[Digital] Papers Please

As the popular phrase “On the Internet nobody know that you’re a dog.” tries to explain the Internet is a bastion of anonymity. You can be whoever you want to be when posting online and if you properly utilize effective anonymity tools there is no practical way for anybody to connect your online identity to your real identify. This shield of anonymity enables truly free speech, which means the government wants to stop it. Meet the National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative, an attempt by the executive branch to force people to obtain a license to use the Internet. This license isn’t merely are method for the state to identify you as being qualified to use the Internet, it’s an attempt to remove the shield of anonymity that protects free speech online:

The draft NSTIC says that, instead of a national ID card, it “seeks to establish an ecosystem of interoperable identity service providers and relying parties where individuals have the choice of different credentials or a single credential for different types of online transactions,” which can be obtained “from either public or private sector identity providers.” (p. 6) In other words, the governments want a lot of different companies or organizations to be able to do the task of confirming that a person on the Internet is who he or she claims to be.

Decentralized or federated ID management systems are possible, but like all ID systems, they definitely pose significant privacy issues. 1 There’s little discussion of these issues, and in particular, there’s no attention to how multiple ID’s might be linked together under a single umbrella credential. A National Academies study, Who Goes There?: Authentication Through the Lens of Privacy, warned that multiple, separate, unlinkable credentials are better for both security and privacy (pp. 125-132). Yet the draft NSTIC doesn’t discuss in any depth how to prevent or minimize linkage of our online IDs, which would seem much easier online than offline, and fails to discuss or refer to academic work on unlinkable credentials (such as that of Stefan Brands, or Jan Camenisch and Anna Lysyanskaya).

Providing a uniform online ID system could pressure providers to require more ID than necessary. The video game company Blizzard, for example, recently indicated it would implement a verified ID requirement for its forums before walking back the proposal only after widespread, outspoken criticism from users.

Pervasive online ID could likewise encourage lawmakers to enact access restrictions for online services, from paying taxes to using libraries and beyond. Website operators have argued persuasively that they cannot be expected to tell exactly who is visiting their sites, but that could change with a new online ID mechanism. Massachusetts recently adopted an overly broad online obscenity law; it takes little imagination to believe states would require NSTIC implementation individuals to be able to access content somehow deemed to be “objectionable.”

I will go so far as to argue that truly free speech isn’t possible without the availability of anonymity. We see this whenever a company sues a customer who wrote a bad review, the state kidnaps a businessman, somebody is kidnapped for holding the wrong political belief. Imagine how much easier it would be for a business to sue anybody who left a negative review of their products if the NSTIC initiative was realized. Confirming the identify of the reviewer would be simple and that would put anybody leaving a negative review at risk of a lawsuit.

The only reason I can perceive for the executive branch’s push for its NSTIC initiative is for squashing political dissidence and suppressing critics of its corporate partners. Problems of authentication, authorization, and accounting have already been solved in numerous ways that allow an individual to keep their online identity separate from their real life identity. There are even methods that allow a user’s real life identify to be verified (which is what my certificate provider does). Nothing in the NSTIC initiative solves a problem that hasn’t been solved already. It merely introduces another way to solve these problems in a manner that centralized information for easy federal and corporate access.