|Home - Blog - Publications - CV - Scribblings - Photo Album - Funny|
On Monday the EFF, together with a “Nameless Coalition” of like-minded groups, escalated the backlash against Facebook’s “real names” or “authentic identities” policy with an open letter urging Facebook to end this policy like Google Plus did last year. Facebook’s response cites concerns about pseudonyms helping to hide “terrorist organizations”, “school bullies”, and “criminal behavior.”
While I support anonymity and have spent years working to strengthen it, terrorist fearmongering aside, Facebook is right that anonymity is often abused. Pseudonym-friendly Twitter constantly struggles with trolls, and has for years. Ironically, such abuse has even led die-hard anonymity advocates to de-anonymize trolls. And even Twitter’s demands for phone number verification rankle users desiring the stronger anonymity provided by Tor. Online services seemingly face a zero-sum choice between protecting people who have legitimate needs for anonymity, and protecting everyone else from those who abuse anonymity.
But this is a false choice, because most of an abuser’s power comes not from having one pseudonym, but from having many. Abuse using an army of fake identities is known as sockpuppetry on Wikipedia, or in computer science as a Sybil attack after a famous psychiatric case. The security benefit Facebook arguably derives from asking suspect users to confirm their identity has little to do with actually knowing the user’s real name: is Facebook going to decide that an “Alice” is more trustworthy than a “Bob”? On the contrary, the perceived security benefit has everything to do with verifying that the user is a real person controlling only that one account. But what if online services could verify that a user is a real person without intrusively demanding to know the user’s real name?
Years ago I proposed a possible solution that I believe a determined group of activists like the Nameless Coalition could readily put into practice on a grassroots budget and with only minimal buy-in from industry. The idea is simple: Once a year, organizers in participating cities and towns host an event to which anyone may show up in person and obtain a cryptographic token, which might be simply a random-looking number printed on a slip of paper. This token carries no identity information whatsoever, but merely attests that the holder is a real person. The holder can subsequently use this token to register or confirm pseudonymous accounts with participating online services throughout the subsequent year. Pseudonym party attendees need not show any ID, and would even be welcome to wear masks, but everyone would receive an indelible ink mark making it difficult for cheaters to acquire several tokens the same day.
Each token enables the holder to register pseudonymous accounts at many online services, but only one account per service. If the user abuses this one account, the service can shut it down, and be assured that the abuser will be unable to obtain another token-verified account until next year. The main amplication power of anonymous abuse, through Sybil attacks or sockpuppetry, would be neutralized without the online service having to know anything else about the user.
Tokens distributed at pseudonym parties would effectively enable online services to verify that users are real people without verifying their real names. For example, Facebook could add token-based verification as a fourth alternative to their three current ID-based verification options. Would they? That’s up to Facebook, but even if they didn’t, other online services might do so as a way to compete by presenting a more privacy-friendly image.
At least for now, there is no reason to expect that everyone should be expected to attend pseudonym parties and obtain tokens each year, only users who particularly care about their privacy or have specific need for an alternative to ID-based account verification. As a result, the costs of organizing pseudonym parties should start small, grow gradually with user demand, and remain within the reach of nonprofit, donation-funded budgets. Pseudonym party locations would initially be few and far between, but would also serve as opportunities to organize, celebrate, and meet other privacy-minded people in the region. If the idea were successful and proved sustainable in a few cities, and even just a few privacy-minded online services decided to support account verification via tokens, this would help build critical mass to open more locations and pressure other online services to support ID-free account verification.
The Nameless Coalition is absolutely right to critique Facebook’s real names policy and the problems it creates for more vulnerable and privacy-sensitive users. But the Coalition should also acknowledge the difficult tradeoffs most online services currently face between protecting their users’ privacy and protecting their users from anonymous abuse. Instead of treating this problem as a zero-sum cultural tug-of-war, we must give online services a means to verify that users are real people without having to check their real names — and we should not wait for industry or government to take the first step.