Ben Laurie at Links, contemplating the “identity as a default” debate, argues “Anonymity is the substrate”:
Kim Cameron’s blog draws my attention to a couple of articles on anonymity. The first argues for anonymity to be the default. The second misses the point and claims that wanting anonymity to be the default makes it a binary thing, whereas identity is a spectrum.
But the point is this: unless you have anonymity as your default state, you don’t get to choose where on that spectrum you lie.
Eric Norlin says
Further, every “user-centric” system I know of doesn’t seek to make “identity” a default, so much as it seeks to make “choice” (including the choice of anonymity) a default.
as if identity management systems were the only way you are identified and tracked on the ‘net. But that’s the problem: the choices we make for identity management don’t control what information is gathered about us unless we are completely anonymous apart from what we choose to reveal.
Unless anonymity is the substrate, choice in identity management gets us nowhere. This is why I am not happy with any existing identity management proposal – none of them even attempt to give you anonymity as the substrate.
Ben has a valid point in terms of the network substrate. There are a number of hard issues intertwined here. But from a practical point of view, here is how I approach it:
- You can't solve every problem everywhere simultaneously. Solving one problem may leave others to be dealt with. But with one problem gone, the others are easier to tackle.
- There are interesting technologies like onion routing and Tor that could be combined with the evolving identity framework to offer a more secure overall solution (Ben is better versed in these matters than I am).
- If society mandates storage of network addresses under certain circumstances, as it seems to be doing, a much more secure approach to this storage could and should be adopted. Any legislation that calls for auditing should also require that the audit trail be encrypted under keys available only to vetted authorities and then only through well-defined legal procedures with public notification and in an off-line setting. This would have a huge impact in preventing the ravages of Norlin's Maxim.
Network issues aside, in keeping with the second law of identity (minimal disclosure), users should by default release NO identifying information at all.
You can call this anonymity, or you can call this “not needlessly blabbing everything about yourself”.
Sites should only ask for identifying information when there is some valid and defensible reason to do so. They should always ask for the minimum possible. They should keep it for the shortest possible time. They should encrypt it so it is only available to systems that must access it. They should ensure as few parties as possible have access to such systems. And if possible, they should only allow it to be decrypted on systems not connected to the internet. Finally, they should audit their conformance with these best practices.
Once you accept that release of identifying information should be proportionate to well-defined needs – and that such needs vary according to context – it follows that identity must “be a spectrum”.