The Sybil, Mr. Smith, and Rich Little Internet Accountability Problem

Bruce Schneier’s current article on Wired Magazine’s website makes a great point about anonymity: as long as we have accountability, real identity doesn’t matter. I agree with this wholeheartedly – even “true” identity is somewhat arbitrary. But there is a huge hole in his argument, one I call (starting now ;-) ) the Sybil, Mr. Smith, & Rich Little Internet Accountability Problem (maybe I won’t call it that ;-) ).

Sybil has multiple personality disorder. She has many different personalities and enjoys the freedom to be whomever she wants, whenever she wants. If she commits fraud, it is okay, because she can magically erase any accountability by creating a new identity. Sybil is very successful as Fred on eBay; Kathy on Amazon (oops, now it’s Jane); and Jack AND Jill on Craigslist.

Then there is Mr. Smith. Mr. Smith lives on the Internet-Matrix. He is actually many people collaborating as a single entity – say, an activist organization. This is fine until one Mr. Smith decides to break the law and hack into an offender’s website. Then you have a “violent faction”. We’d like to keep these people online (saves a lot of real blood), but nobody is accountable.

Finally, there is Rich Little. Rich is (was, actually) a great impersonator. He enjoys sometimes being Sybil-Kathy, sometimes being Mr. Smith, and sometimes being Bruce Schneier (check out Schneier’s comments section on previous posts to see if Rich is already “out there”). He can change his name at will, and the cool thing is he is never accountable – the other people are… not either. Nobody is accountable.

[I am reminded of my daughter’s preschool playmate Notme (the oldest preschooler ever). Notme is either a real nuisance or is erroneously blamed for everything.]

Yes, accountability is the problem. Unfortunately, you can’t be accountable without identity somewhere in the equation. But now we are stuck because we have this other problem: trust. And problems with trust manifest themselves as power abuse.

Mr. Schneier and many others don’t trust the powers that be. Certainly, power abuse incidents occur frequently (Schneier lists a few recent examples in his article). And though I am not persuaded that Schneier’s “cost-benefit” analysis is reasonable, given the amount of fraud in the world, I do agree trust of power is a reasonable concern.

So how can we reconcile the need for accountability, which drives the need for identity, which creates the problem of trust? Simple: we cede our (online) identity to those we do trust. Who do people trust if they don’t trust the powers that be? Certainly in the case of online anonymity and privacy, EPIC and the EFF are at the top of the list.

In light of this apparent problem, I propose a new mission for EPIC and the EFF: if they truly care about anonymity to protect against power abuse, in the face of the need for accountability, they must become the world’s first Anonymous Identity Service Providers. The notion of an Identity Service Provider has been around for a few years now; the AISP would just protect identity perhaps a bit more than the typical ISP. Sure, it sounds paradoxical, but if you can’t trust EPIC to maintain your anonymity, then you can’t trust anyone. In this scenario, the AISPs would be willing to be recognized as the responsible authority over all of the identities they protect. They would take the hits and police their own, except in circumstances where violent crimes are committed.

We can’t get away from identity (somewhere) because accountability breaks down with anonymity. Pseudonymity may help, as long as true identity is maintained somewhere. The concerns of power abuse can be addressed by an AISP that protects its members’ identities and bears the burden of accountability for them.