Dave Kearns discusses the first part of my examination of the relation between identity technologies and linking, beginning with a reference to Paul Madsen:
Paul Madsen comments on Kim Cameron's first post in a series he's about to do on privacy and collusion in on-line identity-based transactions. He notes:
“A meaningful distinction for RP/RP collusion that Kim omits (at least in the diagram and in his discussion of X.509) is ‘temporal self-correlation’, i.e. that in which the same RP is able to correlate the same user's visits occurring over time.“
and concludes:
“Not to say that designing identity systems to inhibit correlation isn't important & valuable for privacy, just that there is little point in deploying such a system without addressing the other vulnerabilities (like a masked bank robber writing his ‘hand over the money’ note on a monogrammed pad).“
Paul makes some good points. Rereading my post I tweaked it slightly to make it somewhat clearer that correlating the same user's visits occuring over time is one possible aspect of linking.
But I have to admit that I have not personally been that interested in the use case of presenting “managed assertions” to amnesiac web sites. In other words, I think the cases where you would want a managed identity provider for completely amnesiac interactions are fairly few and far between. (If someone wants to turn me around me in this regard I'm wide open.) To me the interesting use cases have been those of pseudonymous identity – sites that respond to you over time, but are not linked to a natural person. This isn't to say that whatever architecture we come out with can simply ignore use cases people think are important.
Dave continues:
I'd like to add that Kim's posting seems to fall into what I call on-line fallacy #1 – the on-line experience must be better in some way than the “real world” experience, as defined by some non-consumer “expert”. This first surfaced for me in discussions about electronic voting (see Rock the Net Vote), where I concluded “The bottom line is that computerized voting machines – even those running Microsoft operating systems [Dave, mais vous êtes trop méchant! – Kim]- are more secure and more reliable than any other ‘secret ballot’ vote tabulation method we've used in the past.”
When I re-visit a store, I expect to be recognized. I hope that the clerk will remember me and my preferences (and not have to ask “plastic or paper?” every single blasted time!). Customers like to be recognized when they return to the store. We appreciate it when we go to the saloon where “everybody knows your name” and the bartender presents you with a glass of “the usual” without you having to ask. And there is nothing wrong with that! It's what most people want. Fallacy #2 is that most Jeremiahs (those weeping, wailing, and tooth-gnashing doomsayers who wish to stop technology in it's tracks) think that what they want is what everyone should want, and would want if the hoi-polloi were only educated enough. (and people think I'm elitist! 🙂
I do wish that all those “anonymity advocates” would start trying to anonymize themselves in the physical world, too. So here's a test – next time you need to visit your bank, wear a mask. Be anonymous. But tell your lawyer to stand by the phone…
Dave, I think you are really bringing up an important issue here. But beyond the following brief comment, I would like to refrain from the discussion until I finish the technical exploration. I ask you to go with me on the idea that there are cases where you want to be treated like you are in your local pub, and there are cases where you don't. The whole world is not a pub – as much as that might have some advantages, like beer.
In the physical world we do leave impressions of the kind you describe. But in the digital world they can all be assembled and integrated automatically and communicated intercontinentally to forces unknown to you in a way that is just impossible in the physical world. There is absolutely no precedent for digital physics. We need to temper your proposed fallacies with this reality.
I'm trying to do a dispassionate examination of how the different identity technologies relate to linking, without making value judgements about use cases.
That done, let's see if we can agree on some of the digital physics versus physical reality issues.
One thought on “No masks in the grocery store”
Comments are closed.