“Anonymity as default,” which I mentioned in the previous post, is taking on a life of its own. Now Tom Maddox has posted in his Opinity weblog, commenting on Ben Laurie's commentary about Kim Cameron's mention of Eric Norlin's post concerning David Weinberger's original thought that “Anonymity should be the default.”
(I'll just sit here and whistle for a moment while you follow that set of links)
The point I wanted to mention was Maddox's statement: “We need to begin with anonymity/pseudonymity as the default, Laurie's ‘substrate choice’. Otherwise, whatever identity system we employ, we'll always be trying to get the cat back in the bag (or the scrambled egg back in the shell).”
The fallacy here is that he seems to believe that there can be an “identity system” in which anonymity is a choice! And not only a choice, but the default choice. But without a unique identifier for each object in the system, there is no identity system. And with a unique identifier there is no anonymity within the system. Rather, the default should be PRIVACY for all objects, with any dispersal or publishing of identity attributes only done with the consent of the entity if it's sentient, and the entity's controller if it isn't.
Maddox is correct that once the data is published you can't unpublish it completely. That argument shouldn't be overlooked. But it's equally important to realize that the “anonymity bandwagon” is out of control and headed for the cliff. Privacy is the key, and privacy should be the issue.
I have trouble with Dave's use of the phrase, “within the system”. What is “the system” in a multi-centered world with an interpenetrating mesh of domains? Put another way, just because an object has a unique identifier, do entities dealing with the object have to know that?
Things may have unique identifiers that are known to some identity authority or domain (even an infinitesimally small one), but these authorities don't have to release those identifiers when identifying things to other parties.
Would an example help?
Suppose some company – let's call it Contoso.com – runs Active Directory as its local identity infrastructure. Active Directory identifies all of the machines and people in Contoso's “domain” with a Security IDentifier (SID) – basically a domain identifier paired with an id that is unique within that domain. But when I am dealing with someone from Contoso.com, I probably don't give a darn about their SID, no matter how useful it may be to their local AD system. Dave, do you care about my SID? Knowing you and loving you, I think you've got better things to worry about!
In the world of web services, which will be a vast mesh where identity reaches beyond domain boundaries, the definition of what is “within the system” becomes very ambiguous.
The SID makes sense “within the system” when the system is thought of as a single narrow domain. It normally doesn't make sense “within the system” when the system is thought of as a connecting mesh of entities that happen to interact with many domains.
In this bigger world, I may be interested in the fact that someone is an employee of Contoso, but totally uninterested in anything that uniquely identifies them as an employee – even if such unique identification is necessary for some other purpose.
For example, if I call 411, I speak with a representative of the phone company. I don't know her or his name, or number, or location, or anything else. I just know the person I'm talking with works on behalf of Verizon – and that is all I really want to know.
Yet knowing they are an official employee is still a matter of identity!
Is this anonymous? I would say so. It “has an unknown or unacknowledged name”, as my pathetic online dictionary puts it (I'm travelling). So it is anonymous, but it is identity.
This is all part of the notion that an authority can make claims about a subject – and that this is done through a set of assertions. Given this, we need a name for the “empty set” of assertions.
So far, we call it anonymity. We believe this will ring a bell in more people's heads than “empty set of assertions”.
If we now combine this thinking with the second law (minimal disclosure) – we come to the notion that if more is not needed, the identity set should be the empty set. This is what I think people are talking about when they say the default should be anonymous.
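To make the Contoso example and the “empty set of assertions” concrete, here is an added illustration (my own code for this post, not part of Active Directory or any identity product). It parses a SID into its domain part and relative identifier (RID), then models a domain authority that knows every subject's SID but answers a relying party with only the claims that party asked for and that policy permits. The domain SID, account names and attributes are constructed for the example; the `INTERNAL_ONLY` policy and the `subjects_matching` check are assumptions of mine, not features of any real directory.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Mapping


@dataclass(frozen=True)
class Sid:
    """Windows Security Identifier, e.g. S-1-5-21-<d1>-<d2>-<d3>-<rid>.

    The last sub-authority is the relative identifier (RID); everything
    before it names the domain. The RID is unique only within that domain,
    which is the "id/domain pair" the post describes.
    """
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    @property
    def domain(self) -> str:
        """The SID with its RID removed (well-known SIDs such as S-1-5-18
        have no domain part and collapse to the authority prefix)."""
        head = "-".join(str(s) for s in self.sub_authorities[:-1])
        prefix = f"S-{self.revision}-{self.authority}"
        return f"{prefix}-{head}" if head else prefix

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]

    def __str__(self) -> str:
        return f"{self.domain}-{self.rid}"


# Constructed directory for the hypothetical Contoso domain (not real data).
CONTOSO_DOMAIN = "S-1-5-21-3623811015-3361044348-30300820"
CONTOSO_DIRECTORY = {
    "alice": {"sid": f"{CONTOSO_DOMAIN}-1104", "employer": "Contoso",
              "department": "Support", "title": "Representative"},
    "bob":   {"sid": f"{CONTOSO_DOMAIN}-1105", "employer": "Contoso",
              "department": "Support", "title": "Representative"},
    "carol": {"sid": f"{CONTOSO_DOMAIN}-1106", "employer": "Contoso",
              "department": "Finance", "title": "Controller"},
}


class DomainAuthority:
    """An authority that knows every subject's SID but only ever asserts
    what a relying party asks for. Claims in INTERNAL_ONLY (an assumed
    policy for this example) never leave the domain, whatever is requested."""

    INTERNAL_ONLY = frozenset({"sid", "account"})

    def __init__(self, domain_sid: str, directory: Mapping[str, Mapping[str, str]]):
        self.domain_sid = domain_sid
        self.directory: Dict[str, Dict[str, str]] = {}
        for account, attrs in directory.items():
            sid = Sid.parse(attrs["sid"])
            if sid.domain != domain_sid:
                raise ValueError(f"{account}: {sid} is not in domain {domain_sid}")
            self.directory[account] = {"account": account, **attrs}

    def claims_for(self, account: str, requested: Iterable[str]) -> Dict[str, str]:
        """Minimal disclosure: the requested claims that policy allows, and
        nothing else. An empty request yields the empty set of assertions,
        which is what the post calls anonymity."""
        attrs = self.directory[account]
        return {name: attrs[name] for name in requested
                if name not in self.INTERNAL_ONLY and name in attrs}

    def subjects_matching(self, claims: Mapping[str, str]) -> int:
        """How many subjects fit the released claim set. A result of 1 means
        the set singles someone out even though no SID was released."""
        return sum(1 for attrs in self.directory.values()
                   if all(attrs.get(k) == v for k, v in claims.items()))


if __name__ == "__main__":
    contoso = DomainAuthority(CONTOSO_DOMAIN, CONTOSO_DIRECTORY)
    # The 411 case: the caller learns only who the representative works for.
    released = contoso.claims_for("alice", ["employer"])
    print(released, "fits", contoso.subjects_matching(released), "subjects")
    # Asking for the SID gets you nothing extra; the identifier stays home.
    print(contoso.claims_for("alice", ["sid", "employer"]))
    # No claims needed, none released.
    print(contoso.claims_for("alice", []))
```

Note what `subjects_matching` adds to the argument: a claim set can identify someone without containing any identifier at all. “Works for Contoso” fits three subjects in this directory and is anonymous in the post's sense; “works in Finance” fits exactly one, so releasing it is a disclosure of identity even though the SID never left the domain. Minimal disclosure has to be judged by what the assertions pick out, not only by whether an explicit unique id is among them.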