7 Personal names on the surface may appear to be well defined and legally regulated, but in practice they show an amazing diversity (especially in multicultural settings) that make formalizations deeply problematic. See http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ for an interesting discussion about the real-world problems of assuming anything about what a personal name “is”. 2. Inform The adage “ online medi new forms o setting of hu Online id Social networ just 25 contac but it is relati they were sho Online iden accounts an addresses, a other online Many of the of different eBay profile The Facebo reflecting di persona may known to B mation an “on the Inter ia allow a hig of identificat uman face-to dentities rk of contacts a cts, they in turn ively easy to de ot, and commen ntities are bec nd online per a Facebook o e products an ese identities online servic e, showing th ook account m ifferent aspe y be less inte Blizzard Enter nd commu net nobody k gh degree of tion, docume -face commu and contacts-of n have 4442 co educe much p nts made on va coming incre rsonas. For or Google+ a nd services, s are interlinke ces. A PayPa e transaction might serve t cts of her li egrated with rtainment; an unication knows you ar anonymity a entation and unications and f-contacts of on ntacts. Within ersonal inform arious topics. easingly impo example, an account, an iT uch as the m ed. An email al account wi n history of th to tie togethe fe – hobbies an individua nd the gaming technolog re a dog” has and the possi tracking. No d private/pub ne of the autho this forum ide mation from the ortant. Man n individual Tunes accou massive multip l address may will be linked he user and t er many diffe s, sports, frie al’s offline id g persona ma gies s always been ibility to set u ormal intuitio blic environm ors on the phot entity is mostly e content of th ny people in might have unt, an eBay player online y be used as a to a bank ac he reputation erent commun ends, family, entity, but is ay itself have n of doubtful up alternate i ns about ide ments, are unr to-sharing site y defined by sh he images, loca today have a PayPal acc account, and roleplaying g a username o count, and it n she has acq nities of whic and work. at least tied e various disti l veracity. W identities, th entity, honed nreliable onlin e Flickr. While hared photogra ation and time a variety of count, a cou d subscription game World or password f t might also quired as a bu ch a person i The World d to the custo tinguishable i 10 While modern ey also allow in the social ne. the author has aphic interests, data of where distinct user uple of email ns to various of Warcraft. for a number be tied to an uyer or seller. is a member, of Warcraft omer identity dentities as a 0 n w l s , e r l s . r n . , t y a 11 participant in guilds and other friendships within the game.Some identities are deliberately fragmented. People regularly try to separate their work email account from their private account, often extending this to phone numbers and other ways of gaining access. Parents often instruct their children to never reveal their real names and addresses online. Online game characters or forum identities may be ways of ‘letting off steam’, and hence may require keeping them distant from the main social identities of their creator. This is in many ways a natural extension of our existing separate social personas, projected into online media. Maintaining this kind of separation requires not only the right technology but also some social and mental discipline, keeping the personas distinct. With the proliferation of identities – online as well as offline – growing demands are being placed on identity management systems and on the skills of the citizen. Identity management systems are the software (and institutional) systems that create and keep track of digital identities, as well as connect them to the attributes of their identity (such as resources they can access). These systems can range from simple password protections to complex systems maintaining traceability, data integrity, privacy, preferences, parental and institutional controls and interfaces to other identity management systems. However, unlike social identity management (i.e. how we act among other people) such systems are often inflexible and completely prohibit unplanned uses of identity (which often leads to users finding workarounds that might undermine security) while at the same time missing undesirable activities: they are ‘brittle’. There is little doubt that finding better forms of identity management is going to be a major research and investment area over the next decade as more and more people come online across the world and use new kinds of services. There might not just be competitive advantage in the right kind of identity management, but important social effects. For some identities, it is important that they can be tied in a verifiable way to the legal identity of a person. A PayPal account needs to be linked to a bank account, and the user must verify their identity and that they are the holder of the bank account in question. For other identities, the user might prefer that they be dissociated from their legal identity or entirely anonymous. Online anonymity can be an important component of personal privacy. For example, an individual maintaining a blog in which they expresses politically unpopular views, suffering a serious disease, or opinions that are critical of their employer may suffer grave repercussions if they lose the veil of anonymity. Hiding an identity is an aspect of privacy, but privacy is actually about controlling who can access an identity, not prevent all knowledge of it. Privacy is not absolute – there are sometimes ethical or legal reasons to limit it – but it is often highly desirable that people can control how their identity can be observed or used. Yet, from a practical standpoint enforcing privacy protection can run into the problem of getting the designers of new systems to build it in, making existing widespread systems privacy compliant, handling data that exists in a distributed but collectable form, enforcing the intended protection, avoiding making enforcement so costly that it prevents technological innovation (while Google can afford privacy compliance officers it is unlikely that a small start-up or open source hobby project can), and – perhaps most problematic – making the privacy protection fit the actual social norms of privacy. Given that actual privacy norms vary enormously between groups and develop organically it is likely that any formal system of privacy protection will be lagging social and technological change. “NightJack”: police blogger unmasked The police blog “NightJack” won the prestigious Orwell Prize for political writing 2009. The blog often expressed critical views related to the police and justice system. The author, a Lancashire detective constable, was unmasked by The Times after a landmark High Court ruling that stated that blogging was “essentially a public rather than a private activity” and that it was in the public interest to know who originated opinions and arguments. As a result, the constable was disciplined by the police force. This case illustrates the complicated relation between freedom of speech, accountability, anonymity, and risks of reprisals. 12 Trouble can also arise from inappropriate linkages between different snapshots of a single identity across time. A teenager may post pictures and make statements that later prove embarrassing – and, as recruitment officers increasingly Google job applicants, even career-hampering. In this case, a problem arises if people regard the earlier online expressions as relevant manifestations of an unchanging character. While information gleaned from researching a candidate online can often be relevant and highly useful, there is also a risk of self-fulfilling prophecies. If the person is shunned by employers because of something they have said or done, they may be unable to establish a track record to rehabilitate their reputation as a good employee. Furthermore, with the increasing persistence of identity-relevant information online, one cannot rely on the past being forgotten; it will, in some cases, instead have to be forgiven8 . These linkages also include the shadow of the future: in the future much of our present information will be available to people with vastly larger computational resources (making many current forms of encryption or security weak) and different values. While some of the uses they will put our personal information to will be neutral or positive from our perspective, others might not be so benign. Long-lived politicians today have to explain past policies that seemed to make sense at the time they were made but today appear deeply racist; in the future we might be similarly be held accountable for views or activities we currently find entirely moral. Worse, there is no guarantee that this information will not eventually be used by future governments or groups of ill intent. The claim that “if you have done nothing wrong you have nothing to worry about” presupposes that the accepted criteria for ‘wrong’ will remain the same. The response to this problem might not be to attempt to amplify privacy, but rather to recognize that the need to safeguard open societies and human rights grows with government power over individual lives. One particularly pernicious current possibility is online character assassination. The practises of libel and slander are as old the human species, but the online world offers new opportunities for their efficient implementation. It is easy to post material online anonymously, and material thus inserted may remain available for a very long time and the proficiency of the search engines will ensure that anybody who looks for information about the victim will be presented with the slanderous assertions. Even if the victim obtains a court injunction it may be difficult to remove the offending material, which might be posted on servers located in foreign jurisdictions. If the false information has spread it may even be impossible for the perpetrator to remove it from the net. There is, however, at least one important mitigating factor: just as the Internet makes it easier to disseminate slander, it also makes it easier to publish a rebuttal and to ensure that it will be seen by the relevant people. Unfortunately smears can be stickier than the truth: developing technologies and habits that help uncover slander is a major challenge for future social technology. Identity metasystems 8 The EU Commission draft framework for data protection policies famously states that people have a “right to be forgotten” (or rather, their personal data). The “Social network users’ bill of rights” http://cfp.acm.org/wordpress/?p=495 also includes “the right to withdraw”. Both documents however assume the personal data resides within the domain of some actor who can obey legal or customer demands. If personal information can be collected or inferred from the other information available online these rights may be of little use. The current legal case against Google in Spain where plaintiffs demand references to them to be removed from the search database is a case in point: even if it succeeds, it will not remove the references from other search engines, or from emerging future tools. http://news.yahoo.com/s/ap/eu_internet_right_to_be_forgotten 13 While digital identities within single systems are useful, it is common for people to wish to maintain their identities across many systems and institutions, ideally without having to authenticate themselves in countless different ways (consider the issue of password-re-use). Identity metasystems are interoperable architectures that allow users to manage collections of digital identities. Key roles within the metasystem are identity providers (issues digital identities), relying parties (entities that require identities, such as online services) and subjects (entities about whom identity claims are made, such as users, companies and organisations)9 . Existing examples are the identification systems sponsored by Microsoft (Passport), Yahoo, Facebook and Google where a single login gives access to many web services. A possible future example would be a metasystem linking a person’s legal identity, various email addresses and a bank account so that commercial and government relying parties could transact official business (e.g. paying taxes, making official requests, signing online contracts). At present few widespread identity metasystems exist. There are economic, technical and legal problems that need to be overcome. A likely scenario is that as society becomes more integrated online the demand for identity metasystems increases (due to the cumbersomeness of fragmented digital identities) and, since there are clear economies of scale, consolidation and competition leads to a few or a single metasystem. These global metasystems could very well be under the control of private foreign companies who would have unprecedented control over digital identity. Government-sponsored metasystems also pose interesting problems, as the globalisation of the digital world would mean many non-citizens would wish to join the national metasystem, essentially becoming digital subjects. However, past attempts at creating “federate authentication” have often failed, largely due to mismatched incentives between the stakeholders. In particular identity providers need to assume some liability, relying parties need to benefit from the system and users had legitimate worries about a single point of failure – if their master online identity was subverted, they would risk significant trouble10. If these issues can be solved (perhaps more a business problem than a technological one11) we might see the emergence of global metasystems; if not, online identities will continue to be fragmented. 9 While this structure was originally proposed by Kim Cameron at Microsoft Corporation (The Laws of Identity, 2005, http://msdn.microsoft.com/en-us/library/ms996456.aspx ) and is currently used in various implementations, the concepts of identity providers, relying parties and subjects is useful for our discussion regardless of their origin. 10 Ross Anderson, Can we fix the security economics of federated authentication? http://spw.stca.herts.ac.uk/2.pdf 11 J.D. Lasica, Identity in the Age of Cloud Computing: The next-generation Internet's impact on business, governance and social interaction, The Aspen Institute, 2009 Sorry, we’ve spilled your secrets The October 2007 loss of two disks containing child benefit data is just one example of how large data breaches can occur relatively easily. The discs, containing names, addresses, dates of birth of children, National insurance numbers, and bank details of approximately 25 million people in the UK, were sent by junior staff at HM Revenue and Customs to the National Audit Office as internal mail and were lost. No data fraud or identity theft appears to have occurred as a result of the loss. In January 2009 a security breach in Heartland Payment Systems (a US company) compromised up to 130 million credit cards. In this case a computer criminal was indicted for the attack, which had a clear profit motive. Other data leaks of note are the August 2006 AOL release of 20 million Internet search keywords that could be linked to particular users, the November 2008 leak of full contact details of British National Party activists and the 2010 Wikileaks “Cablegate” of 250,000 US embassy diplomatic cables. Each of these represents the loss of control over important aspects of identity (financial, interests, political views, international association), and were due to simple Identity pro personal inf identifiable involving te and as the n Identity met increasing ri Rate of repo accidentally r Control ov Press freedo propped up television ch of the Intern under press broader issu the issue o Approximat 2010, and th current pos communicat 12 India is pla http://www.t oviders have formation. B information ens of million number grows tasystems mig isks for sudde orted data los revealed. Data ver social sp om and own p by subserv hannels that a net, online m ure will be t ues of censor of the owne tely one half his number w ssessor of w tion and for t anning to issue timesonline.co a responsibil But as shown has been ac n or more pe s of online id ght if implem en, correlated sses (worldwid from http://da paces and i ership of the vient state-o are controlled media are bec tempted to r rship, which f ership of so of the UK p was rapidly g what is per the expressio e each of its 1.2 o.uk/tol/news lity for mana n in the figu ccidentally or eople are cur dentities a per mented badly d outbreaks o de) 2005-2009 atalossdb.org/ dentities e media are i wned media d by individu coming essen egulate or m fall outside th cial space, w population cu growing). T rhaps Britain on of individu 2 billion citizen /world/asia/a aging identiti ure below, th r maliciously rrently regula rson possesse amplify such of fraud or sa where person / important iss a, and some uals who are c ntial forums f manipulate th he scope of t which is no urrently uses This makes Fa n’s largest u ual identities. ns with biome article6710764 ies appropria he number of y disseminate ar occurrence es, such large h risks, limitin abotage that c nally identifyin sues for dem times also b close to the r for political d ese online fo this paper. A ow often co Facebook (th acebook, a fo unified socia etric ID, the M .ece ately, especial f reported in ed is very hig es. As larger breaches wil ng the usabili could affect a ng information mocracy. Ma by privately regime. With debate and ac orums. We Attention mu ncentrated i he UK had 2 oreign-owned al space for Multipurpose N lly when the ncidents wher igh. Even v r databases co ll become mo ity of global i a society deep n has been s any a dictator owned new h the growing ctivism. Regi will not here ust be drawn, in a few pr 26 million use d private cor r individual National Identit 14 ey are tied to re personally vast breaches ome online12 ore common. identities and ply. stolen, lost or rial regime is wspapers and g importance imes that are e discuss the , however, to rivate hands. ers as of July rporation the and public ty Card. 4 o y s 2 . d r s d e e e o . y e c Owners are of expressio or by disallo influenced: information to prevent b Many online discussion th implicit enfo to ‘safe’ top one’s online This can inc writing incr especially in precludes de Users often to cancel pla are likely to 13 Data from 14 Greg Last freedom of sp 15 http://www free to regul on and identit owing them controls ove can be linke bullying or se e games prev hreads, uploa orcement of pics without a e identity can clude control reasingly dem n cases of un eliberately an feel strongly ans to retain be contested http://www.f owka, Virtual peech in massi w.guardian.co.uk late social spa ty14. Overt e from signing er the kind o ed to what ot xually explici vent avatars a aded materia what is perce any formal (o be threatene ls on what ki manding that nusual handle onymous or y about their user data eve d, the more so facebook.com/ l Justice, Yale U ively multiple k/technology/20 Activ aces in nume exclusion of c g up) is a cru of content th ther informat it messages b and usernam l, groups or eived to be th or legally cha d by stepping inds of identi t users prov es. This is no fragmented i online identi en after they h o the greater /press/info.ph University Pre on-line role pl 009/feb/19/fac ve Facebook us erous ways, co certain peopl ude way. Th hat can be p tion. For exa by forcing com mes seen as u users can be the unstated r allengeable) r g out of line. ities users ex ve that their ot just linking identities. ities. After st had left the n the space’s im hp?timeline ess, 2010, Pete laying games, J cebook-persona sers13. ontrolling bo le or groups here are many posted, how ample, some mmunication nsuitable or deleted if th rules of the o regulation, jus xpress. Faceb screen nam g online iden trong protest network15. Ru mportance to er S. Jenkins, Journal of inte l-data oth what valu (either by mo y more subtl identities ca social spaces n through a li copyright inf hey are seen a owners. This st the chilling ook and Goo mes correspo ntities closer ts from its us ules governin o its users. The virtual w rnet law vol. 8 ue is created, oderators rem le ways the s an be expres s for kids hav imited pre-se fringing. Th as unsuitable can limit fre g effects of k ogle+ are at ond to their to legal iden sers Faceboo ng the use of world as a com 8:1, july 2004 15 and freedom moving them space can be ssed or what ve attempted t vocabulary. he threat that e also acts an ee expression knowing that this point of real names, ntities; it also k was forced social spaces