There have been a few events in the past week that have made me revisit a theme that I’ve had in my head for most of the last 15 years: that one of the crucial elements that holds back the Internet is a standard verifiable identity for individuals on the net, but that much of the libertarianism that underpins the ethos of the online world stops it from happening.
The events, in no particular order: a friend and former colleague having his identity spoofed on Facebook; the general uselessness of traditional passwords; the news about Twitter introducing 2-factor authentication (and what little difference that will make); and a few examples in Microsoft where assumptions of how we deal with the world outside are based on individuals, not organisations or groups.
Without a standard way of identifying ourselves on the Internet, issues of identity, privacy and security will continue to provide a challenge; but if we are all uniquely identifiable on the net, then privacy to an extent disappears and the implications of having your identity stolen become even worse (potentially) than they are today.
Personally all of this poses a moral conundrum. In the physical world, I have still to be convinced about the need for identity cards – a scheme that raised its head in the last decade and seems to have fallen down again (although recent events in Woolwich and beyond might see the issue raised again in the name of “National Security”). My core argument against ID cards is how the hell do you issue them? How can you make the first pass at issuing everyone with a verifiable identity?
The response to that question seemed to be “get people to produce an existing form of ID like a passport or driving licence”, at which point I, ever the contrarian, would then question why, if people can already identify themselves, they needed another form of ID.
But in the online world, it’s not so easy to pull out a passport or driving licence (or even ID card) at points at which you need to be able to verify absolutely who you are. There are a number of authorities on the internet who lay claim to be able to do this (companies who issue security certificates, for example), but it’s difficult to entrust such important issues to competing private sector organisations (I realise there’s a huge moral debate there as to why, but this isn’t the time or place…)
As it is, we are left with a muddle; anonymity on the Internet is possible, but is it any use without verified identity? Without verified identity, fraud and identity theft are rife, and most folk don’t have the first clue about what’s really going on in terms of the way that services identify and share identity information about you (there’s a good exploration of that topic here).
I don’t have any answers, I’m afraid. But there are a few things that spring to mind:
- the concepts of privacy and anonymity that we have had are probably gone (it could be argued that they were something of an aberration in our history, a result of the anonymity associated with our move into cities in the industrial revolution)
- there are probably no purely technological solutions to any of this (and trusting that any security mechanism can’t be hacked either mechanically or socially is very dangerous)
- we really need to get more education of the general population about these issues, and not in a scare-mongering kind of way. Most people understand the reasons for locking their front doors…