[fay59]

One of the points brought up by privacy folks in review of Apple’s plan to have your ID in your digital wallet is that the mere convenience of allowing access to ID may create ID requirements for users where none existed before, which is a loss for privacy. Do you think that Identity is going to create such new requirements?

[dcow]

I sure hope so! Anonynimity is not a fundamental human right, it is a tool that should be used sparingly and only when the situation is appropriate (whistleblower, for example). The internet would be a better place if there were more identity requirements SO LONG AS companies are not legally allowed to sell or transmit that information to advertisers or other third parties without explicit opt-in consent ideally on a per-use basis. Or simply at all. If easier access to online identity systems means we as a society turn focus on legal ground rules governing how that data is treated and used, then we'll be in a really good position (: I'm excited.

[potamic]

What a terrible, broad statement to make, and on an anonymous forum of all places. There are plenty of places where default anonymity makes a lot sense and it is important to a good societal structure. History has shown time and again that those in positions of advantage will abuse their access to information for their own gains. Increasing the surface of your online activity trail can and will be used against you by a bad actor when the opportunity arises. There is simply no good reason to make identity requirement as the default. There is a reason identity requirements have traditionally been restricted to highly regulated entities, but off late there seems to be a trend of "internet companies" freely exchanging KYCs with each other. This blurring of boundaries between banks and regular companies is a dangerous precedent and I'm afraid it will be too late before we realise the net damage to society as a result.

[dcow]

> There are plenty of places where default anonymity makes a lot sense and it is important to a good societal structure.

Can you list some examples of the types of places where you think this property holds true and explain what you mean by "good social structure"?

> History has shown time and again that those in positions of advantage will abuse their access to information for their own gains.

What are some examples of scenarios where this has happened in relation to online identity where there have been legal restrictions in place that would have otherwise prevented it? The healthcare industry and credit card industry seem to do a pretty good job of protecting sensitive information, for example.

> Increasing the surface of your online activity trail can and will be used against you by a bad actor when the opportunity arises.

How anonymous do you think you are online? If you're not deliberately taking steps to conceal your identity, your trail is thick and clear for the people who know how to track it. And that's an actual problem: people track you even if you think you're anonymous and we have no legal protection in place to prevent abuse of data that can identify you online. If you are in a position where you need to *depend* on anonymity, you simply can't because nobody will respect your wish. So the internet operates in this grey zone where because we have no rules governing abuse of PII, everyone throws on the cloak and turns to anonymity as the answer. This degrades our ability to fight spam and makes things like strong mutual authentication very very hard to do because platform vendors can't ever expose any sort of fixed identifier because privacy. Look at the insane things Apple does: zero out your mac address when scanning for wifi networks and recently issue a new certificate for every single use so that a persistent identifier does not show up. And look at IPv6, we invented "privacy extensions" where you generate a random IP every few minutes. These hacks break functional systems because we don't understand how to regulate the internet as a society.

All that is somewhat irrelevant, though. We're talking about the identity relationship between you and a service, not necessarily "the features of interacting with the internet that can be recorded and tracked either on purpose or incidentally". Do you think your email address makes you anonymous? Again, unless you're deliberately taking steps to maintain pristine op sec with your online browsing, you identify yourself to service providers one way or another. And again, the problem is people think they're anonymous when they really aren't so they misinterpret what it means to be anonymous and its importance in good societal structure. I honestly don't see a difference between providing a service your email address or your physical address or telephone number. What's so bad about having a third party say "yeah, this person is who they say they are" and optionally "and here's the list of verified fields"? The internet is the only place where people get weirded out when someone asks for an ID. Do you not show the bar tender your ID when asked because you need to be anonymous at a restaurant? How about at the gas station, the liquor store, the axe throwing range, the DMV, the hospital, when making a purchase on a credit card, taking out a loan, etc. What real world interactions do you have that are primarily anonymous? It's not normal.

Strong identity combats spam and abuse. I would choose strong identity over spam almost every single time. I do not disagree that there are some online communities that are respectfully anonymous. But do you think e.g. Reddit is one of those? Because I do not. Regardless, you can still both a) identity check and b) run an anonymous community (and c. not store identity information). You don't have to expose the identity data in the product/community/forum itself, so nothing about making identity easier to use and more streamlined defeats the ability to operate pseudonymous services in the least. I really don't understand the "anonymity by default is good for a wholesome society" angle whatsoever.

[potamic]

Oh no, I'm not going to go down that slippery slope. We are not talking about CIA whistleblower levels of anonymity here. This is just basic sanity. You may never be able to fight abuse 100%, so it's good practice to reduce the surface of compromise as much as possible. If the information is not needed, just don't send it. It's about de-risking the possibilities. The fact that banks, healthcare institutions etc. are trusted within a boundary does not automatically mean every tom and dick company out there should be trusted as well. There must be a strong justification for access to identity and spam is certainly the weakest out there. Fake identity is not hard to create. Bank fraud is rampant in many countries where fraudsters run large rings using such fake accounts. If banks are not able to stop these, online communities for the purpose of bot detection most certainly won't.

[dcow]

Fake identity is is not hard to create online. You’re right! That is the problem. Fake identity is orders of magnitude harder to create in meatspace. You don't solve that problem by saying “welp I guess we just have to deal with spam to realize pseudo-security via anonymity”. I don't disagree about privacy, even. I think you’d find we agree about not sending information you don't need. Where we talking past each other is on the topic of anonymity vs privacy. I want strong identity and privacy and tools and laws that protect my identity and privacy online as well as offline. Tools that let me manage who has access to my private information and for what use cases. Tools that alert me when that information is accessed or shared. Tools to allow me to verify the information provided by others is genuine. This has nothing to do with anonymity.

[d110af5ccf]

> The internet would be a better place if there were more identity requirements

This is a completely baseless claim, as most arguments against weak (ie pseudo) anonymity seem to be. Outside of banks, healthcare providers, and payment processors, I see little of benefit. Before bringing up any arguments that involve poor behavior or misinformation, please refresh yourself on the current state of Facebook (where nearly everyone is using their full name).

I already think twice before (and often decide against) using a service that requires my phone number. I will _never_ use Discord or Twitter (in my personal life at least) for this reason. Except for banks, liquor, and the pharmacy, I am almost certain to decline doing business rather than providing my ID.

[dcow]

I'm curious, do you take this same stance in meat space? Would you rather not know who your friends are and address them by a changing handle? Would you rather be given a pseudonymous name to use for the duration of your trip to the grocery store? Would you prefer to be delivered a new car every time you need to go somewhere so people can't associate you with a vehicle? Do you really have these anonymity requirements.

The claim is not baseless. There are strong technical reasons why identifying the components in your system is a good thing. and there are practical social reasons.

[CogitoCogito]

> I'm curious, do you take this same stance in meat space? Would you rather not know who your friends are and address them by a changing handle?

There are many people I'm friendly with that I know little about. They could very well be giving me fake information about their life. I don't see this as a problem.

> Would you rather be given a pseudonymous name to use for the duration of your trip to the grocery store?

Well in most cases I wouldn't give anyone any name at all. Why does the grocery store require my name?

> The claim is not baseless. There are strong technical reasons why identifying the components in your system is a good thing. and there are practical social reasons.

There are also strong technical reasons not to. And there are practical social reasons not to. As far as I can tell, you've provided essentially no argument supporting this general claim:

> The internet would be a better place if there were more identity requirements

[dcow]

We already have a society that identifies people when doing business. The burden of proof is on an anonymity advocate to demonstrate why that is harmful and should be changed. I may mot have convinced you that having strong identity enables strong security and reduces spam (that is my argument). But it’s also not my problem if you aren’t aware of the nuances surrounding how security, privacy and anonymity work. You haven’t made any compelling argument as to why we don't need identity in cyberspace beyond a naive axiomatic assertion that “businesses don’t need them so they shouldn’t collect them” and some FUD level fear that strong identity is an Orwellian technology hell bent on ruining your life. There is so much nuance I don't feel like we’re doing the topic justice. There is a huge spectrum between “ad tech tracking everything you do” and “everyone looks like a spam bot”. The mindshare is heavily skewed toward spam bot because ad tech is abusive. You can have strong identity and privacy without invoking anonymity. You can be anonymous and still fall victim to fishing attempts and scams. Anonymity is not synonymous with security or privacy. Security means you know who you’re communicating with online so you can establish trust. Privacy means you don't need to share invasive personal details in the regular course of existing in society. Anonymity means nobody knows who you are. I want a society where my digital communication with other people is authenticated and a baseline of trust is established. Do you use a secure messenger app that has E2E encryption? Guess what, that depends on strong identity. You are not anonymous but you are private. I would take a secure and private society every time over an anonymous one that offers weak, if any, guarantees of security and/or privacy.

I work on a product that doesn't collect any PII. We made the decision very early on not to collect any information we don’t need because that’s literally not our business. I am deeply aware of the landscape on these topics. However, as a society we cannot run in a “normal meatspace anonymous cyberspace” mode. We need to bridge civil identity in a secure and private (those are fundamental human rights) way into the online era. That is the core focus of the product I’ve been working on. In reality people have identities whether they use them offline or online. The goal is to protect those identities so they cannot be abused, not remove them altogether.

[CogitoCogito]

> We already have a society that identifies people when doing business.

This is false. There are many cases in real life when this is not the case as explained in the very post you just responded to.

> The burden of proof is on an anonymity advocate to demonstrate why that is harmful and should be changed.

You are making certain claims and then saying it's up to others to disprove you? If that's your attitude why are you engaging in this discussion at all?

> But it’s also not my problem if you aren’t aware of the nuances surrounding how security, privacy and anonymity work.

Frankly I don't have the energy to engage with you. Take that as you will. You clearly think you know much more than everyone here already anyway.

[hashStuff]

So do you provide your full name, street address, phone number, drivers license, and social, to everyone you meet? And do you require that from everyone you wish to be friends with? Otherwise how do either party know the other is not providing false information? This is essentially what you are stating you are hoping for on the internet by allowing every company to request identity information.

[unityByFreedom]

> The internet would be a better place if there were more identity requirements SO LONG AS companies are not legally allowed to sell or transmit that information to advertisers or other third parties without explicit opt-in consent ideally on a per-use basis. Or simply at all

This is a pipe dream. The online world spans the globe and we can only enforce the law in our own respective countries.

And even if all countries were cooperative about enforcement, distributed communication tools already exist. The internet has always been a place where you can go to share your thoughts without worrying about what your family or friends think. I don't think that will change in our lifetime, if ever.

Anyway, the market can sort this out. If using an ID to authenticate your Twitter account makes Twitter more successful than its competitors, great! I would not count on it.

[dcow]

A fully anonymous society is also a pipe dream. It doesn't work.

You already provide your name and phone number and email to Twitter. You already identify yourself. We're talking about making that exchange more reliable and more secure...

[unityByFreedom]

I haven't called for a fully anonymous society. I said realistically we cannot force people to identify themselves across the world. And, once there is a breach of identities, we will be back to where we are now where we can't reliably sort out who's who. It is a pointless exercise that potentially enables authoritarian regimes to silence dissent indefinitely. No thanks.