“Propusk, pazhaluysta!” – On anonymous access to Internet services

Many of you will have seen the flurry of comment about a recent ‘frank exchange of views‘ between Andy Smith of the Cabinet Office and Helen Goodman MP, about whether it is ever appropriate to give false details when asked for them online. I was fortunate enough to be present when they had a civilised re-match in the IGF session on Aspects of Identity this week in Baku.

First, let me make it clear that I am not condoning or recommending fraud. There are many contexts in which it is right to expect users to make truthful assertions of identity or other attributes. But to suggest that people should have no right to access online services unless they reliably identify themselves is simplistic and harmful. I use the word ‘right’ because these were the terms in which Helen Goodman expressed it on Tuesday:

People do not have a right to anonymous online access because “you can’t have rights without a rights-holder”… implying “identified rights-holder”.

In other words, you only enjoy rights if you are identifiable.

A moment’s reflection should persuade us that this is not true, either in the real world or the virtual one. For example:

– If I pay for goods using cash (in other words, it’s an anonymous transaction) I don’t, in so doing, forfeit my rights as a consumer. Identifiability has no role to play, here: all that is needed is a reliable assertion of legal tender.

– If I speak in a public forum, my right to free speech is not conditional on first stating who I am.

Come to that, I have no right to run someone over just because I don’t know their name. Anonymity doesn’t rescind their right to life.

I’m entitled to send a letter without identifying myself. The Royal Mail needs to see the name and address on the outside of an envelope, not the signature inside… and of course, that signature might consist of a nickname, some initials, or a smiley face, for all that matter. Similarly, there is no reason why I should not be entitled to send emails using an email address which is something other than my real name, and to close my emails with whatever epithet I see fit. That’s quite a different matter from rules about what I can legally say in the letter or email.

There are countless online contexts where an assertion of identity is unnecessary, and to insist on one is disproportionate. Why, for instance, should I have to identify myself just to read the news, or check the weather?

Online payment transactions don’t necessarily require identity either. There are mediated payment architectures using which it is quite possible to pay a merchant on behalf of a consumer without disclosing the identity of the payer to the merchant, and without sacrificing the auditability of the transaction. Again, there are cases where identification is appropriate, but plenty where it is not.

An over-insistence on authentication for transactions where it is not needed also has predictable bad consequences. For instance, if interactions are personally identifiable, they come within the scope of data protection laws; if all transactions fall into this category, the potential regulatory and compliance burden for service providers balloons out of all proportion – and so does the cost and complexity of governance.

Then there are the perverse consequences of some well-intentioned forms of authentication: if you insist that a verifiable proof of age be used to control access to ‘safe’ online chat-rooms for teenagers, you give predatory bad actors a strong incentive to threaten/bribe/cajole teenagers into allowing their credentials to be used… potentially putting them at greater risk than they were before.

And finally, there are the slightly more specialised cases, where anonymity and pseudonymity are needed to protect witnesses, undercover law enforcement officers, victims of domestic abuse, intelligence officers and so on.

In all these instances, there is a clear public interest in not insisting on authentication.

But as anyone who attended the IGF in Baku ought to appreciate, a blanket insistence on authentication for online services has a chilling effect on free speech, too. It can stifle (and even put at risk) whistleblowers, human rights campaigners, or simply those who disagree with an oppressive regime. It is disturbing when policy-makers in a democracy call for an end to online anonymity, because that gives undemocratic regimes something to point to as they lock down free speech and access to information for their own repressive purposes. As readers of my blog will know, I reserve particular scorn for the pernicious “nothing to hide, nothing to fear” argument, and it saddened me deeply to see it deployed in the Aspects of Identity session.

Returning to the question of ‘no rights without a rights-holder’: the bizarre thing is that this is the kind of neo-con soundbite that used to be touted about by the likes of Janet Daly on the Moral Maze… “you can’t have rights without responsibilities”… When of course there are plenty of individuals – infants, children, those with severe cognitive disabilities, and indeed non-human animals, whom we recognise as having rights with no – or fewer – corresponding responsibilities.

A world in which those without responsibility were held to have no rights would be a genuinely disturbing one.  I wonder if Helen Goodman has really thought through what it would be to inhabit a world in which all rights were contingent on the rights-holder (or rather, rights-claimant) being identifiable.

IGF2012 session: Governing Identity on the Internet

I got the chance to take part today in a workshop session at the Internet Governance Forum in Baku, and as, for once, I had made some written notes, I thought I’d get a little more mileage out of them by posting a summary here… I hope this is useful. Comments welcome, as ever.

A 1, 2, 3 of digital identity

Having listened to the very diverse views and interpretations of identity here at the IGF this week, my worry is that we’re talking about governing something that we haven’t clearly defined. So here’s a perspective on digital identity, under three headings:

  1. One evolutionary sequence: how did we get here?
  2. Two models of what digital identity is…
  3. Three issues

1. Evolution

In the 80s, your ‘identity’ meant either your passport, or – if you were one of the few who used a computer – your account on a mainframe or (higher education) server. Siloed and incomprehensible to other systems or organisations.

In the early 2000s, it started to make sense to talk about your ‘network identity’; the collection of things that a panoptical third party could know about you, by looking at all the places where information about you was stored online (IDs, accounts, user profiles, etc.).

By the middle of that decade, federated identity was a reality, at least among large enterprises. A non-siloed digital credential that could be used to identify you to an organisation that had not issued it to you.

The current goal could be described as “Internet-scale” federation: a framework which can cater for many kinds of credential, understandable by many organisations, in different sectors, for different purposes, with different models for trust and liability. This is the aim of programs like the US National Strategy for Trusted Identities in Cyber-space and a similar initiative in the UK, for example.

In short: the goal is a digital ‘identity’ as multi-faceted and versatile as our real-life, individual identity as a person. That’s a long way from where we were 30 years ago – and we’re by no means there yet.

2. So let me describe two ways of looking at digital identity. I’ll describe the first one and then contrast its characteristics with the second. The first, I’ll call the Classic model. It is based on:

– Single authoritative source

– Credential

– Authentication

– Binary (Y or N)

– Level of assurance and a chain of trust, both of which can be formalised into procedures and assigned liability models (retroactive).

The second is what I’ll call the Emerging model. It looks like this:

– Multiple, low-assurance sources

– Attributes

– Authorisation

– Contextual and adaptive

– A web of trust, notions of mutable reputation, and quantifiable mainly in terms of risk management (predictive).

3. So, what issues does that present us with?

The Classic model is fundamentally retrospective. It’s the historical way of thinking about identity, it establishes an identity relationship between what’s happening now and a trusted event in the past, and liability is – basically – the arrangement for what you do after something has gone wrong.

As a result, one problem is that it copes badly with cases where an identity was issued for one purpose and is later used for other purposes – but you can’t stop  that from happening.

The Emerging model is future-facing. It is much more dynamic, and it is also completely compatible with anonymous authorisation. But it alters our conception of identity and trust, and relies on immature disciplines such as reputation management and contextual authorisation.

It is a model whose working parts are almost entirely hidden from the end user – where the Classic model at least (usually) requires the user’s involvement at the point of authentication. The Emerging model poses real questions of user control and consent.

And lastly, there’s a catch. This isn’t an either/or decision. We need both the classic and the emerging models – because neither, on its own, can get your digital identity close to being a reflection of your personal identity.