The old idea of what an entity could do in the world still underpins our world today. And it's causing…
One of the most compelling aspects of global digital interactions is privacy. Anonymity has provided people with great power to bring to the world discussions that had previously been impossible either due to technology or personal physical access or limits, regional restrictions or even danger due to personal exposure, no longer required by in-person registration or similar identity stipulations.
This anonymous reach affords tremendous power to the previously powerless as individuals and groups. At the same time anonymity also affords others the power to extend influence for potentially questionable or even harmful intentions.
Continuing to value anonymity calls into question the unfettered influence from anonymous entities and calls out the need for forms of accountability – entity-validation. How can we reconcile the two? My answer is that we don't. We don't need to abandon one for the other, rather embrace both while working with their respective strengths and weaknesses. The key in the middle is absolute transparency.
How Privacy and Entity Validation Currently Works
At the moment most of the time our individual accountability to identifying ourselves for accounts, registration, and interactions are for the most part voluntary. I could sign up as "santaclaus45" for a site or service with no oversight aside from maybe having to validate my registered email address, which in itself could also easily be anonymously registered. This means no validation – I could be anyone.
With this I could carry on registering using this 5 minute bring-your-own-identity for all sorts of services for email, newsletters, social media, video broadcasting, audio podcasting, communication/phone, even financial. If it suited me I could create multiple identites just like this, again and again.
So why should we care? Who is this hurting? Well, in this instance it's hurting no one. If santaclaus45 continues on posting harmless content about cats, curry recipes, and hockey who cares? Absolutely, why should we care if this person wants their anonymity, and for that reason casual anonymity at this level is fine.
This is a personal privacy use case - an individual doing their own thing for no other reason than surfing around and simple, idle, chit-chat.
Where the Value of Privacy Ends and Unfettered Anonymity Begins
If we acknowledge that privacy is good for casual use and light social interaction, we also need to examine where the personal benefit of privacy turns into a "vested interest" anonymity. Take the above scenario where santaclaus45, using the same private technique is not posting curry recipes but instead is trolling forum users. What if they're bullying kids? Go one step further and they are posting slanderous comments aimed at harming another?
The exact same technological situation moves from harmless privacy to harmful anonymity.
Where Anonymity Becomes Socially and Institutionally Harmful
No doubt you're aware of allegations and evidence of attempts at market manipulation, fabricated news article posts and blogs, as well as false entity advertisers. In each of these cases the goal amounts to influencing at a level that would never be tolerated, legal, or even possible in a non-internet situation. The sheer scale of technology, as awesome as it is, allows for a myriad of fraudulent behaviour at unprecedented levels.
This is all possible because we have allowed for privacy to equal anonymity at all costs. There is no meaningful concept of validating a person or entity where this level of activity may be misused. But this is not entirely true, it's just in its infancy and is, for the moment, very much based on traditional offline proof of identity and validation of a user or entity.
Countries need to look at what unfettered, unvalidated entities can do at a social, democratic, institutional, and financial level and decide where user validation needs to play a stronger role.
Taking an Inventory of When to Validate, When not to, and Why
Let's begin with the validation model we already have to provide background use cases; they're familiar. Even though these are last-century models, we have always needed to validate (and secure) users for situations like:
- Banking and Finance, trading, corporate, loan
- Government Accounts, tax, business, automotive, citizenship etc
- Municipal services, housing, library, transit, pet, utilities
- Insurance and related services
All of the above are firmly rooted in the past, the same rules of the past 100+ years, merely translated online. Move into the 21st century, however, and we have made no meaningful strides on coming to grips with additional account and interaction types that could be better served by requiring validation. Here are a few new identity-validation models:
- Cryptocurrency trading accounts, related to banking and finance
- Domain name registration, some registry validation attempts to look up corporate identities
- Fintech alternative lenders, again related to banking and finance
Notice what's changed in this second list? That's right, almost nothing. The only truly new activity in this list are domain name registrations, and even in this case the validation model if it even applies, is pretty rudimentary and frequently doesn't even work. This goes hand in hand with our thinking that remains almost completely unchanged regarding identity, validation, and what kinds of activities should require a user or users type (such as corporation or organization) to demonstrate their validity?
The Next Wave
We're now into new territory and that's a good thing. These are going to be society-level discussions and debates and that's also a good thing. Countries need to look at what unfettered, unvalidated entities can do at a social, democratic, institutional, and financial level and decide where user validation needs to play a stronger role. Activities already under the microscope include:
- NewsThis covers a large territory as a major societal, market, and business influencer
- FinancialRelated to news but specific to market and business reporting
- ElectoralPolling data, candidate news, and party policy papers
The above already touches on very sensitive situations recently uncovered, and regardless of actual level of fraud, damage, and ramifications, demonstrate significant vulnerability and more importantly, confidence, in our perception of how society now interacts with itself and how it can be co-opted now where it wasn't technically possible only just a few decades ago.
Does this mean that we regulate these industries? How much do we impose validation? And is validation even the same as regulation as we've come to understand it? Incumbent players will assume that their mere presence should be enough to warrant presumed validation – fair enough. But we should we still must encourage genuine competition, that's the magic of the open internet for all players. Therefore this means that an entry level player wanting to report on financial markets should be able to validate themselves in the same way that a large existing player would, with minimal invasiveness but still proper oversight.
And what does this mean for public acceptance, real-world use? If someone wants to report their take on the news and not disclose their identity invalidation, should this be allowed? I imagine this will take on different forms in policymaking, but it can take any number of path including, just as an example concept:
- Strict : only valid entities can participate in this area. For example, only validated news entities can report the news.Difficult to truly enforce, likely to be messy.
- Managed : allow for everyone to publish and post just as they do now, but validated entities show a "seal of validation" demonstrating that they have been verified by an oversight body as merit. Choose to be validated, or don't your choice.This could take on similar certification as SSL security certification with a green seal in browser windows, except perhaps an alternate colour. The internet culture already understands the validation of eCommerce for security purposes, this takes it one step further.
- Open : allow for everyone to publish and post just as they do now, but entities can show whatever validation certification they get from whatever governing body.The standards are not browser or server-tied and readers must trust that whatever visual certification they see is real.
If this sounds meritocratic, it does have that sensibility. We must come to terms with assuming, assigning, and allowing validation as based on the old fashioned concept where a business simply had the capacity (money, people, market access) to set up shop. If they acted improperly we could shut them down because we know where they are. But now, "improperly" can happen constantly, every day from any computer from every angle globally. The rules of entity operations have changed and therefore the rules of validation must adapt.