Friday, March 2, 2012

Privacy Through Multiplicity

Internet privacy is a big deal and will become an even bigger deal as web-based software to track clickstreams and collect personal information continues to become more effective. As an Internet user, I don't want web sites to be able to conspire to build and maintain a complete picture of my online activities. I want to be able to protect personal information about myself (e.g., credit card #, home address, business email, demographic info) from the prying eyes of web sites that I may casually visit. It would seem that Ethosphere would provide the ultimate in user privacy, since the privacy directive prevents a web site administrator (or anyone else) from discovering the true identity of a persona. However, this may not be enough.

Suppose I always use the same persona, named @UncleAlbert, within Ethosphere. During the day, @UncleAlbert works as a trusted financial advisor, but he is also interested in hang gliding and, being a single person, occasionally hangs out in a singles-only online club. @UncleAlbert also buys books from amazon.com, rents movies from netflix.com, and he owns a laptop he bought on ebay.com. By simply tracking @UncleAlbert's interests and activities on the Internet, an observer could learn a great deal about the person who "owns" @UncleAlbert in RL. The privacy directive would not allow disclosure of the person's real home address or age or gender, but it would still allow some pretty powerful inferences to be made regarding his or her lifestyle and buying habits.

Within the Ethosphere, this sort of inference-by-clickstream invasion of privacy could easily be thwarted by simply using many different personae. For example, if I create a new persona each time I log on to the network (assuming persona creation is cheap and easy), there would be no way for anyone to connect the behavior of one persona with any of the others, and each persona would therefore be completely anonymous. Unfortunately, this strategy would also make any kind of long-term relationship, including business and commerce, impossible. Who would trust or choose to associate with an anonymous persona? Privacy is not the same as anonymity.

It is necessary, it seems, for personae to have associated, recognizable characters or personalities that persist across logins. Nobody would trust financial advice from @UncleAlbert (nor be willing to pay for it) without some kind of credentials or track record that indicates he knows what he's talking about. Moreover, if the system maintains that reputation and provides it to clients or even competitors in the financial community, this doesn't really seem to raise any privacy concerns (even though it might possibly be professionally harmful to @UncleAlbert). If a client chooses to record some praise or criticism of Al's work, it seems fair to @UncleAlbert and to other clients and potential clients that this bit of information be made available to them. On the other hand, if the system maintained and provided information about @UncleAlbert's other interests, say hang gliding, to clients or competitors, this does seem to violate reasonable privacy expectations (even though it might not harm @UncleAlbert in any way).

There is a basic tension between maintaining a persona's privacy and its identity. It may be that the best compromise is to compartmentalize one's personality and create several personae, each one representing an independent aspect of the real person. If @UncleAlbert is my financial advisor persona, then perhaps @buzz represents the hang glider enthusiast and @rex is the wild and crazy single guy. Each of these three personae might be individually known, recognized, and perhaps trusted in three separate socio-economic contexts, without compromising the privacy of any of them or their common owner.
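The trade-off between the three strategies discussed above can be made concrete with a small model. This is an added example, not part of the original post: the session history and context labels are constructed, and only the persona names @UncleAlbert, @buzz and @rex come from the text.

```python
from collections import defaultdict

# Constructed login history for one real-world owner: (session number, context).
SESSIONS = [(1, "finance"), (2, "hang-gliding"), (3, "singles-club"),
            (4, "finance"), (5, "hang-gliding"), (6, "finance")]

# Persona names are the post's; the context labels are assumptions.
BY_CONTEXT = {"finance": "@UncleAlbert", "hang-gliding": "@buzz",
              "singles-club": "@rex"}

# Each strategy maps a session to the persona name the observer will see.
STRATEGIES = {
    "single persona": lambda session, context: "@UncleAlbert",
    "new persona per login": lambda session, context: f"@anon{session}",
    "persona per context": lambda session, context: BY_CONTEXT[context],
}

def observe(strategy):
    """What an observer who sees only persona names can assemble:
    persona -> list of contexts it was active in, one entry per session."""
    seen = defaultdict(list)
    for session, context in SESSIONS:
        seen[strategy(session, context)].append(context)
    return dict(seen)

def widest_profile(seen):
    """Most distinct contexts linkable to one persona (inference exposure)."""
    return max(len(set(contexts)) for contexts in seen.values())

def track_record(seen, context):
    """Most sessions in `context` credited to one persona (reputation)."""
    return max(contexts.count(context) for contexts in seen.values())

def compare():
    """Return {strategy: (widest profile, finance track record)}."""
    result = {}
    for name, strategy in STRATEGIES.items():
        seen = observe(strategy)
        result[name] = (widest_profile(seen), track_record(seen, "finance"))
    return result

if __name__ == "__main__":
    for name, (exposure, reputation) in compare().items():
        print(f"{name:24} contexts linked: {exposure}  finance sessions: {reputation}")
```

Only the persona-per-context strategy keeps the linkable profile at one context while still letting the finance persona accumulate a track record across logins.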
