Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

Pseudonyms are for everyone!

Too many analyses of Google's and Facebook's Real Names policy take a narrow view of pseudonyms, conceding only that they may benefit for example "[dissidents] in Egypt, China, colonial America [and] whistle-blowers inside corporations and labour unions" (see Berin Szoka's "What's in a Pseudo-name?").

There's evidently a belief that regular upstanding citzens have no need for pseudonyms, and a veiled suspicion that wanting one means you must have something to hide. Yet in truth, a great many ordinary Internet users have developed pseudonymous habits to protect themselves in the Wild West that is cyberspace today.

To frustrate the efforts of junk mailers and spammers, it's standard practice amongst many to use multiple e-mail addresses, or to fib about their location or their age when filling in forms. And where does the Real Names creed leave all the advice we've been giving our kids for years in social networking, to hide their age, their location and any identifying details?

It's important for everyone -- not just Mid-Eastern freedom fighters -- to have the autonomy to represent themselves how they like social settings.

What a twisted world is cyberspace these days! Think about it: Why the hell is the onus on users to defend their use of nicknames, when it ought to be the informopolies that justify imposing their self-serving rules on how we users refer to ourselves? We don't go around in public with our 'real names' tattooed on our foreheads! No "Social network" should be dictating how we socialise!

Posted in Social Networking, Privacy, Nymwars, Internet, Identity

Calling for a moratorium on SM facial recognition

Further update 27 Nov 2012: It is reported that new facial recognition services invite you to upload photos to find look alikes in pornography. That is, you can find out if the "girl next door" has a secret life. It's such an egregious threat to privacy that I call again for a moratorium on facial recognition. Mine will not be a popular nor politically correct view, but I reckon this technology is so intrinsically unsafe that we should suspend its use while we agree on ways to control its application.

I'd like to see a moratorium on commercial facial recognition.

It should be of acute concern that photos originally uploaded for personal use are being rendered personally identifiable, and put to secondary purposes by social media companies, who are silent in their Privacy Policies about what those purposes might be. The essence of privacy is control, and with facial recognition, people are utterly impotent: you might be identified through FR by virtue of being snapped at a party or in a public place by someone you never even met.

It’s clear that sites like Facebook have facial recognition bots poring over their image libraries, because this is how they generate tag suggestions. Crucially, when a user asks for a tag to be removed, Facebook does not automatically remove the underlying template that joins the distilled biometric data to the user’s name. That requires a separate and obscure request not mentioned in their Privacy Policy.[Update August 2012: earlier this year, Facebook made welcome changes. More information is provided now about facial recognition, and when tag suggestions is turned off, templates are indeed deleted. Their Privacy Policy however still leaves much to be desired for it does not restrain Facebook's secondary use of biometric templates.]

Identifiable faces in photos are an incredible resource. Combined with image analysis for picking out features like place names, buildings and logos, FR enables social media companies to work out countless new connections to add to their commercial lifeblood. They will be able to work out what we like - the brands we wear, cars we drive, the phones we use, airlines we fly, the places we frequent - without us having to expressly 'Like' anything.

Many users may be unaware of the rich metadata that goes with their photos and which then supercharges their linkages, including data about when a photo was taken, and in many cases where, thanks to GPS or geolocation in their camera phones. And then there is the metadata that the social media service adds, like the name of the user who uploaded the files. And from now on, who else is in it.

By encouraging its members to tag their friends, and then making tag suggestions which are validated by their subjects, Facebook is crowd-sourcing the calibration of its FR algorithms. Even if users are wily enough to have the templates deleted, at the very least Facebook still benefits from the learning to improve its mathematics. All this volunteer testing and training by Facebook’s members is another example of the unfair bargain and false pretenses under which Facebook harvests Personal Information.

As we're seeing in Europe, it appears that current Data Protection laws will put the brakes on facial recognition. There is a straightforward threshold issue: facial recognition converts hitherto anonymous image data into Personally Identifiable Information (in enormous volumes) and thus OECD style Privacy Principles apply. The custodians of this PII must in many jurisdictions account for the necessity of collecting it, they must limit themselves in how they use & disclose it, and they must be transparent in their Privacy Policies about these matters. Collection and use of biometric data may also be subject to consent rules; it may be necessary for individuals to consent in advance to the creation of biometric templates, which is a thorny issue when so many photographs in Facebook were taken by other people and uploaded without the subjects even being aware of it.

Where is all this heading?

Automated facial recognition is a lot like granting social media companies x-ray vision into millions and millions of personal photo albums. As the FR bots do their work, it’s equivalent to magically tattooing names onto the foreheads of people in the photos. And then they can figure out where everyone was, at different points in time, who they were hanging with, and what they were doing. In effect, social media companies can stitch together global surveillance tapes.

Today those "tapes" will be patchy, but they will become steadily more complete and detailed over time, as users innocently upload more and more imagery, and as the biometric efficacy improves.

Posted in Social Networking, Social Media, Privacy, Biometrics

Other thoughts on Real Names

I'm going to follow my own advice and not accept the premise of Google's and Facebook's Real Names policy that it somehow is good for quality. My main rebuttal of Real Names is that it's a commercial tactic and not a well grounded worthy social policy.

But here are a few other points I would make if I did want to argue the merits of anonymity - a quality and basic right I honestly thought was unimpeachable!

Nothing to hide? Puhlease!

Much of the case for Real Names riffs on the tired old 'nothing to hide' argument. This tough-love kind of view that respectable people should not be precious about privacy tends to be the preserve of middle class, middle aged white men who through accident of birth have never personally experienced persecution, or had grounds to fear it.

I wish more of the privileged captains of the Internet could imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. And as Identity Woman points out, we're not just talking about resistance fighters in the Middle East but also women in 21st century America who are pilloried for challenging the sexist status quo!

Some have argued that people who fear for their own safety should take their networking offline. That's an awfully harsh perpetuation of the digital divide. I don't deny that there are other ways for evil states to track us down online, and that using pseudonyms is no guarantee of safety. The Internet is indeed a risky place for conducting resistance for those who have mortal fears of surveillance. But ask the people who recently rose up on the back of social media if the risks were worth it, and the answer will be yes. Now ask them if the balance changes under a Real Names policy. And who benefits?

Some of the Internet metaphors are so bad they’re not even wrong

Some continue to compare the Internet with a "public square" and suggest there should be no expectation of privacy. In response, I note first of all that the public-private dichotomy is a red herring. Information privacy law is about controlling the flow of Personally Identifiable Information. Most privacy law doesn't care whether PII has come from the public domain or not: corporations and governments are not allowed to exploit PII harvested without consent.

Let's remember the standard set piece of spy movies where agents retreat to busy squares to have their most secret conversations. One's everyday activities in "public" are actually protected in many ways by the nature of the traditional social medium. Our voices don't carry far, and we can see who we're talking to. Our disclosures are limited to the people in our vicinity, we can whisper or use body language to obfuscate our messages, there is no retention of our PII, and so on. These protections are shattered by information technologies.

If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tatooing peoples' names on their foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit.

Medical OSN apartheid

What about medical social networking, which is one of the next frontiers for patient centric care, especially of mental health. Are patients supposed to use their real names for "transparency" and "integrity"? Of course not, because studies show participation in healthcare in general depends on privacy, and many patients decline to seek treatment if they fear they will be exposed.

Now, Real Names advocates would no doubt seek to make medical OSN a special case, but that would imply an expectation that all healthcare discussions be taken off regular social circles. That's just not how real life socialising occurs.

Anonymity != criminality

There's a recurring angle that anonymity is somehow unlawful or unscrupulous. This attitude is based more on guesswork than criminology. If there were serious statistics on crime being aided and abetted by anonymity then we could debate this point, but there aren't. All we have are wild pronouncements like Eugene Kaspersky's call for an Internet Passport. It seems to me that a great deal of crime is enabled by having too much identity online. It's ludicrous that I should hand over so much Personal Information to establish my bona fides in silly little transactions, when we all know that data is being hoovered up and used behind our backs by identity thieves.

And the idea that OSNs have crime prevention at heart when they force us to use "real names" is a little disingenuous when their response to bullying, child pornography, paedophilia and so on has for so long been characterised by keeping themselves at a cool distance.

What’s real anyway?

What’s so real about "real names" anyway? It's not like Google or Facebook they can check them (in fact, when it suited their purposes, the OSNs previously disclaimed any ability to verify names).

But more's the point, given names are arbitrary. It's perfectly normal for people growing up to not "identify with" the names their parents picked for them (or indeed to not identity with their parents at all). We all put some distance between our adult selves and our childhoods. A given family name is no more real in any social sense than any other handle we choose for ourselves.

Posted in Social Media, Security, Privacy, Nymwars, Internet, Identity, e-health, Culture, Social Networking

Real names is real sly

In a favorite West Wing episode, the press secretary advises VP running mate Leo McGarry that he doesn't have to "accept the premise of the question". Let's remember this when engaging with the self-appointed social scientists and public policy makers at Google, Facebook et al who insist we use "real names" on the Internet.

It's terrific that Google’s Real Names policy has been soundly rebutted so widely, with earnest and worthy defences of the right to anonymity. I especially like the posts by Identity Woman, Dana Boyd, and Alexis Madrigal at The Atlantic who compellingly relates how his own position shifted on the questions as he thought them through.

But at the same time I am disappointed so many defenders of freedom have been drawn into arguing the pros and cons of "transparency". The Namesake infographic (which dates from May, before the Real Names furore broke out, and was reprised by Mashable last week) dumbs down the debate by accepting it as a fight between extremes. Frustratingly, it grants legitimacy to Zuckerberg’s mad ideas that having two identities shows a lack of integrity.

As an aside, using the label "transparency" sub-textually reframes identity with a pro-Real Names bias, especially when juxtaposed against "anonymity" which sounds shady. Is it really fair to call it "transparency" when forcing people to reveal more than is necessary about themselves when they’re socialising?

This issue is really not about transparency at all. Let’s say loud and clear: the Real Names policies of Facebook and Google+ are self-serving commercial tactics intended to maximise the commercial value of their networked stores of Personal Information.

Obviously these informopolies add more value to their network data when they can index it with precision. The use of multiple personae disaggregates the metadata held by OSNs and reduces its value to advertisers and all other PI pirates. In fact reserving the right for individuals to disaggregate their PI is one of the cornerstones of information privacy. Thus in Australia we forbid businesses from reusing government-issued identifiers like Medicare numbers and driver license numbers.

We should not accept the premise that a Real Names policy serves any user-positive purpose, like "transparency", or that it forces better integrity in how people conduct themselves socially. The idea that bloggers are less than honest when not named is, ironically, utterly devoid of social nuance. At every turn, we instinctively compartmentalise our personae, revealing what matters when we interact in different circles – home, work, social, medical – and instinctively holding back what doesn't.

"Online Social Networks" should not seek to change the way we socialise.

We must not allow gurus like Zuckerberg get away with self-serving philosophies like 'we all have one true identity'. He really has no deep insights into the human condition. What he has is a mind-boggling personal fortune based entirely on knowledge about people he has harvested on largely false pretences, and which is diluted when those people are allowed to name themselves socially as they do in real life.

Posted in Privacy, Nymwars, Language, Internet, Identity, Culture, Social Networking