Degrees of anonymity
We have one primary goal with PrefPass when it comes to changing the user experience on the web: convenience. This aspect is a simple proposition: instead of a registration form, a link in an email, and then yet another password to remember, you can join a site with one click.
But another aspect of PrefPass is that, unlike previous solutions such as form-filling utilities or single sign-on systems, PrefPass keeps users anonymous. This aspect is a bit more complicated.
Anonymous literally means “of unknown name,” but in reality we mean a lot more than that when we use the term. Does it mean that you don’t know who I am in the real world? That you don’t know that I’m the same person that writes a different blog? That you don’t know that I’m the same person that wrote the last post on this blog?
As far as I can tell, there isn’t really a standard way of characterizing these different degrees of anonymity. But there are some standard terms whose meanings can be perhaps slightly bent to cobble together a basic ranking:
- Unknown: absolutely nothing is known about the user
- Anonymous: the user is associated with an identifier that applies across transactions at a single site. Cookies are a common way of anonymously identifying users on a temporary basis.
- Pseudonymous: the user is associated with a pseudonym (AKA handle, username, or nickname) that applies at other sites. Most single sign-on (SSO) systems are designed to prove ownership of a pseudonym.
- Personally identifiable: the user is associated with information which can potentially be used to uniquely identify, contact, or locate them. Personally identifiable information (PII) includes things like name, telephone number, street address, and e-mail address.
One problem with pseudonymity is that it is susceptible to correlation, which can lead to personal identification. For example, if data associated with one pseudonym is collected across many sites, this richer dataset may make it possible to personally identify the user. Or if one site is compromised, this can affect the user across all sites where that pseudonym is used.
For these reasons and others, at PrefPass we decided to provide users with anonymity, not just pseudonymity. To do this, we used what in digital identity circles is called a unidirectional identifier. That just means that when you click on the PrefPass badge at two different sites, each site is provided with a different identifier. That way, each site can recognize you, but no one can tell that the same person joined those two sites.
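As an added illustration of the correlation problem and the unidirectional identifiers described above (this is not PrefPass's own code, and the post does not say how PrefPass generates its identifiers), the sketch below assumes one common construction: an HMAC of a per-user secret over the site's origin. The function names, sample users and sample sites are hypothetical.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit


def site_scope(url: str) -> str:
    """Normalize a URL to scheme://host[:port] so that every page on the
    same site maps to the same identifier."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web origin: {url!r}")
    host = parts.hostname.lower().rstrip(".")
    default = {"http": 80, "https": 443}[parts.scheme]
    port = "" if parts.port in (None, default) else f":{parts.port}"
    return f"{parts.scheme}://{host}{port}"


def unidirectional_id(user_secret: bytes, site_url: str) -> str:
    """Per-site identifier (assumed construction): stable for one site,
    unlinkable across sites without the user's secret."""
    mac = hmac.new(user_secret, site_scope(site_url).encode(), hashlib.sha256)
    return mac.hexdigest()[:32]  # 128 bits is enough to avoid collisions


def linked_users(site_a: dict, site_b: dict) -> set:
    """What two colluding (or breached) sites can join on: the identifiers
    that appear in both datasets."""
    return set(site_a) & set(site_b)


# Constructed sample data: three users, two sites.
USERS = {name: secrets.token_bytes(32) for name in ("alice", "bob", "carol")}
SITE_A, SITE_B = "https://news.example/", "https://shop.example/cart"

# Pseudonymous design: the same handle is the record key at both sites.
pseudo_a = {name: {"reads": "politics"} for name in USERS}
pseudo_b = {name: {"buys": "camping gear"} for name in USERS}

# Unidirectional design: each site only ever sees its own identifier.
uni_a = {unidirectional_id(s, SITE_A): {"reads": "politics"} for s in USERS.values()}
uni_b = {unidirectional_id(s, SITE_B): {"buys": "camping gear"} for s in USERS.values()}

if __name__ == "__main__":
    print("pseudonyms linkable:", len(linked_users(pseudo_a, pseudo_b)))
    print("unidirectional linkable:", len(linked_users(uni_a, uni_b)))
```

With pseudonyms, every record joins across the two datasets; with per-site identifiers the join is empty, so a leak at one site exposes nothing that keys into the other.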
Of course, PrefPass is all about user control, and with control comes responsibility. For example, you could manually enter a pseudonym at multiple sites where you use PrefPass to join. That would make you pseudonymous at those sites; but it would be your decision, not something built into PrefPass. And no other PrefPass sites would be affected by it.
Now, some might argue that true anonymity is impossible on the internet; that without extraordinary knowledge and care, anyone leaves a trail that can be pieced together to find out who they are in the real world. For example, see this recent blogosphere brouhaha.
But at least for me, that doesn’t at all mean that we should throw up our hands and sign our names on every page we visit. You can do a lot to remain anonymous on the internet, and as always, defaults matter. It’s true, if someone really wants to track you down, and is willing to dedicate time and money to doing so, there’s a decent chance they’ll succeed. But the same is true in the real world: if someone really wants to break into your house, they probably can. But that doesn’t mean that you shouldn’t lock your doors and safeguard the key. Most crimes are crimes of opportunity, and basic good habits will make a big difference in how likely you are to have problems.
I haven’t even touched here on another feature of PrefPass that complements anonymity: transparency. Details will have to wait for another day, but the basic fact is this: when you use PrefPass to personalize a site, the data being used for personalization is visible, editable, and controlled by you. The idea is that by making it easy for sites to ask you for your Prefs directly, they’ll have less reason to try to piece together your interests in some other way. In our view, the trade of Prefs for personalization is happening all the time on the web; so why not make it explicit, easy, anonymous, and transparent?
PS: “Degree of anonymity” is also actually a technical measure of how anonymous you are using a given anonymizing approach. Details here.
September 27th, 2006 at 3:36 am
Probably marginally along the line, I wonder if PrefPass should be combined/integrated (through some API & protocol) w/ OpenID (e.g. idkeed.com) where a user’s Prefs and PrefPass’s personalization capabilities (through Javascript) are blended w/ OpenID system’s authentication capability…. Thoughts?
October 1st, 2006 at 10:00 am
Hi RBC,
I’m a big fan of OpenID, and we’ve been trying to think of how it could fit with PrefPass. It’s interesting, because the two systems solve different problems: OpenID is a way to prove that you own a URL, while PrefPass lets a site know what you’re interested in and allows it to recognize you as the same visitor the next time you show up.
One good thing about the anonymous PrefPass approach is that it completely avoids any need for crypto, server-side libraries, or defenses against security attacks — there’s nothing to steal! But of course that means that PrefPass can’t help you prove that you’re someone in particular, so that you can leave signed blog comments, etc. as with OpenID.
BTW, I didn’t find anything at idkeed.com, was that a typo?