Pseudonyms are for everyone!
Too many analyses of Google's and Facebook's Real Names policy take a narrow view of pseudonyms, conceding only that they may benefit for example "[dissidents] in Egypt, China, colonial America [and] whistle-blowers inside corporations and labour unions" (see Berin Szoka's "What’s in a Pseudo-name?").
There's evidently a belief that regular upstanding citzens have no need for pseudonyms, and a veiled suspicion that wanting one means you must have something to hide. Yet in truth, a great many ordinary Internet users have developed pseudonymous habits to protect themselves in the Wild West that is cyberspace today.
To frustrate the efforts of junk mailers and spammers, it's standard practice amongst many to use multiple e-mail addresses, or to fib about their location or their age when filling in forms. And where does the Real Names creed leave all the advice we've been giving our kids for years in social networking, to hide their age, their location and any identifying details?
It's important for everyone -- not just Mid-Eastern freedom fighters -- to have the autonomy to represent themselves how they like social settings.
What a twisted world is cyberspace these days! Think about it: Why the hell is the onus on users to defend their use of nicknames, when it ought to be the informopolies that justify imposing their self-serving rules on how we users refer to ourselves? We don't go around in public with our 'real names' tattooed on our foreheads! No "Social network" should be dictating how we socialise!
Posted in Privacy, Nymwars, Internet, Identity, Social Networking
Other thoughts on Real Names
I'm going to follow my own advice and not accept the premise of Google's and Facebook's Real Names policy that it somehow is good for quality. My main rebuttal of Real Names is that it's a commercial tactic and not a well grounded worthy social policy.
But here are a few other points I would make if I did want to argue the merits of anonymity - a quality and basic right I honestly thought was unimpeachable!
Nothing to hide? Puhlease!
Much of the case for Real Names riffs on the tired old 'nothing to hide' argument. This tough-love kind of view that respectable people should not be precious about privacy tends to be the preserve of middle class, middle aged white men who through accident of birth have never personally experienced persecution, or had grounds to fear it.
I wish more of the privileged captains of the Internet could imagine that expressing one's political or religious views (for example) brings personal risks to many of the dispossessed or disadvantaged in the world. And as Identity Woman points out, we're not just talking about resistance fighters in the Middle East but also women in 21st century America who are pilloried for challenging the sexist status quo!
Some have argued that people who fear for their own safety should take their networking offline. That's an awfully harsh perpetuation of the digital divide. I don't deny that there are other ways for evil states to track us down online, and that using pseudonyms is no guarantee of safety. The Internet is indeed a risky place for conducting resistance for those who have mortal fears of surveillance. But ask the people who recently rose up on the back of social media if the risks were worth it, and the answer will be yes. Now ask them if the balance changes under a Real Names policy. And who benefits?
Some of the Internet metaphors are so bad they’re not even wrong
Some continue to compare the Internet with a "public square" and suggest there should be no expectation of privacy. In response, I note first of all that the public-private dichotomy is a red herring. Information privacy law is about controlling the flow of Personally Identifiable Information. Most privacy law doesn't care whether PII has come from the public domain or not: corporations and governments are not allowed to exploit PII harvested without consent.
Let's remember the standard set piece of spy movies where agents retreat to busy squares to have their most secret conversations. One's everyday activities in "public" are actually protected in many ways by the nature of the traditional social medium. Our voices don't carry far, and we can see who we're talking to. Our disclosures are limited to the people in our vicinity, we can whisper or use body language to obfuscate our messages, there is no retention of our PII, and so on. These protections are shattered by information technologies.
If Google's and Facebook's call for the end of anonymity were to extend to public squares, we'd be talking about installing CCTVs, tatooing peoples' names on their foreheads, recording everyone's comings and goings, and providing those records to any old private company to make whatever commercial use they see fit.
Medical OSN apartheid
What about medical social networking, which is one of the next frontiers for patient centric care, especially of mental health. Are patients supposed to use their real names for "transparency" and "integrity"? Of course not, because studies show participation in healthcare in general depends on privacy, and many patients decline to seek treatment if they fear they will be exposed.
Now, Real Names advocates would no doubt seek to make medical OSN a special case, but that would imply an expectation that all healthcare discussions be taken off regular social circles. That's just not how real life socialising occurs.
Anonymity != criminality
There's a recurring angle that anonymity is somehow unlawful or unscrupulous. This attitude is based more on guesswork than criminology. If there were serious statistics on crime being aided and abetted by anonymity then we could debate this point, but there aren't. All we have are wild pronouncements like Eugene Kaspersky's call for an Internet Passport. It seems to me that a great deal of crime is enabled by having too much identity online. It's ludicrous that I should hand over so much Personal Information to establish my bona fides in silly little transactions, when we all know that data is being hoovered up and used behind our backs by identity thieves.
And the idea that OSNs have crime prevention at heart when they force us to use "real names" is a little disingenuous when their response to bullying, child pornography, paedophilia and so on has for so long been characterised by keeping themselves at a cool distance.
What’s real anyway?
What’s so real about "real names" anyway? It's not like Google or Facebook they can check them (in fact, when it suited their purposes, the OSNs previously disclaimed any ability to verify names).
But more's the point, given names are arbitrary. It's perfectly normal for people growing up to not "identify with" the names their parents picked for them (or indeed to not identity with their parents at all). We all put some distance between our adult selves and our childhoods. A given family name is no more real in any social sense than any other handle we choose for ourselves.
Posted in Social Media, Security, Privacy, Nymwars, Internet, Identity, e-health, Culture, Social Networking
Real names is real sly
In a favorite West Wing episode, the press secretary advises VP running mate Leo McGarry that he doesn't have to "accept the premise of the question". Let's remember this when engaging with the self-appointed social scientists and public policy makers at Google, Facebook et al who insist we use "real names" on the Internet.
It's terrific that Google’s Real Names policy has been soundly rebutted so widely, with earnest and worthy defences of the right to anonymity. I especially like the posts by Identity Woman, Dana Boyd, and Alexis Madrigal at The Atlantic who compellingly relates how his own position shifted on the questions as he thought them through.
But at the same time I am disappointed so many defenders of freedom have been drawn into arguing the pros and cons of "transparency". The Namesake infographic (which dates from May, before the Real Names furore broke out, and was reprised by Mashable last week) dumbs down the debate by accepting it as a fight between extremes. Frustratingly, it grants legitimacy to Zuckerberg’s mad ideas that having two identities shows a lack of integrity.
As an aside, using the label "transparency" sub-textually reframes identity with a pro-Real Names bias, especially when juxtaposed against "anonymity" which sounds shady. Is it really fair to call it "transparency" when forcing people to reveal more than is necessary about themselves when they’re socialising?
This issue is really not about transparency at all. Let’s say loud and clear: the Real Names policies of Facebook and Google+ are self-serving commercial tactics intended to maximise the commercial value of their networked stores of Personal Information.
Obviously these informopolies add more value to their network data when they can index it with precision. The use of multiple personae disaggregates the metadata held by OSNs and reduces its value to advertisers and all other PI pirates. In fact reserving the right for individuals to disaggregate their PI is one of the cornerstones of information privacy. Thus in Australia we forbid businesses from reusing government-issued identifiers like Medicare numbers and driver license numbers.
We should not accept the premise that a Real Names policy serves any user-positive purpose, like "transparency", or that it forces better integrity in how people conduct themselves socially. The idea that bloggers are less than honest when not named is, ironically, utterly devoid of social nuance. At every turn, we instinctively compartmentalise our personae, revealing what matters when we interact in different circles – home, work, social, medical – and instinctively holding back what doesn't.
"Online Social Networks" should not seek to change the way we socialise.
We must not allow gurus like Zuckerberg get away with self-serving philosophies like 'we all have one true identity'. He really has no deep insights into the human condition. What he has is a mind-boggling personal fortune based entirely on knowledge about people he has harvested on largely false pretences, and which is diluted when those people are allowed to name themselves socially as they do in real life.
Posted in Privacy, Nymwars, Language, Internet, Identity, Culture, Social Networking
Forget what they taught you about authentication
If you work in e-commerce and cyber security policy, law, regulations or strategy, you've almost certainly been taught the difference between "authentication" and "authorisation". One describes 'who you are' and the other what you're allowed to do. The dichotomy is at the heart of most network access control, and it informs almost all contemporary thinking about digital identity. And it's misguided.
I believe the sterile language of authentication and authorisation, especially the orthodox primacy of the former over the latter, has distorted the study of digital identity. By making authentication come first, the language cements the tacit assumption that we each have just one main identity, and it surfaces that core identity in all routine transactions. This is not a good starting point if we seek the right balance of security and privacy online.
Kim Cameron tried to shift this dichotomy with his "Laws of Identity" but sadly this particular subtlty never quite caught on. Cameron said that digital identity is "a set of claims made by one digital subject about itself or another digital subject". This means that a digital identity is really all about the attributes, breaking the nexus between authentication and authorization. Cameron recognised explicitly that this new view "does not jive with some widely held beliefs – for example, that within a given context, identities have to be unique". And that belief is indeed widespread: it's at the heart of the "nymwars" dispute that erupted over Google's and Facebook's Real Names policies. Unfortunately, for all the forcefullness of the "Laws", opinions about the number of identities we 'really' have remain polarised.
People have been confused about the 'real' identity versus digital for a long time. A dogmatic obsession with 'real' identity is what shoved PKI off the rails in the mid 1990s. There are purists who say PKI can only be concerned with identity, but we really need to move away from an absolutist view of authentication.
In the vast majority of routine transactions, parties are only interested in authorisation and not identity. Consider: pharmacists dispensing prescriptions don't "know" (let alone trust) doctors. Investors don't "know" a company's auditors. Airline passengers don't "know" the pilots nor the airframe safety inspectors. Bank customers don't "know" their tellers. Employees don't "know" who signs their pay cheques. The parties to these transactions may be mutual strangers and yet they obviously know enough about one another to be able to transact usefully. Each party has a dependable identity in a particular context. In context, they are not total strangers. We can conclude that identity-in-context is precisely the same thing as authorisation.
The idea that authentication and authorisation are different things is an artefact which, it seems to me, arose when 1970s era computer scientists started thinking about resource access control. The distinction does not usually arise in regular real world business, where all that matters in routine transactions is the credentials of the sender, in context.
Internet commerce is a collision of worlds: IT and business. And far too many of the default assumptions, language and sheer imaginings of technologists (like "non repudiation") have infiltrated our e-business paradigm. It's ironic because we're told incessantly that e-business and identity management are "not technology issues" and yet the received wisdom of digital identity has come from computer scientists!
In IT, "attributes" and authorisation are always secondary to identification and authentication. Yet the real world is subtly different. Yes, I identify myself with a primary authenticator like a drivers licence when I open a new bank account or join a video store. However, I never use that breeder ID again, for the bank and video store each provide me with new credentials; that is, new identities in their respective contexts.
Surely the authentication-authorisation split is unhelpful to the twin causes of Internet security and privacy. It exposes to theft more breeder identity information than is generally necessary, and it enables otherwise dispirate business to be joined up. The sooner we cement a new simplifying assumption the better: in most routine transactions, authorisation and not identity is all that matters.
Better clarity follows about what the real problem is with digital identity. For the most part, our important business attributes (and the ones that are most prone to ID, like account numbers, social security numbers and government identifiers) are grounded in conventional real world rules. They are issued by bricks-and-mortar institutions, and used online. The main problem is not with existing identity issuance processes; it's with the way perfectly good identities once issued are so vulnerable online. We usually present our ids as simple alphanumeric data, which are passed around through the matrix without any checks on their pedigree. So the real challenge is to preserve the integrity, authenticity and pedigree of the different identities we already have when we exercise them online. This is actually a straightforward technical issue, with readily available solutions using ordinary asymmetric cryptography. It is not at all necessary to engineer a whole new identity paradigm, changing the time-honored conventions by which meaningful context-specific identities are issued. We simply need to take the recognised identities we already have and convey them in a smarter way online.