I’m authentically not real
[Dave Birch] The whole "identity thing" has been obsessing me because I've been invited to give my first TEDx talk at TEDxSussexUniversity later this week and I decided to talk about identity. I thought I'd try my PsychicID idea out on a different (i.e., not identity specialists) audience to test it out further. As far as I'm concerned, the need for it is growing.
According to Sheryl Sandberg, Facebook's chief operating officer, and Richard Allan, its director of policy in Europe, a critical mass of people only want online interactions supported by "authentic" identity.[From Online identity: is authenticity or anonymity more important? | Technology | guardian.co.uk]
They're not even wrong about this. Authenticity and anonymity are not on the same axis. My Facebook profile is entirely authentic, it just doesn't share my mundane non-unique sort-of-identifier (i.e., name). So what? Why would anyone need to know that my Facebook profile is in my "real name"? Well, apart from people who want to harass children, for example...
In an recent investigation, the TV station MSNBC found that many university sports departments now require students to "friend" their coach, giving officials access to their "friends-only" posts.[From 12-year-old US girl suing school over Facebook comments row - Telegraph]
It's really interesting to see how the "etiquette" around this is evolving. I picked up on it a few years ago and had the feeling then that the way the Facebook generation see identity will redefine they way society as a whole will come to see it in time, which is why attempts to force "old" identity notions on to them are doomed.
The kids aren't stupid: they live in that world and they can distinguish their multiple virtual identities. Faced with a privacy violation that undermines a virtual identity, they slash and burn.[From Digital Identity: Bring it on]
Quite. And why shouldn't they? Why shouldn't I have two Facebook identities, one for my work friends and one for my friends and family? And if want them to be able to connect me, then that should be up to me. I can easily have an identity that is authentic and anonymous.
The issue here isn't anonymity. It's privacy. Facebook should be looking at ways to deploying Privacy Enhancing Technologies (PETs) as part of its fundamental infrastructure. This is at the heart of my view of digital identity: that the only way to meet the requirements for security and privacy is stop seeing them as opposites or countervailing forces to be balanced, but as the simultaneously achievable goals of a properly designed identity infrastructure.
Many people do think eID could and should be implemented without full identification, i.e. more granular disclosure with pseudonymity - see e.g. Dave Birch's brilliant and very readable paper "Psychic ID: A blueprint for a modern national identity scheme" (PDF).[From Tech and Law: PETs - Stephan Engberg's response]
So this is what I'm going to talk about on Friday: why Dr. Who should be our national design authority for identity infrastructure for 21st century because Dr. Who (and not Martha Lane Fox or the Cabinet Office) has a narrative about the future of identity, authentication and credentials that everyone can understand and buy into. And he's already shown us that he uses NFC. We'll see how it goes.
But back to the problem space. If my Facebook profile is the name of Ziggy Startup, and all my friends know this, then what's the problem? It's not really anonymous is any sense: if Ziggy Startup starts making off illegal posts, then it won't take long for the police to get a warrant for the IP address and password and Ziggy will be off down the nick.
A man was jailed yesterday for posting videos and messages mocking the deaths of teenagers including a girl who threw herself under a train.[From Internet 'troll' jailed for mocking dead teenagers on Facebook - Telegraph]
These people are pathetic, revolting and deserve the appropriate penalties, but they're not a reason to make a fundamental and unrecoverable mistake in the design of the future online world. Since we don't have a national narrative around the future of identity, it's been abandoned to competing national security and commercial imperatives. Indeed, some observers would say that this is what's really going on with all the fuss about "real" names at the moment.
Is it possible that free and expressive social logons will take over where bank and government identities have failed to interoperate? Or will the higher risk management standards of serious online transactions remain beyond reach of the cyber brands?[From A new theory of digital identity - Networks - SC Magazine Australia - Secure Business Intelligence]
The battle over "authentic" identities is a power struggle. If the social networks are able to enforce it (I've no idea how they might do this, but let's say they can) then they have a fantastic business opportunity because they will be able to leverage their arbitrage around personal data even further: how much more will advertisers pay for a list of people interested in whatever-the-f**k-it-is if they get the real identities too? If you know who everyone is, then you have much less risk to manage anyway. But the nightmare (for my clients anyway) is that they'll end up having to offer Facebook Connect as a login otherwise they get no customers, and then Facebook know exactly what customers are doing all of the time.
On the one hand, I think good for them. The banks are doing nothing sensible in this space: they are messing around with one-time-passowrds by SMS, EMV-calculators thingies and a variety of incompatible dongles, when they should be working on an industry standards-based infrastructure. But is it good for us to abdicate responsibility for identity infrastructure and hand the whole thing over to Facebook?
I love Facebook. I use it many time every week to keep in touch with friends and family. What they should be doing is introducing optional 2FA (to end the problem of "fraping", for one thing) and moving to an NSTIC framework to accept identities from identity providers that meet certain standards. So if I turn up at Facebook with a Barclays identity that says I'm Ziggy Startup, then that should be fine. Facebook don't need to know who I am, all they need to know that someone knows who I am. If they insist that they need to know my "real name", then it's because they expect to exploit this for commercial opportunity - it has nothing to do with protecting children.
These are personal opinions and should not be misunderstood as representing the opinions of
Consult Hyperion or any of its clients or suppliers
The English language version of this work is licensed under Creative Commons Attribution-ShareAlike 3.0 Unported License. If you wish to acquire the rights to make a foreign language translation of the work, please contact Consult Hyperion.
Please note that by replying in this Forum your comments become the property of Consult Hyperion and you assign all rights in your comment to us. Your comments may be edited for length and used online and in print but will always be attributed.
Meet us at:
- December 2013
- November 2013
- October 2013
- September 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- March 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- September 2012
- August 2012
- July 2012
- June 2012
- May 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010