There is a real problem brewing in social media. Regulators, law enforcement and parents want some form of age verification for social media use. The providers of social media platforms do not. Or, as in the case with Meta’s response to proposed age gating laws in Australia, they are willing to go along with some restrictions provided that the responsibility (and presumably the liability) falls on someone else. Actually, they might be right: but it should not be the app stores that step in to fix the problem, it should be the banks.
Let’s think this through, starting with listening to an actual expert. Dr. Elisabeth Carter, Associate Professor of Criminology at Kingston University in London, has a very well-informed view around online harms and their mitigation. She says that “conceptual change” is needed, where frictionless social media experiences are not seen as desirable but dangerous, akin to cars without seatbelts. I could not agree with her more. And what’s more, I think that the relevant conceptual change, and the relevant frictions, the equivalent of the standard three-point car seat belt that no-one even thinks about any more, but for the internet, is already clear, even if people do not see it that way. The conceptual change is from electronic versions of analogue identity (i.e., digitised identity, which has been around for years) to new forms of digital identity that are native to the new environment.
We will come to what that digital identity seat belt might look like shortly, but first let us summarise the problem. When people read about the scale of online harm—and there are news stories that illustrate the scale of the problem every single day—their natural reaction is to call for some form of internet passport and to demand that online discussions need to show the real name of the participants. Even setting aside for a moment the problem of deciding what “real” means in this context, this view is misguided. Real names don’t fix anything (but real reputations do, as I will explain).
This misguided view of action around online fraud, abuse and criminality is endemic. Just to illustrate with one example, way back in 2012 I wrote about legislators’ lack of understanding of the issues around online privacy. The reason for my comments at the time was that the head of internet security at the Cabinet Office, the administration department of the British government, Andy Smith, had commented wholly accurately that demanding real names and addresses in online transactions might actually make security worse. Indeed, he advised people to use fake details on Facebook as this was a “sensible thing to do”. He was apparently unaware that providing fake details was in direct violation of Facebook’s policy, which is why Simon Milner, Facebook’s head of policy in the UK and Ireland at the time, was not particularly happy with Andy and had a “vigorous chat” with him to persuade him to revise his view.
I wasn’t writing all of that to shill for Andy Smith. Andy and I disagreed about things from time to time, and while I make no comment on whether he was an Epic F***ing Secure Hero or not, he certainly was an actual internet security expert, unlike the politicians who criticised his remarks. His comments were informed and relevant and exposed a lack of policy integrity. Nothing has changed in the past decade. Politicians still reach for the same knee-jerk response: some sort of internet passport or driving licence in response to calls from the general public (who are not by any stretch of the imagination experts on internet security) for real names. In a 2023 YouGov survey of 1,000 American adults, around two-thirds said that social media platforms should require users’ real names and identity verification. They are wrong. There are almost no circumstances where it is necessary to use “real” names.
(Even if we could agree what a real name is. My father’s forenames were Frederick Gerald. To everyone in the family he was known as Gerry, but to everyone else he was known as Fred.)
As has been clear from the earliest days of the web, if there was an “Internet Driving License” that you had to use to log in to web sites, that would almost certainly make the situation far worse, since these websites would now know exactly who you are, and this information would then be freely obtained by perverts, the secret police, the National Enquirer or whoever else wants to pry.
You do not have to speculate about whether I might be right about this because there are plenty of real examples to look at going back over the years. Consider the early experiences of South Korea as a case study. In 2007, South Korea temporarily mandated that all websites with over 100,000 viewers require real names, but rescinded the law after it was found to be ineffective at cleaning up abusive and malicious comments. In fact the results of the “real names” law were predictably perverse. While unwanted comments fell by an estimated .09%, identity theft went up, because real identities were stolen from the thousands of web sites that now had to ask for them and store them. And since people became used to being asked for their real identity all the time, it was easier for dodgy web sites to get them to hand them over, which is exactly what will happen with mobile driving licences as they enter general use.
There are plenty of places where I would not want to log in with my “real” name or by using any information that might identify me: the comments section of national newspapers, for example. “Real” names don’t fix any problem because your “real” name is not an identifier, it is just an attribute (there are a great many David Birches) and it is in any case only one of the elements that would need to be collected to ascertain the identity of the corresponding real-world legal entity anyway. What would my real name mean anyway? What matters, it seems to me, is not so much whether you are commenting anonymously, but whether you are invested in your persona and accountable for its behaviour in that particular forum. There seems to be value in enabling people to speak on forums without their comments being connected, via their real names, to other contexts. This is not an anecdotal perspective: the online comment management company Disqus, in a similar vein, found that comments made under conditions of durable pseudonymity were rated by other users as having the highest quality.
The key point here is that we only use real names now because we lack a proper identity infrastructure. That is, by and large, we use the real name as a proxy for the attributes that are actually needed to execute a transaction.