Tactical Information Systems
Biometric Identification Software

Tactical Information Systems Blog

Identity & Technology

Changing Attitudes About Anonymity

If you will allow me to put on my "old man" hat for a while, I was around for the birth of the Internet, and its precursors like Fidonet, Compuserve, Bulletin-Board Systems (BBS), etc. I even ran a BBS called "Electric Dreams" in Dayton, Ohio in the early 90s. It was a lot of fun.

The environment back then was a lot different than it is now. The networks were mostly composed of hobbyists, researchers, and a few government people. It was a self-policing environment that was mostly free of bad actors. Advertisement of any kind of was strictly prohibited (imagine that!). It was, to use a trite phrase, a place where you could keep your digital doors unlocked and not have to worry about it. In short, it was like Mayberry, RFD. We were about as equipped to deal with fraud and bad guys as Barney Fife would be able to handle Hannibal Lechter. There was no need for identity verification.

Andy! He ate that man's head!

Andy! He ate that man's head!

This kind of story is repeated many times throughout societies and organizations - things start out with a large element of trust, but as they grow they have to adapt to an influx of bad actors looking to take advantage of that trust. We see it all the time with our clients - their sites start out small and don't have much fraud, mainly because no one knows they exist. But as they grow, the bad guys come in, just like clockwork. The Internet makes it easy for them to hide.

In a similar vein, people used to trust online sites to protect their information, and they didn't worry too much about what information they shared online. What could happen? As the Ashley Madison hack, showed, plenty of bad things can happen. But even if you aren't having an affair, bad things can happen if sensitive information gets shared online. You can be fired for speaking out about your employers; you can be swatted by someone who didn't like what you said about the PS4; you can be harassed for your opinion, or a host of other problems due to some random Internet weirdo not liking you for some random reason. The technical term for this is doxing - researching and broadcasting publicly identifiable information (PII) about a person online.

It is really a simple math problem. Let's say that even if you are the nicest guy/gal in the world, you will utterly enrage 1/1,000 people you interact with. A typical person might interact with a few hundred people a year. So you can go years without enraging someone. But on the Internet you deal with millions of people. So you are almost guaranteed to enrage someone.

A recent article by Attentiv highlighted the changing consumer perceptions of anonymity online. In the "Mayberry RFD" days, people didn't worry about protecting their online identities - online anonymity wasn't even a concept most people were familiar with, but people are starting to think about it, even ones not planning affairs. That is a good thing. In the article, 59% of people thought that it was "impossible" to be anonymous online. I've done some work in this area and that isn't true. It isn't easy, but it is not terribly hard to be 100% anonymous online. However, unless you are doing something illegal, I would posit that 100% anonymity is not a reasonable goal. Instead, the goal should be to minimize the amount of personal information you put online to the absolute minimum needed for a particular thing.

The motivation for anonymity is clear from the chart below:

Source: http://attentiv.com/anonymity-impossibility/ 

Source: http://attentiv.com/anonymity-impossibility/ 

This actually maps pretty well to the real world - I can think of plenty of occasions where I want to avoid all of these classes of people, depending upon the context. The challenge online is that all of these people can search for my name and find me pretty easily. But the answer is not true anonymity, because that leads to all kinds of bad behavior online. The answer is unique pseudonymity - basically allowing people to have one identity online for a particular context that isn't tied to a real-world identity.