williamcotton.com

The Tyranny of the Anonymous

January 16th, 2019

From the Federalist Papers to contemporary whistleblowers, there is plenty of evidence of the benefits of an anonymous check on power. There is no question that anonymity is the enemy of the traditional despot. Throughout history it has been deemed advantageous by authoritarian leaders to controls the means of communication and to punish those that question their powers.

Cryptography and the internet have forever closed the door on this kind of censorship. While individual websites like Facebook or YouTube can indeed monitor and police the content that is published on their platforms, there will always be alternative methods of publication that are impossible to silence. Between tools and technologies like Signal, Telegram, Tor, Bitcoin, or BitTorrent, there are many ways for people to avoid the prying eyes of nefarious controlling bodies.

While there are benefits to anonymity, there are very good reasons why people would want to use a communication platform that requires people to use their real names and identities. People have a need to interact with their friends, family, neighbors and other people whose identities they already know. The vast majority of our daily interactions are face-to-face.

Accountability and transparency, foundational elements of our society, are at somewhat at odds with anonymity. Commercial and financial transactions are built on various types of infrastructure to facilitate and enforce accountability. Facebook's marketplace works best with a verified identity for the same fundamental reason that a pawn shop requires a state-issued photo ID. There is also a need for accountability for the content published on social media platforms. Physical threats and other forms of unprotected speech will always need to be policed.

There is a false dichotomy that is presented to the contemporary internet denizen: either we live in an Orwellian nightmare where the government tracks our every digital utterance or we are free to speak our minds, even if there are consequences of unrestricted anonymous speech.

There is of course also the option of sometimes choosing to use a media platform that requires government verified identities and other times choosing to use a media platform that is entirely anonymous. Without this choice our society will always be forced to suffer from the negative aspects of anonymity.

Governments already issue verified identity cards in the form of driver's licenses, passports and more. We should be looking to update our public institutions to meet the needs of the information age. This should be preferable to heavy-handed regulations on companies like Facebook, Twitter and Google. They have and will continue to serve a set of needs that only they and their customers know best.

Broadly speaking user authentication can be either privileged or common. An example of privileged authentication is the well-known combination of username and password credentials. While a website like Facebook would not be storing the password, they most definitely need access to the password at login in order to verify the given username. Thus, Facebook sits in a privileged position relative to people who wish to be authenticated by their services. It also naturally follows that someone's Facebook authentication credentials are only valid with Facebook's services.

In contrast, an example of common authentication is PGP, one of the many different public-key cryptographic systems. In these systems the private key would only ever be known by the individual. This means that there are no individuals or institutions in a privileged position. Identities authenticated in this manner are portable and can be used anywhere.

With both privileged and common authentication systems there is a public identifier and private password or key. In either of these cases there is nothing that associates a username or a public key with an actual living, breathing individual. For these we will always require a trusted third-party, which in our case means a government that issues photo identification.

In a practical sense, we're in luck, as the United States Department of Defense already uses a common authentication system known as a Common Access Card. This card is a photo ID that contains a private key that is used to not only login to DoD computer systems but also to sign encrypted messages between individuals.

There is no real technical challenge for each state to issue CAC-compatible IDs through their respective departments of motor vehicles. The technology is literally battle-tested, cheap and abundant.

The reasons for wide-spread adoption of something like the Common Access Card extend far beyond fake news and online bullying. Privileged authentication systems are inherently insecure. There have been hundreds, if not thousands, of leaked databases full of username and password combinations which have contributed to the billions of dollars lost to identity theft every year.

It is time that we move towards secure common access systems based on public-key infrastructures that put individuals in control of their online identities.