[OpenID] Shade's questions - Privacy for Foundation members

SitG Admin sysadmin at shadowsinthegarden.com
Sat Dec 13 18:05:38 PST 2008


"You cannot have freedom of speech without the option to remain 
anonymous. Most censorship is retrospective, it is generally much 
easier to curtail free speech by punishing those who exercise it 
afterward, rather than preventing them from doing so in the first 
place."
(http://freenetproject.org/philosophy.html)

Is running the Foundation in an open/transparent way incompatible 
with any sort of privacy that could conceal the identity of its 
members? How do you reconcile the two ideas?

One of the criticisms of OpenID has been that it would make tracking 
far too easy, being able to target a single user and gain ALL 
information about their online activities because they would have 
used the same OpenID *everywhere*. We talk about using multiple 
OpenIDs, of course, and some IDPs even automate the process 
(already!), but generally the margin of opportunity is the same: hit 
one target, get ALL that user's data (and possibly every other user 
there, as a bonus, but the goal here isn't mass data-mining of 
unknown victims, it's being able to execute precision attacks without 
going after multiple sources). Compartmentalization of identity in a 
user-centric manner, where the USER makes those decisions - will the 
Foundation, looked to by many as the sterling example of OpenID "in 
action", be led by its Board in a different direction?

I can see where privacy could be considered a dangerous thing for 
Board members to have; if you can't run a background check on them, 
they might be a secret Corporate lobbyist and you would never know. 
What's the risk from non-Board members, though? And what about the 
risk *to* them - let's say their "offline" identity works someplace 
that is politically opposed to OpenID, and the member is a good 
little office grunt who does their paperwork and stays out of such 
discussions, then goes home with their paycheck to spend all their 
free time working on OpenID development. If the employer were to 
discover a connection between one of their own employees and one of 
The Hated Enemy, they might find (or create) some reason to terminate 
that employee's stay with them. Suddenly, that employee is looking 
for a new job (yes, in THIS economy!), and may face other 
repercussions as well.

Especially if they had established that separate identity for the 
purpose of engaging in free-speech activities, and might then be 
targeted by nearby parties. They may have been free with information 
that they never would have let out if it could be combined with 
information associated with their *other* Identity, to discover such 
things as their physical address, or where they worked - as just one 
example, imagine being "out" in a Deep South town. BIG difference 
between being *anonymously* out on some message board, somewhere, and 
having all your neighbors learn that carefully-kept, long-held 
secret. Enabling hate crimes is NOT something OpenID should be seen 
as responsible for (so let us be VERY cautious about security, as it 
relates to privacy!); it could create a NASTY publicity backlash.

So, obviously, privacy is something that should be important for 
OpenID to preserve. But when it comes to membership in the 
Foundation, should we advise those who value their privacy to just 
stay away?

-Shade

