Written by [Dave Birch] The issues of social media free speech, anonymity and the possibilities for action rather than words about illegal activity are much in the news in the UK this week because of the disgusting Twitter campaign against the women's rights campaigner Caroline Criado-Perez. The basic dynamic was well summarised in The Guardian by the MP Stella Creasy.
For anyone who appreciates and uses social media free speech should be inviolable. That includes ensuring abuses of that freedom do not infringe on the ability of anyone to exercise it. To challenge, call out, parody or criticise someone is to practise freedom of speech. To threaten them with rape is not.
There is a talk about trying to get Twitter to add a "report abuse" button. Personally, I think that would be a little pointless. And while the tweets at issue are illegal, it's also pointless reporting them all to the police. There are not enough police persons in the UK to track down all of the perpetrators, even if they could. When everyone is focused on one high-profile case, I can well believe that the police will track down and arrest one or two perpetrators and send them through the court system, but for the great majority of cases this will never happen. And, as Dr. Brooke Magnanti notes in The Telegraph, what constitutes abuse is itself problematic.
On Twitter, the definition of a troll sometimes means "prolific abuser". But it's also become an umbrella term that can mean anything from "someone who disagrees with me" to "someone with fewer followers than me". It's a slippery definition that is far too often trotted out to silence dissent.
[From Feminists boycotting Twitter is not the way to end trolling – Telegraph]
We all recognise abuse when we sit, but I think it might be very difficult to explain this to a computer so that it can run some kind of automated anti-abuse Claire Perry-style filter system. Of course, we could simply say that abuse is in the eye of the beholder and instruct the police to follow up whenever anyone claims that they have been abused.
A university lecturer could be sent to prison for calling a city MP a “coward”. Alex Cline faces a two-day trial after a court heard Hove MP Mike Weatherley complained to police about the name-calling in November.
[From Brighton man faces jail for calling Hove MP Mike Weatherley 'coward' (From The Argus)]
I hate the bullies as much as anyone else. I want something done about them, but well-meaning campaigns about boycotts and such like will not do anything about this problem. I think there is a solution. Let me take you through my thinking. The place to start, I think, is by first of all by dealing with the issue of whether people should be allowed to be sort-of-anonymous in online communities. The author and campaigner Heather Brooke, mades a very good point.
But the idea that anonymity is a right and not a privilege is wrong. There needs to be good reason to avoid being accountable for what we say or write, particularly if what we say affects other people. Too often online, anonymity is the tool of the bullying coward, a means to avoid responsibility for publishing threats, abuse and lies.
[From Anonymity is a Privilege Not a Right « Heather Brooke]
This is a perspective that I think is broadly correct. If people publish threats there should be a mechanism to hold them to account. But what does it mean to a technologist? How would this "right" be implemented? I think it is important that we find a way to do this that does not abolish anonymity, which has many useful social functions — not only for whistleblowers and political activists, for people enquiring about health issues or unpopular causes, and so on — but provides a "smash the glass" option for when things go wrong.
Concurrent with the end of anonymity will, obviously, be the end of privacy.
[From 11 Big Tech Trends You'll See in 2013]
No, no, a thousand times no. We must not sit back and accept this! I think there is a better way. Here's what the "father of the Internet", Vint Cerf, says about it.
"Anonymity and pseudonymity are perfectly reasonable under some situations," Cerf said. "But there are cases where in the transactions both parties really need to know who are we talking to. So what I'm looking for is not that we shut down anonymity, but rather that we offer an option when needed that can strongly authenticate who the parties are."
[From Google services should not require real names: Vint Cerf – Yahoo! News]
He is, as might reasonably expect, absolutely correct. Real pseudonymity is a real solution. If there were organisations out there capable of linking your online persona to your mundane existence, they could act as a responsible bridge between the physical and virtual worlds. It would be like when you go to a web site to log in to something and you click on the Facebook button to log in via a standard service such as OpenIDConnect, except you'd be clicking on a button to log in via someone who actually knows who you are.
I'll use banks as the example, even though none of the UK banks currently offer anything like OpenIDConnect. But suppose they did? Suppose Barclays, which is where my current account is, were to provide such as service? Then we have workable solution that would be something like this:
- I go to Twitter to open an account as King_of_Wessex
- Twitter offers me the option of logging in by username and password, using my Facebook account or using my bank account
- I choose bank account, so I get bounced to Barclays and I use my dongle to log in
- Barclays authenticates me, and bounces me back to Twitter
- Twitter create the King_of_Wessex account and flag it as authenticated.
Now I can tweet to my heart's content as King_of_Wessex. No-one will know that the King_of_Wessex is me. Twitter don't know who I am because while Barclays told them "yes we have authenticated this user" they didn't tell Twitter who I am. Barclays know that they authenticated me to Twitter, but they don't know my Twitter name. This is two-sided conditional pseudonymity.
So why would we bother doing this?
Well, Twitter could then add a setting to their accounts so that users could choose whether to accept tweets from unauthenticated users. Like most people, I imagine, I would set my account to accept tweets from all users, so as not to miss any good stuff. But if for some reasons I start getting hate tweets, or death threats or whatever, I would switch to authenticated accounts only.
Now imagine that I get a death threat from an authenticated account. I report the abuse. Twitter can (automatically) tell the police who authenticated the transaction (ie, Barclays). The police can then obtain a warrant and ask Barclays who I am. Barclays will tell them my name and address and where I last used my debit card. If it was, say, Vodafone who had authenticated me rather than Barclays, then Vodafone could even tell the police where I am (or at least, where my phone is).
Would the police be swamped with millions of reports? I think not. Most people in the public eye would, I'm sure, set their accounts to receive tweets from authenticated users only. Tweets from unauthenticated users to authenticated-only accounts would simply be discarded. The bullies could post away as much as they liked. Perhaps it is therapeutic for them. Who knows. I wouldn't matter, because their tweets wouldn't go anywhere. I have enough faith in the judicial system to believe that when an MP went whining to the police about being called "a coward" this would be dismissed as nothing more than robust free speech, but if I threaten to come round and punch the MP in the face, then the police would obtain a warrant and proceed.
So the question is: would the average nutter post rape threats to female journalists if they had to use their bank card to create an authenticated account? I would have thought that, after the first couple of jail sentences, the problem would sort itself out.
(There might be a way to fix the problem without the courts as well. There's no reason why the police could not have an automated system that simply sends the warrant to the bank and gets back the real name and address of the tweeter and just publishes it alongside the offending tweet!)
This, then, is the solution. Twitter campaigns are pointless, but using identity infrastructure is not, and fixing this problem might well be a good way to deliver impetus for the banks (and the mobile operators and others) to work together to provide a platform for the future that would greatly benefit all of us. The Cabinet Office Identity Assurance (IDA) programme is developing the framework. We have the standards that we need (OpenIDConnect and such like) and the banks have "two factor" authentication.
To summarise once more as a soundbite: let me create a Twitter account using my Barclays bank dongle to log in. Then if I tweet something that breaks the law, the police can take a warrant to Barclays and get my name and address and arrest me. Sorted.
To summarise once more as a soundbite: let me create a Twitter account using my Barclays bank dongle to log in. Then if I tweet something that breaks the law, the police can take a warrant to Barclays and get my name and address and arrest me. Sorted.
You might be sorted. The whistleblower isn’t and neither is the political dissident.
… fixing this problem might well be a good way to deliver impetus for the banks (and the mobile operators and others) to work together to provide a platform for the future that would greatly benefit all of us. The Cabinet Office Identity Assurance (IDA) programme is developing the framework …
“The Cabinet Office… is developing the framework”, you say. You have good contacts and you are often asked to advise on this sort of thing. You will know.
But to us outsiders it looks as though nothing is happening.
As I understand it, under IDA, GDS can’t work directly with the banks. Are GDS using the “identity providers” in any way? Either as a group of eight or just concentrating on Experian? Do they have an alternative? The electoral roll perhaps? Or, God forbid, Facebook/Google?
Despite GDS’s claims to be open – “People are seeing the live, working software that’s already making government services Digital by Default … We are running this programme of continual iteration in the open” – there is actually nothing to be seen.
It’s impossible for a one-man event such as me to get a reaction out of GDS. But even big events like the NSA/GCHQ revelations don’t elicit a statement from GDS, either about IDA or about G-Cloud, for which they are now also responsible.
GDS have promised that HMRC will be the first users of IDA. Mind you, they have previously promised that DWP would be the first users. But there’s no sign of the IDA framework you mention. Nor of a replacement for the Government Gateway.
Is there any comment you can make?
That might work for criminal matters, but a civil law enforcement process would also be needed, as well as a clear picture as to which jurisdiction applies. (An American in Brazil uses an Italian service to make a remark about a Russian in London…)
The (narrow it’s-all-in-UK) IDA programme design principles are out for consultation, again, having not delivered in the spring. http://digital.cabinetoffice.gov.uk/category/id-assurance/
So now is the time to submit comments to get it to cover what is needed and to remove impediments. (No space here to debate details…)
Anyone who was serious about damaging or intimidating another person would ensure it was done anonymously. Any perceived threat which could be tied to a real person is surely not a serious threat. So if we don’t like the possibility of threats we have to stamp out anonymity altogether.
Which is fine if you trust the too big to jail global criminal custodians of your identity.
‘”The Cabinet Office… is developing the framework”, you say. ‘
Fair comment. It would have been more accurate to use Mark’s phrasing and say that the Cabinet Office is seeking consultation on developing the framework.