February 25, 2007

Don't Arrest Andrea!

Andrea Sandberg is a female graphics designer living quite close to where I grew up. She has a past as an officer in the Swiss navy, but recently decided to aim for a career as an artist. But she does a bit of consulting for the biotech company Pentapod Corporation.

Andrea is fictional, a persona I use when I have to sign up for websites and do not feel like disclosing my personal information. No doubt she has millions of relatives, many living at zipcodes such as 123 45 or with email addresses like foo@foo.no. But a new EU proposal will seek to outlaw using fake information to set up email accounts or websites, Wired reports.

This is apparently a spin-off from the Orwellian data retention directive, and of course concerns about making it easier for law enforcement to track down criminals and terrorists are used to motivate it. But it also seems like a godsend to marketers, who no longer have to worry about the salting of their databases with Andreas. Sure, preventing fake users would reduce the potential for spam and anonymous threats. But it would also remove the shield of privacy from most users. As always it is the law-abiding and clueless users who lose the most; the criminal high-tech users will be able to get around it. It is not that hard to get an anonymous account overseas or set up a Tor network - something the new legislation will have to ban if it wants to stay effective.

What is at stake is the freedom to construct an arbitrary online persona. I have, like many, multiple personas for different uses. My Second Life self is different from my website self, which is different from the persona my travel agency knows. Some are hermetically separated, others could with some diligence be linked to each other or to my physical self. The reasons for having multiple personas are manifold, from practicality over different social networks to legal and deeply sensitive matters - I might not want anybody to know that I frequent www.goldfishsex.com or have a cricket paralysis virus infection. In many cases I want to be very sure my identity is secure, since even expressing interest in some areas might be enough to cause trouble (I'm surprised that the NSA has not yet flagged me for being a bit too interested in the exact chemistry of uranyl salts, security at Venezuelan supercomputing centers, the function of airport metal detectors and the detailed regulations for DHS personnel - all issues I have in my opinion had perfectly legitimate reasons to study).

The usual response is to assume that forcing a strong link between the core person and its personas could be done in a privacy-sensitive way. If only the government has access to stored data, then there is no trouble. The main problem with this is of course trusting the government. Governments have been known in the past to violate privacy, behave incompetently, be corrupt or just uncaring. Even if you trust your local government, what about other allied governments? EU-level data retention combined with EU arrest warrants and other forms of international cooperation likely means that another, far less trustworthy government can claim access. Especially if it makes up a claim that the information is relevant for antiterrorism. The US is a warning example: since 9/11 not only have many legal protections been wiped out as soon as national security is invoked, but local law enforcement happily re-labels meth labs as chemical weapons and a pipe bomb as a weapon of mass destruction. And of course, the US has forced the EU to share data before. In a globally networked world, any system is only as secure as the least secure system it is connected to, and this goes for law enforcement too.

Even if governments were 100% trustworthy and competent, there is another party involved in creating an online persona. The provider of the online service where the sign-up occurs has a vested interest in getting as much valuable information from the user as possible. A forced link between person and persona will pass through the system on its way to the government, and it appears hard to legislate that it cannot be used by the service. EU database and privacy directives might limit how far the information can be spread, but they seem to be effective mostly when dealing with formal organisations. Many are simply under the radar and can't be trusted to handle the information. What does www.goldfishsex.com do with the credit card numbers it requests "for age verification"? When I try to join a racist forum to do undercover journalism, how do I prevent them from storing my real address, enabling physical retaliation when I tell the world about them?

Making it illegal to enter erroneous information when setting up a relation with an online system is also problematic from an enforcement perspective. We make mistakes when writing our names. People systematically distort their age. Some information, while true, simply has the wrong format to be entered, forcing the user to lie. If it is not illegal to make mistakes, then a lot of privacy-conscious people will make mistakes. The alternative is cryptographic authentication. But even if such a system were implementable (writing this in anti-identity-card Britain, it seems problematic) it would suffer the problems of incompatible systems. Witness the forcing of Katrina victims to use a particular web browser, or the problems of running e-identity cards with organisations that do not support Linux. Mandatory authentication works best in hardware and software monocultures. And those are the most vulnerable to fast-spreading attacks. Would increasing the risk of major Internet disruptions and the establishment of government-supported perpetual monopolies be worth the advantages of identification? Unfortunately the drawbacks occur in fields other than law enforcement, so they might not be recognized by the people proposing more authentication.

Anonymity is often undesirable for setting up trustworthy social structures. One reason the Internet is as it is is the strong anonymity it provides. Hence many online forums are plagued by trolls, spammers and con men. But it also enables amazing new forms of expression, freedom from many constraints imposed by local culture and views, and a way for many disadvantaged groups to network. An internet based on total anonymity is just as undesirable as one with no anonymity or conditional anonymity.

Accountability should be the goal: when I do something bad, it should be possible to hold me accountable for it. But the level of accountability, who metes out the punishment and the reliability of the system must be kept under control. It should also be symmetric: everybody and every institution should be equally accountable. Strong person-persona links are not in themselves enough for accountability, since they might be asymmetric and do not guarantee the proper level of accountability. Hence the most important part of any online accountability system must be the social and political control over the accountability, and in particular checks and balances on how it is being used.

Perhaps one compromise might be a reciprocal data retention directive. This is based on the general reciprocity principle: any extension of authority into our private lives must be balanced by an equal or larger extension of transparency in the authority. It is not just citizen data traffic that should be retained, but all government and law enforcement traffic. And after a fixed period it must be made public or at least requestable. The design goal ought to be that any misuse of these powers will become visible. Minor misuse might be ignored, but anybody trying to use the system for sinister or questionable purposes will know that after (say) ten years their use will become public (or be seen by an oversight committee not sharing the collegial ties of the agent).

Implementing it might be tricky, but there are legal, social and technological ways of facilitating it. The important thing is to realize that this might be the only way to get the benefits of traceability without too many drawbacks, and that it hence ought to be a political goal for anybody wanting a well-functioning, accountable society.

[ The image is an illustration from the indispensable Codex Seraphinianus. ]

Posted by Anders3 at February 25, 2007 01:58 PM