Writing about the recent phenomenon that is #Gamergate, Kirk Hamilton makes some interesting points about identity:
It makes sense that doxxing—sharing someone’s address and other personal information against their will—is one of the primary instruments wielded in this battle. Doxxers use identity as a weapon, and so much of this conflict is, at its core, about identity. There’s the stated claim that the gamer identity is under attack, and also the pervading sense that this “war” is less about journalistic ethics and more about the murk of entrenched identity politics. Video games have hugely informed our generation’s cultural identity, and so cultural criticism of games feels somehow personal, like we’re the ones being criticized. I get it. I do.
He’s describing a tectonic shift in gamer culture as gaming goes from being largely white, male and young, to being increasingly diverse of race, gender and age. The cultural realignment of broadly defined identity can be expected to set off aftershocks that ripple through adjacent populations and disciplines. In this case, there was an identity quake of about 6 on the Richter scale in the gamer subculture that is rippling through journalism, hardware manufacturing, marketing, law enforcement, and on down to individual people. Among the results is a much wider public perception of the danger one’s personal details represents when in the hands of people you don’t trust.
Gaming is a very geeky subculture. It is assumed by many that the Gamergaters would have no trouble getting anyone’s personal information. Another result then is a social laboratory environment in which we get to see how that assumption affects behavior. Certainly Felicia Day held this belief when she wrote:
I haven’t been able to stomach the risk of being afraid to get out of my car in my own driveway because I’ve expressed an opinion that someone on the internet didn’t agree with.
HOW SICK IS THAT?
I have allowed a handful of anonymous people censor me. They have forced me, out of fear, into seeing myself a potential victim.
And that makes me loathe not THEM, but MYSELF.
Within moments of posting this, someone tweeted Felicia’s address.
From its beginnings, the Internet was designed and built functionality first, with security and privacy a very distant second, if at all. SSL was an afterthought. DNSSEC was an afterthought. The original Internet anticipated how functions would work, not how they could be exploited.
Then we built Internet commerce on that shaky foundation and following the same template. There is a strong parallel between the architecture of the commercial web and toxic waste dumping of the late 20th century. Both involved the externalization of costs extracted from a manufacturing process. The manufacturing of things based on atoms resulted in escrowing those costs as time capsules of toxic waste that would become the problem of some future people in return for larger profits today. In the case of bits, widespread failure to implement even basic security to protect personal data generates larger profits today but also creates a situation in which the incremental cost of retrofitting security into large established systems is cost prohibitive. Since that personal data can be used as easily to harm people as to help them, large databases of personal information which lack adequate security are akin to undiscovered pools of toxic waste – cheaper to build today, someone else’s future problem if it is abused.
We are now in the stage where the toxicity of bad security is leaking into the digital groundwater. Those regular reports of massive breaches on high-profile web sites are today’s digital version of yesterday’s cancer clusters. They are the early warning signs that a Security Cleanup Superfund is needed. Except that the maps we draw will have corporate names like Hannaford, Sony, Target and Lowe’s instead of geographic names like Love Canal and Lemon Lane.
We ramping up quickly to build the Internet of Things according to the same old template. We hear about a new “smart” version of an ordinary device just about every day. Just as rapidly we hear about these same devices being hacked, or that the security is so bad that no hacking is required. Since the prevailing model is that the devices are modern Trojan Horses, built first as a portal to your most intimate data and second with the functionality for which you bought it, they represent simultaneously our greatest opportunity and our greatest threat on the network to date.
So when I write about false parallels between the worlds of atoms and bits, or the need to build privacy-protecting or privacy-enhancing architectures, I feel a sense of urgency. I am very aware that the work underway at IIW, NSTIC, OIX and elsewhere in the Identity world potentially powers the world of tomorrow. As Dave Birch says, identity is the new money.
But I’m also keenly aware that identity can be turned into a weapon. I’m generally lonely in that view but the Gamergaters have demonstrated how effective even a small amount of identity information can be as a weapon. People are taking notice. If we embark to build Personal Clouds using the same template we’ve always used, if we assume that privacy and security are legal and policy rather than technical problems, if the individual does not have sovereign ownership of their personal data, then we might as well be honest about what it is we are building. Research into personal data technologies without design goals of privacy, sovereignty and agency, and lacking state of the art security controls would be a digital Manhattan Project. The commercially successful implementation of such a security-free Personal Cloud would be Cyberspace’s atomic bomb, capable of devastating millions of lives at one shot.
So, yeah, identity is the new money. We definitely need to figure out the functionality of identity and the benefits it will bring to the digital world. But the systems must be designed first for security, privacy, and personal sovereignty because it is from these attributes that functionality arises, not the other way around.