May 25, 2009

The Inverted Pyramid of Identity

Let's talk about why we want Identity. There appear to be two popular reasons why Identity is useful. One is as a handle for the customer experience, so that our dear user can return day after day and maintain her context.

The other is as a vector of punishment. If something goes wrong, we can punish our user, no longer dear.

It's a sad indictment of security, but it does seem as if the state of the security nation is that we cannot design, build and roll-out secure and safe systems. Abuse is likely, even certain, sometimes relished: it is almost a business requirement for a system of value to prove itself by having the value stolen. Following the inevitable security disaster, the business strategy switches smoothly to seeking who to blame, dumping the liability and covering up the dirt.

Users have a very different perspective. Users are well aware of the upsides and downsides, they know well: Identity is for good and for bad.

Indeed, one of the persistent fears of users is that an identity system will be used to hurt them. Steal their soul, breach their privacy, hold them to unreasonable terms, ultimately hunt them down and hurt them, these are some of the thoughts that invasive systems bring to the mind of our dear user.

This is the bad side of identity: the individual and the system are "in dispute," it's man against the machine, Jane against Justice. Unlike the usage case of "identity-as-a-handle," which seems to be relatively well developed in theory and documentation, the "identity-as-punishment" metaphor seems woefully inadequate. It is little talked about, it is the domain of lawyers and investigators, police and journalists. It's not the domain of technologists. Outside the odd and forgettable area of law, disputes are a non-subject, and not covered at all where I believe it is required the most: marketing, design, systems building, customer relations, costs analysis.

Indeed, disputes are taboo for any business.

Yet, this is unsustainable. I like to think of good Internet (or similar) systems as an inverted pyramid. On the top, the mesa, is the place where users build their value. It needs to be flat and stable. Efficient, and able to expand horizontally without costs. Hopefully it won't shift around a lot.

Dig slightly down, and we find the dirty business of user support. Here, the business faces the death of a 1000 tiny support cuts. Each trivial, cheap and ignorable, except in the aggregate. Below them deeper down are the 100 interesting support issues. Deeper still, the 10 or so really serious red alerts. Of which one becomes a real dispute.

The robustness of the pyramid is based on the relationship between the dispute at the bottom, the support activity in the middle, and the top, as it expands horizontally for business and for profit.

Your growth potential is teetering on this one thing: the dispute at the apex of the pyramid. And, if you are interested in privacy, this is the front line, for a perverse reason: this is where it is most lost. Support and full-blown disputes are the front line of privacy and security. Events in this area are destroyers of trust, they are the bane of marketing, the nightmare of PR.

Which brings up some interesting questions. If support is such a destroyer of trust, why is it an afterthought in so many systems? If the dispute is such a business disaster, why is resolution not covered at all? Or hidden, taboo? Or, why do businesses think that their dispute resolution process starts with their customers' identity handles? And ends with the lawyers?

Here's a thought: If badly-handled support and dispute events are leaks of privacy, destroyers of trust, maybe well-handled events are builders of trust? Preservers of privacy?

If that is plausible, if it is possible that good support and good dispute handling build good trust ... maybe a business objective is to shift the process: support designed up front, disputes surfaced, all of it open? A mature and trusted provider might say: we love our disputes, we promote them. Come one, come all. That's how we show we care!

An immature and untrusted provider will say: we have no disputes, we don't need them. We ask you the user to believe in our promise.

The principle that the business hums along on top of an inverted pyramid, that rests ultimately on a small powerful but brittle apex, is likely to cause some scratching of technophiliac heads. So let me close the circle, and bring it back to the Identity topic.

If you do this, if you design the dispute mechanism as a fully cross-discipline business process for the benefit of all, not only will trust go positive and privacy become aligned, you will get an extra bonus. A carefully constructed dispute resolution method frees up the identity system, as the latter no longer has to do double duty as the user handle *and* the facade of punishment. Your identity system can simply concentrate on the user's experience. The dark clouds of fear disappear, and the technology has a chance to work how the techies said it would.

We can pretty much de-link the entire identity-as-handles from the identity-as-punishment concept. Doing that removes the fear from the user's mind, because she can now analyse the dispute mechanism on its merits. It also means that the Identity system can be written only for its technical and usability merits, something that we always wanted to do but never could, quite.

(This is the rough transcript of a talk I gave at the Identity & Privacy conference in London a couple of weeks ago. The concept was first introduced at LexCybernetoria, it was initially tried by WebMoney, partly explored in digital gold currencies, and finally was built in CAcert's Arbitration project.)

Posted by iang at May 25, 2009 03:45 PM

The legal state needs to change in order for the "show disputes" concept to work, but it's for a different reason: if a company shows its disputes, and either itself or one of its watchdogs informs them of a pattern... does that pattern-recognition go into the dispute log, as well? What about people who have no legitimate dispute, but the only difference between 'legitimate' and 'illegitimate' lies in the wording of a verbal conversation?

i.e., does recognition and notification of a general pattern create additional liability? If so, is there any legal way to know what the cap of that liability is without dispute resolution (i.e. court)?

(I'm using as part of my basis for this question the curious case of the Prudential Life Insurance "Variable Appreciable Life" life insurance policies sold in the 1980s. Prudential's agents were alleged to have said, very commonly, that after a few years these policies would "pay for [themselves]". A class-action suit was filed against Pru; I don't know if Prudential's liability or risk was capped in any meaningful fashion.)

Posted by: Kyle H at January 15, 2010 02:17 PM

Kyle asks:

> does that pattern-recognition go into the dispute log, as well?

I guess that would depend on the detailed design of the system. In CAcert's system, yes, it does (but that's because other parts dictate it so). Other systems may prefer to put in an external appeal or overriding body.

(I would see your suggested case more as useful input, and a way to prove its functioning than a challenge to the system.)

Posted by: Iang (CAcert's Arbitration Forum) at January 16, 2010 12:11 PM

> i.e., does recognition and notification of a general pattern create additional liability?

Possibly. I know the American school ("a lawyer in every family") would treat any liability with fear&loathing, but Economics-wise, it needs to be balanced with the alternate. The use of dispute resolution solves problems, and if the greater part of the problems are solved, and this is greater avoided cost, then we are in profit overall; this applies broadly to the organisation and to the participants.

Litigation-wise, liability of this nature is difficult to predict. We do know that any open evidence can establish that pattern and liability, any open information gives the enemy weapons. The difference with the dispute approach is that when the event arises, there is no lone voice; in a dispute, the service of dispute resolution systems *must look at it*. Else, shame on the resolver and the organisation.

E.g., to mention an un-named list we know, there are exactly those patterns, and potential for liability. And, because there is no effective way to resolve disputes, the lone voice goes unanswered (and worse) so I would say that the liability for inappropriate dealings does rise. But it is very much a speculation as to whether it rises from $1 to $10 or $100k to $1m, because in that business, all the liability is effectively dumped anyway.

Posted by: Iang (CAcert's liability disclaimer) at January 16, 2010 12:26 PM

to paraphrase:
> "these disputes would pay for themselves"

:-) that's a cheeky statement, and in a sales environment it would be seen as quite a claim. I suppose if the dispute system were to make a claim such as "every dispute returns profit ..." or "rub out your mobster enemies with our smiling disputers" then this could be treated as a sales pitch.

But if the dispute system says "we resolve disputes" then that doesn't necessarily tilt in favour. As it happens, CAcert's system has the ability to fine members, and also the ability to levy fees, but none has ever happened to date. It's a membership group, I don't think it is meant to be a profit department.

Posted by: Iang (CAcert's formal policy for Dispute Resolution) at January 16, 2010 12:35 PM

I think you misread what I said... I was referring to the specific details of the life insurance policies/contracts that were issued under the "VAL" name. I do think that this would be an excellent test for any alternative dispute resolution system.

My original quote was: "these *policies* would pay for themselves", not disputes. Additional background for the scenario:

The Variable Appreciable Life policy was designed as a kind of non-annuity annuity. The way they work:

1) The policy owner is -guaranteed- that the contract will remain in full force and will receive the face value of the policy upon the death of the insured if and only if she pays her premiums, in full, until it becomes paid up.
2) She has the opportunity for more than the face value because the premium goes into an investment fund.
3) Each month, the commission is taken out of the fund. If the fund performs well, the value of the contract goes up, and as long as the value of the contract is above the pre-determined minimum value during monthly processing, no problem.
4) If the value of the fund ever drops below that pre-determined minimum value during monthly processing, the policyowner must make up the deficiency (unless the full premium payments have been made for the entire length of the policy).

If condition 4 is triggered, there are two ways to resolve it: make up the deficiency (and run the risk of the market underperforming), or pay the entire back balance of premiums.

The allegation was that the consequences of trigger 4 were never explained, and people who hadn't thought about these policies since the '80s were suddenly receiving notices of deficiency for hundreds of dollars, with a statement that they could guarantee the full face value of the policy if they paid the back premiums -- which could be in the range of tens of thousands of dollars.

(and to cover my rump: I am not licensed as an insurance agent in any state, I am not trying to sell any insurance product, and I am bringing this example up for educational and discussion purposes only. I cannot offer financial advice; if you feel that you need such advice, please contact a licensed financial advisor.)

Posted by: Kyle H at January 16, 2010 04:43 PM

Once you've grasped the above, try automating the top layers...

Posted by: Modria at May 26, 2015 08:22 AM