Privacy, anonymity and perverse consequences

I very much doubt Andy Smith, of the UK Cabinet Office, thought that his remarks yesterday about disclosing fake personal details would generate quite the flurry of comment they did. But that’s the problem with the whole topic of online privacy and anonymity: it is fraught with unexpected and sometimes perverse consequences.

I won’t re-hash the background here; you can get a far better write-up from Alec Muffett’s excellent piece of re-contextualisation and analysis, here, and Joanna Geary’s article in the Guardian, here.

What I will do, though, is quote a participant at last week’s OECD Working Party on Information Security and Privacy:

“It’s not a matter of designing for privacy *or* security: the proper goal is to optimise for both”

That’s not to say, by any means, that it’s an easy problem. Far from it. Let me give a couple of examples of how challenging it can be to do this well:

1 – Perverse consequences

If you oblige people to prove that they are, for instance, under 18 in order to use a ‘safe online chat environment’ for young people, one foreseeable consequence is that you create a market for the malicious use of valid credentials. Now put yourself in the position of a young person with valid “under 18” credentials; are you really any safer now that a bully or child abuser has a strong incentive to bribe, threaten or cajole you into lending them your credentials?

2 – Is it OK to lie about your age?

Helen Goodman MP may, like Andy Smith, be wondering if she could perhaps have expressed herself better yesterday. Her line of reasoning appears to have been as follows:

“If you let people lie about their personal details online, you make it possible for them to lead potential victims towards abuse. Therefore it should be made illegal to give false personal details online.”

Unfortunately, whether or not the premise is true, the proposed solution doesn’t work. If you make it illegal to give false personal details online (and if, for the sake of argument, you are able to enforce such a law), you also expose individuals to risks of identity theft, fraud, reputational damage, and in some cases physical harm, unless you can also create a legal and regulatory environment in which it is impossible for that data to be subsequently abused, either accidentally or on purpose. Since Helen Goodman must know that that, in turn, is also impossible, her line of reasoning looks increasingly foolish.

And let’s not forget the basics: a ‘date of birth’ disclosure, to a third party who has no means of verifying it, is an essentially unreliable self-asserted attribute. As a security mechanism, it is only made weaker if the information in question is known to multiple third parties.

Unfortunately, the bottom line is that optimising for privacy and security is tough, and tough problems are never solved by soundbite. In this instance, it needs (at least) realism about policy objectives, clarity about what ‘authentication’ really is, and an understanding of what the internet means for personal privacy. Then, perhaps, we can start to close the reality gap between policy aspirations and social reality.


2 thoughts on “Privacy, anonymity and perverse consequences”

  1. paulbernal64 says:

    I agree with almost all of that – it’s a balance of risks. For me, currently, the benefits of supporting anonymity outweigh the risks: and the risks of enforcing real names outweigh the advantages!

  2. Thanks for an interesting blog post.

    The policy gap will never be closed. In many ways, privacy and security cannot be reconciled. The main reason is that these are apples and oranges. Privacy (in contradistinction to anonymity) is only predicated upon security to the extent that a person wants to exclude contact. If a person wants to maintain privacy while interacting, they have immediately created a vulnerability vector. To put it crudely, if you do not want anyone to break in, do not build a door. You can never meet anyone, but you reduce your worry about privacy.

    Anonymity, by contrast, is what most people want to have when interacting in public so that they can control their own interactions. You start talking to someone or interacting with them and you begin to be “known”. In that sense, you will lose your anonymity, but that does not mean you have (yet) lost your privacy. You invite them home, then you start to lose your privacy (of a sort).

    The challenge, though, is how we understand privacy. The term contains too many nuances to summarize and needs to be disentangled based on context. I may have privacy, but I exist in a bureaucratic sense by my birth certificate and my bureaucratic persona that interact separately, but not completely independently of me, wherever I go or whenever the state seeks to interact with me with, or without, my knowledge. If I have that persona, as any citizen does, then I do not have privacy. As Aristotle said, to live outside the walls of the city, you have to be a beast or a god. Privacy is the same way as true privacy would be to live outside the city completely, without *any* bureaucratic shadow. Few live like that, even in TOR or any cyberspace.

    As I expressed in my blog, to have privacy you need to kill God.
    I would be interested in your views on that post.

    Thanks for a really interesting post and I look forward to reading more in your return to blogging.

