Who are you? (Yeah, you!)
If you were reading this as a subscriber to a print magazine or a newspaper, I wouldn't need to ask that question: I'd know your name and where you live. I might even have your credit card number.
Here on the Web, though, I truly don't know who you are. I can guess, and I can play some tricks with Internet addresses (IP numbers) and "cookies," and I can ask you to register to visit my site (with no assurance that the information you provide is accurate). But I can't honestly say I have any reliable information as to your identity.
That ignorance stems from the architecture of the Internet itself, which was designed for openness, not security. If you keep this in mind as you follow the onslaught of Internet-news headlines, a lot of seemingly unrelated and confusing stories start to make a lot more sense.
Consider this week's brouhaha over Intel's plan to build unique I.D. numbers into its next-generation Pentium III chip. Intel told the world that it aimed to enhance security for online transactions by giving Web users and merchants a trustworthy identity-verification system: Web sites and other Net-based software could query your processor to make sure you are who you say you are before providing access to, say, online account data or other "for your eyes only" information.
Intel sells hardware, so Intel wants to build security into hardware. But the resulting scheme is phenomenally silly on the face of it: Who says I do all my Net-based work from a single computer? What if more than one person uses my computer? Aren't we moving away from the single-desktop-computer model toward a world of diverse Net-access devices, anyway? Isn't the point of Web-based businesses and services that you can access them from any available browser? What if I want to do my online banking from a public Net terminal in an airport or cafe?
Privacy groups, which called for a boycott of the Pentium III under the banner "Big Brother Inside," raised other issues with Intel's numbering plan. If your processor cheerfully hands out your unique I.D. to any Web site that asks, those sites can begin to build a vast database of consumer information and behavior. The moment you provide Web merchants with your name and address to fulfill an order, they can link it to your processor I.D.; conceivably, groups of Web merchants could begin to pool their information and assemble the mother of all spam lists. While today's "cookie" files already give Web sites a chance to track you in limited ways, at least the files reside on your computer's hard drive and can be easily deleted (you can also set your browser to reject them). Intel's I.D. is indelible.
Under public pressure, Intel quickly reversed course and declared that the I.D. system would be turned off by default on new computers -- you'd have to turn it on yourself for anyone to access your number. Unfortunately, such control is software-based, and thus bound to have holes that unscrupulous Web sites or creative hackers could exploit.
The real problem with Intel's scheme goes beyond the technical details. The trouble is that Intel set out to design a scheme to defeat the anonymity that people take for granted on the Net -- without ever asking consumers whether they wanted it or liked it or would design it differently themselves.
- - - - - - - - - - - -
- - - - - - - - - -
Intel isn't the only company or institution playing this game. A similar
yearning to replace free-for-all online anonymity with controlled
accountability lies behind such disparate phenomena as Microsoft's new software registration scheme and the Child Online Protection Act (COPA).
Microsoft feels that, thanks to piracy, it's not making quite enough
profits from sales of its Office software suite, so it has devised a new
registration scheme for the software: Once you've paid your hundreds of
dollars, if you wish to use your programs more than 50 times you will also
have to obtain a code from Microsoft that is tied to the particular
configuration of your computer's hardware. (For now the scheme will only be
applied in certain foreign countries and for academic users in North
America, but you can bet Microsoft would like to make it universal.) Like
Intel's processor I.D., Microsoft's registration scheme aims to link your
personal identity with your personal computer's identity; unlike Intel's
plan, there isn't even a pretense here that there's any benefit to the user.
Intel and Microsoft both want to know who you are; so, too, do the feds
-- at least they want to know enough about you to check your age. In its
wisdom, the U.S. government has decided that Web sites need to check
visitors' I.D.s at the door before granting them access to material that
anyone in any state of the union might consider "harmful to minors." Under
the provisions of the Child Online Protection Act (which Salon, along with
a group of other plaintiffs led by the American Civil Liberties Union, is
challenging in federal court), Web sites face $50,000-a-day fines and
six-month prison terms if they fail to prevent underage visitors from
accessing content that's "harmful to minors."
Forget about the problem of defining that term; on a more mundane
level, there's no way a Web site can card you or check your age if it
doesn't know who you are. Credit card numbers alone aren't good enough --
minors can type them into a Web browser, too. That's why the COPA is such a
ludicrous law. You're never going to be certain of the age of Web-site
visitors until and unless you devise some kind of universal Internet I.D.
scheme. And nobody wants that, right?
Think again. The Intel chip I.D. tempest is a wake-up call for Net users
-- a reminder that personal information is the ultimate asset in the online
marketplace, and that if consumers don't defend it, companies across the
board will grab it. It used to be that only Web sites with aggressive
marketing schemes tried to compile detailed information on masses of users.
Now we've got hardware giants like Intel and software giants like Microsoft
doing the same thing. Don't doubt for a moment that the
hybrid service providers/content companies like America Online and
@Home/Excite will join in, too: Unlike mere Web site operators, they know
their customers' names and addresses, which helps explain why they have
become Wall Street darlings.
To be sure, anonymity isn't an unvarnished good. There are some online
activities, like banking, where secure identities are vital. Inevitably,
the online world will adopt new systems for ascertaining people's identity.
The question worth fighting over is, in whose interests will the system be
The skyrocketing market valuations of today's big Internet companies is
going to put ever greater pressure on them to deliver real profits, soon.
It's a good bet that they will try to do so by gathering, using and even
selling whatever information they can about the people who use their sites.
As that pressure builds, don't be surprised if more ill-devised schemes
like the Intel processor I.D. bubble up from the stewing Net industry.
Ultimately, what consumers need is an I.D. plan that offers a good balance
between the convenience of online services that know who you are and the
privacy we all have a right to expect. (A good technology already exists
that meets these criteria -- it's called public-key encryption, and we'd all probably be using it today except
for the opposition of the FBI and other law-enforcement groups.)
Companies that figure out how to deliver both convenience and privacy
will win users' loyalty and prosper. Those that just try to cram I.D. schemes
down the public's throat -- as Intel got caught doing this week -- will
deserve all the black eyes they get.