Re: Anonymity and multiple identities from Michiel de Jong on 2012-07-07 (public-fedsocweb@w3.org from July 2012)

From: Michiel de Jong <michiel@unhosted.org>
Date: Sat, 7 Jul 2012 08:31:31 +0300
To: Flemming Bjerke <web@bjerke.dk>
Cc: public-fedsocweb@w3.org
Message-ID: <CA+aD3u2jgz4kozJZGCKrfCJj=Ut4O+EJKF65n_6M_k9FOUFNSA@mail.gmail.com>
On Thu, Jul 5, 2012 at 1:38 PM, Flemming Bjerke <web@bjerke.dk> wrote:
> 1. Anonymity:
> Wikileak, the Arabian spring, China, etc., etc. must make us conclude: The
> point of departure must be anonymity, that is, the identity of an individual
> has no bits except an identifier that may re-used by the individual. It is
> the individual who decides how anonymous (i.e. which information about
> herself should be disclosed by an identity) she likes to be. But, another
> individual must also be able to specify the degree of anonymity he will
> accept from others under different conditions.

when you publish something, you automatically have an identity as
"whoever published X". Anonymity for me means two things:
- not linking what you publish now to what you published before
- not linking what you publish online to (aspects of) who you are in real life.

If by default what you publish doesn't get woven into a chain of
published items, then you don't need any of the features of federated
social web, the web as it is is enough. maybe you need wikileaks or
Tor to properly erase your traces. Instead of chat you would only need
chatroulette.

not linking your online personality to your real life personality is
quite hard to do, but i think it doesn't really depend on the
federated social web tools we develop. we could maybe add some user
education messages when they are about to set their real name or
location, or upload a recognizable photo.

> 2. Multiple identities:
> It is trivial that we all have multiple identities (at work, at the café, in
> the family, in the party, in the club, with your lawyer, etc., etc.). It
> must be possible to have multiple identities and subidentities.

multiple identities, sure. subidentities, i think that's more like
audience control, right? so when you publish something you choose
whether you want to publish it to a certain 'group' or 'aspect' or
'circle' within your list of friends.

> 3. Traffic-identity
> Identity is not defined by a node with associated information, solely.
> Identity is also defined by who communicate with whom about what. Therefore,
> the individual must be able to control who have (direct) access to which
> information exchange you have participated in. Anonymity also implies
> control of your information exchange.

that's quite hard to achieve though. I think what you're looking for
is Tor. You can use fedsocweb over Tor.

> 1., 2. and 3. may be combined: You may have an anonymous subidentity at the
> "federated leak-webpage", while your family subidenty is not anonymous for
> your family, etc. However, when you are devorcing, you don't want your
> husband to have access to a lot of new information about you, e.g. what you
> are communicating with your lawyer about.

by anonymous subidentity, do you mean that each item you publish is
published as coming from an anonymous source? then you basically get a
sort of chatroulette, right? If you mean it's published under a
pseudonym (say my pseudonym is 'Mr X.' and nobody knows who this
mysterious 'Mr. X' is in real life), then this is more about how you
untraceably access your Mr. X account (over Tor, probably), and how
you make sure the photos you upload don't have any details that would
betray your wereabouts.

> I know this is controversial from the point of view of goverments and
> content providers who have an interest in being able to survey every citizen
> as much as they like. Drug dealers is a good example of this being
> reasonable. However, it is more important, that we ensure that those who
> protest against state-terrorism (e.g. Saudi-Arabia, Bahrain, White Russia,
> etc. etc.) may conceal their identity on the net. Perhaps three principles
> is the inverse of TCPM and DRM: Not that TCPM and DRM should be impossible,
> but TCPM and DRM should never exclude the possibility of being anonymous and
> having multiple identites (which was what Microsoft tried to effectuate with
> their TCPM project).

I think whether you use the web without any extra social features, or
you use a closed social network on top of the web, or you use the
federated social web which we are building, being traceable by
(government) spies or not, doesn't change.

> I hope this is not too much out of touch with the group's intentions. But,
> in my opinion, the three points must be addressed and discussed. At least a
> future social network protocol must make 1-3 feasible.  We already have too
> many big companies, like Apple, Google, Facebook, etc., who know much too
> much about us. They may swear that they would never ever misuse it, but they
> may change their minds whenever they like, say in 10 years.

actually, they swear the opposite, they tell us "the reason we are
here is that we will misuse your data, and by engaging, you agree to
that", see http://tos-dr.info

but that only makes your point stronger, obviously. IMO the reason
these companies know so much about is, is that we allow them to by
agreeing to their terms of service. The reason we let ourselves be
coerced into such unfair deals is that they offer services that are
unique. It's like when the only way to obtain a diamond is through
DeBeers, then you either have to choose not to have such a diamond, or
accept their terms and conditions. It's why monopolies are bad and
free open market is good (setting aside the question of whether this
"market" should money-based or commons-based).

So if you choose to publish all your stuff anonymously or
pseudonymously then this issue is irrelevant. You can do that using
facebook over Tor and as long as you don't accidentally give away your
identity inside the content you upload, you'll be fine.

But if you use a recognizable online identity, then you will and
should care about this. If i share my private data with my friends,
then i don't want a third-party listening in, and i don't want a
third-party to constantly try to make me accidentally overshare (see
e.g. www.theage.com.au/opinion/society-and-culture/you-might-not-like-it-but-you-and-facebook-are-worst-friends-forever-20120630-219rq.html
). So for this I need what ToS;DR would call a "class A service". We
are opening up this possibility with fedsocweb, simply by opening up
the market for services you can choose from.

>
> I have a Facebook profile (in Danish), but I give no information about
> myself except my name, mobile phone, and my mail-address (as well as some of
> my social relations). This is of course a good identification of me.
> Nevertheless, denying to give information about me is clearly odd on
> facebook. For instance, I have received several greetings on my 'birthday'
> though it is Jan 1 1913. What provokes me is that it is Facebook, and not
> me, that determines what is convenient public information about me.

yes, you're doing well in giving only minimal data to facebook,
because to them, you are a product that needs to be sold to
advertisers.

>
> I think point 2 to should be rephrased:
>
>> Step 2: "Webfinger" and "WebID" - WebID is the official way have an
>> identity on the web.

whereas webfinger can be combined with any technology including WebID,
i would call WebID a niche product. Just like PGP is good, but also a
niche product. If you want to use WebID or PGP or Firefox Sync from an
internet cafe, then you  can't, unless you carry a USB stick with you.
Only power users will be willing to do this, so i don't think we
should design for that by default. We should definitely describe it as
optional though, because asymmetric encryption does have its merits if
you are willing to pay its cost.

>> Webfinger takes user credentials as its

well, a user address mainly, not credentials. You could include
credentials of who is requesting the information, so that your friends
see a more detailed webfinger record of you than strangers. but i
don't think that's what you mean here.

>> parameters, and may return information like full name, avatar picture
>> in different sizes, home location, possibly some public keys that the
>> user has on the device(s) she often connects from, and other contact
>> information. But, since a WebID may be anonymous, the user control
>> which information is to be returned.

if the webid is anonymous then you wouldn't put it into a webfinger
record, you would use it once and discard it. in fact, i'm not sure
why using webid would be useful in this case. i think what you mean
here is what you called sub-identity, so a webid that corresponds to
the information you push out to a certain audience, like 'family'.

>> If the user approves this, the
>> webfinger may also link a WebID to any other information sources about
>> the user, like a foaf profile or an activity stream, and possibly
>> non-web contact methods like email addresses and jabber ID's. WebID
>> makes a "user" into an agent which the web as such can understand in a
>> unique and well-defined way. Any user may have multiple WebIDs, which
>> may be linked as the user like.

well, i would rather link user addresses (strings of the format
'user@host') to foaf profiles, activity streams, etcetera. Because if
you use webid as required instead of optional, you are blocking out
people who want to use their identity from an internet cafe without
having to carry around a USB stick.

Ciao!
Michiel
Received on Saturday, 7 July 2012 05:31:59 UTC