to the facets of their friends requires a level of explicit sophistication that is cumbersome and problematic. Designing appropriate knowledge questions is challenging and users have difficulty accurately answering others' questions. Knowledge-based security is a desirable alternative to explicit access lists, but negotiating it is not similar to its physical counterpart. Likewise, organizing one's data is never easy, even if it can be easily placed into a given facet.
The explicit manner in which people must present themselves and their identity is neither ubiquitous for presenters nor fulfilling for observers. Aside from data about themselves, people do not know how to present their identity. The subtleties of presentation are lost in such an explicit system and thus people are resigned to exist simply as a product of their output. Verbally and systematically articulating one's identity is quite challenging. People do not know how to present themselves from an external perspective; they simply know how to perform themselves from within their bodies. In order to present oneself online, one must step outside of one's body and describe oneself in a meaningful manner; this is not something that most people are fluent at doing.
Articulating one's identity and facets is quite disconcerting, as it requires a level of consciousness about one's interactions that most people do not maintain. Additionally, it restricts the types of identity information that people can present as most components of identity are subtle and not part of what someone would consciously record. Identity information is not simply the construction of an individual's notion of self, but the relationship between the individual and the viewer. When the subject distills their identity into language, the viewer is not given the depth of information necessary to draw their own conclusions. Thus, explicit identity presentation also limits the viewer as they are once again receiving coarse data. The conscious control of information is cumbersome and limiting.
While the explicit nature with which one must articulate one's identity is a fundamental weakness of SecureId, the system does reveal the mental processes with which one normally constructs social interactions. People are aware of what they are presenting to others offline, yet this type of information is often obscured online. Although it is often unconscious, individuals do have a notion of associating people with particular facets of their identity and assigning particular bits of information to those facets. SecureId requires that the individual be conscious about these practices. This consciousness, while irritating, provides a level of awareness that is not normally available.
Although the interaction paradigm for SecureId is fundamentally problematic for identity management, the results of such a system provide for some interesting reflections. First, it provides a level of awareness about identity management that most people do not consider. By having to articulate oneself, one has to consider what it means to present oneself as an individual. By having to distill one's identity into language, awareness is encouraged; at the same time, identity management can simply resort to data management about personal data.
Just as Viégas recognized in Collections, management of data is a challenging problem that is worth pursuing, as people want to control their collections of data and present them differently at different times. As identity presentation online is done through data presentation, some of the same complications and advantages apply. Most notably, the facets that people maintain are quite similar to the situations in which people share different collections. Consider using a similar system as the access point to someone's website. Rather than being given the public page, the user is given a page associated with the knowledge that the individual has based on the facets to which they have access. Thus, family members are given a homepage that is filled with family photos while those who know the individual on a professional level are given a website filled with a resume of previous work. The different homepages share both data about the individual and present their identity as a whole. Identity presentation can be done through situational facet-based data presentation.
Such an example is the type of goal that we must strive towards. While a tool such as SecureId can provide a manual mechanism for conveying information about oneself, it is too cumbersome to ever be useful. In order to be effective, a non-invasive design must be developed whereby people can manage their information without having to articulate it. It should provide feedback to the users and allow them to navigate with the least amount of effort possible. Explicit questions are not a desirable approach, but neither are explicit lists of who can gain access to a given set of information. While a knowledge-based approach is interesting in concept, implementing it online requires deeper thought. The approach that i took in SecureId is problematic simply because it is so restraining for users, both in articulating the questions and answering them. Instead, the system should learn from the user's practice, perhaps using the clustering work developed in Social Network Fragments to determine what facets exist and who should gain access to them.
In order for an identity management tool to be valuable, it must ease the amount of effort that an individual must invest rather than increase it. The system must develop an awareness of the individual and those with whom they interact. Not only should it automatically generate the data for such a system, but it should also begin to learn which people should gain access to what based on how the individual interacts with them and in what apparent contexts. The system should make guesses that simply allow the user to alter the assumptions.
At the same time, this still restricts the user to presenting data to convey identity. Unfortunately, this is a current limitation of digital social interactions. Conversations and impressions happen through text. Thus, identity management is derived from that text. This limits both what can be conveyed and what can be perceived, which inevitably makes identity management much more difficult.
In developing the prototype of SecureId, i realized that identity management tools highlight the fundamental differences between physical and digital social interactions. That which is so natural offline requires explicit consideration online. Yet, to do so is unnatural. Not only is the unnatural element cumbersome, but it also limits the channels that people can use to present themselves. Developing a proper identity management system not only requires a deep consideration of how people can interact with the data that they use to present themselves, but how the digital environment can aid people in conveying subtle information in a meaningful way.
While the ideas in this chapter and those embedded in the construction of SecureId address some of what is needed and challenging about developing identity management tools, they are only embryonic. Much is needed before identity management can be comfortably done online. It requires a level of ubiquity that is not currently available, nor designed. Explicit management provides new complications that affect the ways in which people interact with one another, thereby impacting all forms of identity presentation. Thus, the explicit nature of SecureId introduced new challenges that obfuscated the intended goal. The byproducts of digital interaction are even more heavily highlighted in identity management tools, as i have learned from my mistakes with SecureId. Thus, this chapter serves to articulate some of the issues that must be addressed in developing a more appropriate tool, but it does not provide the complete framework that one needs. An appropriate system must not only provide awareness but also make management easier, even if it will never be as natural as in the physical world. Yet, to design an interface that allows people to manage their identity comfortably is a challenge for future research.