Regulating Digital Identity

Richard A. Spinello


As we approach the new millenium there will be many contentious debates on the need for new Internet regulations. Proposed content controls and encryption policies have already sparked major controversies in the United States. The Internet empowers its users and provides for an immense expressive capability, but there is a tendency on the part of the state to reimpose central controls and curtail that power.

One issue that continues to come under intense scrutiny is digital identity. At present, there is no uniform system or mechanism for identifying users in cyberspace. The Internet does support architectures that make identification possible including passwords, e-mail addresses, and Internet Protocol addresses. But it is still quite possible for users to interact in cyberspace anonymously, and it can be difficult to trace the real identity of users who are deliberately trying to conceal their identity. While anonymity supports privacy rights, it also interferes with security. Hence the lack of an identifying infrastructure has been detrimental for electronic commerce and for law enforcement.

The interconnected issues of digital identity and anonymity are highly charged ones which stir deep emotions. This was evidenced by the heated response to Intel Corporation’s announcement in February, 1999 about its plan to put identification numbers in its next generation of computer chips, the Pentium III’s. The primary purpose of the embedded serial numbers is to authenticate a user’s identity in business transactions and to allow organizations to better track their equipment. While Intel capitulated to pressure and agreed to ship its products with the serial number turned off, the incident has heightened awareness about the tenuous future of electronic anonymity.

In this paper we intend to examine the various options for a digital identity system. Any system will be located on a continuum from accountability to anonymity. At one end of the spectrum (anonymity) there is no link between the data in cyberspace and its originator, and at the other end there is an indissoluble link between one’s cyberspace identity and one’s real identity, which is accomplished by mandating traceability. Mandatory traceability might be achieved by making identification a prerequisite for Internet access. In this discussion we will also review various technical architectures such as digital certificates which can be implemented to achieve the correct level of identity on this spectrum.

The state obviously has a keen interest in regulating identity to provide greater security for the Internet economy and to deter criminal acts such as fraud that are facilitated by the cloak of anonymity. These regulations could take many forms and also fall on a spectrum. They can range from a regime of laws that stiffen the penalities for fraud and identity theft to the establishment of an identity infrastructure managed by a government agency.

But should the state regulate digital identity, and, if so, how should this be done? As we grapple with this critical question we will consider the costs and benefits of various regulatory schemes. We also consider the ramifications of non-intervention by the state — the possibility that private corporations like Intel will fill the vacuum with their own identifying mechanisms for tracing the identity of end users.

In the context of this discussion on the feasibility of state regulation we must come to terms with the following questions. In what contexts in cyberspace does the state have the right to require one’s identity? Can the right to anonymous free speech be balanced with the need for identification? Can traceability be mandated in a way that preserves some degree of Internet anonymity?

An important part of this discussion will be a brief reflection on anonymity as a key element of privacy. There is pressure to differentiate privacy from anonymity, to claim that the “right to be left alone” is not the same as the right to surf the Internet in secrecy. In our estimation, those pressures should be resisted. We will make the case that real privacy requires anonymity in some circumstances and that any efforts to control digital identity must respect a user’s preference for anonymous communication.

We will also take the position that there is a modest role for the state to play in regulating digital identity, but that its involvement should take the form of creative legislation. We support a digital identity system that facilitates a user’s options: there will be times when an authenticated identity should be required in cyberspace, but there are other times when users should be allowed to communicate anonymously. We reject any solution which establishes a perfect link to one’s real identity by mandating the traceablity of all communications.