Discover more from Phil Windley's Technometria
Life-Like Anonymity and the Poison Web; Technometria - Issue #11
Natural anonymity comes from our ability to recognize others without the aid of an external identity system. Online interactions will only be able to mirror life-like anonymity when we can use decentralized identity systems that don’t force all interactions to be under the purview of centralized, administrative identity systems.
Doc Searls published a piece last week entitled “How the Cookie Poisoned the Web”. Doc points to various privacy ills of Web 2.0 and in each instance says “Blame the cookie.” Doc’s larger point is that the web started out as a peer-to-peer publishing system that was wholly decentralized and gave everyone equal voice.
Holding forth on stuff since 1998
But gradually a poison disabled personal agency. That poison was the cookie.
Very few web sites in the early web had identity systems. For the peer-to-peer sharing of documents and discovery via embedded links, none were needed. HTTP, the foundational protocol of the web is stateless, meaning the HTTP server does not know whether any two requests are related to each other.
Stateless is fine for document sharing and linking using hypertext. But it makes building a shopping cart really hard. Back in the mid-90’s figuring out how to build a functional shopping cart was on everyone’s mind, mine included. I was the cofounder and CTO of an early ecommerce site, imall.com. Without changing HTTP, the most promising strategy was to include a correlation identifier in all the links generated by the site, so we’d know who was making the request. But this was buggy and caused lots of customer support issues.
A correlation identifier is a unique string that can be used to link requests. Ultimately, the the HTTP community added a correlation identifier called a “cookie” (which took its name from a correlation identifier used in unix). HTTP cookies are generated by the server and stored on the browser. Whenever the browser makes a request to the server, it sends back the cookie, allowing the server to correlate all requests from that browser.
This is how (simple) ad tracking works. When you see and ad on web site A, it’s being served from a server owned by an ad company that web site A has an agreement with. The ad server plants a cookie in your browser. Now you visit web site B who also serves ads from the same ad server. You browser dutifully reports the ad server cookie back to the ad server along with the information that the ad was on web site B. The company running the ad server now knows you were on web site A and web site B. Rather than correlating requests on a single web site, they are using cookies to correlate your activity across the web.
This is the poison Doc is talking about. The web cookie, as designed, goes well beyond correlating activity on a single web site for purposes of creating some utility like a shopping cart or a chat server. The web cookie allows correlating activities of people across the web. And it doesn’t stop with your browsing history. The ad company starts knowing other things about you (because the web sites you visit tell them) and soon they can develop a comprehensive dossier.
Like-Like Anonymity and the Administrative Internet
In real life, we often interact with others—both people and institutions—with relative anonymity. For example, if I go the store and buy a coke with cash there is no exchange of identity information necessary. Even if I use a credit card it’s rarely the case that the entire transaction happens under the administrative authority of the identity system inherent in the credit card. Only the financial part of the transaction takes place in that identity system. This is true of most interactions in real life.
In contrast, in the digital world, very few meaningful transactions are done outside of some administrative identity system. There are several reasons why identity is so important in the digital world:
Continuity—While web sessions can be pseudonymous, as we’ve seen, they are often correlated across multiple independent sessions and devices using an authenticated correlation identifier. This allows, for example, the customer to have a shopping cart that not only persists across time but also on different devices.
Convenience—So long as the customer is authenticating, we might as well further store additional information like addresses and credit card numbers for their convenience, to extend the shopping example. Storing these allows the customer to complete transactions without having to enter the same information over and over.
Trust—There are some actions that should only be taken by certain people, or people in certain roles, or with specific attributes. Once a shopping site has stored my credit card, for example, I ought to be the only one who can use it. Identity systems provide authentication mechanisms as the means of knowing who is at the other end of the wire so that we know what actions they’re allowed to take. This places identifiers in context so they can be trusted.
Surveillance—Unfortunately, identity systems also provide the means of tracking individuals across transactions for purposes of gathering data about them. This data gathering may be innocuous or nefarious, but there is no doubt that it is enabled by identity systems in use on the internet.
In real life, we do without identity systems for most things. You don’t have to identify yourself to the movie theater to watch a movie or log into some system to sit in a restaurant and have a private conversation with friends. In real life, we act as embodied, independent agents. Our physical presence and the laws of physics have a lot to do with our ability to function with workable anonymity across many domains.
So, how did we get surveillance and it’s attendant affects on natural anonymity as an unintended, but oft-exploited feature of administrative digital identity systems? Precisely because they are administrative.
Legibility is a term used to describe how administrative systems make things governable by simplifying, inventorying, and rationalizing things around them. James C. Scott’s seminal book, Seeing Like a State, nicely analyzes legibility and its unintended consequences. Venkatesh Rao has a great summary if you’d like the TL;DR.
In this wide-ranging and original book, James C. Scott analyzes failed cases of large-scale authoritarian plans in a variety of fields. Centrally managed social plans misfire, Scott argues, when they impose schematic visions that do violence to complex interdependencies that are not—and cannot—be fully understood. Further, the success of designs for social organization depends upon the recognition that local, practical knowledge is as important as formal, epistemic knowledge.
Identity systems make people legible in order to offer continuity, convenience, and trust. But, as we’ve seen, that legibility also allows surveillance. In some respects, this is the trade off we always get with administrative systems. By creating legibility, administrative systems threaten privacy.
Administrative systems are centralized. They are owned. They are run for the purposes of their owners, not the purposes of the people or things being administered. They are bureaucracies for governing something. They rely on rules, procedures, and formal interaction patterns. Need a new password? Be sure to follow the password rules of what ever administrative system you’re in.
Every interaction you have online happens under the watchful eye of a bureaucracy built to govern the system and the people using it. The bureaucracy may be benevolent, benign, or malevolent but it controls the interaction and people pay the price of the interpretive work necessary to figure out how it functions.
Real Life is Decentralized
On the other hand, in real life we interact as peers. We do interact with administrative systems of various sorts, but no one would describe that as real life. When I go to a store, I don’t think about shopping within their administrative system. Rather, I walk in, look at stuff, talk to people, put things in a cart, and check out. The administrative system is there, but it’s for governing the store, not the customers.
We can’t have online interactions that feel like real life until we redecentralize the internet. The internet started out decentralized. The early web was decentralized. But the need for continuity, convenience, and trust led more and more interactions to happen within someone’s administrative system.
Most online administrative systems make themselves as unobtrusive as they can. But there’s no getting around the fact that every move we make is within a system that knows who we are and monitors what we’re doing. In real life, I don’t rely on the administrative system of the restaurant to identify the people I’m having dinner with. The restaurant doesn’t need to check our IDs or surveil us in order to create an environment where we can talk and enjoy a meal together.
The good news is that we’re finally developing the tools necessary to create decentralized online experiences. What if you could interact with your friends online on the basis of an identity that they bring to you directly—one that you could recognize and trust? You wouldn’t need Facebook or WhatsApp to identify and track your friends for you.
Decentralized identity is the foundation for a decentralized web—a web that flexibly supports the kind of ad hoc interactions people have with each other all the time in real life. We’ll never get an online world that mirrors real life and it’s natural anonymity until we do.
SSI capitalizes on decades of cryptographic research and the now widespread availability of decentralized ledger technology to rethink identity solutions so that we can have scalable, flexible, private interactions with consent despite the issues that distance introduces.
Sovrin is an identity metasystem that provides the Internet’s missing identity layer. By creating a general-purpose system for constructing context-specific identity systems, the metasystem represents a universal trust framework. A universal trust framework is the foundation for supporting life-like identity in our digital lives.
The architecture of an identity system has a profound impact on the nature of the relationships it supports. This post categorizes the high-level architecture of identity systems, discusses the properties of each category to understand architectural influences, and explores what their respective architectures mean to their legitimacy as a basis for online life.
The real world is messy and unpredictable. Creating an identity system that is flexible enough to support the various ad hoc scenarios that the world presents us with can only be done using a decentralized system like Sovrin that allows multiple credentials from various authorities to be shared in the ways the scenario demands.
The problem is that the word privacy can mean two very different things — there’s our everyday real life definition of privacy, and then there’s the online definition of privacy. In academic circles…
Portions of this newsletter were originally published here.
That’s all for this week. Thanks for reading.
Please follow me on Twitter.
If you enjoyed this, please consider sharing it with a friend or twenty. Just forward this email, or point them at my news page.
I’d love to hear what you enjoyed and what you’d like to see more (or less) of. And if you see something you think I’d enjoy, let me know. Just reply to this email.
P.S. You may be receiving this email because you signed up for my Substack. If you’re not interested, simply unsubscribe.
© 2021 Phillip J. Windley. Some rights reserved. Technometria is a trademark of PJW LC.
By Phil Windley
I build things; I write code; I void warranties
In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue