Re: Anonymity and multiple identities

Thank you for this fine answer.

On 07-07-2012 07:31, Michiel de Jong wrote:
> On Thu, Jul 5, 2012 at 1:38 PM, Flemming Bjerke<web@bjerke.dk>  wrote:
>> 1. Anonymity:
>> Wikileak, the Arabian spring, China, etc., etc. must make us conclude: The
>> point of departure must be anonymity, that is, the identity of an individual
>> has no bits except an identifier that may re-used by the individual. It is
>> the individual who decides how anonymous (i.e. which information about
>> herself should be disclosed by an identity) she likes to be. But, another
>> individual must also be able to specify the degree of anonymity he will
>> accept from others under different conditions.
> when you publish something, you automatically have an identity as
> "whoever published X". Anonymity for me means two things:
> - not linking what you publish now to what you published before
> - not linking what you publish online to (aspects of) who you are in real life.
>
> If by default what you publish doesn't get woven into a chain of
> published items, then you don't need any of the features of federated
> social web, the web as it is is enough. maybe you need wikileaks or
> Tor to properly erase your traces. Instead of chat you would only need
> chatroulette.

No, chatroulette gives anonymity with minimal purpose. Instead, imagine 
we were 6 Russian journalists that wanted to share information about 
Chechenya. Some of us know each other, and we want to add new 
journalists and sources to the group, or to larger groups, but without 
risking to disclose anyone's identity to the newcomers. We also want to 
be able to circulate information to a larger group, and even publish 
some. Our problem is that if FSB finds out who we are, they will 
probably kill or at least threaten some of us. We could also think about 
a fedsocweb behind a new generation of wikileak.

My point is that such networks should not be excluded by a future protocol.

> not linking your online personality to your real life personality is
> quite hard to do, but i think it doesn't really depend on the
> federated social web tools we develop. we could maybe add some user
> education messages when they are about to set their real name or
> location, or upload a recognizable photo.

Very interesting idea.

>> 2. Multiple identities:
>> It is trivial that we all have multiple identities (at work, at the café, in
>> the family, in the party, in the club, with your lawyer, etc., etc.). It
>> must be possible to have multiple identities and subidentities.
> multiple identities, sure. subidentities, i think that's more like
> audience control, right? so when you publish something you choose
> whether you want to publish it to a certain 'group' or 'aspect' or
> 'circle' within your list of friends.

Yes, but including the distribution of information about me. A 
subidentity does have the same information about me as the 
super-identity - probably hierarchy thinking is not appropriate, but 
partial heritage of information from another identity as well as linking 
are.

>> 3. Traffic-identity
>> Identity is not defined by a node with associated information, solely.
>> Identity is also defined by who communicate with whom about what. Therefore,
>> the individual must be able to control who have (direct) access to which
>> information exchange you have participated in. Anonymity also implies
>> control of your information exchange.
> that's quite hard to achieve though. I think what you're looking for
> is Tor. You can use fedsocweb over Tor.
>
>> 1., 2. and 3. may be combined: You may have an anonymous subidentity at the
>> "federated leak-webpage", while your family subidenty is not anonymous for
>> your family, etc. However, when you are devorcing, you don't want your
>> husband to have access to a lot of new information about you, e.g. what you
>> are communicating with your lawyer about.
> by anonymous subidentity, do you mean that each item you publish is
> published as coming from an anonymous source? then you basically get a
> sort of chatroulette, right? If you mean it's published under a
> pseudonym (say my pseudonym is 'Mr X.' and nobody knows who this
> mysterious 'Mr. X' is in real life), then this is more about how you
> untraceably access your Mr. X account (over Tor, probably), and how
> you make sure the photos you upload don't have any details that would
> betray your wereabouts.

You are right. But, in the fedsocweb protocol, it should be a privacy 
option to let the users conceal their identity. Example: last time I 
tried to go on Facebook via Tor, I was not allowed access, hence 
Facebook has no high level privacy protection.

>> I know this is controversial from the point of view of goverments and
>> content providers who have an interest in being able to survey every citizen
>> as much as they like. Drug dealers is a good example of this being
>> reasonable. However, it is more important, that we ensure that those who
>> protest against state-terrorism (e.g. Saudi-Arabia, Bahrain, White Russia,
>> etc. etc.) may conceal their identity on the net. Perhaps three principles
>> is the inverse of TCPM and DRM: Not that TCPM and DRM should be impossible,
>> but TCPM and DRM should never exclude the possibility of being anonymous and
>> having multiple identites (which was what Microsoft tried to effectuate with
>> their TCPM project).
> I think whether you use the web without any extra social features, or
> you use a closed social network on top of the web, or you use the
> federated social web which we are building, being traceable by
> (government) spies or not, doesn't change.

Eventually, I hope you are right. But, as I read your Webfinger point, 
it was presupposed that there were no problems with public dissemination 
of personal information.

>> I hope this is not too much out of touch with the group's intentions. But,
>> in my opinion, the three points must be addressed and discussed. At least a
>> future social network protocol must make 1-3 feasible.  We already have too
>> many big companies, like Apple, Google, Facebook, etc., who know much too
>> much about us. They may swear that they would never ever misuse it, but they
>> may change their minds whenever they like, say in 10 years.
> actually, they swear the opposite, they tell us "the reason we are
> here is that we will misuse your data, and by engaging, you agree to
> that", see http://tos-dr.info
>
> but that only makes your point stronger, obviously. IMO the reason
> these companies know so much about is, is that we allow them to by
> agreeing to their terms of service. The reason we let ourselves be
> coerced into such unfair deals is that they offer services that are
> unique. It's like when the only way to obtain a diamond is through
> DeBeers, then you either have to choose not to have such a diamond, or
> accept their terms and conditions. It's why monopolies are bad and
> free open market is good (setting aside the question of whether this
> "market" should money-based or commons-based).

Yes, I fully agree, but there is another reason why people accept the 
intrusion on privacy: They don't understand the possible implications. 
In order to put such problems a little more on the agenda, it is 
important to classify Facebook, Twitter, etc. as having relatively low 
levels of privacy.

> So if you choose to publish all your stuff anonymously or
> pseudonymously then this issue is irrelevant. You can do that using
> facebook over Tor and as long as you don't accidentally give away your
> identity inside the content you upload, you'll be fine.
>
> But if you use a recognizable online identity, then you will and
> should care about this. If i share my private data with my friends,
> then i don't want a third-party listening in, and i don't want a
> third-party to constantly try to make me accidentally overshare (see
> e.g. www.theage.com.au/opinion/society-and-culture/you-might-not-like-it-but-you-and-facebook-are-worst-friends-forever-20120630-219rq.html
> ). So for this I need what ToS;DR would call a "class A service". We
> are opening up this possibility with fedsocweb, simply by opening up
> the market for services you can choose from.

Well, I could not read this from your 6 points.

>> I have a Facebook profile (in Danish), but I give no information about
>> myself except my name, mobile phone, and my mail-address (as well as some of
>> my social relations). This is of course a good identification of me.
>> Nevertheless, denying to give information about me is clearly odd on
>> facebook. For instance, I have received several greetings on my 'birthday'
>> though it is Jan 1 1913. What provokes me is that it is Facebook, and not
>> me, that determines what is convenient public information about me.
> yes, you're doing well in giving only minimal data to facebook,
> because to them, you are a product that needs to be sold to
> advertisers.
>
>> I think point 2 to should be rephrased:
>>
>>> Step 2: "Webfinger" and "WebID" - WebID is the official way have an
>>> identity on the web.
> whereas webfinger can be combined with any technology including WebID,
> i would call WebID a niche product. Just like PGP is good, but also a
> niche product. If you want to use WebID or PGP or Firefox Sync from an
> internet cafe, then you  can't, unless you carry a USB stick with you.
> Only power users will be willing to do this, so i don't think we
> should design for that by default. We should definitely describe it as
> optional though, because asymmetric encryption does have its merits if
> you are willing to pay its cost.
>
>>> Webfinger takes user credentials as its
> well, a user address mainly, not credentials. You could include
> credentials of who is requesting the information, so that your friends
> see a more detailed webfinger record of you than strangers. but i
> don't think that's what you mean here.

Well, that was the point - thanks for making it clear.
>>> parameters, and may return information like full name, avatar picture
>>> in different sizes, home location, possibly some public keys that the
>>> user has on the device(s) she often connects from, and other contact
>>> information. But, since a WebID may be anonymous, the user control
>>> which information is to be returned.
> if the webid is anonymous then you wouldn't put it into a webfinger
> record, you would use it once and discard it. in fact, i'm not sure
> why using webid would be useful in this case. i think what you mean
> here is what you called sub-identity, so a webid that corresponds to
> the information you push out to a certain audience, like 'family'.

Exactly. Let's invent a case: I and my wife have two children and good 
jobs and are well respected Latvians. But, we are both gay as well, and 
we both have a strong incitement to gay experiences. But, due to the 
latvian homophobia we have to be very careful with our gay tendencies. 
Both of us would like to bulid identities in the fedsocweb at 
http://latviangayunderground.org. These identities may not be connected 
to our civil life identities. So, we have a gay WebID and a gay 
WebFinger that does not disclose our social identity. Please notice, 
that in this case, even physical identity is split up.

>>> If the user approves this, the
>>> webfinger may also link a WebID to any other information sources about
>>> the user, like a foaf profile or an activity stream, and possibly
>>> non-web contact methods like email addresses and jabber ID's. WebID
>>> makes a "user" into an agent which the web as such can understand in a
>>> unique and well-defined way. Any user may have multiple WebIDs, which
>>> may be linked as the user like.
> well, i would rather link user addresses (strings of the format
> 'user@host') to foaf profiles, activity streams, etcetera. Because if
> you use webid as required instead of optional, you are blocking out
> people who want to use their identity from an internet cafe without
> having to carry around a USB stick.
>

I think you are right.

Best

Flemming

Received on Saturday, 7 July 2012 10:00:59 UTC