Posts tagged as:

Google+ Stumbles Over Identity

by on August 1, 2011 · 18 comments

I started to see hints of it last week, but I now believe Google+ is in full stumble-mode over user identity and naming. It looks as though they’ve taken common sense—everyone has one name—and woven it into their terms of service. You can’t use a non-traditional name on Google+. But naming and identity are more complex than that.

In my book, Identity Crisis, I wrote that an identity is a collection of information other people and institutions have about a person. Others use identity information they have to distinguish you from other people (or to group you) in their minds or records. This makes identity a gating mechanism: you can allow people into a part of your life by making them privy to the relevant set of identifiers, or keep them out by denying them that information.

Commonly, people use varied identities to exclude others, for social or professional reasons, such as when they open a social network account in a false name to keep their parents or their students from accessing parts of social life that are not meant for them to see. Sometimes identity is varied for political reasons, such as when an account opens in a pseudonym for the purpose of avoiding reprisal. This is an area where Facebook’s “real names” policy has stepped in it. The further one lives from conventional life in a given society, or the more contrarily to power, the more important it is to control identity.

Identity Woman—who tells her story at the first link above—uses her non-traditional identity in a non-traditional, but completely reasonable, way. It’s just the name that identifies her better to the community she plans to reach on Google+. But Google+ thinks that the name she is supposed to use is the same one her parents gave her, is the same one on her tax return, is the same one on her college degree, is the same one on her driver’s license.

Google+ has smartly replicated the real-world concept of social circles in its “circles” function. But they haven’t replicated real-world practice in terms of naming and identity. Why? Among other reasons, because doing so would allow users to decide which “circle” Google itself is in. Google doesn’t want that. Like Facebook wants to be your super-friend, Google wants to be your super-circle.

Google+ is seeing like a state, vastly simplifying the use of identity on its platform to serve its purposes. That will be a continuing discomfort and an impediment to its fullest success. But the fullest success of social networking will probably not be on an owned platform anyway.

SHARE: 18 comments

Facebook as Identity Provider

by on January 9, 2011 · 8 comments

It might take Facebook a while to turn identity provision into a revenue opportunity, but if it is a money-maker, it could be a substantial one. Simson Garfinkel has a piece in Technology Review that goes into some of the things Facebook is doing with its “Connect” service.

As security professionals debate whether the Internet needs an “identity layer”—a uniform protocol for authenticating users’ identities—a growing number of websites are voting with their code, adopting “Facebook Connect” as a way for anyone with a Facebook account to log into the site at the click of a button.

It’s a good, relatively short article, worth a read.

As an online identity provider, Facebook could facilitate secure commerce and communication in a way that’s easy and familiar for consumers. That adds value to the Internet ecosystem, and Facebook may be able to extract some of the surplus for itself—perhaps by charging sites and services that are heavy users small amounts per login via Connect. The security challenges of such a system would grow as more sites and services rely on it, of course, and Garfinkel highlights them in an accessible way.

Quibbles are always more interesting, so I’ll note that I cocked my head to one side where Garfinkel asks “whether it’s a good thing for one company to hold such a position of power.” Strange.

Taking “power” in its philosophical sense to mean “a measure of an entity’s ability to control its environment, including the behavior of other entities,” Facebook Connect gives the company very little power. Separate, per-site logins—or a parallel service that might be created by Google, for example—are near at hand and easy to switch to for anyone who doesn’t like Facebook’s offering.

Ironically, Garfinkel refers to these identity services as “Internet driver’s licenses,” inviting a comparison with the power structure in the real-world licensing area. If you want to drive a car legally, there are no alternatives to dealing with the state, so the state can impose onerous conditions on licensing. Drivers’ licenses require one to share a great deal of information, they cost a lot of money (relative to Facebook’s dollar price of “free”), and switching is not an option if the issuer starts to change the bargain and enroll licensees in a national ID system. Garfinkel himself noted how drivers’ licenses enhance state power in a good 1994 Wired article.

In sum, the upsides of an identity marketplace are there, for both consumers and for Facebook. The downsides are relatively small. The “power” exercised by any provider in a marketplace for identity provision is small compared to the alternative of using states as identity providers.

SHARE: 8 comments

Transcript of 7/27 PFF Event on Child Safety, Privacy, and Free Speech

by on August 18, 2009 · 5 comments

On July 27th, The Progress & Freedom Foundation hosted a Capitol Hill panel discussion entitled “Online Child Safety, Privacy, and Free Speech: An Overview of Challenges in Congress & the States.” The event featured remarks from:

  • Parry Aftab, Executive Director, WiredSafety.org
  • Todd Haiken, Senior Manager of Policy, Common Sense Media
  • Jim Halpert, Partner, DLA Piper
  • Berin Szoka, Senior Fellow, The Progress & Freedom Foundation

We’ve just released the transcript of the event, which I have also pasted down below the fold in a Scribd document reader. Also, the audio for this event can be heard by clicking below:

Download mp3

Here is the full event description: Continue reading →

SHARE: 5 comments

COPPA 2.0: The New Battle over Privacy, Age Verification, Online Safety & Free Speech

by on May 24, 2009 · 33 comments

Adam Thierer & I have just released a detailed examination (PDF) of brewing efforts to expand the Children’s Online Privacy Protection Act of 1998 to cover adolescents and potentially all social networking sites—an approach we call “COPPA 2.0.”

As Adam explained on Larry Magid’s CNET podcast, COPPA mandates certain online privacy protections for children under 13, most importantly that websites obtain the “verifiable consent” of a child’s parent before collecting personal information about that child or giving that child access to interactive functionality that might allow the child to share their personal information with others. The law was intended primarily to “enhance parental involvement in a child’s online activities” as a means of protecting the online privacy and safety of children.

Yet advocates of expanding COPPA—or “COPPA 2.0″—see COPPA’s verifiable parental consent framework as a means for imposing broad regulatory mandates in the name of online child safety and concerns about social networking, cyber-harassment, etc. Two COPPA 2.0 bills are currently pending in New Jersey and Illinois. The accelerated review of COPPA to be conducted by the FTC next year (five years ahead of schedule) is likely to bring to Washington serious talk of expanding COPPA—even though Congress clearly rejected covering adolescents age 13-16 when COPPA was first proposed back in 1998.

We’ll discuss some of the key points of our paper in a series of blog posts, but here are the top nine reasons for rejecting COPPA 2.0, in that such an approach would:

  • Burden the free speech rights of adults by imposing age verification mandates on many sites used by adults, thus restricting anonymous speech and essentially converging—in terms of practical consequences—with the unconstitutional Children’s Online Protection Act (COPA), another 1998 law sometimes confused with COPPA;
  • Burden the free speech rights of adolescents to speak freely on—or gather information from—legal and socially beneficial websites;
  • Hamper routine and socially beneficial communication between adolescents and adults;
  • Reduce, rather than enhance, the privacy of adolescents, parents and other adults because of the massive volume of personal information that would have to be collected about users for authentication purposes (likely including credit card data);

Continue reading →

SHARE: 33 comments

Another Reminder Why Age Verification Mandates Would Be a Bad Idea

by on March 1, 2009 · 10 comments

Whenever I pen anything about the dangers of age verification mandates for the Internet and social networking sites, I always point to Federal Trade Commission (FTC) reports about rising identity theft complaints. For the ninth year in a row, identity theft was the number one consumer complaint to the agency.

Now, imagine how much worse this problem could get if government mandated that everyone had to be “verified” before they were allowed to visit a social networking site, however that ends up being defined. Such a mandate would exponentially increase the amount of personal information — especially credit card information — that was available to identity thieves.  Age verification advocates often ignore this problem when making the case for regulation.

Worse yet, much of the information that would be made available via such mandates would be personal information about children, which makes for a very attractive target for identity thieves since those records are rarely checked until the kids get much older and start applying for things. At least most adults typically learn they have been the victim of ID theft shortly after it occurs, allowing them to take steps to deal with the situation. With kids, their records could be milked for years by bad guys without them or their parents ever knowing it.

ID theft FTC

SHARE: 10 comments

Internet Security Concerns, Online Anonymity, and Splinternets

by on February 15, 2009 · 31 comments

What would it take to create a more secure Internet?  That’s what John Markoff explores in his latest New York Times article, “Do We Need a New Internet?”  Echoing some of the same fears Jonathan Zittrain articulates in his new book The Future of the Internet, Markoff wonders if online viruses and other forms of malware have gotten so out-of-control that extreme measures may be necessary to save the Net.  Compared to when cyber-security attacks first started growing over 20 years ago, Markoff argues that:

[T]hings have gotten much, much worse. Bad enough that there is a growing belief among engineers and security experts that Internet security and privacy have become so maddeningly elusive that the only way to fix the problem is to start over.

Like many others, Markoff fingers anonymity as one potential culprit:

The Internet’s current design virtually guarantees anonymity to its users. (As a New Yorker cartoon noted some years ago, “On the Internet, nobody knows that you’re a dog.”) But that anonymity is now the most vexing challenge for law enforcement. An Internet attacker can route a connection through many countries to hide his location, which may be from an account in an Internet cafe purchased with a stolen credit card. “As soon as you start dealing with the public Internet, the whole notion of trust becomes a quagmire,” said Stefan Savage, an expert on computer security at the University of California, San Diego.

Consequently, Markoff suggests that:

A more secure network is one that would almost certainly offer less anonymity and privacy. That is likely to be the great tradeoff for the designers of the next Internet. One idea, for example, would be to require the equivalent of drivers’ licenses to permit someone to connect to a public computer network. But that runs against the deeply held libertarian ethos of the Internet.

Indeed, not only does it run counter to the ethos of the Net, but as Markoff rightly notes, “Proving identity is likely to remain remarkably difficult in a world where it is trivial to take over someone’s computer from half a world away and operate it as your own. As long as that remains true, building a completely trustable system will remain virtually impossible.”  I’ve spent a lot of time writing about that fact here and won’t belabor the point other than to say that efforts to eliminate anonymity for the entire Internet would prove extraordinarily intrusive and destructive — of both the Internet’s current architecture and the rights of its users.  There’s just something about a “show-us-you-papers,” national ID card-esque system of online identification that creeps most of us out. That’s why I spend so much time fighting age verification mandates for social networking sites and other websites; it’s the first step down a very dangerous road.

But what if we could apply such solutions in a narrower sense?  That is, could we create more secure communities within the overarching Internet superstructure that might provide greater security?  Markoff starts thinking along those lines when he suggests… Continue reading →

SHARE: 31 comments

NYT Article on Age Verification & Schools

by on November 15, 2008 · 4 comments

In a big post two months ago entitled “Age Verification Debate Continues; Schools Now at Center of Discussion,” I noted that there has been an important shift in the age verification debate: Schools and school records are increasingly being viewed as the primary mechanism to facilitate online identity authentication transactions. I pointed out that this raises two very serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?

Brad Stone of the New York Times has just posted an important article with relevance to this debate. In it, he points out that:

performing so-called age verification for children is fraught with challenges. The kinds of publicly available data that Web companies use to confirm the identities of adults, like their credit card or Social Security numbers, are either not available for minors or are restricted by federal privacy laws. Nevertheless, over the last year, at least two dozen companies have sprung up with systems they claim will solve the problem. Surprisingly, their work is proving controversial and even downright unpopular among the very people who spend their days worrying about the well-being of children on the Web. Child-safety activists charge that some of the age-verification firms want to help Internet companies tailor ads for children. They say these firms are substituting one exaggerated threat — the menace of online sex predators — with a far more pervasive danger from online marketers like junk food and toy companies that will rush to advertise to children if they are told revealing details about the users.

Continue reading →

SHARE: 4 comments

Age Verification Debate Continues; Schools Now at Center of Discussion

by on September 25, 2008 · 25 comments

This week, I have been up at Harvard University participating in another meeting of the Internet Safety Technical Task Force (ISTTF), of which I am a member. The ISTTF was organized earlier this year pursuant to an agreement between 49 state attorneys general (AGs) and social networking giant MySpace.com. A group of experts from academia, non-profit organizations, and industry were appointed to the Task Force, which is charged with evaluating the market for online child safety tools and methods and issuing a report on the matter to the AGs at the end of this year.  ISTTF members have been meeting privately and publicly in both Cambridge, MA and Washington, D.C. The Task Force has been very ably chaired by John Palfrey, co-director of Harvard’s Berkman Center for Internet & Society.

Although the ISTTF is looking at a wide variety of tools and methods associated with online child protection (ex: filters, monitoring tools, educational campaigns, etc.), many of the AGs who crafted the agreement with MySpace that led to the Task Force’s formation have made it clear that they are most interested in having the ISTTF evaluate age verification / online verification technologies.  In fact, at the start of this week’s session at Harvard Law School, AGs Martha Coakely of Massachusetts and Richard Blumenthal of Connecticut both spoke and made it abundantly clear they expect the Task Force to develop age and identify-verification tools for social networking sites (SNS). AG Blumenthal said we need to deal with “the dangers of anonymity” and repeated his standard line about online age verification: “If we can put a man on the moon, we can make the Internet safe.”  [Of course, putting a man on the moon took hundreds of billions of dollars and a decade to accomplish, but never mind that fact! Moreover, one could also argue that if we can put a man on the moon we can cure hunger, AIDS, and the common cold, but some things are obviously easier said than done. Finally, putting a man on the moon didn’t require all Americans or their kids to give up their anonymity or privacy rights in order to accomplish the feat!]

On many occasions here before, I have outlined various questions and reservations about proposals to mandate online age verification.  Last year, I also published a lengthy white paper on the issue and hosted a lively debate on Capitol Hill [transcript here] about this.  I also have discussed age verification in my book on parental controls and online child safety. [Braden Cox also talked about his experiences up at Harvard this week here, and CNet’s Chris Soghoian had a brutal assessment of this week’s proposals on his “Surveillance State” blog.]

In this essay, I will discuss the new fault lines in the debate over online age verification and outline where I think we are heading next on this front.  I will argue:

  • There is now widespread understanding that it is extraordinarily difficult to verify the ages and identities of minors online using the methods we typically use to verify adults. Because of this, age verification proponents are increasingly proposing two alternative models of verifying kids before they go online or visit SNS…
  • First, for those who continue to believe that we must do whatever we can to verify kids themselves, schools and school records are increasingly being viewed as the primary mechanism to facilitate that. This raises two serious questions: Do we want schools to serve as DMVs for our children? And, do we want more school records or information about our kids being accessed or put online?
  • Second, for those who are uncomfortable with the idea of verifying kids or using schools, or school records, to accomplish that task, parental permission-based forms of authentication are becoming the preferred regulatory approach. Under this scheme, which might build upon the regulatory model found in the Children’s Online Privacy Protection Act of 1998 (COPPA), parents or guardians would be verified somehow and then would vouch for their children before they were allowed on a SNS, however defined.  But how do we establish a clear link between parents and kids?  And will parents be willing to surrender a great deal more information (about themselves and their kids) before their kids can go online? And, is it sensible to use a law that was meant to protect the privacy and personal information of children to potentially gather a great deal more information about them, and their parents?
  • It remains very unclear how either of those two verification methods would make children safer online. Indeed, that could actually make kids less safe by compromising their personal information and creating a false sense of security online for them and their parents.
  • It is highly unlikely the Internet Safety Technical Task Force will be able to reach consensus on this complicated, controversial issue. A small camp will likely flock to the sort of proposals mentioned above. Another, larger camp (including me) will flock to education-based approaches to child safety as well increased reliance on other parental empowerment tools and strategies, industry self-regulatory efforts, social norms, and better intervention strategies for troubled youth. But the age verification debate will go on and, as was the case over the past two years, the legal battleground will be state capitals across America, with AGs likely pushing for age verification mandates regardless of what the Task Force concludes.

Continue reading if you are interested in the details.

Continue reading →

SHARE: 25 comments

USA Today, age verification, and the death of online anonymity

by on January 23, 2008 · 14 comments

The USA Today editorial board published a nasty piece today belittling MySpace.com’s recent efforts to implement more safeguards for its users. Despite the fact that MySpace made over 70 promises to the Attorneys General as part of the agreement–the entire agreement is summarized here–that’s still not good enough for the USA Today’s editorial board, which wants full-blown identity verification before anyone is allowed on a social networking site:

“Even in the absence of a perfect software solution, interim steps are possible. How about using databases of drivers’ licenses to cross-check ages? In more than 20 states, they are public records. The point is, more effective safeguards are needed now, …. MySpace [should be] moving faster to set up age and ID verifications, not just study them.”

Well, where do I begin? I get so frustrated when I see comments like this because it is abundantly clear to me that people don’t think things through when it comes to age verification. As I pointed out in my lengthy PFF report, “Social Networking and Age Verification: Many Hard Questions; No Easy Solutions,” age verification is extremely complicated, and it would be even more complicated in this case because public officials are demanding the age verification of minors as well as adults, which presents a wide array of special challenges and concerns.

What Age Verification Really Is: The Death of Online Anonymity We need to begin by understanding what age verification really is. By definition, mandatory age verification represents an effort to make online anonymity a crime. In simple terms, citizens would be forced to “show their papers” at the door of every website or else run the risk of being denied access–simply because they do not want to surrender their name or age.

Think about what that means. It’s easy to take the benefits of online anonymity for granted. There are millions of people who comment anonymously on blogs like this one every day, or write anonymous book or product reviews on Amazon.com or eBay, or who just chat with others about various topics under the cloak of anonymity. It is a wonderful thing.

Continue reading →

SHARE: 14 comments

Today’s MySpace-AG Agreement

by on January 14, 2008 · 3 comments

This morning in New York City, social networking website operator MySpace.com announced a major joint effort with 49 state Attorneys General aimed at better protecting children online. (Coverage at CNet, NYT and Forbes). At a joint press conference, MySpace and the AGs unveiled a “Joint Statement on Key Principles of Social Networking Safety” involving expanded online safety tools, improved education efforts, and law enforcement cooperation. They also agreed to create an industry-wide Internet Safety Technical Task Force to study online safety tools, including a review of online identity authentication technology. MySpace logo Generally speaking, the agreement is step forward for online safety. Indeed, many of the principles in the agreement could form a potential model “code of conduct” that other social networking sites could adopt. In a report I authored for the Progress & Freedom Foundation in August 2006, I argued that it was vital for companies and trade associations to take steps such as this to avoid the specter of government regulation or censorship:

All companies doing business online… must show policymakers and the general public that they are serious about addressing [online safety] concerns. If companies and trade associations do not step up to the plate and meet this challenge soon—and in a collective fashion—calls will only grow louder for increased government regulation of online speech and activities. What is needed is a voluntary code of conduct for companies doing business online. This code of conduct, or set of industry “best practices,” would be based on a straight-forward set of principles and policies that could be universally adopted by [a] wide variety of operators…

In particular, this code of conduct proposal called for companies to make specific pledges regarding improved online safety tools, expanded education / media literacy efforts, and ongoing assistance to law enforcement regarding investigations of online crimes.

Continue reading →

SHARE: 3 comments

← Previous Entries