Having just read about Mark’s exploits in Vegas and being reminded about a conversation he and I had, I ended up trawling back through my posts to find the conversation in question. I think this is what he was talking about. Funny to see I wrote this all the way back at IIW2005… time flies.
Mark raises the question how hard would it be to “become someone else?” He claims:
“how over a period of years you could really craft a persona and migrate it to a full blown identity in short order through social engineering, working the system”
Migrating a persona to an identity? Is that like migrate a 3270 app to .NET? Seriously though, you can’t migrate a persona to an identity. You can, however, grow a persona into a legend. A persona is an episodic, contextually scoped set of assertions. An avatar. For this reason alone, I wonder how meaningful CardSpace will be to the typical home user. There is a decent sized population of people who are comfortable with the concept of avatars. Your IRC handle, SecondLife name, and MUD login are all avatars. For these users, presenting an InfoCard here, there and everywhere feels familiar. However, there is an even larger population of users for whom these concepts are alien. For these people, they are who they are and it never occurs to them that there is a layer (or three) of abstraction between their butt in their chair and their representation in Amazon, Hotmail, and E-Bay. Furthermore, the idea that they can “exploit” this abstraction for any number of reasons is even more foreign and strange.
But exploiting enough of these abstractions creates a legend. A legend is the complete package. An entire fictions pseudo-identity with all the trimmings: credit history, employment records, government records, etc. In the non-espionage world, you don’t need all the trimmings but just enough to create a high enough level of credibility to pass a solid sniff test. To Mark Mac’s point, I think you can create a legend with a little bit of effort. That “guy” on LinkedIn who wants to link to you because you worked together at Company X… that guy is creating his legend. He’s likely a combination link-whore, recruiter, or combination of the two. But that being said, by linking to him you are reinforcing the credibility of his legend.
What may start as a persona, say a fabricated LinkedIn account, can grow over time into a legend. Add some corroborating Facebook entries… a couple of tweets from Twitter and sure enough, you can start to put together a fine legend.
A final side note: managing enterprise employees’ identities (all aspects thereof) is an exercise in legend management, while managing “customer” identities is a persona management exercise. Who says HR data is clean after all? 😉