To protect society’s greater good, we willingly live with certain restrictions. We must show a photo ID and have our bags searched to travel by air. We must register vehicles and have a license to drive a car. To enter the country, we need a passport. Soon, to surf cyberspace we’ll need valid IDs. E-mail won’t get through to recipients unless the sender’s domain can be authenticated. All payloads (content and attachments) will be searched, verified, and confiscated if considered a security risk. Anonymity, for all practical purposes, is dead.
Anonymity will become as rare online as it is in the physical world. Sure, you can remain anonymous. But you won’t be able to participate in discourse or community activities in a meaningful way.
Two weeks ago, at the RSA Conference in San Francisco, Bill Gates gave the opening keynote and outlined Microsoft’s strategy for combating the constant security attacks on the Windows operating system. It offered a view into a future where security is no longer an afterthought, and ID checks are a staple of online life.
From a historical perspective, demands for better, more secure authentication in cyberspace follow a predictable pattern. Consider the evolution of another important communications infrastructure: air travel. Not long ago, you only needed a valid ticket to board an airplane. It didn’t even have to have your name on it, so long as the fare was paid. A ticket was proof of payment. There were no security checkpoints and no ID checks.
Then people realized they could board airplanes carrying guns and explosives and hijack the planes. The response was to erect barriers making that much more difficult.
Yet checking bags isn’t enough. Travelers are now asked for government-issued identification. Gate agents make sure the picture and name on the ID matches the face of the person checking in and the name on the ticket. Behind the scenes, a more detailed check is occurs. Travelers’ identities are matched against a database of known or suspected people who may represent a threat. When we travel, we’re effectively compared to a blacklist.
Air travel is safer, but anonymous travel is over. No longer can we use this infrastructure without revealing who we are and allowing airlines to run background checks on us.
The Internet’s evolution has striking parallels. Both the Internet and air travel infrastructures started as insecure and unregulated. Both expanded to become mission-critical to the way we communicate and conduct business. Both were abused due to security vulnerabilities. If we follow the analogy to its natural conclusion, travel through cyberspace will soon require a valid ID.
Metaphorically, this is not far from the evolving reality. Microsoft, Yahoo, and others recently proposed authentication schemes for email. Unless senders are willing to be authenticated, their messages will have an increasingly difficult time getting through. Being an anonymous email sender will be very difficult 12 months from now.
This may be fine if you have nothing to hide or protect. Yet most of us do. I have a business identity that doesn’t include elements of my private identity. I have a shopping identity apart from the other two. I may not want people or organizations I engage with to know whom I work for, or what I do for a living. My shopping identity reveals certain things to the companies I shop with, but there are many pieces of personal information I don’t want retailers to know.
An average Internet user has 2.1 email addresses. Think of each email address as a separate identity, much like a user name on eBay. Multiple identities don’t provide anonymity, nor full disclosure. What they offer is pseudonymity.
Each email address is a pseudonym, an identity that maps back to a real person. A third-party acts as an intermediary, protecting the person’s true identity from multiple pseudonyms. These mappings may or may not be available for all to see. Pseudonyms can protect our real identity while providing accountability.
Marketers must realize they know their customers only as pseudonyms. People increasingly know one another online as pseudonyms as well. Can we build a relationship with and trust a pseudonym? Certainly, if it has a history, a reputation, or a trusted agent’s backing.
A trusted pseudonym can act just like a trusted identity. It can send email without being suspected of being a spammer or deliver a payload I can install and run on my computer. A pseudonym can earn the right to be trusted not to threaten security or abuse public resources.
To secure cyberspace from attacks and abuse we need accountability. Anonymity and accountability don’t go well together. If we don’t know if somebody behaved badly in the past and therefore represents a security threat, holding that person accountable for his behavior is impossible.
Anonymity is problematic, but the response cannot be that people must reveal their true identities in all situations. Knowing our identities are protected is a basic value in cyberspace that should be protected. Give it up and we compromise the Internet as a place for private exploration, and free and open discourse.
Pseudonymity bridges the gap between anonymity and accountability. With pseudonymity I may not know who you are, but someone does. That’s good enough. If I can trust the entity that protects your identity, I can trust you.