My Digital Identity
In this address to the 2008 e-Portfolio Conference I consider the sorts of questions that might be asked about a student’s identity in an e-portfolio system and the factors that inform the answers to those questions. Rather than being answered with a simple physical presence, as we might have expected in the past, the question of identity in a digital space requires a complex answer, taking into account a person’s past and future states, as well as his or her motivations, desires and expectations. Accordingly, an identity is best thought of as a distributed profile, written by multiple authors and considering multiple questions, rather than a single fixed point on which attributes may be assigned.
Questions, Answers and Technology
One way to enquire about e-portfolios is to consider the questions raised by them. Consider, for example, some of the central questions on the subject of e-portfolios that center on identity. What is the self? What is the person? What are the capacities, the competencies of the person?
As Heidegger argues, any time there is a question, there are things that come with that question. (Heidegger, 1962) The first of these is that the thing that we’re inquiring about: whether it’s a nature, a capacity, ability, or skill. The second is the thing that we are asking that question of, “that which is interrogated.” We assume that we are asking the questions of the student, for example, but in fact, when we’re working with things like digital identities and digital portfolios our inquiry isn’t of the student, but of the body of work that we take to be representative of the student. And third, there’s always a presupposition when we make an inquiry of any sort about the sort of thing that we might get in response. If we ask for grades, we’ll get grades back. If we ask for capacities, we’ll get capacities back.
All of these things interplay in the nature of our enquiry. To see this, consider the technology that we’re dealing with. To borrow some comments from Helen Barrett, who cites Gary Brown, one aspect of e-portfolio technology is a shift from the idea that a learner takes a course from a particular institution or that a learner has a particular source or a particular authority that is teaching them or representing the state of the world to them. (Grush, 2008) More and more learning is happening online and, according to Brown, 50 percent of students are studying from multiple sources, multiple institutions, often at the same time. So the very idea that any system like a learning management system or an e-portfolio system as something that is created and managed by the institution seems in a way seriously misguided. If people are taking things from multiple institutions, then if we have an application that is a single point of reference for their learning, then that application must be of multi-institutional.
E-portfolios involve distributed content. That is to say content that is located not in one place on the World Wide Web, not in one place on the internet, but rather in multiple locations. If you think about even your own web presence now, you have a Facebook account, where you keep your contacts; you have Google Docs, where you keep your essays; you have a Flickr account, where you keep your photos; a YouTube account, where you’ve uploaded your videos and your friends’ videos and stuff from TV. You have your website, your blogs, and all of the rest. These things are spread out across the internet and the whole idea of distributive profile is getting a picture of all of those things that are spread out all over the internet and thinking of them as one thing.
And these things allow people to collaborate and to communicate with each other, to form communities of users. For example, here is the widely cited diagram of a personal learning environment diagram that was actually created before anybody came up to the term personal learning environment (so it says ‘future VLE’ in there instead). It’s authored by Scott Wilson:
(Wilson, 2005) There have been numerous variations of this diagram since, but the original is sufficient to demonstrate the distributive nature of the concept. Wilson describes links to 43 Things for your task list, Flickr for your photos, Live Journal for your blogging posting, et cetera. And what makes the PLE the PLE is the way that communications takes place from entity to entity to entity. Thus Wilson describes the various protocols – RSS, FOAF, Atom – these sites use to communicate with each other.
So e-portfolios built using these - these representations of the self that are out there in the world - are not simply static artifacts. They are actually conversations – series of questions and answers - that you have with the rest of the world. That’s the kind of technology, the kind technological environment that we’re looking at.
What We Think About Identity
In this environment, then, what can we say about identity? It seems that with the use of digital communications, the question of identity changes. Identity used to be ontological problem. It used to be a question about being. If you wanted to establish an identity, you would produce a body. That was identity: one person, one body. But on the internet we have a situation where we have identities without bodies. We might think that this doesn’t make sense, but it does, if we think about identity the way we think about it in everyday ordinary life.
What is the common conception of identity? As Heidegger notes, we’re born, we live, we die in time. And we have a certain presence in space. Heidegger should have called it “being (or space) in time.” (Arisaka, 1996) So we take up space. Some of us take up more space than others, but our identity does not begin and end there. We have a corpus, we have a body, but our identity is much more than just that. For example, Heidegger has a lot to say about the way the past plays a role in our identity. The past shapes who we are.
Think about two people with two identical properties? Two hockey playerers may have the property of having ‘scored 32 goals’, say. For one player, that’s a great achievement, the peak of his career. But for another player, it’s his career in decline. He’s going to have to retire now. The present is informed by the past; what we understand of the present entity is informed by that entity’s past states. And there’s also the future, what one could be. Our potential also defines who we are, in a certain sense. Our identity, in any sense of the word, is not merely a defined by a physical presence in an instant of time. Our identity spans dimensions, from past to future. And therefore, extends beyond the merely immediately physical.
Our identity extends beyond mere physical dimensionality in space as well. For example, in addition to the physical, we have what we might call, for lack of a better word, the ‘inner’, which can be contrasted with ‘the outer’, which is the rest of the world. We have not just our physical body and any physical extensions of the body – our reach, our property, our influence – that we might find in the outer world, but also our mental state – our hopes and dreams and habits and predilections. A change in the purely mental may quite rightly prompt us to say “He’s not the same person.”
And so what happens when we’re establishing identity, and particularly when we’re talking about identity on the internet, is that we’re talking about the projections of this self from here to these four dimensions (past and future, outer and inner).
That’s why it’s so difficult to make assertions about identity, particular when those assertions include assertions about the capacities or the competencies of the person. We have these divisions, not only between past and future, but also between, on the one hand, the things that we do in the world (actions), and on the other hand, the things that we think about the world (reflections). And the reason this is relevant is because a question of identity, a question of understanding what this person is, isn’t simply a point by point picking out of this sort of thing. It involves inferences and relations between the various aspects of identity. This inference is not straightforward; it is multidimensional and complex. (Blunden, 1996)
(Aside: Proponents of standardized testing haven’t accounted for this adequately. The problem is that testing measures only one dimension of something that is very complex. Consider Charles Ungerleider, who says things like, “The utility of CRLSAs for improving student achievement depends on the capacity for investigating relations among variables over which the system exercises control or is capable of exercising control.” (Ungerleider, 2003) This creates a very limited, very simple point of view, since most of what accounts for a student’s learning is outside the control of the evaluators. When we’re talking identity, we’re talking about the full scope of an identity, but when we’re talking about measuring – that is, trying to find causal relationships between variables – we are typically we’re talking about one dimension about it. And thus, if we represent it as the whole of an identity, misrepresenting it.)
Asking Questions About Identity
And so the study of identity has changed. If we go back to the world of Descartes it consisted of questions like “Who am I, what is my nature, what is my essential nature?” (Descartes, 1996) Today, questions of identities become (maybe it has to do with our bar culture and IDing yourself) how you can prove who you are to someone else. And notice the way the question has changed. Notice the way the asker of the question has changed. Notice the way the entity to which the question is being put has changed. It used to be that to identify yourself was very simple. You just stepped forward and the guard at the gate would recognize you. You just made a barrel, and people could see you know how to make barrels. Now, there’s no such way of doing that. You can’t stand forward and be recognized. You can’t simply demonstrate your skill or capacity. And so what was never questioned is now the central question.
It is important when questioning assertions of identity to draw out two distinct concepts. The first of these is identification - sometimes known as self identification - which is my assertion that I am a certain person. The second is authentication, which is the verification (presumably by a third party) that I am who I say I am. (Downes, 2005)
Identification is really kind of soft verification. It is us, asking of ourselves, who we are. Who am I? It’s essential to our being. When a person becomes amnesiac and they lose their memory, their first question is, “who am I?” As opposed to, “What is the capital of France?” Who they are: That’s what they want to know. And importantly my sense of self, my sense of identity defends crucially on my remembering who I am. And in a certain way, remembering what my aptitudes are. You cannot have identity in time without identity in history. Self-identification is self-memory.
I have different ways of describing who I am, and each different way I describe who I am corresponds to a different way of thinking about myself. I have a name. But my name is not sufficient to identify me. It is also the name of a restaurant critic in Melbourne, Australia. It is also the name of a political candidate in Nova Scotia, Canada. It is also the name of the cognitive psychologist who works at Utah. It is also the name of a football player in England. I need something more specific.
In identity there is a presumption of uniqueness and in order to establish uniqueness you need multiple naming systems. Some of them are more or less permanent, like your social security number. Others are transient and less permanent, such as your school number, phone number, PIN, and the like. The problem is that there are too many numbers. Nobody can remember them all. So we carry tokens with us – our credit cards, our bank cards, and the like. And that way we don’t need to remember all of these numbers. We just refer to the token.
It’s kind of funny; right? My tokens tell me who I am. If I didn’t have my tokens - if I didn’t have things that are external to me - I wouldn’t know who I am, because I wouldn’t be able to name myself.
What about authentication? How do I prove to someone that I am who I say I am? First of all, I have to know who I am. There is no authentication without identification. There’s no way I can prove to you that I am who I say I am unless I can say to myself I am who I am.
The Failure of Authentication
Consider the two major cases of identity claims that are made in context of authentication: where self-identification is accurate, and where it is not. First of all, I am Pete when I am Pete. It’s an accurate or correct identity claim, and if that’s the case everything’s fine and we don’t need to worry. The problematic chases when I say I am Pete when in fact I am not Pete, I am someone else. How do I prove that I am or am not Pete? If I can’t present the body I’m going to present the token. And if it’s a case of online authentication, I’m going to present a digital token, something like a password or a PIN or something like that.
But there is nothing inherently in the token that establishes the authenticity of my identity claim. A PIN is just a PIN. Only when a PIN is seen or used in a certain context is that an identity claim. There’s nothing in the PIN itself. Think about the example of the bank machine. I give my card, which is the physical token, and my pin number, which is the digital token, to my wife and I say, “Go get me a hundred dollars.” She goes to the bank presents the card, presents the ID number, gets a hundred dollars. There’s nothing inherent in the presentation of the card and the ID number that establishes that that person is who they claim to be.
So there’s nothing in the claim itself that prevents it from being a false claim. This is very important, because what is means is in the end no system of authentication ever succeeds. This is the conclusion of the famous Microsoft Darknet paper. (Peter Biddle, 2002) By ‘succeeds’ I mean establishing to a sufficient degree of certainty that my claim to be Pete is in fact true. Now, the standard will vary, but we can take very stringent standards and very loose standards, the result ends up the same.
Consider how we authenticate. Typically we rely on the testimony of a third party. Look at my tokens again – one is authenticated by the bank, another is authenticated by the government, another is authenticated by Costco. But how do they know I am who I am? Well, typically I went to them and said, “I am so and so” and maybe presented to them some other tokens. When you have a case of testimony from a third party, you basically created the same problem, but another iteration down, particularly in an online environment. Where now instead of proving I am who I am to the one place, I’m proving that I am who I am to another place, and using that proof to establish my proof here. There are all kinds of ways of misrepresenting myself. And even then even if I have proved to the satisfaction of someone that I am who I am, if I give my cards to somebody or if somebody steals my cards, and my pin numbers, they can still claim to be me even if they are not me.
The problem is essentially there is no token that is unique to me and that I can’t share - other than my own body, which I can’t share by definition. There is no token that I can present that is establishes that I am the young shadow of the doubt. It just does not exist.
The typical response is to propose some sort of biometric system, that is, to use a property of the body to establish identity. But the body – and other proxies, such as your computer, your telephone, like your mobile phone, the chip in your computer - can still all in some way be shared. The theme of many gruesome movies is that they cut the guy’s hand or they gouge out the guy’s eye in order to fool a biometric system. Biometrics depends on some kind of signature, and that signature is presumed to be unique to the body that carries that signature. But since it’s a signature, since it’s a type of sign, and not the actual entire body itself, it can always be spoofed.
This is especially the case if I am the person who is doing the spoofing. We typically think of false claims where somebody is claiming to be me, but what if I am me, but I want somebody else to be me? Suppose my thumbprint opens that door; I’ll unlock the door, and then I’ll send you through it. I’ve defeated the biometrics because I, the owner of the token (my thumb), used it to deceive. This is exactly what comes up in examinations and testing, when it’s in my interest to have someone who is not me write the test.
Trust and Motivation
Identity and authentication depends on motivation. They depend on me not wanting somebody else to self-identify as me. That’s why bank cards work. Bank cards work not because they’re super duper security – they are basically a simple password system, no more secure in a certain sense than a website – but because of my desire not to have the entire world able to withdraw funds from my bank account. Even biometrics depend on the bearer’s motivation to keep the lock secure, on me not wanting somebody else to be able to successfully pose as me.
In fact, when we talk about trust, our idea of trust is exactly backwards from the way it should be. We typically talk about trust in terms of authentication, in terms of whether I can prove my identity to someone else’s satisfaction. (Crocker, 2008) But what we should be talking about is whether I can trust the resource provider. Can this system establish to my own satisfaction that - I and only I - can establish that I am who I am? Are my identity assertions in this system uniquely my own?
This issue becomes especially evident when we look at the wider sense of identity, when we think of identity not just as a name or a number but rather as the complex set dimensions described at the beginning of this paper. If identity is not just a name, but rather, a four-dimensional array of properties, then the task becomes one of my being able to ensure that the properties – or at least, descriptions of those properties – are uniquely my own. And it is indeed this question of trust is brought forward in very sharp relief on the internet of today. Governments share our data. Companies share our data. Other people share our data.
Sometimes people impersonate these agencies in order to steal our data. Sometimes they simply sign legal agreements, or acquire the company, in order to obtain the data. Every year, thousands of people are victims of identity theft. (Canada, 2008) When agencies impersonate the entities that we can trust in order to steal our identities and use them for their own purposes, we lose the assurance that our identity claims are uniquely our own. We lose the assurance that claims made about us are true. And it is arguably this, rather than authentication, that the barrier to identity creation on the web today.
We need to establish a system whereby a person owns his or her own identity, where the projections that this person makes out to the world are verifiably, to the satisfaction of the person (not an external agency) reliably the property of that person. Or in pragmatic technical terms, if a blog post out there on my account has my name on it, it had better be something that I wrote and not something that has been put there in place of something that I wrote. We see that all the time people attempting to steal blog accounts in order to insert spam. This is exactly an instance of the sort of trust that we need to be able to establish: me being able to establish that my content, and not spam content, will go on my blogs, will be delivered using my email address, will represent my work, or my competences.
So identity needs to be understood from the perspective of our objectives, needs to be understood from the perspective of potentials of actions that we want to take, needs to be understood from the perspective of, as Terry Anderson says, how I manage my own presence. (Terry Anderson, 2001) How I manage who I am out there on the internet.
The way this is currently being done in practice on the internet is through a system called OpenID. (OpenID, 2007) In OpenID, a person’s identity is essentially a website and people verify this identity by putting something on the website. This is how Technorati verifies ownership of web logs. Somebody a signs up for Technorati and Technorati gives them unique token. They log in and put that token on their blog. Thus, they have proven that they own the website in question. (Technorati, 2005) OpenID works in the same way, except that the process is automatic. Instead of a name and a password, I give a website URL, and I’m redirected, with a token, to that URL. Some software on my website accepts the token and sends me back to the original website, which checks my URL for an instance of the token.
OpenID is not a system of authentication. Indeed, that was the subject of criticisms. (Johnson, 2007) You are not proving to Yahoo that you are whoever you say you are. You are proving to Yahoo only that you control this website. So there’s no presumption of uniqueness. There’s no presumption of a physical body. The only thing that there is a presumption of is that you control this site. It’s self identification. It works because you are motivated to maintain your own identity. This is not some trusted authority. This is not some identity provider or registry system. There is no registry system at all. This is you. This is your projection of your digital identity on the web. And your motivation is your desire to maintain the integrity of the content on these sites you maintain, your desire to maintain control and ownership of them.
Identity and Resources
Let’s take some of these concepts and apply them to e-portfolios, to the way we attempting to describe resources. So here is a resource. It is out here in the world somewhere. And the question is how do we describe this resource? We need to be able to describe this resource in the case of the portfolios because this is the expression of one’s external self, the token that we are going to use in order to show that we have a competence or whatever, whatever. But the way we typically think of describing these resources is through metadata, and the presumption here is that this metadata will be in accurate or true description of this resource. The big problem is metadata lies. Just as a token does not establish identity, metadata does not establish content. The sign signifies, but does not verify, the entity.
People lie in their metadata. If you looking at learning object metadata you see a perfect example of it. One of the fields in learning object metadata is “interactivity”, and it turns out they all are highly interactive. Even plain text web pages are all interactive. Everything in the world is interactive. According to metadata.
What we want to think about now are the different types of metadata that are attached to different types of resources. For any given resource there will be different types of metadata: bibliographical, technical, classification, et cetera. Think for example of a photograph versus a video. A video has a runtime in seconds, 43 seconds say. A photo does not. And it doesn’t even make sense to think of a photograph of having a certain runtime. So different metadata attaches to different types of objects.
What we think we know about that type of object is expressed by the metadata that we apply to it. Essentially in this sort of world there are three kinds of metadata. (Downes, Resource Profiles, 2004)
First party metadata is that created by the author of a resource. First party metadata is typically bibliographical metadata describing the author, the creation date, the location, and the like. It may also include rights metadata. And it includes technical metadata specific to the type of resource being described.
Second party metadata is metadata created by the user, or through the use, of a resource. It might be, for example, an evaluative metadata, containing the sort of criticism we would never see in first party metadata. Second party metadata may thus seem to be more accurate. But not necessarily; people lie about other people’s stuff too. Second party metadata is best thought of as usage metadata: who used it, when it was used, in what context it was used, what people said about it, and such.
Third party metadata is metadata created by people who neither created nor used the resource, by people who are describing it or classifying it for some purpose. “This is a resource about physics,” says the bibliographical association of America. “This is a resource that is appropriate for our students,” says the Latter Day Saints Association of America.
As these different types of metadata get produced by different people we get what might be called a profile of the resource composed of that metadata.
So what does this have to do with identity?
Exactly the same thing happens for people. If you think about it, think about the lifecycle of a resource or the lifecycle of a person it comes down to the same thing. You were born. I was born. When I came into this world I had very little metadata. I had almost none, in fact. I had a birth date, and I had a location of birth. A little while later I began to accumulate more metadata. I got named. That didn’t happen until after it took a few days. And then as time goes by I accumulate more metadata. I get grades in school. I have a brush with the law. I joined Boy Scouts. All of these things produce metadata, and this metadata is stored in different places. Some of the metadata is with the school. Some of the metadata is with the police service. Some of the metadata is with the university. It’s distributed all over the place.
So the idea of generating a resource profile – the idea of creating an identity, whether for a person or a resource - is pooling this metadata together. A person persists through time and space, projects through time and space. In the same way, and for much the same reasons, resources also persist and project through time and space. Different people with different needs and different perspectives may pool different bits of information, from different sources. A prospective romantic partner will be interested in different properties of an individual than will a prospective employer.
And thus, we return to Heidegger. Because no matter how we think of portfolios and identity, we need a more nuanced understanding of the three basic questions he describes.
First, we need to consider carefully what we are asking about. If we ask for something simple and one-dimensional – a grade, say, or a token – then that is what we will receive in response. But a person’s identity – and the picture of their skills and capacities, their motivations and their attitudes – is more complex, consisting of properties that extend well beyond the merely physically present.
Second, we need to consider who we are asking. This is not simply a matter of which person we are asking. It also depends on the attitude of the person to the question. Even something as simple as personal identification depends on the willingness of the person to cooperate, on there being an appropriate motivation to perform, and on their trust in you. And even then, we want to ask different kinds of questions of different individuals.
And third, we need to consider who is asking the question – what they can see and cannot see, what they want and do not want, what they expect and do not expect. There is not and cannot be a single view, a single story, on any given person, because the person is not just the thing that you see in front of you. We must understand that what we ask is not what defines the person in question, that we can at best achieve an approximation of an identity that is inherently compex.
Arisaka, Y. (1996). Spatiality, Temporality, and the Problem of Foundation in Being and Time. Philosophy Today , 40 (1), 36-46.
Blunden, R. (1996). The Mind Dependency of Vocational Skills. Journal of Vocational Education & Training , 48 (2), 167-188.
Canada, P. C. (2008, April 15). Identity Theft: What it is and what you can do about it. Retrieved August 1, 2008, from Office of the Privacy Commissioner of Canada: http://www.privcom.gc.ca/fs-fi/02_05_d_10_e.asp
Crocker, D. (2008, March). Trust in Email Begins with Authentication. Retrieved August 1, 2008, from Messaging Anti-Abuse Working Group (MAAWG): http://www.maawg.org/about/publishedDocuments/MAAWG_Email_Authentication_Paper.pdf
Descartes, R. (1996). Meditations on First Philosophy. (J. Cottingham, Trans.) cambridge: Cambridge University Press.
Downes, S. (2005). Authentication and Identification. International Journal of Instructional Technology and Distance Learning . http://www.itdl.org/Journal/Oct_05/article01.htm
Downes, S. (2004). Resource Profiles. Journal of Interactive Media in Education , 5. http://www-jime.open.ac.uk/2004/5/downes-2004-5-disc-t.html
Grush, M. (2008, February 27). The Future of Web 2.0: An interview with WSU's Gary Brown. Campus Technology .
Heidegger, M. (1962). Being and Time. (J. Macquarrie, & E. Robinson, Trans.) Oxford: Basil Blackwell.
Johnson, M. (2007, february 23). The OpenID Buzz: The good and the bad. Retrieved August 1, 2008, from Techzoogle: http://techzoogle.com/the-openid-buzz-the-good-and-the-bad/
OpenID. (2007). Retrieved August 1, 2008, from OpenID: http://openid.net/
O'Reilly, T. (2005, September 30). What Is Web 2.0: Design Patterns and Business Models for the Next Generation of Software. O'Reilly .
Peter Biddle, P. E. (2002). The Darknet and the Future of Content Distribution. 2002 ACM Workshop on Digital Rights Management. Washington DC: Microsoft.
Technorati. (2005). Hey bloggers: Claim your blog! Retrieved August 1, 2008, from Technorati: http://technorati.com/weblog/2005/11/58.html
Terry Anderson, L. R. (2001). Assessing teaching presence in computer conferencing transcripts. Journal of the Asynchronous Learning Network , 5 (2).
Ungerleider, C. (2003). Large-Scale Student Assessment: Guidelines for Policymakers. International Journal of Testing , 3 (2), 119-128.
Wilson, S. (2005, January 25). Future VLE - The Visual Version. Retrieved July 28, 2008, from Scott's Workblog: http://zope.cetis.ac.uk/members/scott/blogview?entry=20050125170206