On anonymity online
An exchange with mathematician Sarah Constantin (then a fellow LessWrong rationalist; later a writer on biotech and AI) about how to manage identity online. Alyssa lays out her own taxonomy and practice; an unnamed correspondent in the thread — quoted at length below in the indented blocks — pushes back, and Alyssa answers in turn. The terminology comes from computer security: a “principal” in the Kerberos authentication sense.
First, a bit of taxonomy. A principal is an identity, and is something that can have properties or authorizations attached to it. An example of a principal might be a Kerberos principal for a Kerberos realm, a PGP key, or a local username on a Unix system. Note that there is not necessarily a 1:1 mapping between principals and people, or principals and names.
An external identifier is an identifier given to a principal by a third party. Example external identifiers include social security numbers, A numbers on Green Cards, bank account numbers, customer IDs, and so on.
An internal identifier is an identifier assumed by a principal for itself. Example internal identifiers include screennames, nicknames, pseudonyms, and the like.
External identifiers worry me. They really do. External identifiers remove my ability to control which of my actions and words are correlated with each other, because I can’t decide when to change them and when to assume them. The best way to explain this is in the context of the legal system: everything I do, at all times, is implicitly bound to some particular principal (although this principal is named in a kind of soupy way involving my government name, physical description, whereabouts, relations, etc.) in the legal sense. Is it important that I not be able to change identifiers here? If so, why?
I have a great deal of paranoia, really, about external identifiers. I do my best to avoid them if I possibly can, and when I can’t, I aim to actively minimize the amount of information attached to them. Since a lot of the external identifiers attached to me really refer to the same principal (and could be cross-referenced as such by a moderately clever person), I’m really fighting a battle to have as little information attached to that principal as possible. To that end, I avoid electronic payment (I have a debit card, which I use as an ATM card), I pay for things in cash as much as possible, and I make a point of just outright lying to companies that think they need to know my address but actually don’t. If what I’m doing is working, my externally-known ‘immutable’ principal is a shade of a person: no rent, no utilities, no driver’s license, no bank transactions but incoming paychecks and outgoing withdrawals from ATMs near my billing address, no website memberships (except this one! heh, hi employer), no magazine subscriptions, no rewards programs, no anything that I can possibly avoid that gets anything else attached to that principal (I guess I’ll call it my “legal principal” in light of the question posed above). There is as much of “me” as there needs to be to survive and as little else as I can get away with.
Internal identifiers are a bit of a different story. Since I can create as many principals as I like with new internal identifiers, I have a separate one (more or less) for each social context, and I separate them very strongly (to the extent that I am cautious about mentioning the same fact about myself in more than one context, or about linking to the same thing, unless it’s wildly popular and the two separate principals could plausibly have found out about it independently). This has the effect of making each of the separate principals a little less than an entire person, in that each of them has a proper subset of the properties that “I” (my root internal principal, if you like :)) have.
Wow… this is a lot to process through. I like your distinction between internal and external principals, but I’m a lot less sanguine about the possibilities of minimizing external principals, or cross-principal correlation. The difficulties you mention in minimizing the data associated with your own “legal principal” seem very real and meaningful to me, and as time goes by the difficulty of doing that seems to keep increasing. And even if you manage to shard your activity across a large number of internal principals, it’s ultimately a matter of technology and data analysis to merge those externally. That technology is already in common use by state actors, and could easily be available to large corporate actors if any of them wanted it. It’s only a matter of time until that becomes available to smaller actors, at which point someone is going to do it commercially. At that point, keeping multiple disjoint principals is going to become exponentially more difficult, too.
In practice, I think that means that the era of easily-forked principals, which I would say started with the rapid urbanization of American society in the mid-19th century, is likely to end in the near future. (Or at least, you can fork as many principals as you want, but the correlation will be known to all and sundry, and that correlation will span both internal and external principals.)
I’m not particularly happy about this, but I don’t know what to do about it. I’ve turned down projects in the past to make and commercialize such technology, because I was concerned that it’s Just Plain Creepy; but that’s a holding action at best. Ultimately it’s not even clear to me that one should avoid making these broadly available, because the alternative is that these tools are freely available to state and large corporate actors and to nobody else.
In practice, I’ve adopted an ugly solution to identity for myself: I just maintain one, and work on the operating assumption that everything that I do is going to end up a matter of public record, legal process, and/or media interest in short order. It’s ugly in two ways: first, it’s unscalable (this approach can’t work for all people for obvious reasons — lots of people have really good reasons to want to fork identities, and I’m fairly sure that at various points in my life I’m going to need to do that, too), and second, it’s almost as difficult as the aggressive identity isolation you’re describing. (Consider that every single statement that I’m typing on the internet has to first go through my mental filters about how I’m going to respond when it’s publicized, and how I would answer when this came up in a deposition somewhere; and other behaviors require even more complex planning.) It’s an attempt to directly adapt to living in a fishbowl.
But this doesn’t work for everyone, can’t work for everyone, and I don’t know what that’s going to mean for our society. Anonymity was a core adaptation to living in urban environments, among lots of other people many of whom are very different. Forced-unitary identities worked in medieval European villages, but don’t exactly scale.
I spend a nontrivial amount of time on anonymity and am willing to make fairly major convenience/service tradeoffs in service of it. I don’t think it can be any other way, really; a lot of services and conveniences require (as part of their function) additional information from you that the provider would otherwise not get.
This identity (the one you’re talking to, my public one) is linked to a set of people (of which you are one). No person is linked to more than one of my identities, though. (Yes, this makes bootstrapping new identities socially difficult, but there are a LOT of social spaces.)
Alright, you win the award for aggressive identity segmentation. :) You’re going to leave us reduced to textual statistical analysis and network access patterns to merge your personae…
I have some primitive countermeasures to those things that I use. My identities generally have timezones, and I only post during the early evenings of their timezones, which ought to thwart time-based location inference. I try to choose random vocabularies, spellings, emoticons, and so on per identity, although it’s difficult and requires practice. As for network traffic itself, I route everything over Tor, which means there’s no particular host to check for up/down-ness of.
My external principal is exempt from all of these rules except the Tor one, due to it being, well, me, with a publicly-known location. This is all effort, but worth it.
I just started playing with the Tor Browser Bundle a few days ago… bootstrapping a network is a big challenge. I’ve been struggling with presenting enough of a person to be relatable without pretending to like things I don’t or disambiguating myself too much. Any tips?
I don’t often aim for relatability; it happens occasionally for no obvious reason. Much though it pains me to say it, outright falsehoods might be a good bet. (I really think the most important lesson of anonymity is to realize that lying to companies, and even people, is okay sometimes. I think our society puts a lot of stress on making people feel bad about this.)