Reputation Is the Identity We Need
Lincoln Cannon
13 May 2015 (updated 5 May 2024)
Information systems have long relied on identity to facilitate security and other forms of decision-making. In its most basic sense, an identity may be nothing more than an identifier, which, combined with a password, has sufficed for the practical concerns of many historic systems. However, as our systems have become more complex, more integrated, and more intelligent, new risks and opportunities have presented themselves, demanding more robust forms of identity – perhaps even aspirational notions of true identity.
In any absolute sense, there is no such thing as true identity. The grounds for this go much deeper than information technology, into fundamental science and philosophy. True identity, in the practical sense, arises from a confluence or aggregation of experience over space and time, or from data that reflects that set and stream of experience. We call that data “reputation”. In other words, true identity arises from reputation – not the other way around. We all enter life (and each new situational subset of life) with implicit pseudonyms that gather explicit names and reputation from ourselves and others to form a reputational identity, which increasingly approximates notions of true identity.
One possible aspect of a reputational identity is legal identity (and other forms of authorized identity). Legal identity has real value, but it does not exhaust the value of reputational identity. Persons with reputed and verified legal identities do all kinds of good and bad things to others in surprising ways that would have been otherwise less surprising had they shared other aspects of their reputations before the transaction. For example, sharing my legal name is less likely to predict my behavior on a comment board than sharing others’ ratings of my past behavior on comment boards. Already, most of us trust holistic reputations much more than legal identities, and that will become increasingly the case going forward, as reputations are increasingly digitized and aggregated across applicable domains.
Another possible aspect of reputational identity is reliable cross-domain verification of identity, perhaps technically implemented as single sign-on authentication. That also has real value, and there are numerous service providers in this space on the Internet. However, that also does not exhaust the value of reputational identity. While reputational identity can certainly enable authentication, it is much more than that. It can also facilitate decision-making, improve safety, provide self-improvement feedback loops, and enable automation of complex intelligent systems in the Internet-of-things, all based on a history of contextualized behavior. Returning to the comment board example, you can only whitelist or blacklist me based on my legal name, but you can filter me based on others’ ratings of my past behavior on comment boards.
And yet, for many good (and bad) reasons, people sometimes want anonymity, maybe for whistle-blowing, to express ideological dissent within oppressive communities, or simply to have fun. Of course, anonymity is actually rather illusory and may not even be possible in the most permanent sense. All agents (human and otherwise) leave patterns in time and space, and our technology is rapidly enabling us to discern and associate those patterns, particularly when those patterns involve events on the Internet, even when the agents make an effort to obfuscate relations between events. So practical anonymity may be limited to temporary pseudonymity. But despite limitations, even pseudonymity on the Internet has real value, at least for now, when agents use it carefully.
Perhaps paradoxically, a reputational identity works just fine, and even better than other forms of identity, in cases of pseudonymity. A person could have any number of reputational identities, each with any number of pseudonymous identifiers, each used to collect whatever reputation is applicable to actions performed while using it. Others can then decide, based on whatever reputation is associated with whatever pseudonym the person offers to use in a given transaction, whether or not to engage. Even better, a person might use a single reputational identity to share only applicable portions of reputation in a given transaction, thereby preserving desired degrees of privacy for an otherwise non-pseudonymous identity. For example, I might use a subset of my reputational identity under a pseudonym on a comment board, and that comment board could still filter me based on that subset.
We need more than basic, legal, or authentication identities. We need reputational identities. We need identifiers that gather reputation and thereby may increasingly approach something like true identity. We need identifiers that we can associate with reputed and verified legal identities as well as much richer sets of data, to enable better decisions in many, if not all, domains of life. And of course we need reputational identities to be reliable, which means we need a reliable system for communicating them, because a reputation cannot be more trustworthy than the means by which it’s communicated. So ideally, the system would not be owned by or subordinate to the unilateral interests of anyone, but rather would be decentralized and open source. We also need reputational identities to support legitimate cases of pseudonymity. Open Reputation is architected to satisfy these needs.