“Propusk, pazhaluysta!” – On anonymous access to Internet services

Many of you will have seen the flurry of comment about a recent ‘frank exchange of views‘ between Andy Smith of the Cabinet Office and Helen Goodman MP, about whether it is ever appropriate to give false details when asked for them online. I was fortunate enough to be present when they had a civilised re-match in the IGF session on Aspects of Identity this week in Baku.

First, let me make it clear that I am not condoning or recommending fraud. There are many contexts in which it is right to expect users to make truthful assertions of identity or other attributes. But to suggest that people should have no right to access online services unless they reliably identify themselves is simplistic and harmful. I use the word ‘right’ because these were the terms in which Helen Goodman expressed it on Tuesday:

People do not have a right to anonymous online access because “you can’t have rights without a rights-holder”… implying “identified rights-holder”.

In other words, you only enjoy rights if you are identifiable.

A moment’s reflection should persuade us that this is not true, either in the real world or the virtual one. For example:

– If I pay for goods using cash (in other words, it’s an anonymous transaction) I don’t, in so doing, forfeit my rights as a consumer. Identifiability has no role to play, here: all that is needed is a reliable assertion of legal tender.

– If I speak in a public forum, my right to free speech is not conditional on first stating who I am.

Come to that, I have no right to run someone over just because I don’t know their name. Anonymity doesn’t rescind their right to life.

I’m entitled to send a letter without identifying myself. The Royal Mail needs to see the name and address on the outside of an envelope, not the signature inside… and of course, that signature might consist of a nickname, some initials, or a smiley face, for all that matter. Similarly, there is no reason why I should not be entitled to send emails using an email address which is something other than my real name, and to close my emails with whatever epithet I see fit. That’s quite a different matter from rules about what I can legally say in the letter or email.

There are countless online contexts where an assertion of identity is unnecessary, and to insist on one is disproportionate. Why, for instance, should I have to identify myself just to read the news, or check the weather?

Online payment transactions don’t necessarily require identity either. There are mediated payment architectures using which it is quite possible to pay a merchant on behalf of a consumer without disclosing the identity of the payer to the merchant, and without sacrificing the auditability of the transaction. Again, there are cases where identification is appropriate, but plenty where it is not.

An over-insistence on authentication for transactions where it is not needed also has predictable bad consequences. For instance, if interactions are personally identifiable, they come within the scope of data protection laws; if all transactions fall into this category, the potential regulatory and compliance burden for service providers balloons out of all proportion – and so does the cost and complexity of governance.

Then there are the perverse consequences of some well-intentioned forms of authentication: if you insist that a verifiable proof of age be used to control access to ‘safe’ online chat-rooms for teenagers, you give predatory bad actors a strong incentive to threaten/bribe/cajole teenagers into allowing their credentials to be used… potentially putting them at greater risk than they were before.

And finally, there are the slightly more specialised cases, where anonymity and pseudonymity are needed to protect witnesses, undercover law enforcement officers, victims of domestic abuse, intelligence officers and so on.

In all these instances, there is a clear public interest in not insisting on authentication.

But as anyone who attended the IGF in Baku ought to appreciate, a blanket insistence on authentication for online services has a chilling effect on free speech, too. It can stifle (and even put at risk) whistleblowers, human rights campaigners, or simply those who disagree with an oppressive regime. It is disturbing when policy-makers in a democracy call for an end to online anonymity, because that gives undemocratic regimes something to point to as they lock down free speech and access to information for their own repressive purposes. As readers of my blog will know, I reserve particular scorn for the pernicious “nothing to hide, nothing to fear” argument, and it saddened me deeply to see it deployed in the Aspects of Identity session.

Returning to the question of ‘no rights without a rights-holder’: the bizarre thing is that this is the kind of neo-con soundbite that used to be touted about by the likes of Janet Daly on the Moral Maze… “you can’t have rights without responsibilities”… When of course there are plenty of individuals – infants, children, those with severe cognitive disabilities, and indeed non-human animals, whom we recognise as having rights with no – or fewer – corresponding responsibilities.

A world in which those without responsibility were held to have no rights would be a genuinely disturbing one.  I wonder if Helen Goodman has really thought through what it would be to inhabit a world in which all rights were contingent on the rights-holder (or rather, rights-claimant) being identifiable.