Automatically imported from: http://commons.somewhere.com:80/rre/1998/RRE.Agre.the.architectur1.html
This web service brought to you by Somewhere.Com, LLC.
[RRE]Agre: the architecture of identity 1/2
[I apologize for sending this message out in 2 parts. Its length oversteps the limits of Eudora (or the limits of my knowledge of Eudora).--p]
---
This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. For (un)subscribing, send a message to requests@lists.gseis.ucla.edu with Subject: info rre
---
The Architecture of Identity
Philip E. Agre
Graduate School of Education and Information Studies
University of California, Los Angeles
Box 951520
Los Angeles, California 90095-1520 USA
pagre@ucla.edu http://dlis.gseis.ucla.edu/pagre/
Telecommunications Policy Research Conference Alexandria, Virginia October 1998
This is the draft of 6 September 1998.
//1 Introduction
A minor industry is trying to give intellectual shape to the widespread intuition that information technology is bringing about a revolution in human affairs. Even to call it a revolution, of course, is already to have a theory; the social changes that accompany information technology are likened to violent, discontinuous changes in a political order, or to epistemological discontinuities in science. One template for understanding the changes, accordingly, is the industrial revolution, with its extraordinary increases in productivity. The problem with this approach, notoriously, is that little evidence supports it: the aggregate productivity increases that the analogy would predict are nowhere to be seen. Another approach sees the Internet writing its decentralized architecture onto the economic and political workings of the global society. This approach, too, conflicts with the evidence, as networked computing facilitates the most dramatic period of industrial concentration in human history.
Yet for all the cold water, revolution is still somehow in the air; we are still challenged to make sense of changes that, whatever their eventual magnitude may be, are strikingly pervasive. To understand them, we need to focus on another of the implications of this talk of revolution: the idea that human relationships, and perhaps human nature itself, will be transformed. Computers increasingly mediate human relationships, this argument goes, and so therefore the computers and the relationships, if they change, will necessarily change together. Revolutions, of course, have frequently been held to be impossible precisely because human nature does not change overnight. Perhaps human nature does not change at all past a certain point, and perhaps as a consequence the possibilities for computer-induced revolution are limited as well. I cannot evaluate these suggestions, but I can offer some account of what they mean.
No simple analysis of these matters will suffice. It is no good to infer changes in human life simply from the workings of machines; such an approach is inevitably reductionistic and can never do justice to the complexity of human life. Machines cannot be understood as neutral tools, given the immense effort that organizations put into inscribing their own contingent selves into the machines' workings. Nor can they be understood as mere epiphenomena of larger social processes, given the immense creativity that user communities put into appropriating them.
To understand the place of information technology in society, we need to take an institutional approach. Institutions are the persistent structures of social life: social roles, legal systems, linguistic forms, technical, and all of the other components of the playing field upon which human relationships are conducted in a given society (Commons 1924, Goodin 1996, North 1990, Powell and DiMaggio 1991). Central to the institutional approach is an analysis of the relationship between institutions and people, and between institutions and information technology. Institutions are not external to human affairs; they do not regulate our lives simply by reaching in to intervene. To the contrary, institutions go a long way toward defining us. To see this, consider Austin's (1962) analysis of speech acts. According to Austin, a given utterance does not count as a wedding vow or a jury verdict simply for arranging the correct words in the correct order. These speech acts are not felicitous unless certain institutional conditions obtain, and their result is to create new institutional facts in the world. The institutions, in other words, are constitutive of the acts themselves. The person who performs those acts does so in a particular institutional capacity, as the occupant and performer of a particular institutional role, in relationship to other individuals who are successfully occupying and performing complementary roles. Much of our lives is spent enacting institutional roles, and much of our own understandings of ourselves, and most of others' understandings of us, are bound up with those roles. That is not to say that we are puppets dangling on institutional strings. It is, however, to say that we have only a partial awareness of the depths to which our institutions define us. Nor is it to say that the institutions can live on without us; to the contrary, every institution is either reproduced or transformed at every moment through the actions of its participants. The relationship between individuals and institutions, in that sense, is reciprocal.
The institutional approach is particularly well-suited to the analysis of privacy issues. Privacy is patently an institutional matter; it pertains to the institutionally organized ability of individuals to organize and negotiate their relationships with others. Philosophical and legal analysis has often identified privacy as a precondition for the development of a coherent self (Schoeman 1984), and privacy issues have come increasingly to the fore as technologies for mediating human relationships have become more pervasive (Clarke 1994).
But the connection between institutions and privacy can also be found at a deeper level: both pertain to the construction of human identity. Information technology and privacy policy as we know them today both evolved under the assumption that computerized records fully and transparently identify the people whose lives they represent. Once those records are created, we have assumed, privacy is a matter of regulating the uses to which the records are put. Recent innovations in cryptography, however, have changed this picture considerably (e.g., Chaum 1985, 1992), and it has become clear that privacy can often be protected in a more fundamental way by simply not creating individually identifiable information in the first place.
More generally, new cryptographic protocols have created a vast design space. Along one edge of this space lie the traditional technologies for creating personally identifiable records. Along the opposite edge lie technologies of anonymity, for example smart cards purchased with cash, for which it is nearly impossible to infer a user's identity. Between these two extremes lie numerous other possibilities. Digital cash (Chaum 1989), for example, makes it possible for a payer's identity to be traced, but only under specific conditions. Subsequent work (e.g., Maxemchuk 1994) has generalized these methods to the point where the identities of numerous participants to a transaction are protected, while still making it possible to reconstruct particular identities when certain complicated conditions obtain.
For these technologies to fulfill their promise, they must be integrated with the larger institutional world, including business models, regulatory systems, contractual language, and social customs. My purpose here is to prepare the conceptual ground for this integration. I will argue that privacy-enhancing technologies undermine some fundamental assumptions about both technology and economics. I will proceed in several steps, as follows. Section 2 will frame the contemporary policy debate by sketching some of the complexity hidden within the widespread notion that privacy can be regulated by means of markets. Section 3 will introduce the question of human identity more fully by drawing attention to certain features of the "natural history" of identity in ordinary settings and to the difficulties that surround current institutional practices of identification. Section 4 will recount the evolving place of identity in the history of computer science, focusing particularly on information technologists' long, slow transition from notions of representation based on an almost God-like objectivity to notions based on the perspectives of finite individuals. Section 5 will trace a parallel development in the history of economics, starting with the roots in physics of the neoclassical synthesis and moving toward the more complicated picture in contemporary game-theoretic models. Section 6 will draw these perspectives together by considering the construction of identity in economic institutions. Section 7 will open up the large question of the information-related dynamics by which economic institutions, and particularly their consequences for the construction of identity, are shaped. Section 8 will then conclude by sketching some new directions that these phenomena suggest for privacy policy.
//2 The policy agenda
The conceptual basis of contemporary privacy policy originated in the late 1960's (Flaherty 1989). As the countries of northern Europe began building their welfare states, historical memory of the Nazi era led to concerns about centralized state databases. The "data protection" policies that arose in this environment, therefore, have been framed in political terms: data subjects are first and foremost citizens who possess rights, such as the right to correct inaccurate information about themselves in bureaucratic records. These policies also bear the marks of a technological environment characterized by small numbers of large, centralized, and poorly networked mainframe computers. As both the political and technological environments have evolved, the data protection model has been saved from obsolescence primarily by its abstract nature. Rather than specify technical architectures, the data protection model specifies technically neutral principles that can be - indeed, that must be - given content in the context of each sector, public and private, and each information processing technology.
Nonetheless, in recent years many commentators have suggested that the data protection model is out of date. The Clinton administration in particular has been vocal in urging industry to develop market-based self-regulatory mechanisms that achieve the goals of privacy protection without the purported downsides of a formal regulatory apparatus. Indeed, when considered abstractly, the notion of rights to personal information as commodities that can be traded like any others in the marketplace has a compelling inner logic. Different people value their personal information to different degrees, and many situations will arise in which the most stringent measures for privacy protection will require systems or procedures that are inherently more expensive, given the current state of technology, than those that offer less protection. Whether society should make an infinite investment in privacy protection, or zero investment, or some investment in between these extremes, it is argued, should be left to the same market mechanisms that determine society's investments in building cars and grilling burgers.
The principal challenges to this model are ethical and economic. The ethical arguments insist that the data protection model's political framing of privacy issues is the correct one, and that privacy is indeed fundamentally a right and not something that a person should have to buy at the going rate. Economic arguments point to the special properties of information. Talking of privacy as a commodity may make sense when we compare privacy to physical things like cars and burgers, but privacy rights are in fact special kinds of commodities because of the special economic properties of information (Arrow 1984). Kang (1998), for example, points out that an individual will have a hard time evaluating whether to pay a company extra to keep her personal information to itself, given that many other companies that possess similar information will most likely equivocate about their willingness to implement similar protections. Because information can be duplicated without being destroyed, even a single uncontrolled source of personal information can take up the slack for scores of other, more responsible organizations.
The problem here does not pertain to markets as such. Rather, scenarios like Kang's point to the necessity of institutional analysis. Simply speaking of "markets" is not to say much, given the diversity of actual and potential market institutions. Indeed, one way to interpret the data protection model is precisely as a set of ground rules for a market -- ground rules that aim to ensure that markets in privacy rights function correctly. If every firm is compelled to reveal its data-handling practices then obvious problems of asymmetric information in the privacy marketplace are alleviated and consumers can make their own choices.
Nor can the analysis end here. Quite the contrary, these elementary observations open up the complex issue of the role of personal information in the design of institutions generally and market institutions in particular. Market institutions provide contexts in which people come together to transact business, and in doing so they create information whose embodiments and uses may concern the parties just as much as the goods and services that are bought and sold. In order to raise the question of markets in privacy, in other words, we should also investigate the question of privacy in markets.
The question of privacy in markets becomes particularly complicated in the context of privacy-enhancing technologies (Burkert 1997). One of the longstanding principles of data protection, the principle of minimality, suggests that an organization conducting a transaction with an individual should only create and store the information needed for the purpose -- what Kang (1998), in the context of American privacy policy, calls "functionally necessary" information. Traditionally this concept has been construed to minimize the number of data fields that are created and stored with regard to a particular transaction. But it can also be construed to minimize the degree to which the data subject is identified at all. Even if the principle of minimality is not legislated as an inherent property of market institutions, it should not be ruled out from the start. That is, market institutions should at least not make it technologically or administratively impossible a priori for buyers and sellers to contract for a minimal degree of identification. The great difficulty of conceptualizing this guideline in practice may provide us with the full measure of the difficulty of the topic.
//3 The question of identity
Identity is central to social and institutional life, and yet the concept of identity is interpreted in quite different ways. A vast intellectual and popular discourse, for example, speaks of ethnic identities, of the role of identity in the construction of nation and community, and of the difference between the identities that are ascribed to one by others and the identities that one fashions for oneself. Identity in this sense is a public, symbolic phenomenon that is located in history, culture, and social structure.
This conception of identity contrasts strikingly with the conceptions that have historically been employed by information technologists. For information technologists, identity is epitomized by proper names. But identities in technical discourse are not the same as names: they are somehow purer, more mathematical. The identity of a human being, or for that matter a chair or a company, essentially consists in its being one single thing that is different from other, countable things. In the traditional ontology of computer science, in other words, the identity of a thing is strictly separate from, and prior to, its attributes.
To investigate the actual or potential role of information technology in real institutional life, therefore, our starting question should be something on the order of, "what does it mean to know who someone is?". The question answers itself automatically, of course, if we imagine that everybody has direct access to a realm of Platonic essences - one for each thing in the world, and particularly each person. The evidence, however, does not favor that theory. Instead, questions of (what philosophers call) definite reference direct our attention to the social practices in which we are embedded, and particularly to the social networks and authority relationships through which we can make reference to people, places, and things that may be distant from our own experience (Donnellan 1966, Kripke 1980). Simply to know a person's name is obviously not to know who that person is, even when the name in question is unique (as my own name would seem to be). Yet even a person whose name is very common can be identified reliably if the speaker and hearer share a reflexive orientation to the same institutional context and social network.
We can also know who someone is without knowing their name. A person can be a regular at a restaurant, eliciting greetings and an Anchor Steam, simply through the recognizability of her personal appearance. Indeed, in the big picture of the natural history of identity, face recognition occupies an important place in the aforementioned spectrum between complete identification and complete anonymity. Human beings can recognize one another's faces with remarkable skill, even if they cannot as readily attach names to them, and yet they find even familiar faces hard to describe. Walking into a restaurant, whether once or a hundred times, does not permit the employees or customers of the restaurant to create a representation of your face that can readily be indexed into a database and connected to other sources of information. Police artists can make sketches of a suspect's face from witness reports, and members of the public can often recognize a face from sketches published in the newspaper, but making such sketches requires unusual skills and is expensive and fallible. Faces, in other words, have a one-way quality that is at least broadly reminiscent of the conditional traceability of identity in cryptographic protocols such as digital cash. And social customs depend on this quality. Social relationships unfold not through instantaneous access to one another's complete dossiers, but rather through an exchange of information that is incremental and negotiated. In face-to-face contexts, almost by definition, the first information that one reveals is the appearance of one's face, and the traditional customs for negotiating relationships would collapse if faces could be easily communicated in a uniquely precise way to others, much less connected by automatic means with computerized dossiers.
In an institutional setting, to "know who somebody is" is roughly speaking the ability to get hold of them. A party to a contract, for example, may need the ability to hail the other party into court if an agreement is not kept. Vendors may need to collect debts. Organizations that maintain customer accounts need to be assured that a person who shows up at a customer service point, or who calls on the telephone, is the same person who opened the account. The conventional strategy for establishing identity is, obviously, to create a unique representation of each individual. Each interaction between an individual and an organization then has (at least) two steps: first find out who the person is (that is, establish and authenticate an identifier) and then transact business with him or her (that is, work on the records that are indexed using that identifier). And yet, in actual institutional practice, this strategy has been implemented in a remarkably slapdash manner. Simsion (1994; cf Agre 1997c), for example, observes that real systems have tended to employ identifiers such as name-plus-birthdate that are not necessarily unique, and that can even change as an individual changes social status or when errors are discovered. Many organizations employ identifiers such as the Social Security Number that were never intended for such purposes and are poorly suited for them. What is more, organizations that issue identification mechanisms such as driver's licenses have frequently been plagued by corruption (Ellis 1998). As a result, many institutional systems of identification are riddled with opportunities for error and fraud, and organizations frequently attempt to strengthen their own identification mechanisms by requiring individuals to display identification from other organizations.
In short, institutional mechanisms of identification, particularly in the United States, are undergoing a slow-motion catastrophe. And with the spread of information technologies that can mediate institutional relationships across great distances, the problem is likely to become severe. Approaches to alleviating the problem can be sorted, at least for heuristic purposes, into two broad categories: centralized and decentralized. A centralized system would be a complete, functioning, and unified version of the scheme just described: one single unique identifier for each person, used consistently for every purpose. A decentralized system, by contrast, would resemble much more closely the "pseudonym" scheme devised by Chaum (1990), in which each individual is assigned a distinct identifier by every organization with whom she does business, such that these identifiers are incapable of being linked to one another without the individual's permission.
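To make the contrast between the centralized and decentralized pictures concrete, here is an added example that is not part of Agre's paper and is not Chaum's construction: it is a simplified stand-in in which each person derives a per-organization identifier with an HMAC keyed by a secret only she holds. The organization names, the sample people, their secrets and the "national identifier" values are all constructed for the demonstration. Two organizations that index records by the shared national identifier can join their files by simply comparing columns; two organizations that index by per-organization pseudonyms share no common value, so the same join finds nothing unless the person herself presents both pseudonyms.

```python
import hashlib
import hmac

# Constructed sample population: a fixed secret per person. In practice each
# person would generate and guard her own secret; fixed bytes keep the example reproducible.
PEOPLE = {
    "alice": b"\x01" * 32,
    "bob":   b"\x02" * 32,
    "carol": b"\x03" * 32,
}

# Constructed national-style identifier, reused by every organization in the centralized scheme.
NATIONAL_ID = {"alice": "000-11-2222", "bob": "000-33-4444", "carol": "000-55-6666"}


def pseudonym(user_secret: bytes, org_id: str) -> str:
    """Per-organization identifier: HMAC-SHA256 keyed by the person's secret over the
    organization's name. Only the holder of the secret can compute it, so the identifiers
    issued by two organizations share no common value unless the person reveals them together."""
    return hmac.new(user_secret, org_id.encode(), hashlib.sha256).hexdigest()


def centralized_records(org_id: str) -> list:
    """Records of an organization that indexes people by the shared national identifier."""
    return [{"id": NATIONAL_ID[p], "org": org_id, "visits": 1} for p in PEOPLE]


def pseudonymous_records(org_id: str) -> list:
    """Records of an organization that indexes people by its own per-organization pseudonym."""
    return [{"id": pseudonym(s, org_id), "org": org_id, "visits": 1} for s in PEOPLE.values()]


def join_on_identifier(records_a: list, records_b: list) -> list:
    """What two organizations can do with no help from the data subject: compare their
    identifier columns and return the pairs of records that match."""
    index = {r["id"]: r for r in records_b}
    return [(a, index[a["id"]]) for a in records_a if a["id"] in index]


def linked_count(scheme) -> int:
    """Number of people two constructed organizations can link under a given record scheme."""
    return len(join_on_identifier(scheme("bank"), scheme("pharmacy")))


def link_with_consent(user_secret: bytes, org_a: str, org_b: str) -> tuple:
    """The person, holding the secret, presents both pseudonyms together so that one
    organization can confirm a specific link for a specific purpose; the secret itself
    is never handed over, so no further links can be made from the disclosure."""
    return pseudonym(user_secret, org_a), pseudonym(user_secret, org_b)


if __name__ == "__main__":
    print("centralized scheme, people linkable by joining columns:", linked_count(centralized_records))
    print("pseudonymous scheme, people linkable by joining columns:", linked_count(pseudonymous_records))
    bank_id, pharmacy_id = link_with_consent(PEOPLE["alice"], "bank", "pharmacy")
    print("alice's bank pseudonym:", bank_id[:16], "...; pharmacy pseudonym:", pharmacy_id[:16], "...")
```

The design point is where the linking capability sits: in the centralized scheme it is a property of the records themselves, available to anyone who holds two files, whereas in the pseudonymous scheme it is a capability of the person, exercised one link at a time. A real deployment would still need to handle the person losing her secret and the organization binding a pseudonym to a real-world recourse (the "ability to get hold of them" discussed below), which this stand-in does not address.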
Although the notion of a "pseudonym" would normally conjure notions of advanced cryptography or other special trickery, in fact something like the decentralized picture follows naturally so long as the various systems are developed independently of one another. Because of this, the institutional mechanisms of identification that we actually have in 1998 fall somewhere between the centralized and decentralized extremes, and their lack of robustness can be understood precisely in terms of the haphazard and accidental nature of this compromise. Organizations are well known to suffer from "islands of automation" within themselves, and in many cases the computers in the manufacturing divisions of different firms are more likely to be compatible than are the computers of the manufacturing and finance divisions of the same firm. A minor industry has grown up to patch over these separate spheres of representation (e.g., Brackett 1994), and this industry must contend with the extraordinary inertia induced by legacy systems and the sprawling networks of skills and practices that have usually grown up around them.
The project of privacy protection, in other words, does not begin from a clean slate, or from any other ideal-typical case. To the contrary, the current situation is a historical muddle of some complexity. To move forward, therefore, we need to comprehend the current situation on several levels. To keep the remainder of my discussion within manageable bounds, I will concentrate on only a few of these levels. Specifically, I want to consider some of the intellectual inheritances that shape our understandings of these problems. I will argue that those inheritances are themselves internally complex, and that only a proper historical analysis of them will make them useful in guiding the future evolution of both institutions and technology.
//4 Technical evolution
Conventional histories of computing often focus their attention on the machinery itself and on the mathematical basis of logical design and programming. Important as this level of analysis is, we cannot comprehend the institutional history of computing without also attending to the specifically institutional ideas of its inventors. Schaffer (1994), for example, recounts the role of religious ideas and political economy in Babbage's understanding of the computer. Babbage followed in a long line of engineers by understanding his own work on the analogy of God's creation of the earth (Noble 1997). The factory was a microcosm, and the engineer's job was to impose upon it a perfect rational order, arranging the machinery and activities within it without any regard for the subjectivity of the workers.
The computer epitomized for Babbage this God-like ordering principle, and this conception of the computer set in motion a certain conception - tacit to be sure, but tremendously powerful and pervasive nonetheless - of the nature of computational representation. The word "representation", let us note, can take on several meanings. In the law, for example, a representation is a social action that carries certain responsibilities, some of which can be enforced legally (Shapo 1974). But a representation can also be a thing: an artifact that has been designed to refer in some systematic way to circumstances in the world. And that is the sense in which computer scientists have understood the representations that they have embodied in their machines. Indeed, although the word "representation" is employed routinely by practitioners of artificial intelligence (Agre 1997a), practicing mainstream computer professionals tend to use words such as "file" and "record" that name the representational artifacts of traditional institutional practices.
For Babbage and his descendants, however, the purpose of computerized representations was not simply to replicate the practices of bureaucracies but transparently to mirror the world (Agre 1997c). Even though the contemporary discourse of computing has secularized much of Babbage's overt theology, there remains the assumption, or ideal, that computers take up a God's-eye view toward the world. This approach to representation made a certain sense in the military and industrial settings in which computing was first developed, in which power relations were such that all activities were indeed subject to omniscient monitoring. Privacy problems arise precisely when this model is transferred into settings where such relations of representation are taken less for granted.
This, however, is not the end of the story. Computer technology has obviously evolved a great deal since Babbage's day, and even since the days when the practices of organizational computing first took shape at IBM. Among the many lines of evolution, the ones that are relevant here are the ones that begin to recognize the perspective of individual human beings. The conception of individual human beings that is implicit in the conventional practices of computer systems design, in other words, is changing, and yet much of that change has escaped notice. I have already mentioned one area of innovation that has not escaped notice -- the emerging generation of cryptographic protocols that permits designers to underwrite a remarkably wide range of informational relationships among persons. More recently these developments have been formalized into architectural frameworks that promote the routinized design of such schemes (Blaze, Feigenbaum, Resnick, and Strauss 1997; Roscheisen and Winograd 1996; Stefik 1997).
Important as these developments are, they also depend upon a more fundamental shift that has been little recognized. Mainframe computers presupposed (and still do) that they are embedded in an institutional framework in which somebody authenticates the identities of users before issuing accounts to them. The machinery itself, of course, does not obligate the organization that owns it to establish the absolute, Platonic, once-and-for-all identity of every user, whatever that would mean. Nonetheless, the designers of timesharing operating systems have assumed that they are dealing with multiple users, and that one of their central tasks is to distinguish clearly between these users and to build barriers that prevent them from interfering with one another (Agre 1998b). A mainframe may not exactly know who its users are, but it presupposes that somebody has done enough work to tell the users apart.
Personal computers, by contrast, are designed on no such assumption. The notion of separate users is not central to the ontology upon which personal computer operating systems are designed, and those personal computers that do distinguish among different users do so superficially, perhaps through a password protocol in a screen saver. Your personal computer truly does not know who you are. The Internet, for its part, was first pioneered during the mainframe era. The early Internet derived its security largely through social mechanisms -- by peer pressure within the small world of Internet users and by the institutions that selected people to be users in the first place -- and it derived its technical means of security largely from the timesharing operating systems through which its users gained access to it. Yet that all changed with the introduction of personal computers. Individuals on personal computers could gain access to the Internet without logging in to anything, and the concept of logging in to the Internet itself did not exist. The most widely used Internet software packages arose in this setting, and it is this historical circumstance that explains, in sharp contrast to the picture of traditional timesharing systems, the remarkably poor facilities that the Internet provides to enable people to create boundaries for themselves. Whereas the cultural norms and cognitive practicalities of face-to-face interaction make it possible to negotiate incremental access to oneself, Internet users find themselves inadequately equipped to defend themselves against forgery, spam, and other aggressively antisocial practices.
The fundamental point is this: whereas mainframe operating systems represent their users, personal computers do not. Lest personal computers seem too strange as a result of this difference, however, we should recognize that the mainframes are the exception. Personal computers need not identify their users because the continuity of a user's relationship to a personal computer is provided for by the brute fact of his or her physical access to the machine. A personal computer does not understand its user as "John" or "Mary", any more than a car or an electric razor does, but rather as something more like "the person who is using me". The designer may well, of course, have an elaborate story in mind about the attributes and relationships of this person (Sharrock and Anderson 1994), and this story may well have been inscribed in the device itself (Akrich 1992), but the user himself or herself is still characterized in indexical terms through a certain definite description ("the person who ..."). The concept of indexicality is derived from linguistics, where it refers to any aspect of grammar whose referent depends on the circumstances in which it is used (Hanks 1990). The crucial point, in Smith's (1996) provocative formulation, is that the laws of physics are themselves indexical: they depend not on particular places and times but on "here" and "there" and "now" and "then".
Nor is this trend toward indexicality in representation confined to the tacit workings of personal computers. Research in artificial intelligence has long presupposed that human beings and other "intelligent agents" employ representations that resemble the "view from nowhere" (cf Porter 1994) that AI people call a "world model". And yet human beings, like cats and robots, are finite; they have bodies and are located physically and epistemically in space. For this reason and others, attempts to build intelligent machinery have been compelled over time toward a more explicitly indexical understanding of representation (Agre 1997a, Lesperance 1991). The point is not exactly that anonymity is the natural order of things. We can, after all, recognize one another's faces. What is unnatural, so to speak, is precisely the attempt to establish a God-like representational perspective that gives all things their true names.