Ben Laurie at Links, contemplating the “identity as a default” debate, argues “Anonymity is the substrate“:
Kim Cameron’s blog draws my attention to a couple of articles on anonymity. The first argues for anonymity to be the default. The second misses the point and claims that wanting anonymity to be the default makes it a binary thing, whereas identity is a spectrum.
But the point is this: unless you have anonymity as your default state, you don’t get to choose where on that spectrum you lie.
Eric Norlin says
Further, every “user-centric†system I know of doesn’t seek to make “identity†a default, so much as it seeks to make “choice†(including the choice of anonymity) a default.as if identity management systems were the only way you are identified and tracked on the ‘net. But that’s the problem: the choices we make for identity management don’t control what information is gathered about us unless we are completely anonymous apart from what we choose to reveal.
Unless anonymity is the substrate choice in identity management gets us nowhere. This is why I am not happy with any existing identity management proposal – none of them even attempt to give you anonymity as the substrate.
Ben has a valid point in terms of the network substrate. There are a number of hard issues intertwined here. But from a practical point of view, here is how I approach it:
- You can't solve every problem everywhere simultaneously. Solving one problem may leave others to be dealt with. But with one problem gone, the others are easier to tackle.
- There are interesting technologies like onion routing and tor that could be combined with the evolving identity framework to offer a more secure overall solution (Ben is better versed in these matters than I am).
- If society mandates storage of network addresses under certain circumstances, as it seems to be doing, a much more secure approach to this storage could and should be adopted. Any legislation that calls for auditing should also require that the audit trail be encrypted under keys available only to vetted authorities and then only through well-defined legal procedures with public notification and in an off-line setting. This would have a huge impact in preventing the ravages of Norlin's Maxim.
Network issues aside, in keeping with the second law of identity (minimal disclosure), users should by default release NO identifying information at all.
You can call this anonymity, or you can call this “not needlessly blabbing everything about yourself”.
Sites should only ask for identifying information when there is some valid and defensible reason to do so. They should always ask for the minimum possible. They should keep it for the shortest possible time. They should encrypt it so it is only available to systems that must access it. They should ensure as few parties as possible have access to such systems. And if possible, they should only allow it to be decrypted on systems not connected to the internet. Finally, they should audit their conformance with these best practices.
Once you accept that release of identifying information should be proportionate to well-defined needs – and that such needs vary according to context – it follows that identity must “be a spectrum”.
I have a slightly different take on anonymity. If anonymity means only that there can be a set of attributes about a person that does NOT include their name (or any name), then it might be OK. But if it means that there are no attributes about a person at all, which many seem to assume is meant by anonymity, I disagree.
If I can presume to know what happened with the first cave men, I suspect they didn't wear a name tag when they first met another cave man that they hadn't previously met. But the body language, strength of handshake (or whatever ritual was then in use) all conveyed attributes that allowed one to assess the trustworthiness or otherwise of the other.
In the online world, devoid of these cues, people seek out proxies for them, whether it be trusted third party certification or something less. It's hard to imagine how you could have any interchange with a totally attribute-less ‘person’.