As we move into the sixteenth year of this twenty-first century, we find the populace in many countries sharply polarized over many issues: political, religious, personal and even technological. Sometimes two or more of these get entwined and then we really have a mess.
In the IT world, two diametrically opposed trends are both growing stronger at the same time, and the resultant conflict is going to be difficult – if not impossible – to resolve. On one side is a growing desire for anonymity due to privacy concerns. On the other is a growing emphasis on better verification of identity for security enforcement. Both sides have legitimate concerns and make good arguments for their positions. In this article, I’m going to take a look at the rationale on both sides and whether and how the two can ever achieve peaceful coexistence.
I’m one of those people who has been online for a long time. Back in the 1980s, when I got my first Prodigy account, most of my friends didn’t even know what a modem was or understand how you could “talk to people through the computer.” In the early 90s, I paid an outrageous $25 per hour to log onto CompuServe, and when AOL dropped their prices to $3.99 per hour, we all thought we were getting a tremendous bargain – even though some of us were racking up $500+ monthly bills as we fed our email and chat room addictions.
During those early days, anonymity was almost mandatory among the Internet culture. Almost nobody used his/her real name; instead we went by “handles” or “screen names.” A law enforcement officer at the time I first got involved with the online world, I was known as MsSgt, and when I met my physician husband, one of his several identifiers was NeuroDoc. Even those who wanted to put their legal names out there usually found them taken and ended up with a user name like JohnSmith38754, unless they were lucky enough to have a one-of-a-kind moniker.
One reason for this was that back then, meeting people online wasn’t the normal thing that it is in today’s social networking era. We had grown up in a different and much more isolated and insulated world. Only a “wild child” would associate with someone to whom he/she hadn’t been properly introduced by a trustworthy mutual friend. In fact, part of the attraction of the Internet was that little thrill of feeling that you were living dangerously by having conversations with people you really knew absolutely nothing about.
This aspect of Internet communications was perfectly summed up in a cartoon in the New Yorker that appeared as the ‘Net was just beginning to be commercialized and started to become popular outside of government, academia and that little circle of geeks who were fascinated with all things techie. It was the old “On the Internet, nobody knows you’re a dog” funny.
And indeed, in those wild, wild, western days of IP communications, there were many who pretended to be something other than what and who they really were. Men posed as women, women pretended to be men, members of both genders exchanged fake photos and inflated their descriptions of their career positions, bank account balances, and/or physical charms and made claims about their talents and capabilities that were dubious at best.
It wasn’t just heartless scam artists who engaged in such behavior. Many standup citizens who would never think of lying to a neighbor or someone met on the street told tall tales on the Internet –because they could. Because they truly didn’t see the harm. Because it was, after all, just a game. Or at least that’s how it felt. Until some of those “just for fun” relationships went sour, real live humans with real feelings ended up in real pain, and in some cases people found themselves in real trouble – just legal hot water if they were lucky, or on the receiving end of somebody’s outraged real world retaliation if they weren’t.
Because it wasn’t long until we discovered that the anonymity we thought we had was mostly an illusion. The truth was that if somebody really wanted to find out how you were and where you lived, unless you had gone to the effort and had the know-how to disguise the origins of your online interactions (and most didn’t and hadn’t), it was possible to find you.
And the culture was changing. More and more people were getting online, both through their work and at home. Using the Internet moved from being an oddity that made you a little suspect in others’ eyes to being a legitimate and acceptable way of life to being so overwhelmingly the “norm” that now anyone who isn’t online is viewed as the oddball. As more people began to use the Internet as a business tool, more of them were using their real names in their email addresses and screen names.
As that became the new norm, a different demographic dominated the cyber world – more “regular” people and fewer haxors and phone phreaks who were engaging in legally questionable activities and had more reason to remain anonymous. Since most people were now using real names, those who hung onto their anonymity came to be looked at with suspicion.
This was exacerbated by the dramatic rise of criminal and bordering-on-criminal activity online. By the end of the 90s, the ‘Net was becoming a haven for spammers, scammers, pedophiles, stalkers and a myriad of other bad guys. In order to be able to go after the cybercriminals, law enforcement had to know who they were. At the same time, it was becoming standard operating procedure to do your shopping online. In an increasingly fast-paced world, the convenience of paying bills, buying your Christmas presents and managing your credit card and bank accounts without the hassle of leaving the house or the long waiting times involved with snail mail was irresistible. However, when you start conducting financial transactions online, you have to get serious about identity.
Even when money isn’t involved, the trend to allow employees to work at home all or part of the time and revised expectations on the parts of companies that workers would stay connected to the office and handle their email and get work done while on the road meant those people had to be able to log into companies’ networks – and when you start allowing remote access to your network and the mission critical data and applications that reside there, it’s essential that you be absolutely certain exactly who is connected. Again, verifiable identity is the key.
Then there’s another factor: How can you monetize Internet services unless you have a real person to whom you can send the bill and from whom you can collect the fees? Information might want to be free, but those who provide ways to access it want to make a profit doing so. And if you provide those services at no charge to the customer, then you need another way to make money – such as selling customer information lists. If you’re selling advertising, your advertisers want to know who they’re reaching with their ads. That, too, requires that you know the identity of the people who hold those accounts. Otherwise there’s no way to guarantee that they’re even real individuals and not, for example, ten different accounts all created by the same person in the names of his/her dogs.
Entire industries grew up around this need to authenticate the identities of individuals (and computers) on the Internet and on local networks. Directory services, digital certificates, Public Key Infrastructures, IAM (Identity and Access Management) systems, security token services, role based access control (RBAC) and a plethora of protocols and technologies such as OAuth, SAML 2.0, OpenID, and more attempt to ensure that we know with whom we’re interacting in online communications and transactions.
Even online, services that are free and are ostensibly designed just for fun have a stake in requiring customers to provide real identities (see the paragraph above regarding customer lists and advertising). In addition, there is a liability aspect; a site needs to show that it has done at least some due diligence to protect its users from predators. Thus social networks such as Google+ and Facebook include in their terms of service provisions that require accounts use only one’s real, legal name.
It might seem, then, that anonymity is dead or at least dying – and that might seem like a very good thing. And in many ways, it is. But while the recent trends have been toward pushing for more and better identity management, there has been some backlash against the growing difficulty of remaining anonymous online.
Over the past couple of years, there has been a trend to use anonymous social apps that sprang up such as Whisper or Secret, which allow users to bare their souls without revealing their identities. For more serious anonymization, forwarding proxies and anonymizer services can help privacy seekers to hide their IP addresses and other identifying information when they send communications online.
While there are some who want anonymity to cloak their clandestine activities – from multinational syndicated crime to the more mundane marital indiscretions – there are also some very legitimate reasons to want to keep your identity undercover. Victims of stalking or domestic violence may fear for their lives if their assailants track them down. Political dissidents living under oppressive regimes may face real danger if their identities are known. Whistleblowers who bring their employers’ illegal or unethical acts to the public risk losing their jobs – or worse.
Last year, ICANN proposed to end anonymity for those who register domains for web sites that are used for commercial services, bringing privacy advocates out in force to protect that the change would put domain owners at risk of harassment and identity theft.
On the other hand, studies have shown that many people behave differently (and not in a positive way) when they know (or merely believe) they’re anonymous. Flaming (name-calling, threats and verbal attacks) were more common and more vicious in the early days of the Internet when nobody knew who anyone was (which is not to say people don’t sometimes get nasty online even when their real names are out there). When there is no fear of reprisal, when you can say whatever you want and then disappear and come back with a whole new persona, when the real “you” can remain untouched by any of the consequences, you may be far less likely to self-censor and follow the usual rules of polite conversation.
These two seemingly incompatible desires – to be able to know and verify the real identities of everyone with whom we interact online for our own safety and security, and to protect our own identities from people who might use them to harm us – are not going away anytime soon. In the overall scheme of things, though, identity seems to be winning over anonymity. There’s a good chance it will become a moot point in the future, as stricter regulation and government control over the Internet is likely to result, eventually, in a requirement that we officially register our Internet account names – similarly to the way some jurisdictions require citizens to register their guns. When that day comes, there will be no more anonymity, except perhaps on an illegal underground “dark web” that is sure to flourish just as the black market in prohibited items and services does today.