Identity, Privacy, and Accountability
I hope this post doesn’t upset too many privacy-loving people. And perhaps I’m being naive in my thinking. It’s hard to tell these days. Apologies if you find the post unnecessarily redundant to some degree.
OK. So, a short statement to get people’s attention, since this will likely be a fairly long post:
Privacy and trust are mutually exclusive on the Internet.
Now, privacy is something I don’t think I need to expound on too much. Trust, on the other hand, is a word that people constantly use to mean different things. There’s the traditional definition within a social context, there’s PGP’s web of trust, there’s “trusted computing,” (eww) etc, etc.
Let’s assume for the sake of argument that privacy is one’s ability to control who has one’s personal information and to control how much of it they have. And let’s assume trust is another party’s ability to use that information to determine whether this person should be allowed to perform some action.
Ben Laurie posted awhile back that an identity management system should be ‘verifiable,’ ‘minimal,’ and ‘unlinkable.’ And really, in a way, this post is just me saying, “That’s probably a pipe dream.”
Verifiability is the easy part of his three requirements. Of course, there’s no such thing as 100% verifiability, because there have been plenty of cases where people have managed to adopt entirely new identities, complete with new names, birth certificates, valid social security numbers, driver’s licenses, mortgages, jobs, the whole kit and caboodle. If that’s possible offline, then perfect verifiability on the Internet is a near impossibility. But good enough verifiability is comparatively easy.
It’s the other two requirements that are the problem. Minimality would be realistic if it weren’t for the ability to link. Linking breaks minimality quite thoroughly, and unfortunately (or fortunately, depending on how you view the issue) linkability is simply not something you can prevent. Attempting to prevent it is as futile as trying to prevent the copying of digital music.
By way of example, let’s consider a couple very possible, even likely cases.
First, we have Alice. Alice is a paranoid privacy nut. She uses Tor everywhere she goes, and she subscribes to services with disposable email addresses. She makes liberal use of encryption technologies.
Second, we have Bob. Bob is careful with his personal information, giving out his email address only when necessary. He occasionally uses his credit card to make purchases online.
And finally, we have Carl. Carl uses a really good spam blocker, and then signs up for every “Web 2.0” service in sight. He blogs, and posts his email address on his website, within a mailto: link no less. He’s even got a FOAF document that lists his phone numbers.
Now… first off, here’s a question: Which of these three people is the most trustable? Note that I just made up a word. “Trustworthy” means “Warranting trust; reliable.” And that’s not quite what I’m talking about. I mean, from the perspective of a computer system, which of those three people are you most willing to take a calculated risk with? Because that’s essentially what trust is. A calculated risk based on past history or visible indicators.
Personally, I would have said Carl. Your answers may vary, depending on your prejudices. But here’s why I pick Carl: Accountability. Carl has a heck of a lot more to lose if he does something untrustworthy. Alice has the least to lose, and Bob falls somewhere in the middle.
If Alice does something bad, she has effectively no legal liability because she’s been so careful to never give out legitimate personal information that can be tracked back to her. Likewise, the time she needs to rebuild a new identity is quite low. She gets a new disposable email address, and probably a new key generated with GPG, and she’s recovered. The key might be an emotional loss, but probably not too bad in terms of time, especially if no one signed the thing. And since she’s been so careful about personal information, it’s likely she never showed a photo ID to anyone signing her key. Actually, any signatures on her key were probably questionable in the first place.
Bob, on the other hand, has an email address being given out, and email addresses (not to mention SHA-1 hashes of email addresses) make for great inverse functional properties. Just ask the FOAF folks. So linkability can come into play here. If Bob just did something untrustworthy, service providers now have identifying information with which to decide not to trust Bob in future. And of course, Bob is also open to legal repercussions, assuming his untrustworthy action was also illegal and subpoenas get handed out in the quest to link Bob’s email address to other, more useful forms of identification. Not necessarily good for Bob, but it does mean that he’s more trustable than Alice.
But Carl… Carl actually has something really valuable to lose if he does something untrustworthy. Carl has a reputation at stake, especially because he’s a blogger. If Carl does something untrustworthy, there may even be negative repercussions in the form of angry mob justice. As far as I’m concerned, that makes him the most trustable of the three. It can take a lifetime to rebuild a broken reputation, and I’m willing to bet Carl won’t risk that, especially if the potential gains are minimal, which is typically (though obviously not always) the case when it comes to untrustworthy actions on the Internet.
So… the point. Privacy is a nice idea. It sounds great in theory, and people always ought to have a right to choose privacy if that’s really what they want. But since private information cannot be made private again once it’s revealed, and since ‘data linkability’ is becoming easier and easier as the days go by, privacy is going to become more difficult to maintain as technology advances. And, more importantly, I’m not sure it’s really the right choice in the first place. I personally cannot establish sufficient trust with someone who demands complete privacy because the repercussions for betraying my trust simply aren’t high enough.
On the Internet, trust and usefulness go hand in hand. Write actions are where the real usefulness of the web lies. Read actions usually require very little trust, and most people are quite content to allow anonymous users to read content without establishing any formal trust relationship. (Things like bank accounts, obviously… not so much.) But obvious abuses of systems such as blogs (in the form of comment spam) have meant that people are much more reluctant to allow write actions without some level of accountability. Weblogs, Inc. verifies your email address before you can comment, for example.
And as that type of practice becomes more common, it’s going to mean that participating in conversations will require increasing levels of publicity instead of privacy. (I almost wanted to say, “Privacy considered harmful,” but I don’t think anyone’s ready to go there yet. Myself included.) I think it would be most accurate to say that we should expect that privacy should be the exception, not the rule going forward.
In other words, complete privacy in an identity system really just makes the whole system worthless.
Update: Ben’s got a good reply.
It’s not that privacy and trust are inverse; rather, exposure and trust are linked. If I want you to trust me, I have to expose myself to you (forgive my choice of terms).
Privacy means limiting your exposure to the public—or to anyone you don’t intend.
The CIA has an incredibly high level of trust for its spies. That’s because, although they are extremely careful about privacy in general, they have thoroughly exposed themselves to their superiors.
If we want both privacy and trust, we need to find ways to pinpoint our exposure to those people whom we want to have trust us.
Hi Jeremy.
Alright, a tad complicated because you altered my definitions a bit, but…
I think you’re effectively taking the exact same stance that Ben Laurie had. See, really what I’m arguing, is that you have two choices: either complete privacy, or effectively none at all (with varying shades of the illusion of it). And given that, you’re faced with two corresponding choices: to be untrustable, or trustable.
My point is, limiting exposure is an utter impossibility in an environment where linking inverse functional properties is trivial (i.e., given your email address, with enough effort, I may eventually dig up your phone number, or far more likely, your website). If you give me even the tiniest sliver of information (possibly even by visiting my webpage with a static IP address, though this is a notoriously unreliable method of identification—see RIAA) I may be able to expose just about everything. If that kind of thing is possible (and it is), then you cannot have both privacy and trust, because there’s no truly effective way to limit exposure.
Also definitely worth noting, that when I said ‘identity management system’ I was thinking in terms of a single sign-on system. So that’s effectively the general public. Considering that you said, “Privacy means limiting your exposure to the public—or to anyone you don’t intend,” I think my argument still holds.
Bob Aman says: “Privacy and trust are mutually exclusive on the Internet.” This could be a really toxic assertion, the sort of thing that would brighten the hearts of those who want to turn the NSA loose on everyone’s communications. However, what Bob really wants to do is examine the practical aspects of trusting people online. I can’t do justice to his entire argument here, but I do want to single out one interesting point concerning reputation.