The Internet is in trouble. Big trouble. Some of the problems include…
- Nation states dealing with foreign agents
- Personal privacy
- Balancing the positive aspects of anonymous participation with the potential violence (e.g. swatting, doxing, etc.)
This is a cultural problem, a public safety problem, and, frankly, a big problem for the technology companies themselves. Without a framework for resolution, lots and lots of people will find the Internet a more and more miserable place — and even those who never use the Internet will find themselves increasingly at risk of thugs and abusers.
Here are some solutions.
- Explicit association between a domain and the declared nation-state associated with that domain. That association should be displayed in user-agents everywhere — for most users that would include browsers and email clients.
- This implies that the DNS system would require security upgrades and additional data fields which are a) beyond the scope of this document but b) absolutely doable.
- Clarify that the legal framework governing each domain is attached to the nation the domain registration.
- This is already pretty intuitive, and is kinda sorta already a concept in the DNS system already with country-associated top level domains (TLDs). This all went to pieces with the expansion of TLDs, which is kinda sorta ok, as country code metadata not being directly associated with the actual domain is probably reasonable… but we really, really need that information back.
Once domains are sorted out, the next steps are up to each country. For most countries, I would suggest adopting rules along these lines…
Each country needs to sort out how to deal with identity. Right now in the United States, it’s an absolute hash. Companies often allow signing up a new account with nothing but an email address and a password. This leads to users adopting the same password over and over. It also allows for bad actors to create burner email account to establish identity, which can then be used for all sorts of nefarious activity.
The framework for dealing with this is two-fold, but relatively simple.
- Establish a minimum barrier for the legal transfer of responsibility of identity.
- Hold domain owners that do not maintain that threshold legally liable for content published on their domain/servers.
That’s… actually all there is to it. This will almost certainly lead to a massive increase in the number of independent identity services. Today, in the United States, a few entities already effectively act as the identity services, including Google, Apple, and Facebook. The user experience for these identity services is usually a “log in as” button.
It’s easy to imagine additional identity services coming on line with other specializations. For example, Disqus does an excellent job of managing identity for comment systems. Another more generic solutions is Okta.
There is a similar analogy here to be made between identity and credit card processing. Banks in the United States impose penalties on firms that do not properly manage credit card data, based on the Payment Card Industry Data Security Standard (typically shortened to PCI).
The thing about identity that’s hard is that without a standard, the threshold is tough. For the sake of discussion, the social security number of virtually every US citizen should be considered compromised. Credit cards can be used for authorization without the user’s knowledge (you might notice a fraudulent charge, but not if there is no charge…). Cell phones act as a sort of strange halfway solution — effectively, the cell service providers act as a kind-of-sort-of identity service via text messaging, but they are currently kind of terrible at it.
By formalizing a minimum bar for identity, it will reduce the user data being sprayed all over and establish a legal framework for identity. We already have the technical underpinnings in place, we just need a legal framework.
In the United States, an identity might require a credit card with a successful charge, a verified telephone number, and social security number or other form of government id. A verified credit history. There might be a notion of a two-tier identity — for example, children might use a parentally verified account. Government entities might offer identity as well — similar to how many states issue identity cards usable by those who do not qualify for a driver’s license but want the similar benefits. The specific requirements may vary depending on the legal framework and the identity provider.
As an aside, yes, that does mean that different countries will establish different rules for identity. That’s ok! Remember, each domain will be visible to the end user — you may treat a domain based in the US differently from, say, a domain based in China, or Russia, or Somalia. This establishes a legal framework for resolution of problems with a given domain — at least you know what you are getting yourself into, and who the legal authorities are for recourse.
But! What about anonymous accounts? Isn’t it a foundational principle of the Internet?
The key here is legal liability. The solution is manual, human-based moderation. Not an AI, or a keyword filter, or any of that. Over and over those technologies are shown to be ineffective.
Let’s consider a forum for scared pregnant teens. Under this scenario, that forum can, and absolutely should, exist. But the key is that someone is legally responsible for the content posted. We already have this pattern in wide-spread use — it’s a moderated forum!
Whoever runs that forum is now legally responsible for the content.
Most of the time, that probably means the moderation team will likely wind up switching to an approve-before-post system, especially for new accounts. That’s ok! Does it mean things will get a bit slower? Absolutely. Is human moderation more expensive? Absolutely, although it’s easy to imagine this being outsourced at scale.
It’s a cost, but it’s also the cost of maintaining security and safety in our modern age. This is the big one — it’s the thing that the tech companies all secretly know, in their heart-of-hearts, is coming, but is impossible to get to without a legal and regulatory framework.
1:1 vs 1:Everyone
It’s important to highlight that these provisions are explicitly targeted at the one-to-everyone challenges. Identity is, of course, insanely important on the personal level, but it’s anonymity + audience scenario (Penny Arcade, foul language… but, let’s face it, dead on) that is ruining the Internet. It’s not just name-calling — it’s anonymous death threats and swatting.
This where the critical difference between classic Common Carrier rules for telecom fall apart. Person-to-person communication is fundamentally different.
If a newspaper published an article with a person’s private contact details and a request for others to swat that person, the newspaper would absolutely be liable. We have to hold technology companies to the same standard.
This is where things get real. It’s one thing to have all of these nice and/or complicated sounding rules in place. The real action comes with penalties.
Stiff penalties for doxxing. Stiff penalties for swatting. Stiff penalties for other criminal activity, as defined by the legal framework of the country that owns the domain registration.
Incidentally, this would also be a big relief for a lot of technology companies. Facebook.com (the United States site) has to comply with Europe GDPR. Explicitly tying domains to legal frameworks would simplify the citizen protection frameworks. Amazon already has the notion of different sites to deal with the local government regulatory frameworks.
We see the beginning of this with GDPR. The fines are non-trivial. If GDPR had existed in the past, the fines would have been considerable.
Without fines like these, the business managers have no reason to take security and identity seriously. The incentives for artificial account inflation would be vastly restricted. It would radically change the business models of the worst offenders who host hate speech (and the violence that is incited, such as doxxing/swatting).
Will all of this happen? There is no reason not to — if GDPR can exist, there is no reason these changes couldn’t happen. They are simple, intuitive, and all of the technical foundations exist.
We just have to act.