Online Identities: Part of a Bigger Picture
The issues surrounding identities online are complex and critically important, but they need to be addressed in relation to the larger ecology of issues in which they are embedded. Changes in the ways identity is handled on the Internet can have unintended consequences, such as jeopardizing the value of the Internet as a new space for democratic expression and accountability. For such reasons, a number of working groups and conferences have been organized to address these issues.[i] For the purposes of this briefing note, I will highlight issues that might not otherwise be given more attention:
1. The Internet is facing growing threats of over-regulation. Identity initiatives could add to this threat in ways that undermine the value of this new platform.
Contrary to journalistic headlines, the Internet is highly regulated. All the laws that apply offline, such as those tied to liability or fraud also govern Internet users. Many other telecommunication regulations also shape the Internet, such as copyright and other IP regulations, and existing telecommunications policy, which provides the basis for Internet provision. International bodies such as ICANN and the W3C shape the assignment of domain names and technical standards and so on. The Internet is not an unregulated ‘Wild West’ frontier.
In this current regulatory environment, the Internet is rapidly becoming the most central media of our time, increasingly viewed as essential to everyday life and work. Its successes – not its faults – are driving industries, governments, particularly the regulators of earlier communication and broadcasting media, and the public to focus increasing attention on its regulation. It is entirely possible that we are seeing the nationalization of the Internet and what was formerly known as the ‘World Wide Web’. Identity initiatives should not feed into this jurisdictional impulse to impose national regulatory regimes.
2. No single level or standard of identity is appropriate for all activities.
Freedom of expression often requires anonymity, and many other activities and services have no need for identification of users. While not everyone agrees, creating what some of us called an ‘accountability versus anonymity’ debate, it is an important issue.[ii] Often there is only a need to authenticate that a person has a right to the service, such as being over a certain age. Therefore identity systems online must support this full range, and not require a level of identification greater than required by a particular service. One European advisory board on which I sat made the following recommendation:
The EC, together with the Member States and industrial stake-holders, must give high priority to the development of a common EU framework for identity and authentication management that ensures compliance with the legal framework on personal data protection and privacy and allows for the full spectrum of activities from public administration or banking with strong authentication when required, through to simple web activities carried out in anonymity ’ (RISEPTIS 2009: 31).
Some within the technical community might want a one-size-fits-all system for identifying users because it is easier to design and implement. However, we should no more accept such a technically driven standard than we would accept one level of identification in everyday life and work. The best approach is to build incrementally with open debate around key issues.
3. We are in a transition for institutions in data handling and identity practices.
We are in the midst of a major transformation not only in technologies, but also institutional and social practices tied to identification and related privacy and data protection policy: moving from organizational-centric approaches to protecting privacy and identifying people to more federated and decentralized approaches, permitting individuals to have more control, such as with bank cards. This is a period of transition in the cultures and practices of handling information, so this will take a decade or more embed new and evolving systems into everyday life and work. This is all the more reason not to rush into a solution that could have negative unintended or unanticipated consequences, such as on privacy or freedom of expression.
RAE (2007), Royal Academy of Engineering, Dilemmas of Privacy and Surveillance. London: Royal Academy.
RISEPTIS (2009), Research and Innovation on Security, Privacy and Trustworthiness in the Information Society, Trust in the Information Society. http://www.think-trust.eu/general/news-events/riseptis-report-published.html
Rundle, M. (2007), ‘e-Infrastructures for Identity Management and Data Sharing: Perspectives across the Public Sector’, Oxford Internet Institute Forum Discussion Paper No. 12, University of Oxford: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1325235
Rundle, M. and Dopatka, A. (2009), ‘Towards a Policy and Legal Framework for Identity Management: A Workshop Report’. Oxford Internet Institute Forum Discussion Paper No. 16, University of Oxford: http://www.oii.ox.ac.uk/publications/FD16.pdf
[i] The OII has held two workshops around identity management, including those reported by Rundle (2007) and Rundle and Dopatka (2009).
[ii] For example, this debate arose in the deliberations of RISEPTIS (2009), but also in a committee focused on privacy and data protection (RAE 2007).