I’m authentically not real

According to Sheryl Sandberg, Facebook’s chief operating officer, and Richard Allan, its director of policy in Europe, a critical mass of people only want online interactions supported by “authentic” identity.

[From Online identity: is authenticity or anonymity more important? | Technology | guardian.co.uk]

They’re not even wrong about this. Authenticity and anonymity are not on the same axis. My Facebook profile is entirely authentic, it just doesn’t share my mundane non-unique sort-of-identifier (i.e., name). So what? Why would anyone need to know that my Facebook profile is in my “real name”? Well, apart from people who want to harass children, for example…

In an recent investigation, the TV station MSNBC found that many university sports departments now require students to “friend” their coach, giving officials access to their “friends-only” posts.

[From 12-year-old US girl suing school over Facebook comments row – Telegraph]

It’s really interesting to see how the “etiquette” around this is evolving. I picked up on it a few years ago and had the feeling then that the way the Facebook generation see identity will redefine they way society as a whole will come to see it in time, which is why attempts to force “old” identity notions on to them are doomed.

The kids aren’t stupid: they live in that world and they can distinguish their multiple virtual identities. Faced with a privacy violation that undermines a virtual identity, they slash and burn.

[From Digital Identity: Bring it on]

Quite. And why shouldn’t they? Why shouldn’t I have two Facebook identities, one for my work friends and one for my friends and family? And if want them to be able to connect me, then that should be up to me. I can easily have an identity that is authentic and anonymous.

The issue here isn’t anonymity. It’s privacy. Facebook should be looking at ways to deploying Privacy Enhancing Technologies (PETs) as part of its fundamental infrastructure. This is at the heart of my view of digital identity: that the only way to meet the requirements for security and privacy is stop seeing them as opposites or countervailing forces to be balanced, but as the simultaneously achievable goals of a properly designed identity infrastructure.

Many people do think eID could and should be implemented without full identification, i.e. more granular disclosure with pseudonymity – see e.g. Dave Birch’s brilliant and very readable paper “Psychic ID: A blueprint for a modern national identity scheme” (PDF).

[From Tech and Law: PETs – Stephan Engberg’s response]

So this is what I’m going to talk about on Friday: why Dr. Who should be our national design authority for identity infrastructure for 21st century because Dr. Who (and not Martha Lane Fox or the Cabinet Office) has a narrative about the future of identity, authentication and credentials that everyone can understand and buy into. And he’s already shown us that he uses NFC. We’ll see how it goes.

But back to the problem space. If my Facebook profile is the name of Ziggy Startup, and all my friends know this, then what’s the problem? It’s not really anonymous is any sense: if Ziggy Startup starts making off illegal posts, then it won’t take long for the police to get a warrant for the IP address and password and Ziggy will be off down the nick.

A man was jailed yesterday for posting videos and messages mocking the deaths of teenagers including a girl who threw herself under a train.

[From Internet ‘troll’ jailed for mocking dead teenagers on Facebook – Telegraph]

These people are pathetic, revolting and deserve the appropriate penalties, but they’re not a reason to make a fundamental and unrecoverable mistake in the design of the future online world. Since we don’t have a national narrative around the future of identity, it’s been abandoned to competing national security and commercial imperatives. Indeed, some observers would say that this is what’s really going on with all the fuss about “real” names at the moment.

Is it possible that free and expressive social logons will take over where bank and government identities have failed to interoperate? Or will the higher risk management standards of serious online transactions remain beyond reach of the cyber brands?

[From A new theory of digital identity – Networks – SC Magazine Australia – Secure Business Intelligence]

The battle over “authentic” identities is a power struggle. If the social networks are able to enforce it (I’ve no idea how they might do this, but let’s say they can) then they have a fantastic business opportunity because they will be able to leverage their arbitrage around personal data even further: how much more will advertisers pay for a list of people interested in whatever-the-f**k-it-is if they get the real identities too? If you know who everyone is, then you have much less risk to manage anyway. But the nightmare (for my clients anyway) is that they’ll end up having to offer Facebook Connect as a login otherwise they get no customers, and then Facebook know exactly what customers are doing all of the time.

On the one hand, I think good for them. The banks are doing nothing sensible in this space: they are messing around with one-time-passowrds by SMS, EMV-calculators thingies and a variety of incompatible dongles, when they should be working on an industry standards-based infrastructure. But is it good for us to abdicate responsibility for identity infrastructure and hand the whole thing over to Facebook?

I love Facebook. I use it many time every week to keep in touch with friends and family. What they should be doing is introducing optional 2FA (to end the problem of “fraping”, for one thing) and moving to an NSTIC framework to accept identities from identity providers that meet certain standards. So if I turn up at Facebook with a Barclays identity that says I’m Ziggy Startup, then that should be fine. Facebook don’t need to know who I am, all they need to know that someone knows who I am. If they insist that they need to know my “real name”, then it’s because they expect to exploit this for commercial opportunity – it has nothing to do with protecting children.