True Names and Identity on the Internet

As received by: Transceiver Relay03 at Relay Language path: Firetongue->Cloudmark->Triskweline, SjK units [Firetongue and Cloudmark are High Beyond trade languages. Only core meaning is rendered by this translation.] From: Arbitration Arts Corporation at Firecloud Nebula [A High Beyond military[?] organization. Known age ~100 years] Subject: Reason for concern

Cloudmark took its name from a language mentioned (fittingly enough in a set of message headers) in the award winning science fiction book A Fire Upon The Deep by Vernor Vinge. The book was published in 1992 and, influenced by the technology of the time, the interstellar computer network that Vinge imagined bore a striking resemblance to Usenet News. Today Usenet has largely slipped into obscurity, but Vinge is nonetheless a visionary when it comes to computer technology. He popularized the idea of the Technological Singularity. However, if you talk to an old time hacker they will tell you that his biggest contribution was a story called True Names, first published in 1981. At a time when the most advanced home computer you could buy was the original IBM PC and home networking was a 300-baud modem connecting to a BBS, Vinge imagined a worldwide network that bore a striking resemblance to Second Life or World of Warcraft. Hackers took on the role of warlocks in the system, and advanced programming was represented as potent spells. This hacking was of course not sanctioned by the authorities, so warlocks were careful to protect their real world identity, their True Name. Just as in some traditional accounts of magic, knowing a warlock’s true name gave you power over him or her. You might turn them over to the authorities for prosecution. If the government discovered a warlock’s true name, they might choose to force him or her to work for them as a double agent in the hacker community, rather than throwing them in jail. We’ve certainly seen this happen multiple times in the real world since then. When the FBI discovered that the true name of Sabu was Hector Xavier Monsegur, they got him to spy on Luzsec for ten months, and after the entire group was arrested, Monsegur received a minimal sentence for his hacking crimes. On the other hand, when the FBI found evidence to suggest that the Silk Road's Dread Pirate Roberts was in fact Ross William Ulbricht, he did not receive a Get Out Of Jail Free card. [caption id="attachment_5641" align="aligncenter" width="600"]

Public computers in Glen Park Library, where Ross William Ulbricht was arrested. Photo: Dan Conway[/caption] If only the feds had paid more attention to The Princess Bride they would know that Dread Pirate Roberts is a title and not a person. The Silk Road is now back in operation with a new DPR. It's not just law enforcement that has a use for true names, though. Facebook is currently deleting accounts that are not registered with a legal name. Though the Sisters of Perpetual Indulgence have been most active in the campaign against this policy, it's not just cross dressing nuns who are affected. There are many people who wish to use Facebook but have good reasons for not using their legal name.

The graphic above was created by a friend of mine, Mike Woolson, who for personal reasons was using the handle Unkle Mikey on Facebook. After the image had received 20,000 shares in a couple of days, Facebook shut down his account as he was not using his legal name, which incidentally hid all the shares. Mike was forced to give up on the publicity he had gained, or use his real name. He made the difficult decision to use his real name, but did get a certain amount of consolation when his story was reported by Business Insider. Anyone who works with at-risk youth or adults, political activists fearing reprisals from oppressive governments, and even members of the British royal family all have good reasons to establish an identity on the Internet that cannot be traced back to their true name. Facebook claims that fake accounts are often used by spammers and scammers, which is true, but there are other ways of preventing spam aside from requiring the use of genuine identities. Another argument that Facebook gives is that its policy reduces the possibility of harassment and bullying. However, Facebook has no real safeguards against disposable anonymous accounts being used for harassment. Indeed, it appears that someone is systematically searching Facebook for drag queens, and reporting their accounts for noncompliance - and doing so anonymously. This policy is forcing a number of my personal friends off Facebook. I lived in San Francisco for thirty years. Of course I have friends who are street performers, drag queens, and therapists. I hope that Facebook will change their mind on this and allow me to stay in touch with my friends through their service. Certainly, as a security researcher, I am sometimes frustrated by the protection given to cybercriminals by anonymization services of various sorts. However, there are good arguments that the need for anonymous speech outweighs the costs. In McIntyre v. Ohio Elections Commission, 514 U.S. 334 (1995), the Supreme Court of the United States ruled that the right to free speech under the First Amendment included a right to remain anonymous. The court's decision pointed out that anonymous speech had been of great importance in founding of America itself:

A forerunner of all of these writers was the pre-Revolutionary War English pamphleteer "Junius," whose true identity remains a mystery. See J. M. Faragher, ed., The Encyclopedia of Colonial and Revolutionary America 220 (1990) (positing that "Junius" may have been Sir Phillip Francis). The "Letters of Junius" were "widely reprinted in colonial newspapers and lent considerable support to the revolutionary cause." Powell v. McCormack, 395 U.S. 486, 531 , n. 60 (1969).

Of course, there is a converse to this. Sometimes we need to be absolutely certain that the entity at the other end of an Internet connection is who they say they are. If you are installing software on your computer, or accessing your bank account, you need to be sure that you are not dealing with an impostor. This is managed by a chain of trust. You may not be able to verify that you are really communicating with bankamerica.com or that bankamerica.com is really owned by Bank of America. However, if you trust a certificate authority to issue a certificate saying, "Yes, this web site really is bankamerica.com and it is owned by the real Bank America, and all your transactions are encrypted to prevent anyone intercepting them," and if you have a way of validating that certificate, then you can pay your bills in confidence. Unless someone manages to compromise the certificate authority, of course. In 2011 this happened to the Dutch certificate authority, DigiNotar, and over 500 fraudulent certificates were issued, allowing man-in-the-middle attacks against users of Gmail and other services. The attack was traced back to an IP address in Iran, but it has never been definitely established if the source of the attack was the Iranian government trying to spy in its citizens, the NSA trying to spy on the Iranian government, or just some hacker. In response to this, most software vendors refused to trust any certificate issues by DigiNotar and the company was declared bankrupt. This problems for anyone else who was using a certificate DigiNotar had issued to establish their identity. Though certificate authorities had be tricked into issuing fraudulent certificates before, this was the first time a compromise was severe enough to bring down the whole authority. Once again, Vernor Vinge got there first. In his 2006 novel, Rainbows End, he described a future on which not only identity but also most financial transactions are based on chains of certificates, and then described what might happen of one of the top level certificate authorities were taken down:

But the collateral damage would be enormous. Shutting down a top-level certificate authority was a metaphorical weapon of mass destruction. And now it was all that was left to them. Braun — > Mitsuri, Vaz: Mr. Rabbit must be stopped... I have begun the proceedings. Credit Suisse will begin issuing global revocations in fifteen seconds. Mitsuri — > Braun, Vaz: I'm sorry, Günberk. Ten percent of the trust apparatus of Europe would slide into chaos in the next half hour. The aftershocks would rattle the world. Whatever else came out of their mission here, for Günberk Braun it was a career-ending failure.

Incidentally, True Names left some unanswered questions at the end, so if you read this, Mr. Vinge, it’s never too late to write a sequel. UPDATE October 1st, 5:30pm EST A few hours after I posted this, Chris Cox, the Chief Product Officer at Facebook, apologized to the drag queens whose accounts had been blocked, and announced some changes in the way Facebook's True Names policy is implemented. Thanks to Facebook for taking some steps in the right direction.