Social aspects of interoperability in identity management

Dr. Martin Meints and Martin Rost, ICPP 

 

The aim of this chapter is to investigate, from a social perspective, how interoperability in various communicational contexts is supported by the different types of IMS. For this purpose we look at the formalised and interactional types of communication provided by social systems. As a result we gain an understanding of the communicational contexts in which interoperability is supported and by whom, and of where obstacles to interoperability or special aspects of it can be observed.

 

This chapter uses:

  1. Social systems as they are described in D5.2 and D2.3,

  2. The model of authentication / authorisation in social systems as described in D5.2,

  3. The three defined types of IMS as described in D3.1 (chapter 3).

 

To enhance understanding and readability of this section, the mentioned terms and models are summarised. 

 

Authentication and authorisation in social systems 

 

From a sociological point of view, the specific identity as “person” is a construction arising from a specific situation, which in turn is mainly shaped by a specific social system. Sociologists model at least three types of social systems:

  1. Interactional systems (forms of community in which participants are not subject to documented rules, but in which schemes nevertheless apply; examples are neighbourhood, friendship, spontaneous encounters),

  2. Organisational systems (characterised by membership and the effective production of decisions; examples are public bodies, institutes and companies),

  3. Functional systems (economy, law, politics and science as “self-conducted” communication systems).

 

Functional systems are characterised by communication that has specialised functionality. Organisations have to be connectable to all four functional systems, but normally have a main emphasis on one of them: 

    1. Economics: payment / non-payment; programme: price; generic person: e.g. “client” and “employee” 

    2. Law: legal / non-legal; programme: laws; generic person: e.g. “citizen” 

    3. Politics: power / non-power; programme: political programmes; generic person: e.g. “responsible citizen” in the meaning of the French term “citoyen” 

    4. Science: true / false; programme: theories and methods; generic person: e.g. “the human being” 

 

Some authors discuss religion (immanence / transcendence; programme: religious programme; generic person: “priest”, “member of the community”) as a further functional system.

 

Sociologists understand social systems as a pool of schemes, events and communicational components which are used by persons. The thinking of persons taking part in communication is guided by the components provided within the appropriate social system. The different types of social systems use different addressing modes to link these communicational components. 

 

The social subsystems reproduce particular patterns of communication that have particular social functions (e.g. the above-mentioned generic persons also correspond to typical roles within these systems). These functions, in turn, generate pointed sense horizons for organisations, which create particular sets of expectations (role conformity as “client”, “citizen”, “responsible citizen”, “human being”) for the persons acting in them. 

 

When communication in social systems starts, the participants run through a procedure of authentication and authorisation, albeit informally at times. We therefore understand interoperability between the participants of the communication as an essential requirement especially in this start-up phase of communication. Authentication / authorisation have three dimensions: 

 

  1. The social dimension (concerning social systems and roles taken therein) 

  2. The personal dimension (concerning personal identity) 

  3. The technical dimension (concerning technical support for authentication / authorisation). 

 

The procedure of authentication / authorisation runs through up to four steps: 

  1. Authentication - determination of the social system and functional system 

  2. Authentication - role taking / role making

  3. Authentication - personal identification / verification 

  4. Authorisation - determination of the rights a participant is granted and the requirements he has to meet 

 

 

Types of IMS 

 

Looking at the market of existing IMS, prototypes, concepts and IM-related tools, we find several approaches towards IMS which differ, for example, in: 

  1. Procedure of management (by whom? which operations on data are possible?) 

  2. Type of managed data (person-controlled or organisation-controlled data? comprehensive profiles or a selection of roles or partial identities? anonymity or identifiability?) 

With respect to these properties, we observe three main types of IMS explained and further investigated in Deliverable 3.1: 

  1. Type 1: IMS for account management,

  2. Type 2: IMS for profiling of user data by an organisation,

  3. Type 3: IMS for user-controlled context-dependent role and pseudonym management.

Interoperability of IMSs with respect to social systems 

 

Depending on the type, IMS act as a bridge function for the managed identities, from the point of view of the organisation itself (type 1 IMS) or of the roles (e.g. “member”, “client”) taken by persons in various social systems (type 3 IMS). The interoperability aspects of some of the generic roles within social systems are discussed in detail below. In this context we do not further examine the personal dimension of authentication / authorisation with respect to interoperability. The reason is that the personal dimension depends on the content of the communication and on the related security needs, especially those of organisations, and thus cannot be defined in general terms.  

 

One example might be a customer of a shop (social system: organisational system; functional system: economics) purchasing something. If he pays with cash, no personal authentication is required; he stays anonymous throughout the communication and the subsequent transaction. If he uses a credit card, he is additionally identified (and authenticated) personally.  

 

Organisational systems: 

 

Role as “member”: Members get access to information that is highly important for internal decisions and can thus be more or less confidential (e.g. protected by law: politics and law; trade secret: economy; internal rules: religion). For higher security requirements, organisation-specific authentication systems that are not usable globally can be employed (e.g. using special, uncommon tokens, ID cards, biometrics etc.).

 

It could be argued that interoperability (social and technical) with other organisations or clients is often neither a main emphasis nor especially desired. The bridge function of IMS cannot easily be performed even where it is needed, e.g. in a network of trusted organisations. 

 

As a result we see much expenditure on creating special solutions of type 1 IMS to resolve those problems. In addition, the development and maintenance of personal trust among key members of the participating organisations, the social network within the cooperation, is a key factor for success for the whole network. Commercial needs and the possibility of considerable financial investment create the potential to overcome the social and technical hindrances of interoperability.

 

This does not apply to scientific functional systems as long as the results of the research are consolidated and published and no commercial use (e.g. through patents, licences etc.) is planned. In this case, open scientific discourse is a standardised method for generating and exchanging knowledge. If commercial use is planned, these systems clearly belong to the category of commercial systems and experience the same hindrances to interoperability. 

 

Role as “client”: To reach as many potential clients as possible, organisations need universal addressing and authentication systems. As a result we often see socially accepted, simple and generic authentications using three or four observable steps. Authentication is often simply role-based (e.g. the customer entering the store is not personally authenticated as long as he pays cash). If personal authentication is necessary, commonly available IDs are used, such as a credit card number, an assigned or chosen username / password, an identity card, or a PIN.

 

Interoperability (social and technical) therefore is a main emphasis for organisations with respect to their clients. The bridge function of IMS can easily be performed. 

 

As a result of the social acceptance and the easy, universal use of these authentication systems, combined with strong authorisation, we often observe vulnerability to identity fraud. In turn, the introduction of new, commonly used and secure IDs, such as biometrics in passports, or the use of PKI, is not an easy task. Over and above the investment in infrastructure, gaining the acceptance and trust of the user is always a major task within the enrolment process.

 

Type 1 IMS and many tools and systems of type 3 are available. The lack of central organising forces for the development of type 3 IMS, from the perspective of the many clients of various organisations, leads to numerous insular technical solutions. These are mainly caused by the lack of technical standards (e.g. for the integration of PGP in various mailers).

 

Interoperability (social and technical) between one or more clients and various organisations is hindered by the lack of central organisation and financing. 

 

Interactional systems: 

 

In view of the informal and oral way of communication, authentication of participants is not typically supported technically; authentication with respect to certain expectations within a relation between two persons such as friends is done visually and over a longer period of time in which informal communication takes place.

shares in informal communication such as written communication, technically supported login to access the internet and so on. Following the traditional understanding of interactional systems, identity management is mainly directed at this organisational aspect of informal communication, such as address (role: citizen), telephone number (role: client of a telecommunication provider), e-mail address (role: client of an ISP). But in these cases the informal content of the communication when using a chat room, blog or avatar is not connected to the formal, organisational exchanges (such as the login to access the internet). One reason for this is that there is no direct link between the login procedures to use the internet and the authentication / authorisation procedures within interactional digital communication platforms. What remains as a core difference to the traditional understanding of interactional systems, springing from the technical communication platforms, is written communication and the absence of physical presence. In this context a new description of the borderline between interactional and organisational systems might be necessary.

 

Operators of technical systems acting as platforms for informal communication have the same need for simple and universal addressing and authentication as organisations have towards their clients. The technologies used to authenticate are in many cases very similar and thus directed towards compatibility (the technical part of interoperability) between operator and client. These platforms in particular delegate the making of roles (e.g. “the evil” in an avatar), while organisations typically “make” (create, form, shape) roles themselves (e.g. the customer or supplier formed by an enterprise), together with newly designed or adapted behavioural schemes. Apart from general guidelines such as insults being forbidden, interactional platforms do not provide the well-defined behavioural schemes that are typically found in organisational systems. Instead the social dimension of authentication, and thus of interoperability, takes place among the users of such a platform. The technical part of interoperability, compatibility, is needed between the operator of the platform and the clients (users), while the social part of interoperability mainly takes place among the users themselves.

 

In this context we can see a clear dichotomy in interoperability between the two types of systems. For example, the formal roles of the organisational type presuppose informal rules of the interactional type. In the next section we discuss the impact of interoperable IMSs on privacy. 

 
