The major issue for the web is how to identify a user. At first glance, this seems an obvious question. We know who someone is by the IP address and the owner of the computer. Except that is not always the case. First, else might be using the computer. A child might be logged on instead of the computer or account owner. Second, someone might be using a false identity, a legend, to appear to be someone else. Third, someone might be using encryption to hide their identity, which makes it difficult if not impossible to identify the person at the computer. Google’s privacy counsel argued a similar point in the year after[1] the EU Article 29 working party ruled on personal data.[2]

Are you the person at the computer?

Google’s argument at the time was that the information they collect relates to a machine and not to a person. Yes, a person may own or associate with the machine and therefore it is personal data for the purposes of the UK DPA and the EU Article 29 Working Party.  However, the wider issue of privacy in the digital age is that we are not certain that the person at the MAC address or IP address is the person listed. Another person could use that address or computer either legally, a housemate, or illegally a hacker or someone seeking a cover. As the identity is difficult to determine, in a way that is not as difficult in the physical domain, the state has to undertake digital investigations and in some case surveillance.  However, encryption increases the difficulty associated with basic effort to validate someone’s identity.

Who is a friend, who is an enemy? The questions a state has to ask. 

The governments in the physical domain spend extensive resources making sure they can identify their citizens for their services. They issue them with passports, so they know they have a right of return if they leave. They issue them with driving licenses so they know they are licensed for the road. They issue them with social security numbers to know who is entitled to social service benefits. For each of these documents they have to prove their identity to the state usually through official birth certificates as issued by the state or a recognized institution. However, this is only part of the issue. Identity is not so much a problem as to determine whether someone is a threat.

Who you are in the physical domain is not always who you are in the digital domain

In the physical domain, residence is usually a sign that an individual is not an immediate threat. People who hate a government or the society usually move away. Even if they do not move away, their thoughts and views against the government can be seen in their physical behavior. They can participate in protests, support violent groups, or take direct action. In each of these, there is a clear line between legitimate politics, as accepted by the society and the illegitimate politics where violence is used for political change. Thus, the problem for a regime is when it uses the methods designed against illegitimate protest on legitimate protest. However, this is a secondary issue as the main issue is how to identify threats.

Unless the state can recognize friend from enemy, it cannot keep you safe

The state’s highest responsibility is for society’s self-preservation from physical threats and secondarily from intellectual threats. Even in the intellectual realm, a state will take a stand against threats to society’s safety especially if the society cannot manage those threats by itself. For example, many states will control or outlaw certain types of speech that are directed at violent overthrow of the state or society. In this way, the liberal democratic state serves to protect itself from a radicalism that would destroy it from within as would external physical threats. We can see this in ways that states, especially at war or under threat, will censor news outlets or even specific individuals. Yet, in those instances, the state can identify the threats.

There is a lot of work to make it easy to identify who you are in the physical domain.

In the digital domain, the identity is harder to confirm. Even if someone says they are the person using the computer at this moment, how does anyone reading their email or blog post know that it is? Moreover, does the ISP know it is their user and not someone else? They may have strong circumstantial evidence that it is user (proper authenticated sign in, regular pattern of behavior[3]) but these rely on secondary issues for verification such as cctv if available, coworkers if present, third party testimony someone else who witnessed the user’s behavior, or a personal statement from the user. All of these problems are ones that the state surveillance systems, through their intelligence agencies, have to overcome. They can be overcome through a huge intensive cross matching of many uncertainties. However, they are much more difficult than the physical domain where no encryption exists.

Will our physical identity become the basis for our digital identity?

What might happen with web identity is that computing becomes as organic as the physical domain.[4] If computing, and storage, become organic then our gene sequence will be our “face” or our identity just as in the physical domain our identity is created within the context of our family, community and state. We can then use ourselves to demonstrate identity or authenticity within the digital domain. With this identity confirmed, the state can then reduce the need to focus on those who can be dismissed as non-obvious threats as they do in the physical domain.

What is God’s name is the same question we ask in the digital domain.

The digital domain’s problem with identity is only an exaggerated version of the problem in the physical domain. We may have a name but who are we? Are we a threat? In this we are reminded of what God said when he was asked his name.  I AM WHO I AM (Exodus 3:14).

Verified identity will reduce the need for digital surveillance.

For the state, the question of identity can be the difference between life and death. In the age of encryption, it is no surprise that the stat is concerned to be able to identify friends from enemies so that it can keeps its side of the bargain to protect society and ensure its self-preservation. In this sense, encryption makes the problem worse and it identifies the problem is not technological it is a political issue of how a state can keep its obligation to its citizens by determining who is a friend and an enemy.

[1] http://peterfleischer.blogspot.co.uk/2008/02/can-website-identify-user-based-on-ip.html (accessed 29 March 2015)

[2] Here is the website that explains what the Article 29 Working Party is http://ec.europa.eu/justice/data-protection/article-29/index_en.htm (accessed 29 March 2015) There 2007 decision on personal data is her.

[3] Our online behaviour may tell others more about us than we realize as we type and use input devices. http://www.theguardian.com/technology/2014/jul/18/how-your-electronic-dna-could-be-the-secure-login-of-the-future (accessed 29 March 2015)

[4] http://www.swissinfo.ch/eng/swiss-team-uncovers-time-tested-preservation-method/41272794#.VOdWrIXddRY.linkedin (accessed 29 March 2015) and http://www.gizmag.com/dna-data-storage/36151/ (accessed 29 March 2015) and the research press release http://www.sciencedaily.com/releases/2015/02/150212154633.htm (accessed 29 March 2015)  Discuss the attempt to store data through saving data as a DNA sequence.