What’s in a Name: Less Anonymity Doesn’t Equal More Online Security

People should use their real names on Facebook. No, wait… they shouldn’t. Wait, they should… I shouldn’t make fun of politicians for not knowing what to do about identity because their voters don’t know what they want either.

Bartenders need to know your age, retailers need your PIN, but almost no-one needs your name -- except for identity thieves. ”

IMAGE_074

A very entertaining argument has broken out in the UK. Broadly speaking, it’s between the “Real Names” school and the “people who know something about the issue” school. The trouble started when noted internet security expert Andy Smith gave some sound advice to the nation. He’s not just any old internet security expert, but the government’s own internet security expert.

Andy Smith, internet security chief at the Cabinet Office said real names and addresses could increase security concerns. He advised users to submit “fake” details as this was a “sensible thing to do”.

[From Whitehall official: ‘Give fake details to protect online identity’ – Public Service]

Andy is spot on, although possibly unaware that providing fake details is in violation of Facebook’s “real names” strategy:

Simon Milner, Facebook’s head of policy in the UK and Ireland, was not particularly happy at Smith’s comments. He apparently had a “vigorous chat” with the Cabinet Office official afterwards to persuade him to revise his view.

[From Top civil servant calls for Brits to fake online identity – Cabinet Office says it’s the only way to be safe | TechEye]

As far as I am concerned, there are almost no circumstances where it is necessary to use real names and we only use them now because we lack a proper identity infrastructure.

Bartenders needs to know your age, retailers need your PIN, but almost no-one needs your name — except for identity thieves.

[From David Birch: Identity without a name | Video on TED.com]

By and large, we use the real name as a proxy to the attributes that are actually needed to execute a transaction. Andy’s comments elicited an immediate and vituperative response from noted internet security expert Helen Goodman MP.

Ms Goodman, shadow culture minister, told BBC News: “This is the kind of behaviour that, in the end, promotes crime… It’s anonymity which facilitates cyber-bullying, the abuse of children”.

[From BBC News – Give social networks fake details, advises Whitehall web security official]

Ms. Goodman’s confused opinions on security and privacy — and the false dichotomy implicit in the security vs. privacy paradigm she draws on — are representative of the shallow thinking and lack of informed discussion in this area. I’m not for one moment suggesting that Ms. Goodman’s concerns are not wholly real and heart felt. I’m sure they are.

Mrs Goodman, MP for Bishop Auckland, in the North-East of England, said she had been contacted by constituents who have been the victims of cyber-bullying on major social networking sites by people hiding behind fake names.

[From BBC News – Give social networks fake details, advises Whitehall web security official]

I don’t doubt that this is true. But so what? People bully under their real names too, and it doesn’t make any difference. If they have broken the law, they can easily be traced, since the interweb tubes will lead the police directly to them. Or, indeed, directly to the police!

A man arrested over claims that he tormented a mother with abusive online messages is a serving police officer.

[From Police Officer Arrested Over Internet Troll Abuse Of Woman, Nicola Brookes]

The Honourable Edward Vaizey MP, the British Government’s Minister of Culture, responsible for internet regulation, agrees with Ms. Goodman that the Cabinet Office’s advice is incorrect, leaving us none the wiser as to the government’s actual policy on this (hint: it doesn’t have one).

Culture minister [The Honourable Edward] Vaizey said he had not seen Mr Smith’s remarks but told the BBC that he “wouldn’t encourage people to put false identities on the internet”.

[From BBC News – Give social networks fake details, advises Whitehall web security official]

I don’t know why politicians don’t take the time to think this through. They always reach for the same knee-jerk response: some sort of internet passport or driving licence.

if there was an Internet Driving License that you had to use to log in to web sites, that would almost certainly make the situation far worse, since these website would now know exactly who you are, and this information would then be freely obtained by perverts, the secret police, News International or whoever else wants to pry. Why is this better than anonymity (which doesn’t exist anyway – look what happened to the not-Anonymous-at-all hackers).

[From Let’s not panic about online identity]

Since I wrote that, incidentally, some pretty convincing evidence has come to light to support my view. South Korea has rescinded its “real names” law.

In 2007, South Korea temporarily mandated that all websites with over 100,000 viewers require real names, but scrapped it after it was found to be ineffective at cleaning up abusive and malicious comments (the policy reduced unwanted comments by an estimated .09%).

[From Surprisingly Good Evidence That Real Name Policies Fail To Improve Comments | TechCrunch]

In fact the results of the “real names” law were predictably perverse. Identity theft went up, because real identities were stolen from the thousands of web sites that now had to ask for them and store them. And since people became used to be asked for their real identity, it was easier for dodgy web sites to get them to hand them over! So we don’t even have to speculate for Helen and Ed: we already know what the answer is, and it isn’t “real names”.

Please don’t read this as me saying that politicians are idiots. What I am suggesting is that we need a better-informed public discussion and debate to determine public policy and the balancing of interests between competing pressures needs to be made explicit. How should we determine whether Mumsnet or the EFF are right?

We (the public) have no idea what we want. We want anonymity for Syrian dissidents but not for pedophiles. We want anonymity for hospital nurses blowing the whistle on incompetent surgeons but not for looters. We want anonymity for celebrities in some circumstances but not others. Most of all, and most paradoxically, we want the authorities to spy on other people but not on us.

[From We don’t know whether we want real names or not]

The security vs. privacy balance is only for people who haven’t put any intellectual effort into this serious, important and urgent area of public policy. You can’t have privacy without security, but you can have security without privacy. Do we want that? Joanna Geary summed up the situation very nicely in her Guarian “Comment is Free” piece:

A Whitehall adviser has been slammed for telling people to make up data. But less anonymity doesn’t equal more security

[From Being wary of handing over personal details to websites isn’t ‘outrageous’ | Joanna Geary | Comment is free | guardian.co.uk]

Hear, as they say in the British Parliament, hear.

david g.w. birch

David G.W. Birch is a Director of Consult Hyperion, the IT management consultancy that specialises in electronic transactions, where he provides specialist consultancy support to clients around the world. Before helping to found Consult Hyperion in 1986, he spent several years working as a consultant in Europe, the Far East and North America. He graduated from the University of Southampton with a B.Sc (Hons.) in Physics.


Add a Comment