One of the most compelling aspects of global digital interactions is privacy. Anonymity has provided people with great power to bring to the world discussions that had previously been impossible either due to technology or personal physical access or limits, regional restrictions or even danger due to personal exposure, no longer required by in-person registration or similar identity stipulations.
This anonymous reach affords tremendous power to the previously powerless as individuals and groups. At the same time anonymity also affords others the power to extend influence for potentially questionable or even harmful intentions.
Continuing to value anonymity calls into question the unfettered influence from anonymous entities and calls out the need for forms of accountability – entity-validation. How can we reconcile the two? My answer is that we don't. We don't need to abandon one for the other, rather embrace both while working with their respective strengths and weaknesses. The key in the middle is absolute transparency.
At the moment most of the time our individual accountability to identifying ourselves for accounts, registration, and interactions are for the most part voluntary. I could sign up as "santaclaus45" for a site or service with no oversight aside from maybe having to validate my registered email address, which in itself could also easily be anonymously registered. This means no validation – I could be anyone.
With this I could carry on registering using this 5 minute bring-your-own-identity for all sorts of services for email, newsletters, social media, video broadcasting, audio podcasting, communication/phone, even financial. If it suited me I could create multiple identites just like this, again and again.
So why should we care? Who is this hurting? Well, in this instance it's hurting no one. If santaclaus45 continues on posting harmless content about cats, curry recipes, and hockey who cares? Absolutely, why should we care if this person wants their anonymity, and for that reason casual anonymity at this level is fine.
This is a personal privacy use case - an individual doing their own thing for no other reason than surfing around and simple, idle, chit-chat.
If we acknowledge that privacy is good for casual use and light social interaction, we also need to examine where the personal benefit of privacy turns into a "vested interest" anonymity. Take the above scenario where santaclaus45, using the same private technique is not posting curry recipes but instead is trolling forum users. What if they're bullying kids? Go one step further and they are posting slanderous comments aimed at harming another?
The exact same technological situation moves from harmless privacy to harmful anonymity.
No doubt you're aware of allegations and evidence of attempts at market manipulation, fabricated news article posts and blogs, as well as false entity advertisers. In each of these cases the goal amounts to influencing at a level that would never be tolerated, legal, or even possible in a non-internet situation. The sheer scale of technology, as awesome as it is, allows for a myriad of fraudulent behaviour at unprecedented levels.
This is all possible because we have allowed for privacy to equal anonymity at all costs. There is no meaningful concept of validating a person or entity where this level of activity may be misused. But this is not entirely true, it's just in its infancy and is, for the moment, very much based on traditional offline proof of identity and validation of a user or entity.
Countries need to look at what unfettered, unvalidated entities can do at a social, democratic, institutional, and financial level and decide where user validation needs to play a stronger role.
Let's begin with the validation model we already have to provide background use cases; they're familiar. Even though these are last-century models, we have always needed to validate (and secure) users for situations like:
All of the above are firmly rooted in the past, the same rules of the past 100+ years, merely translated online. Move into the 21st century, however, and we have made no meaningful strides on coming to grips with additional account and interaction types that could be better served by requiring validation. Here are a few new identity-validation models:
Notice what's changed in this second list? That's right, almost nothing. The only truly new activity in this list are domain name registrations, and even in this case the validation model if it even applies, is pretty rudimentary and frequently doesn't even work. This goes hand in hand with our thinking that remains almost completely unchanged regarding identity, validation, and what kinds of activities should require a user or users type (such as corporation or organization) to demonstrate their validity?
We're now into new territory and that's a good thing. These are going to be society-level discussions and debates and that's also a good thing. Countries need to look at what unfettered, unvalidated entities can do at a social, democratic, institutional, and financial level and decide where user validation needs to play a stronger role. Activities already under the microscope include:
The above already touches on very sensitive situations recently uncovered, and regardless of actual level of fraud, damage, and ramifications, demonstrate significant vulnerability and more importantly, confidence, in our perception of how society now interacts with itself and how it can be co-opted now where it wasn't technically possible only just a few decades ago.
Does this mean that we regulate these industries? How much do we impose validation? And is validation even the same as regulation as we've come to understand it? Incumbent players will assume that their mere presence should be enough to warrant presumed validation – fair enough. But we should we still must encourage genuine competition, that's the magic of the open internet for all players. Therefore this means that an entry level player wanting to report on financial markets should be able to validate themselves in the same way that a large existing player would, with minimal invasiveness but still proper oversight.
And what does this mean for public acceptance, real world use? If someone wants to report their take on the news and not disclose their identity in validation, should this be allowed? I imagine this will take on different forms in policy making, but it can take any number of path including, just as an example concept:
If this sounds meritocratic, it does have that sensibility. We must come to terms with assuming, assigning, and allowing validation as based on the old fashioned concept where a business simply had the capacity (money, people, market access) to set up shop. If they acted improperly we could shut them down because we know where they are. But now, "improperly" can happen constantly, every day from any computer from every angle globally. The rules of entity operations have changed and therefore the rules of validation must adapt.
Great article! Really has me thinking about balancing privacy with what we see daily from cyber bullies et al. It will be interesting to see how this evolves.
Thanks Rob, this is likely to take a very long time to work through unfortunately. Kind of like email spam management frameworks "stuff" is probably going to just happen for a long time at a regulatory level, most of it not very effective. Eventually a few things will start to demonstrate improvement in the space and people and governing bodies will start to notice. Eventually.