Is identity a thing?Some people talk about identity as some special kind of object - a valuable possession that can be stolen by fraudsters (identity theft), appropriated by authority (e.g. government), and/or captured in some technological device (database, smartcard).
Some people say we have exactly one of these things, while others say we may have several different identities (corresponding perhaps to different social contexts). Some of us may have a cluster of overlapping but not-quite-consistent identities.
Some people say identity is a permanent fixture, while others say it can develop over time.
Identity may be fractured into technological bits. For example, Phil Windley describes identity in terms of "a collection of attributes, preferences, and traits stored in a computer record". He contrasts this (as he puts it) "dry technical definition of identity" with "the living language of identity" mooted by Tim Greyson. Perhaps the computer record is merely an impoverished representation of a living identity.
But perhaps it isn't a thing after all ...?
Is identity a function or process?In my 1992 book on Information Modelling, I argued (following Frege) that identity was a special kind of rule, defining when something could be regarded as the same again. This notion of identity is invoked by Johann Ernst and Scott Lemon.
A company identifies me using a relatively small set of characteristics. If a fraudster manages to replicate these characteristics, then he can impersonate me for fraudulent ends. If the company is unable to detect the impersonation, then the fraudster and I are (at least temporarily) indistinguishable.
One way of making sense of this is to say that there are at least two different identity functions in play here. The bank's identity function answers YES when asked if the fraudster and I are the same; my own identity function answers NO. From my perspective, the bank's error counts as a false positive, caused by inadequate information.
In general, such identity functions are epistemological rather than ontological. They are about what a company knows (or chooses to know, or is permitted to know) about a data subject, rather than the intrinsic nature of the data subject himself.
And importantly, whereas ontological identity obeys all sorts of simple logic (excluded middle, transitivity), epistemological identity (indistinguishability) doesn't.
Is identity a policy?This kind of identity is not stable, because it depends on the company's policy - what it chooses to know about me. It also depends on my own preferences - what I am willing to divulge to the company - for example whether I choose to participate in loyalty schemes or frequent flyer programmes. In some industries, there are also regulatory concerns - for example, banks have been forced to increase the amount they know about their customers, and this is apparently to counter money-laundering.
From this perspective, the question of biometric identity is not whether two people are theoretically indistinguishable, but whether anyone can be bothered to spend enough money to make the technology sufficiently accurate. (See discussion on the Ultimate Biometric by Neils A Bjergstrom (pdf), Stefan Brands and Kim Cameron.)
... more later