August 21, 2006



Anonymity as the default: As digital identity management systems come on line, the norm is switching from being anonymous to being identified, with unintended consequences we may not at all like.
One Web Day: Earth Day for the Web. Come celebrate!
My Hundred Million Dollar Secret: I've self-published a kid's novel. You can buy it or read it for free. (My promise: Harry Potter does not die in it.)
Cool Tool: RoboForm is great...except for one thing.
Bogus Contest: A contest no one really enters.


dividing line
Anonymity as the default

[I ran a version of this in my blog a couple of days ago.]


I wrote about the limits of transparency, mentioning the value of anonymity. Eric Norlin used this as a springboard. Unfortunately, comments on his site are not showing up. Then, Kim Cameron, digital ID architect at Microsoft, reprinted Eric's piece, but I was unable to leave a comment at his site either. Then, the debate discussion expanded (my contribution seems to have been the phrase "anonymity is the default"): Ben Laurie argued that anonymity should be the substrate of identity systems. Kim replied. David Kearns posted on the topic, arguing that privacy, not anonymity, is the issue. He followed up here. Tom Maddox replied. Eric has posted again. AKMA posted.

So, in lieu of leaving comments on other people's sites, here's an attempt to be clearer about what I mean by saying that anonymity should be the default.

"Anonymity should be the default" doesn't say what I mean. Sorry to have put it badly. "Defaults" come to us from the software world where shipping software with the right options turned on can make or break a product. It may be that anonymity is the right default option for digital ID management software, but that's not what I meant. And if it is the right default, it will be due to anonymity's social, political and personal roles. Those roles are what interest me.

I probably should have said "norm" instead of "default." In fact, it's helpful (I think) to put this in moral terms. Philosophers have the useful concept of the prima facie. (If you disagree with how I describe the prima facie, then skip the phrase and go straight to the concept.) Something is prima facie good if you don't need a special justification to do it, but you do need a justification to do its opposite. Telling the truth is prima facie good because you don't need a special justification to do so, but you do to tell a lie. Likewise, anonymity is prima facie good in our culture: We don't need a special reason not to ask you to identify yourself and we do need a special reason to ask you to whip out your drivers license. There are places and contexts where this doesn't hold, e.g., entering a nuclear facility or the Nebraska State Twine Museum (on Homeland Security's Vulnerable Sites list) these days. But still, in general, anonymity is prima facie good and is the norm.

I don't want that to change on line. Here's why.

While obviously what we do — and who we are — on the Net keeps surprising us, we would be fools not to learn from our experience as selves in the real world. So, here's something I think the real world teaches us. The term "anonymity" has a bad connotation because it's used primarily where there's an expectation of identification. We don't say that someone entered a movie theater anonymously unless we're implying that the person had reason to hide her identity, even though, in truth, anyone who pays cash for a theater ticket is entering it anonymously. So, because we use the term "anonymous" mainly where identification is expected, this may lead us to think that being identified is the usual state — the default state — in the real world. In fact, the rarity with which we use the term actually indicates that the opposite is the case: Anonymity is the norm in the real world.

That of course doesn't mean that we're always anonymous. There are zones where being identified becomes the norm by law or policy. And, in a small-ish town or within a work community, we may expect to know who everyone is. But, even so, the people in the small town are not entitled (by law or custom) to demand to see a drivers license of a visiting aunt walking down the street. You need a special justification (in the real world) for demanding ID, but you don't need special justification for not demanding ID.

Of course that doesn't mean that anonymity should be the default online, just as e-commerce sites shouldn't replicate the real world experience of waiting on check-out lines. But, it's worth looking at the real world in this case because it can help undo anonymity's bad reputation, so that we can make a better judgment about what we want online.

Anonymity (including pseudonymity) does much good online. It also allows bad things to happen, but so does free speech. Before we tinker with the defaults, we ought to at least recognize what we may be giving up in the realms of (1) the political, (2) the social, and (3) the personal.

1. Anonymity allows people to say and do things that those in power don't like. It enables dissidents to speak and whistleblowers to blow their whistles.

2. Anonymity allows people to say and learn about things from which social conventions otherwise would bar them. It helps a confused teen explore gender issues.

3. Anonymity (and especially pseudonymity) enables a type of playing with our selves (yes, I know what I just said) that may turn out to be transformative of culture and society.

Anonymity also allows some awful things to happen more easily, but we can't fairly decide what we want to do about it unless we also acknowledge its benefits. Just as with free speech.

As David Kearns points out, some of these issues have to do with privacy. Since I'm interested in norms, I don't want to stipulate definitions of "privacy" and "anonymity," which is probably the only way to make their relationship crisply clear. The fact is that the two terms, as we use them in the real world, are murky alone and in relation. Roughly, when we talk about anonymity, we generally mean not knowing who I am, whereas when we talk about privacy, we generally mean not knowing things about me. (Logically, privacy includes anonymity since who I am is something to know about me, but in practice we use the terms separately.) In many instances, a strong right to privacy confers the benefits of anonymity. But, the real not-knowing of anonymity may be required in some regimes for people to feel free to speak. And it may have a subtle, liberating effect on the selves we're building in the new connected public.

Worse — at least if you insist on clarity — both terms are complex and gradated. Privacy is obviously something we can parcel out in dribs and drabs; that's what the new digital identity management systems enable. Anonymity sounds more binary, but because "who we are" is complex, so are the ways in which we can hold back information about who we are. An anonymous donor has probably identified herself to the organization that has agreed to withhold her name. An anonymous author may disclose that she has twenty years experience in the trade she's writing about. An anonymous stranger who runs after you with the wallet you dropped makes no effort to hide her face, even if she refuses to give her name. And the range of ways in which we are pseudonymous is enormous.

We don't have to sort this out entirely. Privacy, anonymity, publicness, responsibility, shame, freedom, self, community...these and other core terms are properly in a royal stew of meaning.

Before we have all this clear, we're going to have to make some decisions. My fear is that we are in the process of building a new platform for identity in order to address some specific problems. We will create a system that, like packaged software, has defaults built in. The most important defaults in this case will not be the ones explicitly built into the system by the software designers. The most important defaults will be set by the contingencies of an economic marketplace that does not particularly value anonymity, privacy, dissent, social role playing, the exploration of what one is ashamed of, and the pure delight of wearing masks in public. Economics will drive the social norms away from the social values emerging. That is my fear.

I have confidence that the people designing these systems are going to create the right software defaults. The people I know firsthand in this are privacy fanatics and insistent that individuals be in control of their data. This is a huge and welcome shift from where digital ID was headed just a few years ago. We all ought to sigh in relief that these folks are on the job.

But, once these systems are in place, vendors of every sort will of course require strong ID from us. If I want to buy from, say, Amazon, they are likely to require me to register with some ID system and authenticate myself to them...far more strongly and securely than I do when I pay with a credit card in my local bookstore. Of course, I don't have to shop at Amazon. But why won't B&N make the same demand? And Powells? And then will come the blogs that demand I join an ID system in order to leave a comment. How long before I say, "Oh, to hell with it," and give in? And then I've flipped my default. Rather than being relatively anonymous, I will assume I'm relatively identified.

Does that matter? I think it does, for the political, social and person reasons mentioned above. Don't make me also argue against being on one's best behavior and against being accountable for everything one does! I'm willing to do it! I will pull this car over and do it! Just try me!

The basic problem is, in my opinion, that the digital ID crew is approaching this as a platform issue. Most places on the Web have solved the identity problem sufficiently for them to operate. Some ask for the three digits on the back of your credit card. Some only sign you up if you confirm an email. Some only let you on if you can convince an operator you know the name of your first pet and the senior year season record of your high school's football team. Sites come up with solutions as needed.

Good. Local solutions to local problems are less likely to change norms and defaults. But the push is on for an identity management platform. It's one solution — federated, to be sure — that solves all identity problems at once. Because of Microsoft's market dominance, its building identity management into the operating system is an important plank in the platform. Even the sprouting of multiple identity management systems results in a platform because they will make it possible for vendors to expect you to use one.

If you want to change a social default, build a platform. That's not why they're building it, but that will (I'm afraid) be the effect. It's not enough that anonymity be possible or permitted by the platform. It's about the norm, the default. If the default changes to being naked at the beach, saying, "Well, you can cover up if you want to," doesn't hide the fact that wearing a bathing suit now feels way different. Yes, there's something wrong — and distracting — about the particulars of this analogy. But I think the overall point is right: We're talking about defaults, not affordances.

There are serious problems caused by weaknesses in current identity solutions. Identity theft is nothing to sneer at, for example. But are we sure we want to institute a curfew instead of installing better locks?*

About a year ago, my friend Ethan Zuckerman — whose blog is one of the great examples of why blogging matters — and I wrote a paper on anonymity that we never released. It tried to make two points: 1. Anonymity isn't just for criminals and terrorists. 2. You'd have to change the entire computing environment — hardware, software, operating systems, the network, the way Internet cafes work — to prevent bad people from operating anonymously.

The article in this issue of Joho is me blurting out that first point. Thank you, Ethan. The ground has shifted under the second point, however. We originally wrote a description of all you'd have to do to make it impossible for sufficiently motivated evil doers to act anonymously on the Net. The idea was that the list was obviously absurd. Now it is not. It is in fact the shape of the computing environment being imposed on us: Hardware with identifiers burned into it, operating systems that lock users out of their own computers in order to keep the computers "secure," US government requirements for backdoor access to all software that talks on the Net, policies such as requiring showing a photo ID to use an Internet cafe (as I experienced in Italy). What Ethan and I intended as a modest proposal in the Swiftian sense is being built by the most serious people on the planet.

The irony is that this will stop almost everyone from being anonymous except the people we're trying to catch.

*The curfews-vs.-locks trope has started to sound familiar to me. If I swiped it, it was unintentional...

dividing line
One Web Day

Susan Crawford — law professor, Berkman fellow, ICANN board member, blogger — has been working for the past year to make her idea real. Just as Earth Day is a time to celebrate our planet, One Web Day is a day to celebrate the Web. Just as on Earth Day it's up to each locality to decide how to celebrate, on OWD it's up to each locality — physical or virtual — to come up with an appropriate activity, although OWD encourages doing something that increases the Web's value and brings it to more people.

One Web Day is September 22, so it's coming up. But it's certainly not too late to jump on board as an individual, as a member of a geographic community, or as a group.

And if some politicians should happen to be reminded that the Web is about more than delivering Hollywood content to "consumers" — see Susan's brilliant dissection of the so-called Consumer Internet Bill of Rights — that wouldn't be the worst thing to happen.

dividing line
My 100 Million Dollar Secret

cover of My $100 million secret

I just published my novel for halflings (or "young adults" if you prefer), called My 100 Million Dollar Secret. It's about a boy who wins $100,000,000 in the lottery, but (for reasons explained) can't let his parents know and refuses to lie to them. In another sense, it's about the boy's growing sense of the moral obligations that come with having so much dang money. It's also supposed to be a little funny.

I published it through, the on-demand self-publishing outfit. You can get a nicely designed paperback (thank you, Stellio!) for $13.90 plus shipping, or you can read it online there for $4.00. Or you can read it online for free at my site for the book. Or you can download a Word or PDF version for free. There's also a Google group for anyone who wants to talk about it. (The book is licensed under Creative Commons, although I must have pressed the wrong button at Lulu because there it says it's got a plain old copyright. I intend the CC rules to be in effect.)

Thanks to the people who read it and commented on it before I posted it!


Cool Tool

I've become attached to RoboForm ($30), Windows software that fills in forms and passwords automatically with intelligence and flexibility I haven't been able to match in the freebies I'd been using.

It'll even generate passwords that are complex beyond memorization and that would twist your fingers into carpal tunnels trying to type them. But you don't need to type them or memorize them because RoboForm auto-enters them.

And there's the rub. My only trepidation about this software is that I haven't been able to find a way to export the passwords into a vendor-neutral format. I can't even print them out. So all is rosy so long as I never want to move to a different password manager.

1Password, a password manager for Mac OS X, says it imports RoboForm data. Until RoboForm itself provides some way to get its data out, I can't wholeheartedly recommend it, which is too bad because the software itself seems terrific.

CORRECTION: David Teare, the creator of 1Password wrote to me to tell me that RoboForm has a Print option in its Passcard editor. (It's not easy to find, but it's there.) So, at least you can manually reenter your passwords if you decide to switch to something other than RoboForm.


dividing line
Bogus Contest: A contest no one really enters

With the semi-success of Snakes on a Plane — which I've written really badly about and even wrote a sonnet to (but be sure to read Jay Cross' comment, which is funnier than what it's commenting on, and you should read Mark Federman on why hype no longer leads to tickets) — marketers are going to try to come up with equally honest, descriptive titles. And how might this play out outside of movies, hmm?

Total Gym Exercise System

The Plank and Roller Exerciser You'll Use Twice

I Can't Believe It's Not Butter

Butter-Colored Grease Tub

Super Bright 5-Cell Mag Flashlight

Reassuring Phallic Club with a Light in Its tip


Skin Bonder. (Formerly: Disappointment in a Tube)

Gosh, Honey, Your Hair Smells Great!

Shampoo + Smell

Operation Iraqi Freedom

Operation hit 'Em Where They're Not

Your turn. But who are we kidding?

Editorial Lint

JOHO is a free, independent newsletter written and produced by David Weinberger. He denies responsibility for any errors or problems. If you write him with corrections or criticisms, it will probably turn out to have been your fault.

Subscription information, or requests to be removed from the JOHO mailing list, should be sent to [email protected]. There is no need for harshness or recriminations. Sometimes things just don't work out between people.

Dr. Weinberger is represented by a fiercely aggressive legal team that responds to any provocation with massive litigatory procedures. This notice constitutes fair warning.

The Journal of the Hyperlinked Organization is a publication of Evident Marketing, Inc.

For information about trademarks owned by Evident Marketing, Inc., please see our Preemptive Trademarks™™ page at >