Not being you

Lately there has been a lot of talk about anonymity and pseudonimity. Just read around on the blog agregation Planet Identity.

There is a strong interest in walking around on the Internet, participating in transactions and doing whatever without people knowing who you are. Most federation and user centric protocols have some sort of support for this. Most of it driven by Kim Kameron’s identity law on minimal disclosure: only disclose that part of your identity that is absolutely necessary.

I happen to be a fervent player of World of Warcraft. For those of you who don’t know, that is an MORPG (massive online role playing game). Divided across hundreds of servers, players can create avatars, give them names and create an entire new personality in the virtual world. That sounds like pseudonimity heaven to me. You can literally recreate an entire new identity, new in every aspect. You can choose a different avatar from eight races. A human character versus an orc based, how different can it get?

Using that avatar you can play whatever you like. A female, suspicious priest or a strong and eager hunter. You can even start multiple characters, all completely different. This is in fact what most players do. Sounds easy to create different identities right?

Surprise … no it isn’t. Even seasoned players have complained about how difficult it is to create two different identities. Even when you have all the tools at your disposal: new avatars, new names, different clothing, different professions, different cities … It still isn’t easy to change identity. After a few weeks of playing their new character, most of them eventually are discovered: “Hey, aren’t you also playing this other character?”

You might think “Why?” Well, it seems there is one thing you cannot change, one thing none of the MORPG, games nor federation or user centric can change: YOU.

No matter who hard you pretend, no matter what tools you have at your disposal for creating a new identity, it is still you. You might be different in the way you look, in your name but you are still you. You betray yourself by talking, walking and liking the same things. Even if you try hard and pretend to like other things or walk differently, there are so many details of you, that are you, that people recognize and will blow your cover after a while.

Even if Cardspace of OpenID gives me anonymity or pseudonimity, I will probably betray myself the moment I start posting on the forum or buy my favorite music.

The hard part of anonymity or pseudonimity is not in the identification or authorization process, it is afterwards, when you start posting in forums or do stuff on the Internet. Thereby exposing the real you. Remember how search queries on AOL (or Google, Live …) could identify you?

Driver’s License to be the Next Debit Card

I just came across this article on Business Week “Use Your Driver’s License as a Debit Card“.

The intent is to use your drivers license for payment transactions. By coupling your license number to your bank account, they make your drivers license suitable for payments. Just swipe it, enter your personal code and the money is transfered. This way the shop owner doesn’t have to pay credit card companies those exorbitant fees and can carry less plastic around in your wallet.

Sounds like a good idea? Yes and no. Yes, since you don’t have to carry yet another card for doing payments. No, because they are overloading the drivers license to do stuff that it wasn’t made for.

We all know the the verification process for the US drivers license is shaky yo say the least on most states. The REAL ID act tries to improve this situation by introducing extra measures. But in the end, the verification process remains faulty. It is just less faulty but still faulty enough. Piggy backing a payment authorization is not such a good idea. You could couple the bank account of John to the drivers license of Jeff. And what happens if your drivers license is revoked? No payments anymore?

Their aim, reducing the number of plastic in your wallet, is worthy. Their modus operandi isn’t. Piggy backing one type of identification and authorization on to another type is often dangerous. Not always bad, but often questionable.

Why not introduce a blank card that can store multiple virtual ID cards like your credit card, drivers license … You just pick and unlock the one you would like to use. That reduces the plastic weight while still separating identities and authorization when needed and when you wish. Sounds like user centric identity in your wallet.