Not all nations spy on their people without court orders, but Washington does.  In in my mind, this excludes the government from the privacy and trust business. Or at least from getting my business, if there were a real choice.

I’d prefer competition between nations and private firms in providing trusted identity management. For instance, I’d trust Iceland, a government with a huge privacy and free speech commitment, to guard my identity and privacy better than Washington. That’s not being unpatriotic; its just not being a patsy. Here’s what got me thinking about this.

We’re From the State, We’re Here to Identify You
Earlier this week the White House announced its plan to coordinate private-sector efforts to create trusted identification systems for the Internet.

Commerce Secretary Gary Locke described the drivers of an option for national online identification:

1. Prevent ID and data theft.
   Locke said about 8.1 million US residents were victims of ID theft in 2010.
2. Increase e-commerce by building trust.
   “Many people don’t trust the Internet,” Locke claimed. “[the Internet] will not reach its full potential — commercial or otherwise — until users and consumers feel more secure.”
3. Lower the current high cost of identity management
   The cost to business is high.  A company with 500 employees spends about US$110,000 a year managing employee IDs, according to the Department of Commerce.

I’m excited about colossal innovation happening all over the digital world, but not this. I don’t believe this will help one whit.  Yes, there are commercial interests this plan will serve (that’s why the Chamber of Commerce is all for it) but there is little chance this will advance the digital economy.

These goals seem to be somewhere between flawed and just false:

1. Preventing ID and data theft.
   Large scale data theft such as Epsilon’s Data Breach wouldn’t be helped by a federally established identity program.  Virus attacks, such as those being developed by the US for cyber warfare, simply don’t rely on identity. To protect data and identity, laws must require encryption and safe keeping of data. Statutes in Massachusetts create liability and fines for firms that fail to protect data. They’re being enforced, and the corporate focus on data security has never been higher.
2. Increase e-commerce by building trust.
   Sure, five or ten years ago there was mistrust of e-commerce.  Does anyone really believe that the App Store, or iTunes, or Kayak, or Amazon are missing sales because a significant audience doesn’t trust online retailers? As e-commerce takes place globally, does it make any sense for identity providers to take a nation-by-nation approach to identity?  These firms are doing well, and they’re earning international trade. Seems like we’re fixing something that’s working way above par, and oddly, only fixing it for domestic participants.
3. Lowering the high cost of identity management
   Lowering the high cost of health care is a national priority, and federal leadership on that is still rather a hot issue.  Of the challenges facing businesses, identity management is pretty low in the corporate hierarchy of needs. Yet the feds are itching to help with a problem that is marginal at best.

Identity management is far from perfect, but I have more confidence that the market will move us there at the right pace.  And if there isn’t a broad market-based demand for identity management, that could be because we value anonymity and a degree of disintegration in our digital lives.

Back in the day, there was something reassuring about state governments not being able to find out about drivers who were ticketed while visiting their states. Some inefficiency in government is reassuring, and I’m not sure I’m ready for that day to end on the Internet. Are you?

On The Internet Nobody Knows If You’re a 14-Year-Old Girl
In Wales, a 61-year-old woman suspected that her husband had been sharing elicit emails with a 14-year-old girl, and feared he was a pedophile. She logged on from a computer elsewhere in their home, pretended to be such a girl, and found he was all too willing to email revealing photos and attempt to seduce her. She promptly notified authorities, and even protested when he didn’t receive prison time. Good for her.

CNET gave her a tip of the hat, but thanks to a bad law made in response to an even worse case, the same act in the US might lead to the wife being federally prosecuted. Last year, 44-year-old Lori Drew was convicted under Federal law for computer hacking, because she falsely claimed to be a 16-year-old boy when harassing a child who later committed suicide.

By construing the use of a false identity as “unauthorized access to a computing system,” and equating it to hacking, Federal officials criminalized a common act.  They did this to get one seemingly bad person, but along the way could have ensnared virtuous acts as well.

After all, presenting a pretended identity is nothing new. Consider how common it is in Shakespeare. Nor is it inherently criminal, let alone a Federal crime. Fortunately, Lori Drew was convicted of lesser charges. But this is still an example of how a hard case made for a bad application of the law. And how later consequences can be hard to predict.

Turns out, impersonating a teenager online can be used for good, that is where its hasn’t been criminalized. Common law holds that we are the owners of our names, and anonymity has often been upheld as a speech right. So the use of a pseudonym absent malicious  intent seems both part of our culture, and a healthy relief for today’s closely tracked, segmented and surveiled visitors.

What’s in the water in St. Charles County?

You’ll recall that’s where Lori Drew was was indicted in a cyber bullying case related to the November 2006 suicide of teenager Megan Meier. The case, publicity and resulting legal responses have been a frequent topic here.

Now, another grown-up is facing felony harassment charges for allegedly placing a Craigslist “casual encounters” ad in the name of a teen ge girl. The ad, which included the child’s photo, phone number, and e-mail address, elicited exactly the kind of emails and text messages you might imagine.

Elizabeth Thrasher, 40, allegedly created the fake personal ad after the 17-year-old girl (whose mother is dating Thrasher’s ex) posted about her on MySpace. The charge of harassment seems non-controversial, and its likely to result in a more mundane prosecution than the federal hacking charges that were eventually brought against Drew.

If only the courts could exercise some prior restraint and keep the moms of  St. Charles County, Missouri, from mixing it up with the kids on MySpace.

In May, St. Louis Cardinals manager Tony La Russa filed suit against Twitter in California Superior Court, essentially claiming that someone using his name was posting comments that damaged his reputation and caused emotional distress. The suit also claims damage to La Russa’s trademark rights.

Ordinarily, I would have thought little about the case, believing it would get thrown out due to the legal precedent that says those who provide such services are not liable for the content that gets posted on them.

But there are two angles worth considering here. One is called the “right to publicity,” and the other is the evolving notion of digital identity.

The right to publicity is not a federal law, but many states do have it on their books, including California. The California law states:

Right of Publicity — California Civil Code Section 3344:

Use of Another’s Name, Voice, Signature, Photograph, or Likeness in Advertising or Soliciting Without Prior Consent.

(a) Any person who knowingly uses another’s name, voice, signature, photograph, or likeness, in any manner on or in products, merchandise, or goods, or for purposes of advertising or selling, or soliciting purchases of products, merchandise, goods or services, without such person’s prior consent, or, in the case of a minor, the prior consent of his parent or legal guardian, shall be liable for any damages sustained by the person or persons injured as a result thereof. In addition, in any action brought under this section, the person who violated the section shall be liable to the injured party or parties in an amount equal to the greater of seven hundred fifty dollars ($750) or the actual damages suffered by him or her as a result of the unauthorized use, and any profits from the unauthorized use that are attributable to the use and are not taken into account in computing the actual damages. In establishing such profits, the injured party or parties are required to prove his or her deductible expenses. Punitive damages may also be awarded to the injured party or parties. The prevailing party in any action under this section shall also be entitled to attorney’s fees and costs.

Skipping down to paragraph (f):

(f) Nothing in this section shall apply to the owners or employees of any medium used for advertising, including, but not limited to, newspapers, magazines, radio and television networks and stations, cable television systems, billboards, and transit ads, by whom any advertisement or solicitation in violation of this section is published or disseminated, unless it is established that such owners or employees had knowledge of the unauthorized use of the person’s name, voice, signature, photograph, or likeness as prohibited by this section.

Now, whereas the Twitter postings (“tweets”) were not commercial in nature, two points remain:

1. One can claim damage to one’s right to publicity through usurpation of identity and subsequent abuse.
2. Supposedly, Twitter was contacted repeatedly about removing the offending Twitter account but did nothing before the suit was filed. (The account is now gone.) Therefore, the owners of Twitter did have knowledge of the unauthorized use of La Russa’s name.

So, Twitter may not be liable for the content of an user’s posting per se, but it could be liable if the user is impersonating someone else and making comments objectionable or damaging to that real person.

And if Twitter was notified about the impersonation and took no action, they are on the hook. The tweets were, in fact, very offensive, which could be seen as damaging Tony La Russa’s reputation and right to publicity.

Whither Digital Identity?
Can anyone claim to be someone else on the internet? Yes. Anonymity works both ways. Will Twitter develop some user identity authorization mechanism? It’s already underway.

This is not only important to avoid liability issues relating to content, but also in the arena of financial transactions. Twitter is working on a payment system, and without some form of user authentication, such a system would be unworkable. Hopefully, such an authorization will serve to address financial and content liabilities at the same time.

What is interesting to me is how far this will go: Twitter as a payment and identity gateway? Blecch.

It raises the red flag of digital identity squatting. At the moment, anyone can use your name as a Twitter username (with all due sympathies to all the John Smiths out there).

By no strange coincidence, Facebook is also looking at a payment system. In addition, as of midnight June 12, users were able to create a more human-friendly link to their pages or profiles using their name. For example, if you are Zoogle McFillibuster, you can now be identitifed on Facebook by www.facebook.com/zoogle.mcfillibuster

It appears that each social networking service is establishing the framework for payment systems, and therefore, user authentication systems. It’s the threat of digital identity squatting — either for gain or for annoyance — that is the next tempest on the internet radar screen.  So, whether or not the La Russa law suit goes anywhere, at least it uncovered the issue of digital identity squatting.

In 2007, Facebook was valued by Microsoft at about $15 billion. It garners substantially less financial enthusiasm these days, at about $3-$4 billion. Not too shabby. Of course, the big question is why. Has it actually made a profit, or is this 1999 again? The valuation may very well be based upon the data Facebook contains about everyone that has ever used it. It’s a virtual gold mine of preferences, trends and connections, and Facebook has just amended its Terms of Service that gives it the right to keep all your information forever.

Previously, when a user left, all their information, including pictures, videos and writing, would evaporate. This is no longer the case; it’s too valuable, and perhaps this is the only way Facebook will ultimately make money: leeching off your personal information. It can use, sell or lease your data to anyone.

From the ToS:

You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid, worldwide license (with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers), any User Content you (i) Post on or in connection with the Facebook Service or the promotion thereof subject only to your privacy settings or (ii) enable a user to Post, including by offering a Share Link on your website and (b) to use your name, likeness and image for any purpose, including commercial or advertising, each of (a) and (b) on or in connection with the Facebook Service or the promotion thereof. You represent and warrant that you have all rights and permissions to grant the foregoing licenses.

Here’s what was removed:

You may remove your User Content from the Site at any time. If you choose to remove your User Content, the license granted above will automatically expire, however you acknowledge that the Company may retain archived copies of your User Content.

And what exactly will they keep? From the Termination and Changes to the Facebook Service section:

The following sections will survive any termination of your use of the Facebook Service: Prohibited Conduct, User Content, Your Privacy Practices, Gift Credits, Ownership; Proprietary Rights, Licenses, Submissions, User Disputes; Complaints, Indemnity, General Disclaimers, Limitation on Liability, Termination and Changes to the Facebook Service, Arbitration, Governing Law; Venue and Jurisdiction and Other.

This could certainly be terrible for any individual foolish enough to post anything of a sensitive nature on Facebook (such as those pictures that got people fired from their jobs). But what is unclear is the impact on companies and other organizations that have accounts. If a company provides videos or any marketing material on its page, I don’t see a way Facebook can claim such broad legal rights to it.

If for example a company posted a piece of marketing literature with an embarrassing mistake or actionable inaccuracy on its Facebook page, they’d have every right to pull it.

Or would they? Would it be eternally archived in some nondescript building in Boston reminiscent of a scene from Fringe? Eternally searchable over and over again, never leaving the Internet’s consciousness, forever echoing embarrassment or legal liability?

It seems that only natural disasters happen suddenly. Man-made ones begin small. The EU is adopting policies that secretly allow the police to hack into personal computers anywhere, at any time, for any reason – all without any judicial oversight, which would be the start of a man-made disaster.

According to the TimesOnline:

The hacking is known as “remote searching”. It allows police or MI5 officers who may be hundreds of miles away to examine covertly the hard drive of someone’s PC at his home, office or hotel room.

Material gathered in this way includes the content of all e-mails, web-browsing habits and instant messaging.

Under the Brussels edict, police across the EU have been given the green light to expand the implementation of a rarely used power involving warrantless intrusive surveillance of private property. The strategy will allow French, German and other EU forces to ask British officers to hack into someone’s UK computer and pass over any material gleaned.

Make no mistake – this is the equivalent of the police knocking down your door and entering your house at any time.

The West is struggling to find ways to combat terrorism, which is arguably the result of globalism. The rise of China, India and the EU is creating a multi-polar world during a time when national and regional interests are jockeying for power in an evolving global power structure. Blatantly, some are taking advantage of the situation to consolidate power in unprecedented ways.

What about the technology? According to the same article:

Richard Clayton, a researcher at Cambridge University’s computer laboratory, said that remote searches had been possible since 1994, although they were very rare. An amendment to the Computer Misuse Act 1990 made hacking legal if it was authorised and carried out by the state.

He said the authorities could break into a suspect’s home or office and insert a “key-logging” device into an individual’s computer. This would collect and, if necessary, transmit details of all the suspect’s keystrokes. “It’s just like putting a secret camera in someone’s living room,” he said.

Now THAT’S bloody Orwellian by definition. Doubtless, the likes of Norton and McAfee will be directed to ignore these keyloggers a priori.

Police might also send an e-mail to a suspect’s computer. The message would include an attachment that contained a virus or “malware”. If the attachment was opened, the remote search facility would be covertly activated. Alternatively, police could park outside a suspect’s home and hack into his or her hard drive using the wireless network.

Police say that such methods are necessary to investigate suspects who use cyberspace to carry out crimes. These include paedophiles, internet fraudsters, identity thieves and terrorists.

The obvious flaw in this pale excuse is that a criminal investigation is a formal process that is presumably initiated for cause. The new police powers are not governed by cause, and lack any safeguards against abuse like random fishing expeditions.

The sum of all our PC-based activities has been labeled as the “Digital Self.” This electronic shadow of a human being is at risk, not by hackers, but by the people who are presumably there to serve and protect. When one considers the amount of information about a person, from financial information to medical history to online searches, the power held by the state not bound by law is as staggering as it is unacceptable.

Simply put, Europeans are being conditioned to surrender their privacy and consequently their control. It’s the Digital Age’s equivalent to the 1930s. No amassing of tanks and ships, but the increase in power of the state’s intrusiveness into people’s lives.

Do you have anything on your PC that you don’t want visible to some bureaucrat? With storage becoming infinitely cheap, governments can maintain a copy of your digital self and comb through it at will. All your purchases, searches, web surfing and correspondence can all be stored. Such omniscience in the hands of flawed human beings is a disaster to human freedom far more pervasive than Nazi Germany ever was. And, like that disaster, it begins small.

I can hear it now in Britain: “Fingers? Fingers? Where are your fingers?” Within the next 18 months, every police officer in the UK will be equipped with portable fingerprint scanners, and will be able to carry out identity checks at the drop of a bobby’s helmet.

The official (and implausible, given past history) claim is that such scans will not be permanently stored in a national database.

One of the companies bidding on the system, known as Mobile Identification At Scene (MIDAS), is American company Northrop-Grumman, better known as an aircraft company.

Beyond taking people’s fingerprints in the field and cross-checking against the national database, officials hope the next phase will include facial recognition. Now all they have to do is couple that with a retina-scan system mounted in a small robotic spider, and they’ll have a system Mr. Anderton of Future Crime, Inc. would be proud of.

Though there was initial skepticism, New York Magazine confirmed that really was him, and yes, he’s writing a movie about Facebook. Reuters and The Christian Science Monitor have covered it. He’s asked visitors to share their experiences and story ideas. Expect legal issues, at least in the plot, if not from his online collaborators.

A 23-year-old man who worked at a church in Wabash, Indiana, has been charged with felony stalking and misdemeanor harrassment.

MSNBC all but convicts him in its coverage, and complains that because he hasn’t been charged with a sexual crime, his Internet use will not be restricted. Bad journalism aside, when he appears in court to answer these charges on August 20th, there’s a good chance the charges will be tossed from court.

The man, who will undoubetedly soon to be named, used the identities of two women from his church to set up fake Facebook profiles and have online sex with other men while pretending to be the women. This went on for several years, and interestingly was discovered by the women’s pastor, who was researching his parishoners online.  OK, so bad journalism and icky church dynamics aside, there’s still more.

Law professor Susan Brenner notes in her blog CYB3RCRIM3 that this offense really doesn’t seem to be stalking. He impersonated people; he didn’t stalk them. Nor did he harrass, tresspass, or attempt to violate their privacy in any conventional sense. He infact wanted to escape their notice. Brenner wisely suggests that impersonation should be criminalized. Unfortunately, not everything icky is stalking. 

Forecast: lots of state and local anti-impersonation legislation most likely named after the young women involved in this case.

Most of the time, students who go to court are objecting to punishment for stunts such as making fake Facebook profiles about their principal. In this case it is the principal, Anna Draker, who went after offensive students in court.

Benjamin Schreiber and Ryan Todd, two 16-year-old Clark High School students, posted a false MySpace page about her in March 2006. The page was online for about a month before Draker learned of it. She contacted MySpace, who removed the page.

Besides disciplining the students and filing a criminal complaint, she also sought cash and accountability from the students and their parents due to defamation and emotional distress. The court of first hearing ruled that the exaggerated statements were not false assertions of fact, and so were not legally defamation.

The Texas appeals court upheld both the dismissal of the negligence and distress charges. The school’s punishment of the students was never challenged, and the principal’s claims for damages was entirely unsuccessful.

Perhaps because I’d likely have lampooned my high school faculty if the Internet were available to me then, I’m glad that faculty won’t be seeking civil damages for bad behavior. And, for any faculty from Moline High School who may be reading this entry, I’m still sorry for my past transgressions, which really did seem funny at the time.