Contextual Identity

Originally posted on on July 16, 2010

We’ve been thinking and discussing, and then thinking some more, about both privacy and identity at Mozilla. So far we have generally been treating them as two separate sets of issues, but I’m beginning to wonder if there might be another way to think about this.

People have been trying various ways of addressing privacy concerns on the web. These approaches have generally consisted of mechanisms to permit a website and/or user to define and communicate a privacy policy in some digestible way, and then optionally negotiate some happy middle ground (or not). P3P was probably the most ambitious attempt to crack this nut, without much success. I won’t try to rehash these various proposals here nor speculate as to why each has so far largely failed.

Instead, lets try a different tack. What if privacy is really just an aspect of identity?

One hypothesis: people don’t have a single identity… in the real world, or online. Who you fundamentally represent yourself to be (in terms of name, accuracy of location, age, social-demographics, etc.) varies depending on the context. This is true whether you are interacting online with a bank vs. an online hobby forum vs. craigslist, and true whether you are interacting with your close family vs. coworkers vs. random strangers in the elevator.

In each of those scenarios, you are projecting a different “view” of your underlying self that you feel is appropriate for the given context. Even in situations of relatively equal trust and confidence, say with your parents vs. your significant other, you are sharing information on a fundamentally different basis in terms of how you are presenting it, how you want to be perceived and how much detail and honesty you are willing to provide, even when the topic is the same. In Plato’s Cave, we are putting on a unique shadow play for each audience. I’m sure there is a formal academic definition of this, but lacking that at the moment I’ll just call this the “contextual identity”.

The desire to be perceived in a certain way inherently includes a set of privacy expectations, or put another way, an individual’s implicit privacy policy in a given context. This is often where people run into privacy problems online, where either their expectation of their identity in a given context is not accurate (i.e. they are sharing way more, or very different types of, information than they desired to), or they are sharing it in a different context (i.e. embarrassing party photos are viewed by a potential employer).

So maybe its not a surprise that many social networks have ended up with privacy egg in their face. Part of the problem is that by presuming that users should have only a single, canonical identity on their network (and indeed, often the entire web), they lack the flexibility for individuals to express their various identities appropriately in different contexts.

So what if you could in fact maintain a set of identities, each reflecting accurately your desired identity in a given context? Then you could seamlessly interact with a wide range of services, from commenting on news sites in a relatively anonymous setting, to sharing health information with your family or doing online backing, each relatively confidential and trustworthy things, yet still fundamentally different. After all, your family shouldn’t necessarily know your current bank balance and conversely, your bank doesn’t need to know about your health.

Who would you trust with managing this set of identities, though? Your favorite social network? The problem with that is this trusted provider would need to be aware of the superset of your desired identities, which likely includes identities that are more sensitive than you’d be willing to share with said networks. Given social networks are relatively low in the grand heirarchy of trust (for me, anyway), they seem like poor receptacles for this degree of trust.

The best entity to trust with this information is, oddly enough, yourself. The ideal solution would be locally managed on the user’s system, but securely synchronized seamlessly to your devices. This model has some important positive characteristics.

For one, the entity atop of this hierarchy of trust is: you. Obviously you also need to trust the software you use, but that is the tremendous power of open source software. Since you can inspect the source code and build your own version of any open source package, you can actually trust its behavior. Something that is only possible for closed-source locally-installed software with immense skill and effort in reverse engineering… and mostly impossible for remotely hosted web apps.

The other reason is that because you control all these disparate identities, you can choose which of them can be associated with each other, and under what context. For example, I might be OK with my social network identity to be associated with my blogging identity, but I probably don’t want either to be aware of any of my banking identities.

Sounds great, right? Maybe… or maybe not. Either way, let me know! So what’s next, you ask?

Hmm, we’ll see. Stay tuned… 🙂