Barriers to access; Perils of digital identity
Barriers to access: This week the Internet Architecture Board hosted a workshop on community networks, the digital divide and censorship to better understand what the technical community can do to lower the barriers to internet access.
- Websites are getting bigger, and more expensive– also more consolidated in terms of market. Research by Rumaisa Habib quantifies website size as a cost barrier.
- Internationalised Domain Names are here, but there is much work to be done to ensure all scripts are truly interoperable (including the varieties of "dots" used to separate domain levels!), like this email address: 电子邮件测试@普遍适用测试.我爱你
(note: my markdown editor did not detect this string as an email address like it would have in Latin script.) - I have to include the satellite internet talk, because space. But also because this research from academics in Canada suggests we strategically place IXPs to improve connectivity, rather than leaving it to the market to decide. A wonder!
- All of the talks on the final day focussed on censorship. They were so excellent I suggest reading and watching all of them.
News you can use:
- ARTICLE 19 is hiring a public interest technologist to lead on standards engagement! https://article.peoplehr.net/Pages/JobBoard/Opening.aspx?v=e0075723-e6ee-48e3-a2fc-930b68500403
- I spoke during an ITU webinar about human rights in technical standards: https://www.itu.int/cities/standards4dt/ep39-2/
- Watch Sam Gregory of WITNESS talk about verifying digital assets: https://www.ted.com/talks/sam_gregory_when_ai_can_fake_reality_who_can_you_trust
- Read a new report out from Roskomsvoboda about censorship and VPNs in Russia https://roskomsvoboda.org/uploads/en__vpn_in_russia__from_blocking_services_to_blocking_protocols.pdf
- The FCC adds another tool to the toolkit to fight discrimination in internet access for US consumers https://communitynets.org/content/our-view-addressing-digital-discrimination-will-take-more-policing-isps
- Washington DC is giving away location trackers to combat car theft https://www.axios.com/local/washington-dc/2023/11/06/free-tracking-apple-tags-car-theft
The perils of digital identity: Long ago I was part of an effort by democratic states, companies and civil society to recognize the criticality to “move beyond the dominant rights versus cybersecurity paradigm, by recognising that individual security is a core component of cybersecurity and that a secure Internet is central to promoting human rights.”
And yet as cybercrime persists it remains compelling to look for novel solutions, even if they are tired ideas repackaged. One particularly tenacious idea is to control through centralization. Over and over we see this idea in various forms. It would appear to be easy to filter/block/control communications that are illegitimate if only we could have it all pass through the same point– to centralize it. But decentralization, defence in depth, and resilience through duplication and backup are core tenets of security and incompatible with central control. Internet architectures choose decentralisation versus total control, not just because it is good for end user freedom and privacy (it is that, too) but because the latter does not actually result in zero threats.
Today’s cybercrime and cybersecurity trends focus heavily on identity. This is likely because increasingly our identities are digitalised. The next front of cybersecurity is therefore moving to prevent authentication attacks in new and more sophisticated ways.
The term "digital identity" can encompass several meanings, depending on the context. Here are some of the key aspects people often refer to when they talk about digital identity:
What can be found out about you. This includes the basic information that identifies an individual on the internet, such as their name, date of birth, email address, and basic biographical details. It's the personal identification of you in the physical world, but openly or otherwise accessible through digitized sources.
What you’ve shared about you. A “Social Profile” is a person's digital identity often closely associated with their social engagement, where thoughts, photos, achievements, and interactions with others are shared. Your gaming platform, your blog, your hobby groups all use the internet, and data, to reflect who you are, wherever you are.
What services try to know about you. “Behavior” refers to the trail of data that individuals leave behind when using the internet, including browsing history, online purchases, and interactions. This aspect of digital identity can reveal a lot about a person's preferences, habits, and lifestyle. Others might learn about who you are through online reviews, ratings and feedback that you leave or that others might leave about you.
What you need recorded about yourself. If you study or work, there’s the professional and educational profiles about you: For many, digital identity also involves their professional online presence, including profiles on job-related sites, portfolios, and professional accomplishments. These are often verifiable credentials in the generic, offline sense of the word, because often you have to prove these things about yourself to others.
What is recorded about you. These are the costs of doing business. With the legal, financial and medical needs of modern life, those records are digital. Identity is bound up in the digital version of official documents, and digital-first records made when you transact, seek care or professional services. Think: digital signatures, electronic banking, tax records. Even if you want to transact in an analog-only fashion, these institutions have digitalised and your identity is pegged to these networked services on the service provision side.
Who you are, officially. Lastly there are civil obligations, and governmental and institutional IDs in some contexts are digital. They include government-issued identifiers and credentials for accessing public services, like social security numbers in digital format, digital driver’s licenses, or e-passports. States where you hold civic rights and places you’ve visited keep digital records about you.
It is easy to imagine that we could better protect identity if these elements were collapsed and handled by a highly trustworthy provider of very secure technology that facilitates better management by the end user of their digital identity. However.
While intuitive on a surface level, the idea of a centralized digital technology as a solution to cybersecurity issues is generally a bad one– even in limited ways such as digital identity. Centralization could potentially create more vulnerabilities, as it would present a single point of failure that could be targeted by malicious actors. The same is true for centralized identity management, especially if the State– any State you must share your identity with– is a potential adversary.
Decentralization, diversity in systems and protocols spread amongst many providers, and robust encryption are more effective approaches to enhancing internet security. This distributes risk and mitigation resources, allows for layered defence, and makes it more challenging for cyber attacks to have a widespread impact. It also gives users agency and choice, preserving privacy and freedom online.