Establishing Identity

I’ve been thinking a lot about identity lately. Not in the psychological sense, but in the sense of establishing that you really are who you say you are. No matter where I turn, I keep stumbling across the issue:

• Last week I had a dream about being on the run from the law. Fortunately, in the dream I had set up bank account under a fake ID, and I could still withdraw money without triggering any alarm bells.
• On Sunday evening I was filling out a passport application form for Fiona. In order for the application to be processed, it will have to be countersigned by “a person of standing in the community” (e.g. an accountant, doctor, teacher, etc.) as evidence that I am Fiona’s father and not just some random dude applying for a passport on her behalf.
• I’ve been looking at the new commenting features in Movable Type 3, and trying to untangle the shambolic mess of tags, script, and settings needed to provide integration with the TypeKey authentication service.

I have often thought about setting up an alternate identity. You know, just in case I might really need to go underground some day. How about you? How far have you gone down that road? In the questions below I’m not talking about nicknames, married/maiden names, names changed by deed poll, or other changes of name where your fundamental identity remains the same.

On-line:

• Have you set up an email account under a different name?
• Have you corresponded with other real people through this email account?
• Have you set up a web site or a blog under that name?
• Have you posted a comment or written an article on a third-party web site under that name?
• Have you researched and fleshed out the background of this alternate identity to a greater degree than just name, gender, date of birth, and country of residence?
• Have you set up a Paypal, or other online money transfer account under this identity?
• Have you always used an internet café, or an anonymising proxy server for your online actions under this identity? (So that your actions can’t be traced back to your own internet account?)

Real life:

• Have you ever rented a mailbox or a storage locker under a different name?
• Have you ever acquired fake official id documents (drivers license, passport, etc.) under your own or a different name?
• Have you ever acquired real official id documents (drivers license, passport, etc.) under a different name?
• Are you acquainted socially or professionally with anyone who knows you under a different name?
• Have you ever used these fake papers to prove your identity for some purpose?
• Have you ever acquired a credit card or a bank account under a different name?
• Have you ever paid for goods or services with funds from this card or account?
• Have you made sure that there is no link between your real home address and the address in which the alternate identity is registered?

Score one point for every “yes” you had in the On-line section, and three points for every “yes” under Real life.

Although false identities can be used as vehicles for doing harm, neither the on-line actions I noted above, nor their real-life counterparts are in themselves harmful. Yet the real-life actions carry so much more weight, because identity in the real world is a much more serious thing than it is on-line. It’s serious enough that in many places, establishing an alternative identity is a criminal offense.

People are already twigging to the fact that on-line identity can be equally important. Microsoft’s Passport system was mostly intended as a single sign-in mechanism to help users log in to multiple sites without having to remember multiple user IDs and passwords. It tackles the question of identity in a de facto kind of way: by gradually bundling all your systems access into a single login (“passport”), this login becomes your primary on-line identity.

Six Apart’s TypeKey authentication service comes at the problem from the opposite end: from the outset, TypeKey has been all about identity, with single sign-in thrown in almost as a fringe benefit. It is being sold (in a “free” sense) to users as a mechanism for proving that you really are Joe Bloggs. If you leave a comment on blog X, your TypeKey identity can prove to the blog owner (and to other readers) that you are the same Joe Bloggs who left comments on blogs Y and Z.

However, in support of the axiom that on the internet, no-one knows you’re a dog, there is no way for TypeKey to establish that the identity “Joe Bloggs” doesn’t in fact belong to the real-life “Jane Doe”. And conversely, Jane Doe is free to set up multiple TypeKey accounts, so she can also be posting comments as “Adam Smith” and “Mary Robertson” whenever she feels like it.

FOAF and XFN are ways of establishing chains and webs of trust (A trusts B, B trusts C, therefore A trusts C, but possibly to a lesser degree) in a distributed manner. PGP (or GnuPG) public key signing provides a decentralized way of proving an identity, and as such is an alternative to TypeKey, but again with nothing to stop someone from having multiple identities.

As governments become more eager to distribute services on-line, finding a way to extend each individual’s single real-life identity into the on-line space is going to become more and more important. (Hello, biometrics.) Identity is also inextricably tied up with security, the buzzword of the decade, and as such will also be one of the keys to rolling back the tide of spam.

In real life, it is unusual and intuitively suspicious for a person to have multiple identities. On-line, though, it is almost the norm to carry around a different persona for every occasion. The present anonymity of the internet makes this possible. But with an increased focus on identity and security, is this a situation that can continue? Is anonymity a fundamental property of the virtual world, or is it just a passing phenomenon, indicative of the medium’s immaturity? Will it eventually become taboo to represent yourself on-line as anything other than your real-life persona? Or is the freedom to be whomever you choose something that our society is going to accept on a long-term basis?

It keeps me up at night, wondering if now is the last time I’ll be able to feasibly establish a new identity with the low-tech tools at my disposal. If I don’t do it now, will I regret it in twenty years’ time, when the UK has turned into an oppressive totalitarian surveillance state, and my humble blogging attracts the strict attention of the net police?

Okay…straying too far into paranoia there. But you know what I mean. Don’t you?