Information Sluts

Yesterday, when I saw this article, I had a flashback to a conversation I had with a family friend back in May. She’s a labor attorney, and a very astute advocate of civil liberties, having fought for the rights of workers for her entire career. She has to fly incredibly frequently for her job, however, and I asked her how she dealt with the insanity that is TSA:

“Oh, I don’t deal with it– I have a CLEAR card.”

Wow, I said. Aren’t you concerned about giving that much data to a private corporation with no safety track record? (I could ask the same thing to Anil Dash, one of the VPs at my company, but he already wrote an explanation.)

“I’m too busy to deal with security; I don’t have another choice.”

I did– and do– see the practicality in this; shikata ga nai, as Kim Stanley Robinson often says, because security is so ridiculous. They harass me all the time, and for no justifiable reason. But I was concerned about what would happen in the near-inevitable data disaster, and I told her so. Now, just a few short months later, CLEAR has lost 330K+ records. (And don’t tell me that their investigation turned up no intrusion– TSA can’t even find the liquids I leave in my carryon, so I certainly don’t trust them to determine if a laptop has been compromised when the lost it for nine days.) And it’s not just the names and phone numbers, or email addresses, like a lot of websites might have; it’s all your personal data, because “we have to defend against terrorists.” So to defend against terrorists, all these people will lose a large part of their control of their identities.

It’s not, admittedly, like the government has a great track record of protecting data either; the VA, the Social Security Administration, and every other agency have had security lapses of one sort or another. At least there’s still some public outcry with the government, though; it seems like corporations aren’t even trying anymore– and corporations don’t even seem to notice when they should care, as I noted in a previous blog post.

The essential problem is that we give too much identity information away to all these places– governmental or private– in the course of our daily lives. Why does BGE, Verizon, or Hopkins need my social security number? (Especially because their declared use, “to identify you,” is most likely illegal.) Why does every arbitrary blog on which I might want to comment need my email address “to prove you aren’t a robot?” What, email addresses are perfect proof I’m not a robot now? (Of course, OpenID can solve that problem, but it’s not the default yet on too many blogs *cough* WordPress *cough*.) And why, in a simpler realm, does every arbitrary barkeeper get to have my home address, telephone number, height, weight, visual status (as in, if I’m partially blind), occupation (if I’m a commercial truck driver, it will be listed), etc. just so I can buy a beer? (Take out your driver’s license, and visualize giving that data to every scruffy character you’ve seen in a bar, ever. Now shudder.)

To take this to an even greater extreme, we have technologies like Gravatar, which can put my photo on any website I comment on– but it’s actually based on having given too much information away (my email address) in the first place! Why didn’t Automattic build it on URLs instead? (There actually is a technology to do it perfectly with URLs called hAvatar, but Automattic doesn’t seem to have invested as heavily into that, oddly….)

Of course, the reason for a lot of this is that we don’t have a method to give minimal-identity assurances, either online or in the real world. We have no way to prove to the barkeeper that I’m of legal age (which is all they need; they don’t need to know my age, just that I’m of legal age in the jurisdiction) without giving them all that other data too. We have no way to prove that I’m a new or old customer to Verizon.

We do, actually, have a way to give minimal identity to blogs at least, through OpenID– but blogs and other OpenID-enabled sites can still demand additional data through Attribute Exchange, and OpenID in general is not designed to enforce sanity on the data these sites want (usually for marketing reasons, which I don’t think is a good enough reason to give up all my personal information).

So the conclusion here? We’re screwed. All our identities are up for grabs, because we refuse to make a way to stop dropping data all over the universe. So either we need to do that– or we need to make a new society where identity is completely irrelevant, because your identifying details are already known to everyone in full detail, and thus their knowledge doesn’t identify you. Wait, I think I’ve already heard of that society.

We live with more opportunity each day to harness the data we all produce, as John McCrea has been talking about on his blog. Maybe it’s time for more people to wake up, and learn that maybe they don’t need to give all their data away, all the time.

I’m going to coin a new term for this: information sluts. As in, “why buy the person when you can get their data for free?”

Actions online are one thing– but giving my email, address, etc. to every random site that happens to ask for it is just as risky as sleeping with every person that asks. We have to realize this, and we have to address it– somehow.