Dan Geer’s keynote speech at the Black Hat security conference earlier this month (video, transcript) included an important discussion of the often-misunderstood “right to be forgotten” and the larger context of why it matters: the threat posed by compelled identification, and how we can defend ourselves against that threat:
Privacy used to be proportional to that which it is impossible to observe or that which can be observed but not identified. No more — what is today observable and identifiable kills both privacy as impossible-to-observe and privacy as impossible-to-identify, so what might be an alternative? If you are an optimist or an apparatchik, then your answer will tend toward rules of data procedure administered by a government you trust or control. If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be my definition: the effective capacity to misrepresent yourself…
The Obama administration’s issuance of a National Strategy for Trusted Identities in Cyberspace [NSTIC] is a case in point; it “calls for the development of interoperable technology standards and policies — an ‘Identity Ecosystem’ — where individuals, organizations, and underlying infrastructure — such as routers and servers — can be authoritatively authenticated.” If you can trust a digital identity, that is because it can’t be faked…. Is having a non-fake-able digital identity for government services worth the registration of your remaining secrets with that government? Is there any real difference between a system that permits easy, secure, identity-based services and a surveillance system? Do you trust those who hold surveillance data on you over the long haul, by which I mean the indefinite retention of transactional data between government services and you, the individual required to proffer a non-fake-able identity to engage in those transactions? Assuming this spreads well beyond the public sector, which is its designers’ intent, do you want this everywhere?…
I conclude that a unitary, unfakeable digital identity is no bargain and that I don’t want one. I want to choose whether to misrepresent myself. I may rarely use that, but it is my right to do so. If that right vanishes into the panopticon, I have lost something and, in my view, gained next to nothing. In that regard, and acknowledging that it is a baby step, I conclude that the EU’s “Right to be Forgotten” is both appropriate and advantageous though it does not go far enough. Being forgotten is consistent with moving to a new town to start over, to changing your name, to a definition of privacy that turns on whether you do or do not retain the effective capacity to misrepresent yourself…. A right to be forgotten is the only check on the tidal wave of observability that a ubiquitous sensor fabric is birthing now, observability that changes the very quality of what “in public” means….
Mr. Geer’s comments help answer one of the questions we are most frequently asked: What’s Wrong With Showing ID?
Identifying ourselves or showing government-issued ID credentials enables two major evils: surveillance and control.
If we are identified as having been in some location or engaged in some activity or event, then that transaction can be recorded in a log entry linked to that identity. That transaction/surveillance record (Geer correctly equated the two) lingers, unless and until it is irrevocably “forgotten”. So does the inherent potential for future abuse of those records by malign parties and for malign purposes, including those as yet unknown.
If and only if we are identified, then decisions that control our ability to act (such as whether we are allowed to pass through checkpoints, including invisible ones, or to exercise our right to travel) can be based on our identity — and on the transaction/surveillance logs and other records associated by others with that identity.
The right to anonymity (including anonymity in the exercise of other rights) and the right to be forgotten are thus vital protections against surveillance and control of our actions. To be identified is to be placed at risk. Not to be able to have the records of those identifications forgotten is to have that risk perpetuated.
Whether to take the risks of non-anonymity should be our own choice, not one imposed by governments. Non-anonymity should not be a condition for the exercise of our rights.
But what if, as Geer suggests, we can be (and often are) identified by others without identifying ourselves? Or what if ill-designed (or malignly designed) systems require us to adopt some identity in order to do certain things, or even to exercise certain of our rights?
Geer suggests that we have the right to “misrepresent” our identity. What does that mean? Is it really “misrepresentation” to use multiple identities at different times or for different purposes, even single-use “disposable” identities?
The REAL-ID Act, for example, purports to require the use of a “full legal name” for certain purposes. But what does that mean? Under common law and the law of most states, you can legally change your name simply by using a new name, as long as you aren’t doing so for a fraudulent purpose.
If you choose to adopt a new name each time you interact with the government (or with a private party), that name is your “true legal name” as long as you are using it. And even those states that have laws overriding this common-law right to change your name by usage would appear to be required by the Constitution to give full faith and credit to common-law name changes effectuated in the majority of states that allow them.
The TSA has defended searching for and copying ID cards and other documents on the grounds that possession of “identification media” in more than one name is a legitimate basis for suspicion, further search, and possibly watchlisting or blacklisting. We disagree. Name changes or the use of different names at different times may indicate nothing more or less than the implementation of prudent personal security protocols. For victims of domestic violence, for example, name and identity changes can be essential for survival — but can also be frustrated by compulsory linking of new and old identities.
Neither anonymity nor the use of different names or identities at different times or for different purposes should be considered a lawful basis for suspicion, detention, search, or other adverse government action.