[OpenID] Shade's questions - Privacy for Foundation members
SitG Admin
sysadmin at shadowsinthegarden.com
Sat Dec 13 18:05:38 PST 2008

"You cannot have freedom of speech without the option to remain
anonymous. Most censorship is retrospective, it is generally much
easier to curtail free speech by punishing those who exercise it
afterward, rather than preventing them from doing so in the first
place."
(http://freenetproject.org/philosophy.html)

Is running the Foundation in an open/transparent way incompatible
with any sort of privacy that could conceal the identity of its
members? How do you reconcile the two ideas?

One of the criticisms of OpenID has been that it would make tracking
far too easy, being able to target a single user and gain ALL
information about their online activities because they would have
used the same OpenID *everywhere*. We talk about using multiple
OpenIDs, of course, and some IDPs even automate the process
(already!), but generally the margin of opportunity is the same: hit
one target, get ALL that user's data (and possibly every other user
there, as a bonus, but the goal here isn't mass data-mining of
unknown victims, it's being able to execute precision attacks without
going after multiple sources). Compartmentalization of identity in a
user-centric manner, where the USER makes those decisions - will the
Foundation, looked to by many as the sterling example of OpenID "in
action", be led by its Board in a different direction?

I can see where privacy could be considered a dangerous thing for
Board members to have; if you can't run a background check on them,
they might be a secret Corporate lobbyist and you would never know.
What's the risk from non-Board members, though? And what about the
risk *to* them - let's say their "offline" identity works someplace
that is politically opposed to OpenID, and the member is a good
little office grunt who does their paperwork and stays out of such
discussions, then goes home with their paycheck to spend all their
free time working on OpenID development. If the employer were to
discover a connection between one of their own employees and one of
The Hated Enemy, they might find (or create) some reason to terminate
that employee's stay with them. Suddenly, that employee is looking
for a new job (yes, in THIS economy!), and may face other
repercussions as well.

Especially if they had established that separate identity for the
purpose of engaging in free-speech activities, and might then be
targeted by nearby parties. They may have been free with information
that they never would have let out if it could be combined with
information associated with their *other* Identity, to discover such
things as their physical address, or where they worked - as just one
example, imagine being "out" in a Deep South town. BIG difference
between being *anonymously* out on some message board, somewhere, and
having all your neighbors learn that carefully-kept, long-held
secret. Enabling hate crimes is NOT something OpenID should be seen
as responsible for (so let us be VERY cautious about security, as it
relates to privacy!), it could create a NASTY publicity backlash.

So, obviously, privacy is something that should be important for
OpenID to preserve. But when it comes to membership in the
Foundation, should we advise those who value their privacy to just
stay away?

-Shade