Me, Myself and I: Aggregated and Disaggregated Identities on Social Networking Services

• Author: Omer Tene
• Position: Associate Professor, College of Management Haim Striks School of Law, Israel
• Pages: 118-133



















 !∀

118







Omer Tene

1

“The biggest reason [I avoided joining Facebook] was that I didn’t know which me

would join. Apparently, Mark Zuckerberg believes we should all be the same in every

context. According to Time’s 2010 Person of the Year profile of him, he onc e told a

journalist, ‘Havin g two identities for yourself is an example o f a lack of integrity.’ To

which my only response is, You’ve got to be kidding. I mean, I’m not even the same

person with all the members of my immediate family. And I’ve lon g thought that my

impulse to act differently with, say, my friend from grad school and my husband’s aunt

— to adjust my personality to fit the situation and the other person — is an example of

good manners, not bad ones.”

2

1. Introduction

The Internet is used b y more than 2 billion people worldwide for purposes ranging from electronic

commerce, online banking, social networking, the consumption of media and the provision of electronic

government services.

3

However, the Internet was not built with an embedded security and privacy

infrastructure;

4

it lacks a system of identification

5

and authentication.

6

Typically, identity

7

is managed one

application at a time.

8

This means that individuals are asked to maintain doze ns of different usernames

and passwords, one pair for eac h website with which they i nteract. The complexity of this approach is a

burden to both individuals, who are driven to reuse passwords or utilize trivial ones such as relatives’

birthdates, making online fraud and identity theft easier; and businesses, which are required to manage the

identity of users despite not having t he resources or interest to do so.

9

The Obama Administration’s recent

1

Associate Professor, College of Management Haim Striks School of Law, Israel; Affiliate Scholar, Stanford Center

for Internet and Society; Fellow, Center for Democracy and Technology. I would like to thank the College of

Management Haim Striks School of Law research fund and th e College of Management Academic Studies research

grant for supporting research for this article. I would also like to thank the participants in the Institute for P rospective

Technological Studies Workshop on "Electronic Identity for Europe" for their helpful comments.

2

Curtis Sittenfeld, I’m on Facebook. It’s Over, NY Times Op Ed, September 3, 2011,

http://www.nytimes.com/2011/09/04/opinion/sunday/if-im-on-facebook-it-must-be-over.html?_r=2.

3

Internet Usage Statistics, Internet World Stats, http://www.internetworldstats.com/stats.htm.

4

Jonathan Zittrain, The Future of the Internet and How to Stop It 31-33 (2008).

5

Identification is the process o f evaluating – based on the data provided – who a given person is; it is the association

of data with a p articular human being. See John Palfrey & Urs Gasser, Digital Identity I nteroperability and

eInnovation, Berkman Publication Series (2007).

6

Authentication is the process of verifying the claimed identity of a user, process, or device. Ibid.

7

An identity is “any subset of attribute values of an individual person which sufficiently identifies this individual

person within any set of persons. So usually there is no such thing as ‘the identity’, bu t several of them”. Marit

Hansen & Hannes Tschofenig, Terminology for Talking about P rivacy by Data Minimization: Anonymity,

Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management, IETF Working Document,

March 14, 2011, http://tools.ietf.org/html/draft-hansen-privacy-terminology. An identity of an ind ividual person may

comprise many partial identities of which each represents the person in a specific context or role. See generally Roger

Clarke, Human Identification in Information Systems: Management Challenges and Public Policy Issues, 7,4

Information Technology & People 6-37 (December 1994).

8

Identity management means “managing various identities (usually denoted b y pseudonyms) of an individual person,

i.e., administration of identity attributes including the development an d choice of the partial iden tity and pseudonym

to be (re-)used in a specific context or role.” Ibid.

9

Joseph Smarr, Plaxo, Google I/O 2008: OpenSocial, OpenID, and OAuth: Oh, My! (June 9, 2008),

http://www.youtube.com/watch?v=6SYnlH5FXz0, stating “every single site acts like you've never used another

website before in your life.”

Me,

Myself and I: Aggregated and Disaggregated

Identities on Social Networking S

ervices

119

National Strategy for Trusted Identities in Cyber space (NSTIC)

10

emphasizes the i mportance of allowing

people to choose a mong multiple identity p roviders, including not only government entities but also

private b usinesses, to issue trusted credentials that prove identity. This goal is based on the realization

that di gital identities are used extensively not only in contexts requiring strong authentication, such as

electronic voting or banking, but also for participating in online games, commenting on blog posts, or

accessing music profiles. In Europe too, policymakers realize that electronic signatures, formal identities

and public sector applications co nstitute only a part of a larger identi ty ecosystem for which there is no

existing regulatory framework.

11

Increasingly, new focal points for the provision of identity services are

emerging at the Internet’s applicatio n layer. These are primaril y social networking services (SNS), such

as Facebo ok or Goo gle P lus (which allows users to log in with their Gmail credentials), which benefit

from extensive membership and are seeking to branch out into the open web.

12

Indeed, Simson Garfinkel recently d eclared that “Facebook is in the process of tra nsforming itself

from the world's most popular social-media website into a critical part of the Internet's identit y

infrastructure.”

13

He explains that Facebook is well suited to being the repo sitory for people's identities on

the Internet. Unlike many popular websites, it not only requires users to register and log in b ut also to

"provide their real names and information."

14

Indeed, Facebook has terminated accounts that were created

with seemingly fake names or for fictional c haracters.

15

Moreover, since Facebook users invest their

accounts with a tremendous amount of durable personal content—including photographs, contact

information, and connections to their social network—they are likely to keep a long-t erm relationship

with the site. One of the most lucrative prospects for monetization by SNS operators of their role as

purveyors of digital identity i s the market for online and mobile payments. If SNS operators succeed in

positioning themselves as providers or verifiers of digital identity for the purpose of processing payments,

they stand to gain a cut of the entire market for e-commerce, which may be orders of magnitude greater

than their current advertising revenues.

16

In this article I explore some of the legal issues arising from the transformation of SNS operators to

providers of digital identity. I consider the implications of the involvement of private sector entities in the

field of identity management and discuss so me of the privacy implications, as wel l as the prospects for

conciliation between online anonymity and pseudonymity, on the one hand, and the need for

identifiability and accountability on the other hand.

10

National Strategy for Trusted Identities in Cyberspace: Enhancing Online Choice, Efficiency, Security, and

Privacy, April 2011, http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf.

11

Anssi Hoikkanen, Margherita Bacigalupo, Ramón Compañó, Wainer Lusoli & Ioannis Maghiros, New Challenges

and Possible Policy Options for the Regulation of Electronic Identity, 5(1) J. Int’l Commercial L. & Tech. 1 (2010),

http://www.jiclt.com/index.php/jiclt/article/view/95/94; Wainer Lusoli, Ioannis Maghiros & Margherita Bacigalupo,

eID policy in a turbu lent environment: is there a need for a ne w regulatory framework?, European Commission Joint

Research Centre (2009), http://www.epractice.eu/files/eID%20policy%20in%20a%20turbulent%20environment.pdf.

12

Daniel Kahn, Social Intermediaries: Creating a More Responsible Web Through Portable Identity, Cross-Web

Reputation, and Code-Backed Norms, 11 Colum. Sci. & Tech. L. Rev. 176 (2010).

13

Simson Garfinkel, Facebook Wants to Supply Your Internet Driver's License, Technology Review, January 5,

2011, http://www.technologyreview.com/web/27027/page1/?a=f; also see Natasha Singer, Call It Your Online

Driver’s License, NY Times, September 17, 2011, http://www.nytimes.com/2011/09/18/business/online-id-

verification-plan-carries-risks.html.

14

Facebook, Statement of Rights and Responsibilities, Date of Last Revision: April 26, 2011,

http://www.facebook.com/terms.php.

15

The New York Times reported that Facebo ok recently de-activated an account used by world-acclaimed author

Salman Rushdie, “demanded proof of identity and then turned him into Ahmed Rushdie, which is how he is identified

on his passport. He had never used his first name, Ahmed, he pointed out; the world knows him as Salman.” Somini

Sengupta, Rushdie Runs Afoul of Web’s Real-Na me Pol ice, NY Times, November 15, 2011,

http://www.nytimes.com/2011/11/15/technology/hiding-or-using-your-name-online-and-who-

decides.html?_r=1&hpw.

16

See Launch ing Google Wallet on Sprint and working with Visa, American Express and Discover, The Official

Google Blog, September 19 , 2011, http://googleblog.blogspot.com/2011/09/launching-google-wallet-on-sprint-

and.html; Jennifer Van Grove, Square Sets New Record: $2M Processed in One Day, Mashable, April 30, 2011,

http://mashable.com/2011/04/29/square-payments.