Session 3: Who’s identity: starter for ten

Audio from the session
[audio:http://www.jisc.ac.uk/media/avfiles/events/2008/07/session3e.mp3]
To downlod the MP3 click here

A frenetic and energetic ‘goldfish bowl’ debate touching on key issues of access management and identity. Starting off as a discussion of the benefits of OpenID systems compared to university imposed identities, the debate moved around the challenges presented by Facebook, identity theft, permanent online records (and the way these can affect personal and institutional reputations) and moved towards a conclusion in which it was suggested JISC could perhaps help set up a framework and comprehensive cross-discipline debating space in which guidelines on personal conduct and control of identity systems might be laid down.

[A small blogger’s note: This debate moved so fast that I missed a few delegate’s names… If you recognise yourself here and want to assert your ‘identity’ online (instead of being labelled as delegate one, two, three etc) do leave a comment below and it will be fixed… I’m also more than happy to consider any other factual etc changes that you think should be made… I’d hate to misrepresent anyone’s online ID, after all… Sam]

First:

The rules of the Game

1. Only delegates in the central chairs may speak
2. Delegates wishing to speak tap the shoulder (gently) of one of the two central debaters.
3. Once ‘tapped’ the seated person must immediately return to the outer ring (no last minute arguments)
4. The new person takes the seat and makes their point / response.
5. The other seated person is given the opportunity to respond, then can be ‘tapped’
6. If no individual wishes to respond to statements a ring delegate may ‘tap’ and of the central delegates and declare a new topic/ statement… Please make it contentious.
7. Debate continues.

If someone is deemed to be dominating too much – or indeed being nasty – there are penalty systems:

Yellow card – Prevented from participation for 10 minutes
Red card – Prevented from participation for 20 minutes

The room is crowded, laptop wires have been carefully positioned so that they don’t trip delegates dashing for the central chairs.

The discussion could go anywhere… We’re starting on identity issues, but as has just been shouted from the floor it could move all over the place – even to ‘geek bling.’
The card system is causing much amusement, some delegates suggesting that they may take it as a challenge to achieve a red card…

And then James Farnhill from JISC opens the proceedings in the role of Devil’s Advocate: Why not use OpenID instead of the UK federation?

Nicole Harris, JISC: OpenID doesn’t work in an institutional context.

James Farnhill: But I’m a researcher and want to share stuff… … And want the repository open to everyone. I don’t want to have to bother with this federation and filling in forms…

Nicole Harris: If you want to carry institution ID and want to assert yourself as part of your institution you have to work within their systems. They don’t have the capability to manage OpenID at the moment.

Shirley Williams, Reading: Surely ID is about what you present to the rest of the world rather than your logon details.

James Farnhill: But with OpenID I manage what I present…

Shirley Williams: But that’s your details, not what other people see of you. Your ID is surely you, not what you sign on with – and the fact that you have different p’s for each place.

James Farnhill: Fair point. But with open ID I can tie in so many parts of myself – blogs and similar…

Shirley Williams now brings up the point of the issues relating to being friends with students on Facebook.

James Farnhill: It’s an interesting question. Do students want you to be their Facebook friends? Do they want tutors in that world or do they want separate areas…

Shirley Williams: I adopt the policy that I would never ask a student to be my friend, but if they ask me, I let them see my limited profile so we can communicate in that way.

[The first shoulder tapping sees Scott Wilson from the University of Bolton take Shirley’s chair]

Scott Wilson: I’m bored of Facebook! We talk as if there only two categories –what about SMEs and similar…Is OpenID a good way to bring in other systems?

James Farnhill: Yes… The question of how you bring things together is something we’re struggling with. What happens if people want to talk with, say, AstraZeneca, but only within their specific research group. There aren’t easy answers, to be honest.

Scott Wilson: What about people who don’t have formal relationship with institutions but are carrying out work and projects with them?

James Farnhill: Working with businesses in a wider context is something we’re looking at. As well as how to understand the model of engagement.

But does anyone want to tag me – I’m sure everyone’s sick of me…

Mark Stubbs steps up and says: I’ve got a similar situation in that I’ve got students who have a mentor in school where they’re in placement. How will OpenID help them?

Scott Wilson: Does the school HR system have the right to request certain materials?

MS: Do I have a duty of care to the students about who has to be their mentor?

Scott Wilson: It’s a really big issue. We take all these rights about the granting of information for granted… When we use technology to bridge these things — rather than phone-calls and similar — it becomes important to make the barriers explicit.

David Chadwick, University of Kent: I think we need to emphasise that identifier and identity are completely different. No two people can have the same one identifier – and it’s a computer algorithm… Identity is different. It’s not a unique number – it’s a whole group of things – like hair colour etc.

Scott Wilson: We have to be careful how we define identity…

[There follow computer definitions of identity and identifier, narrowing down the specifics for the argument… it gets confusing and semantic!]

David Chadwick: My name is an attribute of me.

Scott Wilson: You can argue that.

[laughter from the floor]

David Chadwick: I do! My attributes that make my identity are separate from my identifier. Every property that is a property of me is asserted by someone… The person who makes that assertion could be me… For instance, if I say what my favourite drink is… Or it could be something external like a degree certificate.

Scott Wilson: So you can validate it…
David Chadwick: If you don’t validate it, then I am the queen of Sheba. You never want a system on which you take attributes on trust…

Scott Wilson: Flickr, Yahoo, Google. Do you want a list? They work!

David Chadwick: But once you introduce value into the transaction, you need to have trust.

Scott Wilson: But in some cases you really don’t need to identify the individual.

David Chadwick: Perhaps their OpenID can be their identifier if they prove it belongs to them… But there’s a flaw in the model, in that OpenIDs can be recycled and granted to different people… Identifiers die and that’s a big problem. Attributes don’t. To get a degree certificate ten years later, they have to have authentication methods… If they had kept my login in perpetuity and I had remembered my password, we wouldn’t have to go through that process.

There’s a JISC project that allows users to take their identifiers and say they all belong to me… So the service providers know that various identifiers belong to individuals.

Martin Locock, National library of Wales: Do people have the skill sets to manage their profiles in all these clever ways or do they end up releasing stuff they don’t want to reveal to the public? It requires sophisticated choices.

Scott Wilson: Well, quite – and you’re talking to the right man. At my organisation the term ‘Scot mail’ is used to refer the habit of using ‘reply all’ on a large list about an inappropriate topic…I’m definitely guilty of making that mistake. Managing identity is going to be a big issue in the future. Take the issue of doctors… Does it matter if the GP has a public profile on Facebook with all kinds of goings on on it? Does it detract from or enhance his profile? Round him out as a human or make him look bad?

Martin Locock: It’s easy to say the Google generation know how to do it – but sometimes they can be naïve.

Wilbert Kraan JISC- CETIS: You could say they acquire that skill when they’re young by getting burned a couple of times. Better when they’re young than starting their professional career. So long as the circumstances are reasonably limited.

Nicole Harris: I agree – but we have a duty and accountability – to look out for those people when they make those mistakes.

Shirley Williams, Reading: There’s a book (The Future of Reputation by Daniel Solove) that explains how people’s reputations have been damaged by very simple things they did. Learning by mistakes is okay – if no one notices. But if it’s recorded, it’s there forever.

[Editorial note: You can read Shirley’s review of the book here: http://redgloo.sse.reading.ac.uk/ssswills/weblog/2520.html .]

Nicole Harris: And it’s not just you. It can impact on institutions and national level deals… And the whole sector. If a student makes a mistake there can be a bigger range of impacts than simply personal ones.

Scott Wilson: To take things in another direction: What happens to my identity when I die?

Nicole Harris: That’s a really interesting question. There’s actually a project running called ‘The Dead Professor Project’ . There are professors who died years ago who still have web presence… But the identities can’t be passed on in ways other people can use. The British Library have a project trying to work out how to capture all this material too.

Sean Melan: I’m confused! If somebody comes along and is a user in my system and leave that identity, as a good manager I should get rid of the ID and ensure no one can steal it. If someone else can assume it, it’s bad management.

If I die, my relatives will want access to my assets – and some of these would be digital. Can’t they prove that they are entitled to those assets? So where does the problem lie?

Nicole Harris: But the problem is that if your identitifer is still online

Sean Melan: That’s bad management! But it’s like books in the library – they don’t disappear when I die. Nor should my blog material.

Claire Davies: My husband had a friend who died young, but his Facebook account is still running.

Sean Melan: That’s disturbing. It’s a policy decision that the service provider has to take. But it’s not the question of using identity to gain access to assets. We shouldn’t try to re-identify the problem. You wouldn’t pose as me to gain access to my bank account, so it should be like that with digital ID.

Paul Walk: I had an academic colleague who died suddenly and I carried on a correspondence with his assistant (thinking it was him), for two weeks afterwards (not knowing he had died) which was very weird.

The great experiment with people’s identities is a risky dangerous area. There are areas we need to tread carefully.

Sean Melan: There is risk. But there’s risk in the physical world as well. We have to take that on board.
Delegate 9: The biggest problem we had was dirty data. There was no way of running a program… We’re having to do the whole thing again. Government systems have dirty data. There are more social security numbers than people in the country.

Nicole Harris: One of the problems is that so many people have so many different unique identifiers… And there become questions of how unique are they. How do we make them work together?

Claire Davies: What will happen when users start to worry about what they release to their institutions.?

Nicole Harris: It’s interesting to see how students will relate to their IDs in future. And whether the institution should manage student identities. Do we need to impose on them for purposes of, say, exams – or should they have a right to pick their own IDS as our customers?

Claire Davies: There are some very personal questions that they might not want released too.

David White, Oxford: At a recent conference there was a discussion of bank account details and questions of say the names of first pets, like you input to verify your bank ID – being given away on Facebook. But it emerged at the conference that some people will for that reason lie to banks or similar about their mother’s maiden name to protect themselves. Younger students seem to be doing this especially… The new problem comes in managing those lies…

Scott Wilson, now choosing to identify himself as Donald Duck, Orlando: Dirty data is really interesting. It generally occurs where people don’t care. And so in a sense, it doesn’t matter. Or seems not to. But universities collect all this information that they don’t use or care about, because they don’t use it…

David White: And by collecting, you create a risk: it’s written down somewhere… Perhaps we should collect less of it. Especially since lots of it may now be lies.

Scott Wilson: There’s so much of a drill down into data… But maybe we should roll up some of this dangerous material. Cory Doctorow described all this material in The Guardian as being ‘radioactive’.

Melanie King, Loughborough University: I’ve changed my name several times over the past few years, for various reasons… And it gets very complicated. It seems that who I am now is an audit trail of previous identities.

Scott Wilson: A colleague of mine got married recently, but kept her original name for purposes of professional identity.

Wilbert Kraan: We are used to using one attribute as the identifier, which really does cause problems. In this country it tends to be the case that what you call yourself is what you use in official correspondence. But in Continental Europe that isn’t necessarily the case. What is recorded in your birth certificate isn’t necessarily what you call yourself.

Melanie King: I heard that in Sweden you’re given a unique ID when you’re born.

Li Yuan: I’m from China so have a different perspective. All my records have been transferred with me from primary to secondary school – and then on to work. All your life, you can’t make mistakes because it’s all recorded in the file that follows you around.

Wilbert Kraan: But how much control do you have over the release of that data to your employer.

Li Yuan: I can’t control anything. I can’t open it. I have to hand over my past to my new employer. Good and bad.

Wilbert Kraan: Is there any way you can appeal the things that are in it?

Li Yuan: I’ve never thought about it.

Wilbert Kraan: What about control of who asserts the facts? Whatever your teachers and similar thought may bear no relation to reality as you see it.

Li Yuan: Possibly. I don’t know, because I can’t open it. But it motivates you because you know the good follows you around and the bad – so you have to be on the ball.

Wilbert Kraan: But what if someone lies about you?

Li Yuan: Well if it stops you getting a job, you can be told the reason, you can appeal.

Wilbert Kraan: So you can appeal on the decision but not on the information that’s there.

Li Yuan: That’s right, because you don’t know what’s in it.

Wilbert Kraan: I guess we’re not all that far off here. It’s just that it’s not in one file. If you can link all the various sources of information… and you can’t appeal those either.

Scott Wilson: When I hear about eportfolios promoting honesty, date management issues, it sounds very similar. For good intentions, people go down similar routes.

‘John Smith’: As a tutor, I hear people telling me to be careful out there… It’s a scary world. I think I’ll close my Facebook account…

[Floor, as one]: You can’t!

Scott Wilson: There’s a culture shift on privacy. Whether it’s generational, who can say. There are attitudes that everything will come out anyway and it’s about spin. And there are attitudes that you must protect privacy.

‘John Smith’: At what point do I become individually liable?

David White: There seems to be a difference between your identity from the point of view of computer systems and administrative ID. There’s a difference between trust in the sense that that’s my bank account and the sense that that blog post was written by me and it’s saying something ridiculous…

Some people forget that they’re expressing their identity and forming a reputation for themselves in very public spaces. I have a friend who writes a blog about his baby – and then was surprised that I read it…

‘John Smith’: As a tutor who doesn’t know the technology, I feel I’m in the dark. I don’t know the rules about how I express myself on Facebook and similar.

David White: My advice would be to think about what you write… If you make a mistake, people will find about it quickly. But as long as people know that, it’s a fair playing field.

Shirley Williams, Reading: Who should be advising our students about these issues? Should we?

David White: Why not?

Shirley Williams: Several years ago, a student of mine posted ‘I am a moose’ on Blackboard… Should I have given a seminar on why he shouldn’t have declared that to everyone.

David White: I think we’re in a short window where people aren’t yet aware of these issues. People will catch up with the technology soon.

Simon Whittemore, JISC: We need to make a clearer distinction between the Facebook world and university world. It’s in the interest of Facebook to have maximum traffic with minimum responsibility. It’s not in the interest of institutions.

Scott Wilson: I was an editor of a newspaper at University. And I had to be careful not to create new problems. Universities have been very naïve in terms of media use.

Simon Whittemore: Often technologies are adopted before the processes are properly thought through. You need to decide what and why you want to collect.

Scott Wilson: It’s back to the question of how much institutions have a duty of care.

Simon Whittemore: There’s a whole range of new skills that need to be worked out.
Sean Mehan: We’re now pushing towards a very interesting place about the technological aspect… Where should that debate be taking place. I don’t see a national discussion about how to inform students and similar about what they should be concerned with. Would that be a plank JISC could push out on a national level?

Scott Wilson: Yes, I think it would be very useful. There isn’t a single place for this discussion at the moment. In the field of medicine, it’s increasingly nuanced, but it has to be applied further. It makes sense in disciplines where there is a professional body… It needs to be applied further….

And that was the end of the debate as time ran out… On a suitably forward-looking note.

8 thoughts on “Session 3: Who’s identity: starter for ten

  1. Martin Locock

    Some thoughts on the goldfish bowl technique:

    it would have been a good idea to start with a three-minute introduction of what issues it was hoped to explore

    it would also be handy to have a recap every 10 minutes or so of what we were talking about

    it was very tiring concentrating so hard: a break after an hour would have been more productive I think

  2. Martin Locock

    I haven’t been able to find any more info on the “Dead Professor Project” mentioned by Nichole Harris: anyone got a link?

  3. Pingback: JISC Access Management Team » Blog Archive » No, I’m Spartacus

  4. Pingback: Skills Plus, e-Portfolios & PLEs « A Brand Called Flea: Digital Identity

  5. Pingback: Digital Footprints… « A Brand Called Flea: Managing Digital Identity

Comments are closed.