R-cards “ah-hah!” at IIW

At last month’s Internet Identity Workshop and the subsequent DataSharing Summit, Markus S and Drummond Reed unpacked several ideas about r-cards, which, to a certain extent, are an evolution of the Information Card at the heart of CardSpace.

Going into IIW, I understood r-cards simply as a hybrid of InfoCard’s managed and personal card models. Managed cards are issued by another party–all the data associated/transmitted with that card is controlled by that managing party, while personal cards are self-asserted, allowing individuals to serve as their own card provider, controlling all of the associated data. R-cards, then, allow a managing party to co-control a card with the user–with some data controlled by the managing party and some controlled by the user.

However, during the IIW demo of r-card, I had an epiphany about how powerful the r-card is, once we actually allow the user to manage the personal claims through multiple, dereferenceable links.

One issue that came up during the demo was that if the “personal” side of the r-card is manually entered claims, such as contact information, then the user is creating a management nightmare: duplicate claims would need to be entered and maintained across many different r-cards. The more r-cards, the worse the problem.

The “obvious” solution discussed at the session was to allow the user to specify specific claims that are served by other IdPs, such as a Personal Address Manager. And for completeness’ sake, let’s note that such claims could be mashed up from multiple other IdPs, not just a single one. Thus, any number of claims from a particular IdP could act as a sort of sub-card, combining with other sub-cards at presentation time.

The net result of this is a realization that perhaps the most interesting thing about r-cards is their use as dynamic cards or aggregate cards or mashup identity cards.

That’s pretty cool in itself.

However, it struck me that this also potentially fixes usability problems around authorizing a bunch of vendors (M) to access identity claims at a variety of different identity providers (N). This potentially requires N points of authorization and authentication for each of the M vendors (or relying parties). Sub-cards (or r-cards) may combine that task at the point of presentation for much greater user understanding and simplicity.

Since the Card Selector is itself a trusted point of authorization, we should be able to use the “mashup” gesture as explicit authorization for relying parties to access the claims specified in the sub-cards. That is, the UI of creating the r-card/mashup card/dynamic card also explicitly approves access to specific claims from multiple IdPs, since after all, the selector is where you select which claims to present to relying parties.

This adjustment to the Information Card ceremony greatly simplifies the user experience, while retaining all the power of distributed claims at appropriate IdPs. For example, it would allow me to specify my Passport # to United Airlines, as a verifiable claim served by the US Secretary of State IdP (which should be trusted by UA), streamlining any international travel I might do, while retaining my contact info at my Personal Address Manager. All with the same authorization ceremony I use with any information card relying party.

This realization was, for me, the most surprising insight into the power of the r-card. In fact, I’m wondering if the name “r-card” captures it best.
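The mashup-as-authorization idea above, modeled as an added example (not code from the original post or from any Information Card implementation). All class names, IdP labels and claim names are hypothetical, and only the authorization bookkeeping is modeled, not the token exchange.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SubCard:
    """Claims the user has linked from one IdP (links, not values)."""
    idp: str
    claims: frozenset


@dataclass(frozen=True)
class Grant:
    """Authorization for one relying party to fetch specific claims from one IdP."""
    idp: str
    relying_party: str
    claims: frozenset


class RCard:
    """A mashup card: each claim resolves to exactly one source IdP."""
    def __init__(self, name, subcards):
        self.name = name
        self.source = {}
        for sc in subcards:
            for claim in sc.claims:
                if claim in self.source:
                    raise ValueError(f"claim {claim!r} has two sources")
                self.source[claim] = sc.idp


def present(card, relying_party, requested, required=()):
    """The single selector gesture: pick a card for a relying party.

    Returns one Grant per IdP, scoped to the claims the relying party asked
    for and the card can supply. Claims on the card that were not requested
    are never granted.
    """
    missing = [c for c in required if c not in card.source]
    if missing:
        raise LookupError(f"card {card.name!r} cannot supply {missing}")
    by_idp = defaultdict(set)
    for claim in set(requested) | set(required):
        if claim in card.source:
            by_idp[card.source[claim]].add(claim)
    return [Grant(idp, relying_party, frozenset(claims))
            for idp, claims in sorted(by_idp.items())]


class IdP:
    """An identity provider that releases a claim only under a matching grant."""
    def __init__(self, name, values):
        self.name = name
        self.values = values
        self.grants = []

    def accept(self, grant):
        if grant.idp != self.name:
            raise ValueError("grant addressed to a different IdP")
        self.grants.append(grant)

    def release(self, relying_party, claim):
        for g in self.grants:
            if g.relying_party == relying_party and claim in g.claims:
                return self.values[claim]
        raise PermissionError(f"{relying_party} not authorized for {claim!r}")


def travel_card():
    """Constructed sample card following the passport/contact-info scenario."""
    return RCard("travel", [
        SubCard("state-dept", frozenset({"passport_number", "nationality"})),
        SubCard("address-manager", frozenset({"email", "postal_address"})),
    ])
```

One gesture yields one grant per IdP, so the user authorizes once per presentation rather than once per IdP per relying party.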

Majority of Americans dislike unauthorized use of behavioral data

From Yahoo News:

Majority Uncomfortable with Websites Customizing Content Based on Visitors’ Personal Profiles

Level of Comfort Increases When Privacy Safeguards Introduced

ROCHESTER, N.Y.–(BUSINESS WIRE)–A majority of U.S. adults are skeptical about the practice of websites using information about a person’s online activity to customize website content. However, after being introduced to four potential recommendations for improving websites’ privacy and security policies, U.S. adults become somewhat more comfortable with the websites’ use of personal information.

Good stuff, although one should read closely to understand exactly what users dislike. Customization isn’t the problem… it’s the unauthorized invasion of privacy. The questions asked by Harris were rather leading. It would be interesting to see what people say to “if asked, would you allow a search engine to provide enhanced results based on your behavior?” My understanding is most people do opt in to the advanced features of Google Desktop, which asks essentially the same question at install time. People don’t like surreptitious activities, but if you ask up front, it’s much easier for folks to say yes.

BT busted for unauthorized tracking of user activity

The title says it all, as reported by the Guardian:

BT admits tracking 18,000 users with Phorm systems in 2006

Bummer. I kinda like BT.

Law enforcement v Minimal disclosure

The Washington Post today exposed considerable excesses by “fusion” centers organized post 9/11.

Intelligence centers run by states across the country have access to personal information about millions of Americans, including unlisted cellphone numbers, insurance claims, driver’s license photographs and credit reports, according to a document obtained by The Washington Post.

Dozens of the organizations known as fusion centers were created after the Sept. 11, 2001, terrorist attacks to identify potential threats and improve the way information is shared. The centers use law enforcement analysts and sophisticated computer systems to compile, or fuse, disparate tips and clues and pass along the refined information to other agencies. They are expected to play important roles in national information-sharing networks that link local, state and federal authorities and enable them to automatically sift their storehouses of records for patterns and clues.

The list of information resources was part of a survey conducted last year, officials familiar with the effort said. It shows that, like most police agencies, the fusion centers have subscriptions to private information-broker services that keep records about Americans’ locations, financial holdings, associates, relatives, firearms licenses and the like.

Centers serving New York and other states also tap into a Federal Trade Commission database with information about hundreds of thousands of identity-theft reports, the document and police interviews show.

Pennsylvania buys credit reports and uses face-recognition software to examine driver’s license photos, while analysts in Rhode Island have access to car-rental databases. In Maryland, authorities rely on a little-known data broker called Entersect, which claims it maintains 12 billion records about 98 percent of Americans.

In its online promotional material, Entersect calls itself “the silent partner to municipal, county, state, and federal justice agencies who access our databases every day to locate subjects, develop background information, secure information from a cellular or unlisted number, and much more.”

“There is never ever enough information when it comes to terrorism” said Maj. Steven G. O’Donnell, deputy superintendent of the Rhode Island State Police. “That’s what post-9/11 is about.”

The last statement pretty much sums up current institutional thinking on individual liberty and national security: in the fight against terrorism, we have a moral obligation to do everything we can. Everything.

It’s scary how much that position echoes that of fascism. As promoted by Mussolini, fascism builds a moral framework based on the primacy of the state. Fasciste means a bundle of sticks, symbolizing that the group is stronger than any individual. Fascism extends that thinking, declaring that each individual’s rights exist only insofar as they support the state. Or to restate, in the defense of the state, there are no individual rights.

Which, if you think about it, is exactly what anti-terrorist programs assert when claiming that terrorism trumps the rights and privileges of the suspect or accused. Due process, protection from unreasonable searches, freedom of speech. All of these rights have been trampled on in the name of the War on Terror. The fusion centers are just one more institution created by the mindset that brought us illegal wiretaps, extraordinary extradition, secret prison camps, extra-territorial detention, and torture.

I understand law enforcement’s position. It is easier to enforce laws when you know everything about everyone, just like in a police state (see The Lives of Others for an Academy Award-winning story of pre-information age East Germany’s police state). But it is impossible for a police state to generate the economic and social well-being that emerges in a free society… and it is that well-being which, ultimately, is the core of U.S. global power. Simply put, undermining freedom undermines US security.

In contrast, consider the subtle brilliance of Kim Cameron’s Laws of Identity, in particular, law 2:

2. Minimal Disclosure for a Constrained Use

The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

We should build systems that employ identifying information on the basis that a breach is always possible. Such a breach represents a risk. To mitigate risk, it is best to acquire information only on a “need to know” basis, and to retain it only on a “need to retain” basis. By following these practices, we can ensure the least possible damage in the event of a breach.

At the same time, the value of identifying information decreases as the amount decreases. A system built with the principles of information minimalism is therefore a less attractive target for identity theft, reducing risk even further.

By limiting use to an explicit scenario (in conjunction with the use policy described in the Law of Control), the effectiveness of the “need to know” principle in reducing risk is further magnified. There is no longer the possibility of collecting and keeping information “just in case” it might one day be required.

The concept of “least identifying information” should be taken as meaning not only the fewest number of claims, but the information least likely to identify a given individual across multiple contexts. For example, if a scenario requires proof of being a certain age, then it is better to acquire and store the age category rather than the birth date. Date of birth is more likely, in association with other claims, to uniquely identify a subject, and so represents “more identifying information” which should be avoided if it is not needed.

In the same way, unique identifiers that can be reused in other contexts (for example, drivers’ license numbers, Social Security Numbers, and the like) represent “more identifying information” than unique special-purpose identifiers that do not cross context. In this sense, acquiring and storing a Social Security Number represents a much greater risk than assigning a randomly generated student or employee number.

Numerous identity catastrophes have occurred where this law has been broken.

We can also express the Law of Minimal Disclosure this way: aggregation of identifying information also aggregates risk. To minimize risk, minimize aggregation.
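A sketch of the two practices the quoted law describes, storing an age category instead of a birth date and issuing identifiers that do not cross context, as an added example that is not part of the original post or of the Laws of Identity text. The record fields, context names and helper names are hypothetical, and the sample person is constructed.

```python
import secrets
from datetime import date

# Constructed sample record held by the issuing party only.
FULL = {"name": "Constructed Person", "ssn": "000-00-0000",
        "birth_date": date(1980, 2, 29)}

# Fields an attacker could use to join records from two breached systems.
QUASI_IDENTIFIERS = ("ssn", "birth_date", "id")


def age_category(birth_date, on, threshold=21):
    """Return only whether the subject has reached `threshold` years on `on`."""
    had_birthday = (on.month, on.day) >= (birth_date.month, birth_date.day)
    years = on.year - birth_date.year - (0 if had_birthday else 1)
    return years >= threshold


class ContextRegistry:
    """Issues one random identifier per (context, subject).

    The mapping back to the subject stays with the issuer; each relying
    system only ever sees its own identifier.
    """
    def __init__(self):
        self._ids = {}

    def local_id(self, context, subject_key):
        key = (context, subject_key)
        if key not in self._ids:
            self._ids[key] = secrets.token_hex(8)
        return self._ids[key]


def minimal_record(full, context, registry, on, need_age_over=None):
    """Build what a system in `context` stores: no birth date, no SSN."""
    out = {"id": registry.local_id(context, full["ssn"])}
    if need_age_over is not None:
        out[f"age_over_{need_age_over}"] = age_category(
            full["birth_date"], on, need_age_over)
    return out


def join_keys(a, b):
    """Quasi-identifier fields on which two stored records can be linked."""
    return [f for f in QUASI_IDENTIFIERS
            if f in a and f in b and a[f] == b[f]]
```

Two systems that each stored the full record can be joined on `ssn` and `birth_date`; the minimized records share no joinable field.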

Whether or not you think the War on Terror is being handled well, it is a demonstrable fact that human systems fail. People make mistakes. And that means we can guarantee that institutions–even when acting in our own best interest–will make mistakes, like the admitted errors of the FBI, as reported by the NYT:

F.B.I. Made ‘Blanket’ Demands for Phone Records

WASHINGTON — Senior officials of the Federal Bureau of Investigation repeatedly approved the use of “blanket” records demands to justify the improper collection of thousands of phone records, according to officials briefed on the practice.

Under the USA Patriot Act, the F.B.I. received broadened authority to issue the national security letters on its own authority — without the approval of a judge — to gather records like phone bills or e-mail transactions that might be considered relevant to a particular terrorism investigation. The Justice Department inspector general found in March 2007 that the F.B.I. had routinely violated the standards for using the letters and that officials often cited “exigent” or emergency situations that did not really exist in issuing them to phone providers and other private companies.

F.B.I. Says Records Demands Are Curbed

WASHINGTON — The Federal Bureau of Investigation improperly obtained personal information on Americans in numerous terrorism investigations in 2006, but internal practices put in place since then appear to have helped curtail the problems, Bush administration officials said Wednesday.

The Justice Department’s inspector general is expected to issue a report in coming weeks that updates the findings of a major investigation last year into the F.B.I.’s use of so-called national security letters, which allow investigators to obtain telephone, e-mail and financial information on people involved in investigations without a court warrant.

Last year’s report caused an uproar in Congress when it was disclosed that the F.B.I., under powers granted by the USA Patriot Act, had misused its authority to gather records in thousands of instances from 2003 to 2005. The new report from the inspector general will examine the bureau’s use of the records demands in 2006.

At the end of the day, this isn’t about any particular individual, nor even any particular violation of our constitutional rights.

It’s about addressing the systemic problems of the information age. There will always be threats to national security. There will always be the drive to get as much data as possible into the hands of a few, elite law enforcement agencies, capable of acting in the “public good”. And there will always be those individuals who break the rules, whether for good intent or malicious device. We don’t need conspiracy theories to point out the dangers of centralizing all the information about everybody.

What we need is an open-eyed approach to building information systems on user-centric principles, such as Cameron’s seven Laws of Identity. Do that and a vast number of systemic risks of the information age go away.

NewsGang talks data portability. Next up: Service Portability.

Excellent chat today by Steve Gillmor, Chris Saad, Mary Hodder, Karoli Kuns, Robert W. Anderson, Matt Terenzio, and Bruce Lerner about data portability. They get to the nitty gritty about data portability, licensing, and social networks. Perhaps the best Gang I’ve ever heard.

So, Steve, if you’re listening, take this to the next level and talk about service portability.

It’s great to be able to move my data from service to service. Data portability is a good thing–and we absolutely must address the licensing and privacy issues that cloud that horizon. We also need to be able to move our services from provider to provider.

We can do that today with domain names that we own. We can move our blog or our website or our email from one hosting provider to another. The next step is to extend that to user-controlled services that expose data on our terms, under our control.

Data portability lets everyone pass data around so different service providers can do smart things with that data. Ok. But we learned long ago that software systems are more robust, more scalable, and more maintainable when rather than exposing the data, you expose functions that use that data.

I don’t want people who email me to have direct access to my email data file on a server somewhere. That would be insane. I want them to have a well-defined, constrained, complete service interface for sending me email, no matter which service provider I choose. An interface that lets them reach me, but keeps them from reading and deleting other email.

Similarly, we need to take user data, place it in a personal datastore (yea! portability!), then provide specific, well-defined access services to third party service providers, using that data, where the user controls those services completely: what services are available, who can access them, and even who the underlying service host is. This is how email works. How websites and blogs work. Next is to take this to user-centric services with complete, seamless data and service portability across the entire cloud.

We know that we need to be able to move our email service from one service provider to another. We know that we need to be able to move our websites to the host of our choice. We know that we need to be able to move our cell phone number from one carrier to another. And we know that we need to be able to change our attorney of record, our doctor, our insurance provider, etc.

We also need to be able to move our MySpace profile and Facebook page anywhere, anytime, on our terms… not just the friends list, but the entire visual gestalt. We need to be able to move our IM and our Twitter services. We need to be able to move our search history from one search provider to another. Pick any service you have come to depend on and understand that dependence creates the need for liberation, the need to get that service on your terms with the provider you prefer, under your complete control.

Without complete portability–services and data portability–innovative service providers will corner markets with data silos and service lock in. Only with transparent, seamless portability, can we leverage the open market and open network to drive to the most desirable and most useful services.

The user-centric identity community is way ahead of the curve on this one, and I’m looking forward to the data portability movement re-discovering the architectural realizations learned the hard way by OpenID, CardSpace, Liberty Alliance, and Higgins, just as the identity community begins to extend from the hard core technology built for identity and starts working towards the applications that will connect ultimately to real value for real users. And it has all been learned and continues to be built through collaborative efforts toward real portability and interoperability at the heart of the infrastructure. In particular, XDI has made great progress hashing out exactly the sort of license-based identity-authorized data access that Steve talked about in the podcast. ProjectVRM is driving a user-centric approach to commerce in this conversation and I encourage folks to join us all at the next IIW unconference and to keep an eye open for a VRM workshop sometime later in the year.

Europe continues to lead privacy conversation with IP ruling

The EU is years ahead of the US in user rights and privacy. For a VRM example, see the UK’s Buyer-Centric Commerce Forum.

Now, according to the Washington Post, an EU judge has pushed the privacy envelope even further, saying “IP addresses are personal data”:

BRUSSELS — IP addresses, strings of numbers that identify computers on the Internet, should generally be regarded as personal information, the head of the European Union’s group of data privacy regulators said Monday.

This will be interesting to watch…

Intro video to OpenID

Here’s a nice, clear introduction to OpenID that Phil Windley blogged recently. If you are curious about all this user-centric identity stuff or have taken on the role of explaining OpenID to others, I highly recommend it.

The user is the platform of the future… Doc Searls @ LeWeb3

I love Doc Searls. Few people inspire the future as well as Doc, especially when he is on a tear. Here’s a delightful short (<5 min) romp in an interview at LeWeb3 in Paris about the future of the web and the critical importance of making user-centric open systems the core of a ubiquitously connected future. (Think VRM and The User As the Point of Integration)

A few gems:

What is meta about life transcends what is meta about electronics.

We have to look to solve problems for ourselves.

What really matters is our independence, our freedom, our ability to act on our own

Enjoy!

A world of claims, not facts

On the Social Network Interoperability list, Danny Ayers recently pointed to a great post, “The World is Now Closed” by Dan Brickley, with the following quote:

[From Dan Brickley:] So what am I getting at here? I guess it’s just that we need these big social sites to move away from making teen-talk claims about how the world is - “Sally (now) loves John” - and instead become reflectors for the things people are saying, “Sally announces that she’s in love with John”; “John says that he used to work for Microsoft” versus “John worked for Microsoft 2004-2006”; “Stanford University says Sally was awarded a PhD in 2008”. Today’s young internet users are growing up fast, and the Web around them needs also to mature.

This is fascinating. It belies an underlying hubris of much thinking in both AI and the semantic web. We often imagine that it is somehow possible to map out, understand, or process some sort of “objective” set of facts. Computer Science practically conspires to force this world view on its practitioners. When programming, we not only start with assumptions about data, we must concretize those assumptions so our algorithms have something to transform from input to output. “Fuzzy logic” and neural nets embrace ambiguity, but computer science on the whole lives in a world of clearly defined inputs and outputs. It literally forces one to think in terms of objective data.

But in the real world, nothing is that simple. Was Princess Diana murdered? Is OJ guilty? Is DNA evidence conclusive? These are legal examples, where ambiguity is argued to death in court so contestants can eventually move on with the rest of their lives, but what about love, betrayal, politics, or discrimination? Does he really love her? Did your business partner always plan to stab you in the back or is he actually still acting in what he believes is in the best interest of the company? Were there weapons of mass destruction? Did race or gender influence your hiring decision?

Answers to these kinds of questions can’t be reduced to facts. They can only be reduced to “good enough” approximations of facts.

This is particularly apparent, for example, in Freebase, a socially maintained structured “factual” semantic database which came out of Applied Minds and at least in part from the brilliant mind of Danny Hillis. Freebase is like Wikipedia on crack. Delightfully ambitious, it has set out to leverage the social editing power of wikis to construct a semantically and computationally accessible knowledgebase of everything worth talking about.

If we ignore for a minute that Wikipedia–and all similar social constructs–can never be perfectly accurate and instead accept that they can be exceptionally useful, then we can begin to see the allure of a socially edited and maintained database of facts such that a computer could query or reason over embedded topics. It’s a great idea and hopefully will create enough value by solving enough of the problem.

And yet, one can see in its “factual” hubris, the beginning of its fundamental limitations. Take for example the “type” associated with living people. There is a different distinct type for deceased people. There was a fair amount of discussion about this, but apparently rather than allow “people” to be either living or dead, it made more sense to separate the two types. Ok. It’s often easy to tell if people are really dead. But what if it isn’t? What if someone, like Steve Fossett, is lost and presumed dead? (That’s my presumption, anyway.) What about Amelia Earhart? What if an individual is brain-dead but still breathing? Do you wait for a definitive statement from a coroner? What if there is no body? The “factual” paradigm requires someone–or the collective someone of social editing–to make the call about whether or not someone is categorized as a living person or a deceased one.

And I have barely scraped the surface on religious “facts”. Both Freebase and Wikipedia (which is often the source used in Freebase) address this in part by shifting from “fact” mode into contextualized statements or claims. See Jesus and Mohammad entries in Freebase. Coincidentally, at the time of this writing the Wikipedia entry on Mohammad is locked to editing because of disputes. It is the nature of the most interesting topics to generate disputes, and yet these same disputes prevent us from asserting any sort of singular claim with any honesty.

The solution used in Wikipedia is to state that so-and-so religion claims certain things, for instance, about Jesus or Mohammad, and cite a source for those claims (and implicitly listing the editor who entered those claims). It is not clear yet how much these semantics will be captured in the underlying data structure at Freebase.

Generally, these factual databases and modeling systems (such as certain unified schema proposed by some proponents of the semantic web) implicitly require someone to distinguish what is fact from what is not, and often do so without clarifying that the asserted “fact” is really a “claim”, although the editing history at least allows you to know who made the claim. The systemic requirement that somebody decides what is “true” is patriarchal, Apollonian, and unrealistic. It enforces a top-down view on the world, even though we know as a matter of practical experience that there are many, many viable and interesting and rewarding competing world views. And yet, the architectural assumptions of Wikipedia are clearly making it difficult to come to terms with appropriate language to present “facts” about Mohammad.

Whether or not there is a classic objective reality in the Ayn Rand sense is irrelevant from a systems development perspective. What’s important is that there are numberless different and competing views of the world, stored in people’s heads, in corporate data silos, and soon coordinated in individual personal data stores. No one system can ever assimilate, aggregate, and accommodate all of those distinct datasets into a unified whole. Trying to do so is a fool’s errand and designing your systems to count on it is a recipe for an unscalable system.

Instead, what is important, in my not so humble opinion, is that the interfaces between as many sources as possible allow for fluid, low-transaction-cost, accurate engagement across the network, no matter who you are or who they are, moderated by appropriate rights management and identity access control, so each of us can seamlessly access the datasphere as broadly as we have the right to, as easily as if each data store were our own. Consider how most web browsers can access (mostly) all web pages. That ubiquitous access to different data fuels Wikipedia’s editorial preference for citing accessible web pages whenever making claims. That’s a profoundly simple and powerful model for engaging the world’s diverse data and communications needs. We just need to upgrade to sharable semantic interfaces and proper access mechanisms. Brickley’s comment on claims versus facts highlights a critical system requirement: the acceptance of ambiguity.

Clearly this is the kind of thinking that fuels much of my interest in VRM. Vendor Relationship Management still requires much gestation and care before it can truly be judged as a widely useful effort. But what it does in this crazy world where each data silo has divergent data and every vendor wants to own it all, is redefine the working context so that we can focus on what each individual actually knows and needs, which at least for that individual, for that customer, for that “monetizable opportunity,” is actually quite likely to be “right.” And since it is “right” for that closest dataset to that individual, it is likely to be right in a way that might create value for someone who can respond to those needs and for the person whose needs get addressed. We are working by focusing on the interface between these distributed systems, on the protocols that make networked semi-automated vendor-customer relationships work, not on any presumptions of fact or a globally rigorous index or model of all the world’s information.

Hence the incredible resonance of Dan Brickley’s observation about the relative value of “claims” versus “facts”. We can’t really know if a fact is true, generally, but we can convince ourselves that a given person or company or entity has asserted a claim. And by connecting the claim to a particular person or company, anyone relying on that claim can decide on their own whether or not to trust that entity or keep checking the facts. For most of us, most of the time, a handle for consistent claims is enough to weave together a shared set of expectations and understandings, which we can use in the face of a philosophically intractable inability to discern the “objective” truth.

Some of this is, of course, old-hat to those folks coming from the Identity world, where they already speak of “claims” and “assertions” rather than facts. And as such, VRM gladly claims that heritage and common sensibility. If you think about it, it makes sense in a vendor relationship. Who really cares what the “factual” price of an item is when you can find a credible vendor willing to offer that same item at a better price? That’s all about claims at the interface between the buyer and seller and all about how we, as individuals, relate with vendors.

The upshot: systems that represent claims of fact made by specific entities will be more robust and more useful than systems that simply represent claims of fact. And that you can design on.

Reputation as case-based Identity

Michael O’Connor Clarke on Web 3.0 and Personal Reputation Management:

I feel the need for some secure, personal repository that would hold all of my connections and “whuffie” together. I want to keep my whuffie in my wallet - but not in a Microsoft Passport/Hailstorm kind of way. Ack, no.

It should include most elements of OpenID, a lot of FOAF, and maybe some of the stuff being worked on by the Attention Trust people.

I want it in XML, of course, and I want it to be incredibly easy to implement and use, as secure as it possibly can be, and extensible without being completely unmanageable.

Naturally, I’d want everyone to adopt it – from eBay to Amazon, Facebook to Flickr, Google to Microsoft to Yahoo.

This is a VRM perspective on reputation and it makes perfect sense (and the rest of the post is worth reading as well).

This immediately triggered an insight: identity seems to be inseparably bifurcated between assertions and reputation, between the direct and the indirect, or in legalese, between the statutory and the case-based. The latter two terms I think are particularly useful.

Reputation is a critical missing piece in the Identity meta-system. The meta-system enables reputation–as infrastructure you can build reputation with it–but I have yet to see good, concrete thinking about how to capture, build, leverage, and work with reputation in a general way. It’s still fairly fuzzy, despite its criticality. It’s a bit like the World Wide Web as a commerce platform in 1992. Sure, you could see how HTTP and HTML could enable wide-spread e-commerce, but few grokked a future made of SSL, shopping carts, pay-per-click, and affiliate marketing.

Yet, I think that figuring out reputation is required to completely resolve the issues of Identity. Michael’s post focused on the isolated reputation silos at places like eBay and Equifax. And a personal data-store containing our transaction history, feedback, and ratings, is a great start for decentralizing identity, but doesn’t address what makes reputation distinct from other aspects of Identity.

Think about this missing piece as the distinction between statutory and case-based Identity.

I like this reference because it is a useful distinction in the U.S. legal system. Statutory law is what the government explicitly makes law, typically by legislative bills signed by governors or the President. It also includes local city and county ordinances and the like. These are explicit rules, formally enforceable in court.

Case-based law, on the other hand, is based on how the courts have decided to interpret the law, based on all existing applicable statutes and prior case law. It is essentially a case-by-case distillation of the entire history of the jurisdiction in the matter at hand. It requires analysis and evaluation of the entire set of applicable laws and prior judgments, and it is the ultimate arbiter when statutory laws are in conflict, such as when state and federal law disagree.

Think of Identity as a combination of statutory and case-based claims. Since identity, in the Identity meta-system, is the sum of all claims about an entity or individual, I think it behooves us to understand more clearly the distinction between statutory and case-based claims.

So, I’d like to introduce two new terms into the Identity conversation: “Statutory Identity” and “Case-based Identity”.

Statutory Identity

Statutory Identity is based on the explicit assertions of fact made about me by Identity Providers (IDPs) as to my true nature, e.g., that I am a Sun Microsystems employee (I’m not, btw), of a certain age, or a US citizen. These easily fit into the “claims” architecture of the emerging Identity infrastructure, and Relying Parties can readily judge the validity of a particular claim based on the authority ascribed to the IDP. For example, the Department of Motor Vehicles is arguably definitive regarding my right to drive, authoritative for my age, but not authoritative for my current employment status.

Case-based Identity

In contrast, Case-based Identity is built from the accumulation of transactions (historical facts) or assertions of opinion/judgment by others. It is emergent or generative and is more a matter of judgment than fact. It is our reputation, as rendered by a particular method or by a particular service based on a knowable and refutable set of data. For example, your credit rating is a construct of one of three credit bureaus; it represents their judgment about your creditworthiness. Rarely do these three sources agree, often because they base their judgment on varying data. Similarly, eBay generates its own reputation ranking based on feedback from transactions at their service. Both of these reputation architectures are (1) based on real transactions and (2) refutable through some appeals process.

The good news is that these underlying data points can readily be communicated via the Identity infrastructure. The bad news is that there is as yet no clear agreement about how to convert those facts into a reputation. Different folks have ideas, but we lack even a clear conceptual framework.

And yet, my identity is clearly both the factual statutory claims about me and the emergent reputation based on my history. While we have developed an architecture for the first, I think we are only beginning to establish a framework for the latter. Perhaps considering reputation as case-based identity, we can start to outline the components required for such case-based systems to work:

  • transaction data (potentially including opinions of others)
  • algorithmic evaluation
  • refutation process

These may not be the definitive requirements for a reputation system, but they seem to be present in the working systems I know of and are perhaps a good starting point.

For the record, I think it is an even bet as to whether or not personal opinions can be effectively integrated as “transaction history” in a case-based identity system, given the challenges of emotions, grudges, slander, and the non-provability of opinions.

It is also a near certainty that, for certain types of case-based identity, the user will never be able to fully control the data-set. For example, I could significantly improve my credit score if I had read-write control over that data-set. Unfortunately, that would render the current system completely ineffective. Perhaps a new one could emerge, but there are other domains, such as criminal records, etc., where an authoritative reputation requires a data-set with limited or heavily moderated user control–otherwise everyone would erase those pesky traffic violations.
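To make the three components listed above and the limited-user-control point concrete, here is a minimal sketch added as an illustration; it is not code from any existing identity system. The `Ledger` model, the percent-positive scoring rule, and all names in the sample data are assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    reporter: str            # counterparty that reported it, never the subject
    rating: int              # +1 positive, -1 negative
    status: str = "active"   # active -> disputed -> active | struck

@dataclass
class Ledger:
    subject: str
    moderators: frozenset
    records: dict = field(default_factory=dict)

    def report(self, actor, tx_id, rating):
        # Transaction data: counterparties append; the subject has no write access.
        if actor == self.subject or tx_id in self.records:
            raise PermissionError("subject cannot write; records are append-only")
        self.records[tx_id] = Record(actor, rating)

    def dispute(self, actor, tx_id):
        # Refutation, step 1: the subject flags a record but cannot change it.
        if actor != self.subject:
            raise PermissionError("only the subject may dispute")
        self.records[tx_id].status = "disputed"

    def resolve(self, actor, tx_id, upheld):
        # Refutation, step 2: a moderator rules; an upheld dispute strikes the record.
        if actor not in self.moderators:
            raise PermissionError("only a moderator may resolve")
        if self.records[tx_id].status != "disputed":
            raise ValueError("record is not under dispute")
        self.records[tx_id].status = "struck" if upheld else "active"

def evaluate(ledger, sources):
    # Algorithmic evaluation: percent positive over the reporters this service
    # sees. Disputed records count until struck, so a dispute alone erases nothing.
    seen = [r for r in ledger.records.values()
            if r.reporter in sources and r.status != "struck"]
    return round(100 * sum(r.rating > 0 for r in seen) / len(seen)) if seen else None

def sample_ledger():
    # Constructed sample data; all names are made up.
    led = Ledger("alice", frozenset({"arbiter"}))
    for tx_id, who, rating in [("t1", "shop_a", 1), ("t2", "shop_b", -1),
                               ("t3", "lender_c", 1), ("t4", "shop_a", 1)]:
        led.report(who, tx_id, rating)
    return led
```

Two services that evaluate different subsets of reporters return different scores for the same subject, which mirrors the credit-bureau disagreement described earlier, and only a moderator's ruling changes what counts.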

Any suggestions for other elements in a good case-based identity system?