The Problem of the Ambiguous Digital Self

Following last week’s foreward, The Mask-Off Moment for Digital Identity, this is the first of ten key findings from the largest (and perhaps most consequential) report to date, The Digital Identity Event Horizon.

If you or your organisation are interested in collaborating on a case study, or if you have any questions about this work, we’d love to hear from you, via email or Signal.

^[1]“An identity is a set of attributes related to an entity.”^[2]

In 2019, ISO ratified ISO/IEC 24760-1:2019 with an authoritative definition of digital identity. This is the standard most often cited by institutions. While technically accurate—an identity can, in fact, be a set of attributes related to an entity—the phrase is both definitive and remarkably empty: it says as little as possible, as broadly as possible, and appears to be designed for as many stakeholders as possible. It is also incomplete; as a product of Western rationalist tradition, the ISO definition both denies other forms of identity possible within digital systems, and ignores how digital identity shifts when it is perceived or interpreted by a system. A cynical reading might suggest this emptiness is deliberate: by saying almost nothing, the standard grants vendors and governments carte blanche to claim compliance while ignoring substance.

The ISO working group included representatives from Microsoft, Oracle, IBM, and major defence contractors^[3]—entities whose business models depend on definitional flexibility. By crafting a standard that says nothing while appearing authoritative, the resulting ambiguity-as-technical-guidance creates a grey area in which any and all forms of digital identity can be projected. In practice, this is, perversely, what makes the ISO definition so useful: it is the empty centre around which everyone in the field improvises.

Over four years of research into digital identity, and having reviewed hundreds of definitions, we found that authors, researchers, policy-makers, and systems designers regularly include a definition of digital identity that satisfies their immediate motivations, interests, objectives, or political context. The irony, of course, is that this is true even of this research project. In order to interrogate the first principles of digital identity against the three problem statements, we require our own working definition of digital identity.^[4] We have yet to uncover a reliable, universal, or authoritative definition for digital identity. Points of contention remain: the inclusive nature of digital identity, the limitations inherent to digital identity, and the classification of digital identity as conceptual or material. This key finding has vast implications for how digital identities affect the wider world.

In The Great Enabler: Transforming the Future of Britain’s Public Services Through Digital Identity (2023), Kirsty Innes, Jeegar Kakkad, and Ryan Wain of the Tony Blair Institute for Global Change described digital identity as inherently self-sovereign:

“There is no way for individuals to control how information is shared between different parts of government. By contrast, well-designed digital infrastructure would give people control of their data, make it easier and quicker to prove their eligibility for needed services and, in turn, allow those services to be personalised to individual needs. This digital infrastructure would need to be developed and delivered in close collaboration with the private sector and civil society.”^[5]

Echoing other governmental advisors and think tanks, the authors invoke the taxonomy of financialisation (in this case, wallets) as the core vehicle of digital identity transactions between users and service providers: “The wallet could be used to gain access to personal data held in various parts of government. People could also use it to agree to privately and securely share data to produce collective aggregated data sets that could be used to draw insights about all sorts of government functions and services.”^[6]

In contrast, Thales Group, a multinational defence and infrastructure contractor, describe the plurality of digital identity and define the concept strictly within the bounds of existing digital protocols:

“The most common form consists of an email address and a password to access different online services. In this case, they are not verified and, therefore, not trusted. It is critical that user identity is verified and trusted when it comes to sensitive services such as government, financial services, mobile communications and a whole host of others.”^[7]

From their perspective, the ideal digital identity is immutable and trusted:

“A trusted digital identity provides the ability to prove that the person or device trying to access a service is the one for whom the service is provided, and is vital to the development of online services and seamless experiences when interacting in digital space.”^[8]

What counts as a digital identity changes drastically, whether driven by the whims of market forces or technological trends. Since the release of ChatGPT, and other machine learning large language models, digital identity has been redefined as an assistance tool to be leveraged in online interactions on behalf of a user. This trend was observed both in the wider landscape of digital identity and amongst research participants. For example, one participant described a desire for large language models to represent users in healthcare negotiations:

‘For an elderly population on social insurance, expecting them to pick up their smartphone, and negotiate identity sharing and consent when they’re just trying to get a prescription refill, those are all present challenges. And where I’ve been involved in discussions in the U.S. specifically around consent […], to say how are you consenting to share your data within the confines of how it’s kept right now? Consent solutions can be complicated, and we worry about consent fatigue, where a system comes back and asks me 30 questions […]. And I think anyone of us would just go default yes after a while because we’re trying to watch a movie and we don’t have time to answer. But at that point, we have to consider: where does autonomous AI and personal AI assistance come in to do some of that heavy maths and give you in plain language: “we think that it’s okay to share X, Y, and Z. We recommend you share it for this period of time.’”^[9]

In the wider landscape, examples of large language models acting as identity representatives abound—if greeted with incredulity. In 2024, Zoom CEO Eric Yuan claimed users would represent themselves in white-collar meetings via AI clones that mimic their identity and can be entrusted to make decisions on their behalf.^[10] While widely ridiculed, the AI tech scene is awash with competing products and platforms making similar claims: where the service is positioned as a digital extension of the self.

Historically, there are a number of examples of revisions redefining digital identity in response to market forces. Perhaps the most dramatic is the surging popularity of the iPhone throughout the 2010s, which in turn influenced socio-cultural and academic thinking around the conceptual relationship between digital identity and the self. In many cases, the definition of digital identity, in the 2010s, was constantly shaped by the capabilities of then current-gen smartphones. In Discourse, cybernetics and the entextualisation of the self, Rodney H. Jones describes digital identity as the entanglement of hardware and the quantified self:

“Historically, digital identity has been partially entangled with hardware, particularly smartphones. More and more I find myself emotionally attached to my iPhone, not so much as a communication device, and not as a physical object that expresses my identity and social status […], but, rather, as a ‘servomechanism’, a means for receiving constant feedback about my physical and mental well-being.”^[11]

Alongside policy think-tanks and technology platforms, academics and researchers have often defined digital identity through the immediate context of market forces, personal motivations and other trends: in The Stack: On Software and Sovereignty, a text published at the peak of the 2015-era smart city and internet of things hype-cycles, Benjamin Bratton defined digital identity as part of an esoteric ‘planetary-scale computation.’ Here, Bratton haphazardly assembles digital identity via layers of ‘Earth,’ ‘Cloud,’ ‘City,’ ‘Address,’ ‘Interface,’ and ‘User,’^[12] a set of properties that (coincidentally) correspond neatly with the data dependencies of the smart city and internet of things.

Yet even market-driven definitions contradict each other. In a subsequent chapter, Christoph A. Hafner offers a definition of digital identity that directly contradicts both Jones’s and Bratton’s data-driven self. Hafner instead defines digital identity as a ‘second-self,’ a performative avatar that a user iterates over, making changes to the content of the identity during its lifetime: “As with other online spaces, virtual worlds provide an opportunity for users to create a ‘second self’ (Turkle 1985), with the potential to establish a ‘fresh’ identity (or set of identities) online. The conception of identity that is invoked here is informed by a sociocultural perspective, which sees identity not as a fixed, static entity but rather as something that is fluid and evolving.”^[13] Although offered within the context of video games, this kind of definition can just as easily metastasise into policy initiatives: at the height of metaverse hype cultivated by incumbent technology companies in the early 2020s, the particular user-centric definition of identity offered by Hafner and others had a brief surge into the collective consciousness. Wholly incompatible with competing concepts of identity that demand cryptographic integrity and trust, the metaverse’s version of digital identity was nevertheless embraced by policy-makers at the European Commission in a short-lived and ill-conceived ‘Web 4.0’ programme that promised to bring ‘societal progress,’ ‘virtual public services’ and a ‘metaverse industrial ecosystem’ to Europe.^[14]

This is the grotesque circularity of the digital identity field: definitions are retrofitted to justify whatever technology venture capitalists are currently funding. The European Commission’s embrace of metaverse identity—a concept that actively contradicts their own privacy legislation—exposes the intellectual bankruptcy of institutional digital identity advocacy. Policy-makers do not seek coherent identity frameworks; they seek technological legitimacy for whatever Silicon Valley is selling this quarter.

As the wider world struggles with incompatible definitions of digital identity, this very conflict was represented directly within our qualitative participatory research. When prompted with the opening interview question, in which the researchers asked, ‘What is your definition of digital identity?’, no two research participants provided a definition that could be described as aligned with another. Participants instead offered individualised definitions that, over the course of their interview, suggested strong influence from their occupations, their interests and political convictions.

“Digital identity is a way for me to prove who I am so that I can update or log into a product or service. I have an Apple ID that I got around 2002 and I have a whole host of products and services associated with that, and now it has expanded to a family plan that includes my children and my ex-partner.”^[15]

“Digital identity is something that an individual controls that represents their digital persona from the individual standpoint. It can have as many characteristics as they deem necessary to define themselves in a digital context, like their name, date of birth, and other information.”^[16]

“Digital identities are leveraged in everything from presentational layers – like the positioning of oneself as an artist and assembling a performative identity that’s legible online – to your passport. And also everything in between.”^[17]

“To me, digital identity is the mechanism by which you gain access to digital resources, and the mechanism by which you grant access to digital resources. I do not consider that a complete definition, but at the end of the day, I think that is the operational definition that matters to most people: the idea that I gain access to systems and information and can grant access to the same.”^[18]

“This is one of those things that’s really hard to overstate. I mean, digital identity is literally everything, right? Because if an attacker can adopt an identity, then there’s no limit to what they can do.”^[19]

“Digital identity is a gradient of assurance, it is not a singular concept or even context. It’s a function of perception and requirements that starts with my innate self, that then is assessed against some other counterparty requirements. It’s much easier for me to define what is not digital identity.”^[20]

‘Digital identity’ can thus be considered an umbrella term that describes both an abstract derivative and a forensically-sound representation of an individual, and everything in-between. Furthermore, the term refers to many parts of a digital system simultaneously; the presentational layer, the protocol (and its infrastructure), cryptographic primitives used to protect an identity or communication between two entities, or even the service providers accessed by a user. The immediate outcome of such a core ambiguity is a flattening of complex relationships between individuals into a simplified shorthand.

At the same time, the motivation to separate different layers of digital identity in pursuit of a universal definition creates new issues because those layers are enmeshed. In Problem Statement II^[21], we described digital identity as a topology of power, while Problem Statement III^[22] highlighted their amorphous nature.

When pressed about the weaponisation of digital identity within the context of their professions, none of the participants who self-identified as proponents could offer substantial answers around the use of digital identity in statistically generated pre-crime profiles of real individuals. For participants working in industries where algorithmic pre-crime assessment is routine, such as healthcare fraud detection, employment screening, credit scoring, and border control, the refusal to acknowledge widly known weaponised applications is a worrying symptom that underlies the entire digital identity enterprise.

An individual’s definition of digital identity is significantly influenced by external personal factors, such as socio-economic status, their background, their profession, and their own identity. Pressing participants to clarify their definition almost universally resulted in uncertainty, as irreconcilable idiosyncrasies and shortcomings inherent to digital identity introduced ambiguity in a participant’s conceptual model. For example, participants working with digital identity in healthcare (either as a patient or a vendor) described digital identity in stark contrast to participants from civil society, and these differences covered infrastructure, public perceptions, privacy threats, implementation opportunities, scoping, classifications of identity, etc.

“That concept of digital patient identity is really a bit of a misnomer. To date it has not been defined in that same context [as citizen digital identity]. […] You know, if I’m receiving specific government services or programs that I’m leveraging my citizen digital identity to receive [specific government services], I don’t think that’s necessarily any less important than healthcare services. The origins of providing healthcare, the evolution of healthcare data around providing healthcare, have always created this sociocultural bastion where healthcare data is separate from everything else.”^[23]

Within the field, even clashing definitions are routinely folded into a single “first principle” of digital identity. A clear example is the boundary between state-issued and enterprise-issued credentials. Kim Cameron’s seminal Laws of Identity notes that the employment context is treated as an autonomous sphere, where staff generally expect credentials to be created and retired by their employer, not a government identifier that would expose day-to-day work activity to continuous state scrutiny:

“In many cultures, employers and employees would not feel comfortable using government identifiers to log in at work… the context of employment is sufficiently autonomous that it warrants its own identity, free from daily observation via a government-run technology.”^[24]

We found that these conceptual silos are rarely adhered to, even when intentionally accounted for by actors with the best intentions. Instead, identities designed to be encapsulated within a single use or specific relationship were rolled up and reused in other unintended contexts. Our interviews and literature review show this autonomy is often honoured in name only; over and over again, we documented examples—both with participants and in the wider field—where the boundaries of theoretical or practical intent for a digital identity were overridden by opportunism or convenience. In the absence of a universal definition of digital identity, everything becomes fair game. Identity is everywhere, and as a result, it is nowhere.

Even partially-aligned definitions for digital identity revealed problematic and contradictory stances when examined closely. The concept of trust was an almost universally listed prerequisite for a digital identity system, and this was seen both in the wider industry thinking and directly from research participants. But beyond the baseline inclusion of some kind of system of trust, the understanding of what exactly trust is, and what is considered trustworthy or not, diverges wildly between definitions. Web3’s definition may be newer, but depends upon a conflicting pairing of trust; The protocol that governs the digital identity is designed to be trustless, an ungovernable or influence-free protocol utility enforced by cryptography nevertheless itself reliant on definitions of trust within the realm of information security. Within the same techno-libertarian protocol design, identities must be capable of trust, and this definition is usually borrowed from asymmetric key exchange, where public keys represent a derived transaction address in a network-wide namespace.

At the same time, proponents of so-called web-of-trust digital identity systems claim that trust can designed for and cultivated within a digital identity system via a social graph. Two models are popular. A digital identity is held within an a reputable identity vendor, and the awareness of this custodianship within the wider world cultivates trust. Alternatively, a digital identity system is designed to be able to cryptographically sign other identities, creating a social graph that can be analysed to determine the trustworthiness (or not) of any identity in the network. Keybase, a PGP key management service, allowed users to cultivate trust by posting ‘proofs,’ cryptographic signatures published on a user’s owned social media profiles, domain names, and other owned properties, creating a sort of almanac of identity through the ephemera of user-controlled digital presence. We note, of course, that none of the incorporated trust-building third party systems were designed with this use case in mind.

At the centre of all issues of trust, little time is spent defining what kind of trust is at play. Trust itself shares many conceptual properties with identity, and possesses a multiplicity of definitions depending on the context of its use. Cybersecurity trust, for instance, is not at all the same as trust between economic actors: in cybersecurity, gaining the trust of the system is to be treated as a security breach. But the digital identity industry profits from this confusion, deploying “trust” as a marketing term while building systems that systematically undermine every form of human trust that actually matters—trust in institutions, trust in privacy, trust in the possibility of authentic human connection.

Looking towards emergent identity-centric systems, this observation becomes stark. Web3’s transactional (anti)trust model, where cryptographic verification replaces human relationship, represents the logical endpoint of this trajectory. What becomes critical is to introduce elements fundamentally at odds with this paradigm: definitions of trust that imply chains of reciprocity, care and agency between actors, rather than fraud, commodification and clientelism between parties of a transaction.

The endless invocation of “trusted digital identity,” combined with a complete lack of standardisation and repeated catastrophic failure, cannot be seen as technical specification. The continued insistence towards trust without acknowledging this central contradiction reveals advocacy rhetoric for what it truly is: a propaganda campaign designed to obscure the fundamental hostility of these systems to the social bonds they claim to protect. At the core of this phenomena is the inability to name it directly: this is made possible by the absence of a formalised definition of identity. 🞻

A flagship adversarial analysis of past, present and future digital identity systems.

The Digital Identity Event Horizon is a groundbreaking report that exposes how digital identity creates brittle societies.
Become a free NDC member and get every chapter delivered in your inbox, every week.

Sign up for free