Re: Strangling the Internet with ID

[David Farber <dave () farber net>]

Begin forwarded message:

From: Roelof Temmingh <roelof () paterva com>
Date: May 7, 2007 6:48:10 PM EDT
To: dave () farber net
Subject: Re: [IP] Strangling the Internet with ID

A response to Lauren....if you wish.

Let me start by saying that I fully agree with what you stand for. It  
will be indeed a sad day when we have to start providing some kind of  
ID before Google gives us some results (let's ignore that whole  
cookie thing for now). But, there is some part of me that understand  
the need for it. Perhaps...

You have a strong online presence. You have at least 3 email  
addresses, a blog, and your point of view is well documented on the  
Internet. But I suspect you are part of small group of people - most  
of the rest of the world do not have such a strong identity on the  
net - although the net provides hundreds of ways of establishing your  
identity and your viewpoint. This means that it would be fairly  
simple for someone to take over a less "connected" individual's  
online identity. Register them on a couple of social networks,  
register an email address here and there, and on some IM chat  
services. And, in a matter of hours, you own that identity. Do it  
carefully so that it's not that obvious. And do it over a long period  
of time. And do it with your target's friends and his/her colleagues,  
in fact do it with an entire segment of their social/professional  
sector. This "identity creation" can be automated - save for some  
nasty captchas. No doubt someone will catch on when doing an ego  
search, but it now becomes a matter of "who shouts the loudest", and  
confusion (which could have been the strategy from the start) sets  
in. When services like LinkedIn and Zoominfo have a line that reads  
"This is Me", you must know that there is something fundamentally wrong.

If you wake up one fine morning and find that your name has been used  
in a variety of online forums (with a plausible email address), that  
you have been created on LinkedIn, Facebook, Orkut, Myspace and Xing,  
that 'you' are chatting away with unknown people on MSN, Skype and  
GoogleTalk I am sure that you won't like it - but it won't be the end  
of the world for you. Because you have been around on the 'net -  
people know you. You have a track record. But if it was someone else  
that's less "connected", that use the Internet only for mail (think  
many many CEOs)  I figure they would rather just go back to bed.  
Especially when a 'track record' has been created for them over  
months which includes posts/blogs/comments that contain dubious  
content. I am sure that such a person would look at these service  
providers and ask "But how come you did not verify that is was really  
ME!??".

I guess there is no real answer here. Forget privacy issues - service  
providers that try to enforce the use of a real life ID will not be  
popular with the generation of instant gratification, and social  
networks need big numbers to be useful. I think we find ourselves in  
an akward situation really - on the one hand we know that big  
corporations and governments love to track every letter we write and  
every site that we visit, and therefor we try to hide our real  
identity...but on the other hand we want to make sure that we are who  
we say we are and that our online identities remains intact.

The Myspace/Facebook generation lives in total ignorance of data  
collection and correlation. And why not? They grew up in a world  
where they are constantly watched on CCTVs, they never questioned a  
cookie that expires in 2038, have friends and family that list their  
mobile number all over the net, their phone calls are monitored for  
keywords, they never bothered to think about how Google adds Adswords  
to their email, etc. etc. And one day we will have IPvX running and  
RFID implants in everyone's wrist - that communicates to a receiver  
in the base of every keyboard ever manufactured which in turn  
instructs the computer to sign every packet that goes out to the 'net  
- no matter if you at home, office or at a cyber cafe. Oh, and if  
it's not signed it gets dropped at the switch.

I think this is a likely scenario - if you like it or not - not  
because of the fear of online identity theft, but because of what's  
happening in the real world today (FUD) and because of the ease in  
which the new/next generation is trading their privacy for perceived  
usefulness and blissful ignorance. Well - at least online identity  
theft is less likely to be a problem anymore...;)

Regards,
Roelof.


On 5/6/07, David Farber <dave () farber net> wrote:

Begin forwarded message:

From: Lauren Weinstein <lauren () vortex com>
Date: May 6, 2007 5:39:25 PM EDT
To: dave () farber net
Cc: lauren () vortex com
Subject: Strangling the Internet with ID


Dave,

This New York Times piece:

http://www.nytimes.com/2007/05/06/nyregion/06myspace.html

gives an excellent overview of efforts now in progress in various
states to require verified ID before allowing anyone to sign-up for
"social networking" sites like MySpace, and the impacts these could
potentially have on all manner of Web sites.

In particular, the article notes the view that such efforts would be
impractical and could even do more damage by pushing children (the
group these laws would ostensibly protect) toward other sites
completely under the radar.  The article also recognizes that
requiring ID (most likely a credit card) would then provide
networking sites (or their third-party subcontractors) with a direct
linkage to all users' true identities that could be subject to later
exploitation and abuse.

While we all want to protect children, these ID-based models will
not do so, and indeed will bring with them a whole host of other
major risks.

How long will it be before some bright boys inside the Beltway get
the idea of requiring that *all* Internet usage be tied to verified
IDs?  This would fit in just dandy with the mandated data retention
push, COPA, and the other efforts to turn the Internet into an ever
more purpose-built computerized arm of law enforcement.

Wanna use Google?  Verify your ID first, please, so retained records
can be retroactively tied to you at any point in the future by
various agencies.

Too dark a scenario?  Couldn't happen?  Do you really want to bet
against me on this one given current trends?

Of course, we can still turn the tide, working together as consumers
and Internet service providers alike.  We can tell the politicos
that enough is enough.  But will we?  Or will it be business
as usual?

Place your bets.

--Lauren--
Lauren Weinstein
lauren () vortex com or lauren () pfir org
Tel: +1 (818) 225-2800
http://www.pfir.org/lauren
Co-Founder, PFIR
    - People For Internet Responsibility - http://www.pfir.org
Co-Founder, IOIC
    - International Open Internet Coalition - http://www.ioic.net
Founder, CIFIP
    - California Initiative For Internet Privacy - http://www.cifip.org
Founder, PRIVACY Forum - http://www.vortex.com
Member, ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
DayThink: http://daythink.vortex.com



-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com



--
------------------------
Roelof Temmingh
+27 83 448 6996
GMT+2

-------------------------------------------
Archives: http://v2.listbox.com/member/archive/247/=now
RSS Feed: http://v2.listbox.com/member/archive/rss/247/
Powered by Listbox: http://www.listbox.com