Originally posted on blog.mozilla.org/ladamski on July 16, 2010
We’ve been thinking and discussing, and then thinking some more, about both privacy and identity at Mozilla. So far we have generally been treating them as two separate sets of issues, but I’m beginning to wonder if there might be another way to think about this.
People have been trying various ways of addressing privacy concerns
on the web. These approaches have generally consisted of mechanisms to
in some digestible way, and then optionally negotiate some happy middle
ground (or not). P3P
was probably the most ambitious attempt to crack this nut, without much
success. I won’t try to rehash these various proposals here nor
speculate as to why each has so far largely failed.
Instead, let's try a different tack. What if privacy is really just an aspect of identity?
One hypothesis: people don’t have a single identity… in the real
world, or online. Who you fundamentally represent yourself to be (in
terms of name, accuracy of location, age, social-demographics, etc.)
varies depending on the context. This is true whether you are
interacting online with a bank vs. an online hobby forum vs. craigslist,
and true whether you are interacting with your close family vs.
coworkers vs. random strangers in the elevator.
In each of those scenarios, you are projecting a different “view” of
your underlying self that you feel is appropriate for the given context.
Even in situations of relatively equal trust and confidence, say with
your parents vs. your significant other, you are sharing information on a
fundamentally different basis in terms of how you are presenting it,
how you want to be perceived and how much detail and honesty you are
willing to provide, even when the topic is the same. In Plato’s Cave,
we are putting on a unique shadow play for each audience. I’m sure
there is a formal academic definition of this, but lacking that at the
moment I’ll just call this the “contextual identity”.
The desire to be perceived in a certain way inherently includes a set
of privacy expectations, or put another way, an individual’s implicit
privacy problems online, where either their expectation of their
identity in a given context is not accurate (i.e. they are sharing way
more, or very different types of, information than they desired to), or
they are sharing it in a different context (i.e. embarrassing party
photos are viewed by a potential employer).
So maybe it's not a surprise that many social networks have ended up
with privacy egg in their face. Part of the problem is that by
presuming that users should have only a single, canonical identity on
their network (and indeed, often the entire web), they lack the
flexibility for individuals to express their various identities
appropriately in different contexts.
So what if you could in fact maintain a set of identities, each
reflecting accurately your desired identity in a given context? Then
you could seamlessly interact with a wide range of services, from
commenting on news sites in a relatively anonymous setting, to sharing
health information with your family or doing online banking, each
relatively confidential and trustworthy things, yet still fundamentally
different. After all, your family shouldn’t necessarily know your
current bank balance and conversely, your bank doesn’t need to know
about your health.
Who would you trust with managing this set of identities, though?
Your favorite social network? The problem with that is this trusted
provider would need to be aware of the superset of your desired
identities, which likely includes identities that are more sensitive
than you’d be willing to share with said networks. Given social
networks are relatively low in the grand hierarchy of trust (for me,
anyway), they seem like poor receptacles for this degree of trust.
The best entity to trust with this information is, oddly enough,
yourself. The ideal solution would be locally managed on the user’s
system, but securely synchronized seamlessly to your devices. This
model has some important positive characteristics.
For one, the entity atop this hierarchy of trust is: you.
Obviously you also need to trust the software you use, but that is the
tremendous power of open source software. Since you can inspect the
source code and build your own version of any open source package, you
can actually trust its behavior. Something that is only possible for
closed-source locally-installed software with immense skill and effort
in reverse engineering… and mostly impossible for remotely hosted web
The other reason is that because you control all these disparate
identities, you can choose which of them can be associated with each
other, and under what context. For example, I might be OK with my
social network identity to be associated with my blogging identity, but I
probably don’t want either to be aware of any of my banking identities.
Sounds great, right? Maybe… or maybe not. Either way, let me know! So what’s next, you ask?
Hmm, we’ll see. Stay tuned… 🙂