15 December 1997
Date: Sun, 14 Dec 1997 16:54:29 -0700 To: cypherpunks@algebra.com From: Tim May <tcmay@got.net> Subject: Identity, Persistence, Anonymity, and Accountability--Part I of II [Note: This is a two-part article I posted to the "Nym" list. I'm posting it here as well, but not in a "cross-post" form, because it obviously touches on many themes of interest to Cypherpunks. Declan M. has created this new list to discuss anonymity and pseudonyms. It is, predictably, largely duplicative of discussions on the Cypherpunks and other lists, but Declan and others feel it is needed. It is not necessarily open to all, to reduce the number of insults, ASCII art posts, drunken ramblings (mine excepted), and off-topic spams and such, so don't ask _me_ for instructions on how to subscribe to it. Declan may send you instructions if he wants to, of course.] [The second part will follow this part] There are many swirling notions of anonymity here, and a bunch of what I think are misconceptions about the link between anonymous systems and "accountability." Some here believe accountability (which I'll define and discuss in more detail below) is important enough to take precedence over a "right to anonymity." I think this is confusing some important issues. First some observations: * The norm in most interactions is a very loose amount of formal checks of identity credentials. Most of us never actually check the credentials of our friends and associates. Most commercial transactions, and most travels, involve no identity credentials whatsoever. (A point nicely make my Marc Rotenberg today.) * However, as we have repeated dealings with people, on lists or in person, we begin to establish a "sense of identity" for those persons, a repeated history. This has nothing _formally_ to do with identity credentials, but much to do with _expectations_ about the future. Thus, in my several years of dealing with "Black Unicorn" I have come to view him (or her, or it) as a persistent personna. Whether or not he truly is one person, and whether I know his (alleged) True Name, is largely unimportant. * It is very important that even we non-lawyers keep in mind what a _contract_ is. A contract is an offer, and an acceptance. Whether a True Name is part of the offer, by any of the parties, is unimportant. (In terms of enforceability of the contract, in terms of going after parties who fail to meet the terms of a contract, some measure of identity may of course help accountability. But this is epiphenomenol to the basics of the contract...it's just a matter of convenience.) * Hence the view many of us have that if Alice and Bob interact, they may or may not use fake names, nicknames, handles, putative True Names, or even DNA-verified biological markers. Their call. * In cases where accountability is Very Important, as in purchases of large ticket items, the usual method is to use strict title search companies, specialists in tracking actual records. Title companies, in other words. (And, even then, proofs of identity are less extreme than many anti-anonymity advocates might think. In the purchase of three homes, I've only had to "flash" my state-issued I.D. card. In fact, it was a driver's license, hardly designed as an actual proof of identity. Of course, there are certain ontological assumptions about identity in such large-ticket purchases, such as that I.D. is backed up by other things, including possession of a title deed.) * The main question that involves Washington (or other lawmakers) is this: Under what circumstances may the state compell identity to be produced? I happen to agree with several on this list, including E. Volokh and (actually) D Brin, that there are cases where identity can be compelled. Even if it only means a _sworn statement_ (as in "making an X" on a statement written by others). Applying for a passport, appearing before court, perhaps driving on the public roads. But note that there absolutely is no requirement in the United States for a general form of identification. Non-drivers need not have any form of I.D. And as we have seen in court cases, a la Lawson v. Kolender (where a black man in dreadlocks used to like to walk the streets of San Diego...the cops stopped him many times and jailed him for not having I.D. on him...the court ruled that people don't have to present credentials issued by the state to walk the public streets). * Therefore, the issue is not of a "right to anonymity," which would probably be as nebulous to debate as the "right to privacy" (which Bork probably was correct in saying cannot be found in the Constitution), but, rather, the issue of when the State may compell identity. To put it in the blunt terms we libertarians find useful: "When can men with guns tell us we have to produce a piece of paper with our pictures on it that they find acceptable?" Possibly for the situations I mentioned above. But maybe not even in all of those situations. (Next time I am called for jury duty, and my last time was in 1973, I plan to take no state-issued I.D. junk with me...I will _tell_ them who I am and leave it at that.) * In ordinary interactions and in commercial transactions (modulo gun purchases and a few other similar areas), identity cannot be compelled. Alice is free to ask Bob for his name, or his blood type, or anything else she chooses (modulo questions banned by the Civil Rights Act, disgustingly enough), and either is free to cancel the interaction or transaction as they wish. Contracts again: an offer made and an acceptance. * Now if Alice wishes to _extend credit_ to Bob, or take his promise to pay via a check or some other "delayed clearing" instruement, she is free to request various things that will satisfy her that she can later track down Bob and collect from him. Importantly, this is not a _state_ function. This is still a matter of contract. Bob is of course free to refuse to give his name and to cancel the transaction. * It's a fact that most vendors (Alice) are less interested in acquiring market research data by getting True Names than they are in selling stuff. Hence, most merchants don't care about True Names. And for online clearing (instant clearing, as with cash or guaranteed payments sytems), names really don't matter. Even Radio Shack, which makes a big point of asking for names and addresses, will gladly make a sale to those who refuse to go along. * There are cases where this normal "Alice doesn't care about names" situation is distorted by other considerations. Recently, airlines have been instructed by the FAA to do a credential check...they are happy enough to comply, as it cuts down on the practice of companies buying advance tickets in bulk and then deciding later who will actually use the tickets. (I believe the pre-FAA ruling situation, where airlines didn't bother to check I.D.s to be a good indicator of what free market forces would produce absent such an FAA rule.) Certain large-ticket purchases may no longer be made in cash. Part of this is the move to control money-laundering and smurfing, and the "structuring" laws. Black Unicorn has an amusing story of trying to buy a car in suburban Washington, with cash (or a cashier's check, I forget which), and having law enforcment arrive a short time later and hold him for questioning.... Likewise, it's becoming more common for motels and hotels to demand photo I.D. Some even refuse to accept cash without a credit card (which we know is not an actual I.D., but it sort of acts as one). I'm not sure what all the reasons for this are. Here are some, briefly: fear of being stung by someone who trashes the room, concern about being charged with enabling prostitution, pressure from regulatory boards (who may be pressured by law enforcement), or perhaps just the general attitude that "I.D. is required." (As I've said, this attitude hasn't filtered down to ordinary daily transactions.) So, identity is not the same as accountability (though there are some correlations). And lack of identity does not mean criminality. And most importantly, most cases where some proof of identity is requested don't need any state involvement in what are private transactions or contracts. Lastly, there is no "is-a-person" (in the cryptographic sense) credentialling system in the U.S. In Part II of this post, I'll combine these various points, made somewhat anecdotally here, into a more graphical form. --Tim May
Date: Sun, 14 Dec 1997 16:57:35 -0700 To: cypherpunks@algebra.com From: Tim May <tcmay@got.net> Subject: Identity, Persistence, Anonymity, and Accountability--Part II of II As promised, here is Part II, with a more graphical analysis of the issues of identity, anonymity, traceability, accountability, and the correlations between them. Consider two principles axes: -- identity -- accountability A "0" on the identity axis means a complete lack of any identity, with no assurance whatsoever in the nickname, casual name, and certainly not in the True Name, of an entity. The canonical "Anonymous," with not even any clues as to identity. A "1" on the identity axis means a complete certainty as to whom someone is, with extensive credentials, perhaps even voiceprint, blood tests, etc. An appearance by Bill Clinton probably rates a "0.999" on this scale, as various input vectors are summed...most of my posts might be rated at "0.95," and so on. There are some meta-issues about what true names really are. Was Bill Clinton switched at birth? Did the Trilateral Commission actually kill the real Bill Clinton when he was at Oxford and replace him with a KGB lookalike? Do his footprints match that on the birth certificate on file in the Arkansas hospital? Is that stuff even what we mean by "that guy is Bill Clinton"? I won't get into these meta-issues here, but they are eventual boundary-value problems for any "is-a-person" formal system. On the "accountability" axis, a "0" means an entity cannot be held accountable. Cannot be reached, cannot be hauled into court, etc. This could be because the entity is outside a jurisdiction. Marc Rich, resident of Zug, Switizerland, is about a "0.1" on the accoutability scale. A "1" obviously represents full accountability. Clearly it is possible for someone to be high on the identity scale (like Marc Rich), but low on the accountability scale. Or, more interestingly, it is possible for a participant in a transaction to be essentially anonymous, but very accountable. This is what digital cash and anonymous escrow systems provide. Chaum's "credentials without identity" makes this clear. It is possible to present some credential for some property, such as age, without identity. (An easy to see example being admissions to bars...as ID scanning technology spreads, we would like to see methods for checking an age credential without also creating a computer record of all bars visited, number of drinks consumed, etc.) (Crime and illegal markets often work this way, too. That is, with identity not necessarily known ("Vinnie the Nose"), but with other mechanisms for ensuring accountability. The usual, but important, stuff about reputation capital. Ditto for primitve markets, with goods left in clearings...absolutely no "identity," but various mechanisms for enforcement of trading protocols (including "no future business if you screw me," which is how many markets have worked, a la the Law Merchant for international trade, which evovled into the Uniform Commercial Code.) OK, here's a diagram. Notice that the central diagonal, the "main sequence" ( a la Hertzsprung-Russell diagrams) is the correlation between "identity" and "accountability." To those who argue that accountability IS identity, this is there line. But there are many other place in this space. For ease (to me) in making this diagram, I've had to just use letters, with the legend below the diagram. ^ CASH TOTAL 1 | CHAUM | ESCROW ^ | BRIN | | DIGNYM | | CORP Accountability | | | MRICH | | ANON 0 |_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 0 1 Identity --> CASH = immediate clearing, but no identity CHAUM = Chaumian "credentials without identity" (in many forms) ESCROW = leaving a deposit, or linking to another payer (an anonymous VISA card, with a deposit, works this way. Or a corporate account, card, etc., where the company backs the transaction, but identity of the participant is unknown, or poorly known) BRIN = David Brin's "accountability means identity" mapping (no doubt there are nuances to his view, but I believe this fairly characterizes the position he has described here recently) TOTAL = The total state. Eveyone in their place, every transaction logged, everyone held accountable by the State DIGNYM = Digital pseudonyms, or signed messages. Identity may be variable, from almost completely anonymous (e.g., Pr0duct Cypher) to known to some (e.g., Black Unicorn). Accountability also varies, depending on factors like jurisdiction. CORP = corporate, or collective, accounts, where identity of actual participants is poorly known, but accountability is high MRICH = identity known to high certainty, but "judgment proof" (note that this applies to many other persons, such as poor persons, who may say all kinds of libelous or actionable things, but who are not worth going after) ANON = the canonical "anonymous" message, with no identity, no accountability. Of course, there are many other examples. And each examples has "scatter." Each is a "blob," not just a point. And they can move around, as laws change. (For example, Marc Rich could quickly become "accountable" were Switzerland to change its laws about extradition.) The structure of this identity-accountability space is itself interesting, with peaks and valleys (suggesting a third axis, that of "cost" to live in these spaces....). And so on. I hope this helps clarify for you some of my thinking on these issues. i find that simplistic arguments, whether, "accountability requires identity," or "anonymity is a basic right," are not very helpful. There are clearly times when participants in a voluntary transaction want some kind of "identity credential" (especially to the extent they think identity = accountability). There may even be times when the State has a legitimate interest in compelling identity (though many of us would quibble with most such demands, and look for ways to satisfy these "is-a-person" needs less invasively than by requiring national I.D. cards and tattooes on forearms). Again, I hope this has helped. --Tim May Voluntary Mandatory Self-Rating of this Article (U.S. Statute 43-666-970719). Warning: Failure to Correctly and Completely Label any Article or Utterance is a Felony under the "Children's Internet Safety Act of 1997," punishable by 6 months for the first offense, two years for each additional offense, and a $100,000 fine per offense. Reminder: The PICS/RSACi label must itself not contain material in violation of the Act. ** PICS/RSACi Voluntary Self-Rating (Text Form) ** : Suitable for Children: yes Age Rating: 5 years and up. Suitable for Christians: No Suitable for Moslems: No Hindus: Yes Pacifists: No Government Officials: No Nihilists: Yes Anarchists: Yes Vegetarians: Yes Vegans: No Homosexuals: No Atheists: Yes Caucasoids: Yes Negroids: No Mongoloids: Yes Bipolar Disorder: No MPD: Yes and No Attention Deficit Disorder:Huh? --Contains discussions of sexuality, rebellion, anarchy, chaos,torture, regicide, presicide, suicide, aptical foddering. --Contains references hurtful to persons of poundage and people of color.Sensitive persons are advised to skip this article. **SUMMARY** Estimated number of readers qualified to read this: 1 Composite Age Rating: 45 years