The CEO of Russia's No. 1 anti-virus package has said that the internet's biggest security vulnerability is anonymity, calling for mandatory internet passports that would work much like driver licenses do in the offline world.
[From Security boss calls for end to net anonymity • The Register]
What he means by this is that he wants a technologically complicated and expensive solution to be implemented so that ordinary people are inconvenienced to the maximum while criminals can roam free (which is what would happen). Creating such an asymmetric solution is not the way forwards: for one thing, who would decide what to censor?
A little local controversy involving the Church of Scientology and its critics could lead to curbs on the right to anonymity of anyone using the web.
[From Scientology seeks to squash anonymity • The Register]
We already have experience of this "solution" in the UK. Laws giving a wide variety of bodies the ability to monitor CCTV, the internet, phone calls and everything else, which were supposed to save us from international terrorism, are used by local councils to stop people from trying to get their children into better schools and to check that people are recycling enough of their rubbish. I'm sorry, but creating a world in which anyone can read anyone else's e-mail, track anyone else's web browsing, see what anyone is reading is not the way to stop Russian virus writers from taking over everyone's PCs. We need an identity infrastructure.
Why are these knee-jerk calls for Internet passports wrong? More to the point, why don't the proponents argue for CCTV cameras in all living rooms, policemen standing at all ATMs (oh, wait…) and the abolition of envelopes, forcing all the post onto postcards (after all, if you've got nothing to hide…)? There's a paradox at the heart of the calls for internet monitoring and control.
But people generally want anonymity for themselves, not for drug-dealing nazi child pornographers. Therefore people won't accept anonymous infrastructure: they expect "the authorities" to be able to track down miscreants… So if people don't want anonymity for other people, but do want it for themselves, then some form of conditional anonymity, pseudonymity or escrow must form the only acceptable compromise.
[From Digital Identity Forum: Anonymity as substrate]
As has been consistently pointed out (by Ben Laurie in particular) the internet isn't anonymous enough as it is, but unless it is anonymous then anything you want to put on top of it can be folded, spindled and mutilated. There is a better way: an anonymous internet with pseudonymous identities interacting on top of it.
It should be entirely reasonable for someone to have a portfolio of identities that they use for different purposes. The essence of the "little sister" society (in stark contrast to the "big brother" society) is that you should be able to do what you like with your identities, but if you get up to no good then "little sister" will tell.
[From Digital Identity Forum: Chinese whispers]
Hard cases make bad law, as the saying goes. The fact that some people do bad things because they are anonymous does not mean that removing anonymity will make things better. I'd like to be able to set my e-mail to reject all messages that are not digitally signed with a certificate that I am happy to accept: this is not the same as saying that I need to know who everyone who emails me is. You could send me an email saying that you are Donald Duck, signed with a Citibank certificate. I'd be happy to accept this: I don't know who you are, but I know that Citibank do, and I trust them. There's a difference between someone knowing who you are, and everyone knowing who you are (which is the same as the government knowing who you are).
These opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public.