èƵ

The end of anonymity: A way to stop online abuse?

Warning: This feature begins with language that some readers may find upsettingBiometrics may soon make it impossible to hide your identity online. It could bring a new age of internet civility – if we don’t mind losing our liberty too
We are being watched, and so are less likely to transgress social norms
We are being watched, and so are less likely to transgress social norms
(Image: Alex Williamson)

Editorial:Has the time come to abandon online anonymity?

“HE SAID, ‘I’m going to write in your own vomit across your forehead what a sick, vile woman you are and then piss on the ashes while I burn you alive’,” recalls Nicola Brookes.

What could Brookes, an unassuming 45-year-old from Brighton, UK, have done to provoke such an attack? She had simply challenged the conduct of internet trolls who ganged up on a minor celebrity. When she didn’t back down, she became the victim of a two-year campaign of harassment, receiving nearly 10,000 similar messages.

She is hardly the first to feel the sting of a virtual attack. This summer, feminist campaigner Caroline Criado-Perez was subjected to a barrage of abuse after successfully campaigning for a woman to feature on the English £10 note. When UK Member of Parliament Stella Creasy voiced her support, she also received rape and death threats. And after Nina Davuluri became the first Miss America of Indian descent, Twitter exploded with racist invective. Not everyone can stand up to such abuse: it has driven several teenagers to suicide.

It has been called the , and it is a consequence of a basic fact of internet life: online, no one knows who you are. “A lot of people wouldn’t say things to other peoples’ faces that they do on the screen,” says Brookes.

Over the years, many attempts have been made to solve or lessen the problem, with limited effect. Now, the march of technology may be about to change things. In the search for alternatives to passwords, Apple and other firms are turning to biometric technologies such as fingerprints to unlock the devices with which we access the web. Soon, it may not be possible to go online without at least telling your device who you are. The end of anonymity on the web could be fast approaching, raising a host of questions about privacy, security and freedom. But could it also have a less anticipated effect: a new age of internet civility? If so, is the price worth paying?

Philosophers have long speculated about whether we succumb to our worst selves when our actions are separated from their . In 1976, a study by psychologist Ed Diener, then at the University of Illinois at Urbana-Champaign, demonstrated that trick-or-treaters whose faces were hidden by masks .

It’s a problem that the advent of the internet has only exacerbated. Anonymity has always been a rigorously defended principle of the web, allowing, for example, those persecuted in the outside world for their political or religious beliefs to communicate more freely. But hiding behind screen names has serious drawbacks: the reduction of our psychological barriers to abuse and incite others, including carrying out racist and sexist attacks.

It’s not that Google, Facebook and others haven’t been trying. In an effort to stem some of the worst online abuses, many social media sites have instituted real-name policies – ““, according to Facebook’s policy. “There’s lots of evidence that ,” says psychologist Adam Joinson of the University of the West of England in Bristol, UK. In one of many examples, when an online community of US soldiers eliminated anonymous posts, . That’s one reason why many news sites now ask commenters to register or log in via social media profiles.

However, the results of more widespread rollouts have been mixed. In 2007, a law was introduced in South Korea requiring . A year later, a study by the Korea Communications Commission showed abuse and venom had . Those who wanted to post anonymously simply fled to international websites, where the law didn’t apply. This, combined with evidence of widespread hacking and a decision by judges that the law was too great a restriction on free speech, led the government to drop the measure. A study of the law’s impact, by Daegon Cho at Carnegie Mellon University in Pittsburgh, found that the policy reduced some kinds of harsh language , but had “no unambiguous civilising effect”.

One reason why real-name policies are less effective than you might expect, according to Brookes, may be “flimsy, quick and easy” sign-up procedures. Disposable email addresses are easy to set up to comment on a news site, and no one checks whether the name you provide is real. “All my trolls have fake Hotmail email addresses,” says Brookes. Her experience is reflected in the findings from a survey by the Pew Research Center in Washington DC, published last month. It found that 18 per cent had used an entirely fake name. This could help explain the 80 million Facebook accounts thought to be false.

And anyway, the fact that a person’s name is known may not be enough to make them behave better. Last year, Noam Lapidot-Lefler and Azy Barak at Haifa University in Israel set out to pick apart what it is about anonymity that causes people to behave so antisocially. They divided 142 volunteers into pairs, tasked with resolving a thorny issue. A third of the volunteering pairs divulged their names; one third saw each other; the last third made eye contact. “We expected it to be all about their names,” says Lapidot-Lefler, now at Max Stern Yezreel Valley College in Israel.

Eye witness

In fact, it was eye contact more than knowing someone’s name that decreased conflict among the participants (). Eyes, says Lapidot-Lefler, increased their sense of identifiability.

That meshes with real-world studies. If we feel we are being watched, we are a lot less likely to transgress social norms, . It doesn’t even have to be real eyes looking at you. Earlier this year, researchers from Newcastle University in the UK placed posters with two intensely focused eyes and the caption “Cycle thieves: we are watching you” in areas where bicycles were commonly parked. .

“If we feel we are being watched, we are a lot less likely to transgress social norms, cheat, or steal”

It’s not just eyes that trigger this response, says Ryan McKay, a psychologist at Royal Holloway, University of London. The key seems to be anything that triggers feelings of identifiability. A literature review for the Information and Privacy Commission in Alberta, Canada, concluded that although closed-circuit television has proved largely ineffective at reducing violent crime, it causes individuals to “go out of their way to “.

Joinson’s research has revealed similar camera-induced coyness. “We’ve done interviews with young people and they report all kinds of activities like hiding cigarettes behind their backs when a photo’s being taken, or hiding beer bottles out of a fear that this photo will be uploaded to Facebook,” he says. The thought of being identifiable, it seems, is a powerful deterrent.

So what does this have to do with biometrics? Biometric ID wasn’t invented with the idea of making the internet more civil – it was a way of getting round the fact that we are pretty useless at making passwords that can’t be cracked. Despite being bombarded with warnings, we are still attached to easily remembered – and cracked – passwords such as “password” and “12345”.

Apple was the first major corporation to begin the password phase-out in earnest by equipping the recently released iPhone 5s with a sensor that recognises your fingerprint. Soon to follow are a number of other biometrics that can’t be forgotten, lost or easily forged (see “We know who you are“). Biometric ID in laptops and Android and Windows will soon follow, and banks, remote employers and have expressed an interest in using such technologies for online access.

The point about biometrics is that, for the first time, the device you use to access the internet will form an unbreakable link connecting you – unquestionably you – with all your pseudonymous online activity. Based on what we know about the effects of being watched, McKay thinks that could have intriguing consequences for the way we conduct ourselves online.

“For the first time, there will be an unbroken link between you and all your online pseudonyms”

“Even very subtle cues of surveillance can affect behaviour,” he says. And while Lapidot-Lefler suspects behaviour changes will be most explicit when cued by face or iris recognition biometrics, McKay thinks the idea of being observed can be abstracted further. “You can exploit this sensitivity with any number of other cultural innovations – visible security cameras, biometric logins and notions of God,” he says.

It’s early days, but circumstantial evidence suggests McKay may be onto something. A fingerprint authentication system in a school in India raised performance and reduced absenteeism (). Elsewhere in India, biometric sign-ins persuaded people to show up for . “If you have to provide biometric information, those are salient cues that your identity and behaviour are being tracked and recorded,” says McKay. “It’s only natural that you will be less likely to transgress in those situations.”

Even if he’s right, is that what we want? For law lecturer and privacy campaigner Paul Bernal, not necessarily. If our behaviour changes under observation to follow the prevailing social norms, that’s good news in a society that decries rape threats and cyberbullying. But it’s bad news in a society that, for example, is politically repressive or encourages prejudice. Bernal links the rise of biometrics to a future in which, in certain circumstances, escaping prejudice or repression will be less and less possible.

Authentication nation

Others raise more fundamental objections to the intrusive nature of biometric identification, and potential security risks. For now, Apple says that all identifying information for its fingerprint sensors will be stored only on the iPhone itself and not in centralised, hackable databases, in line with a general push to keep sensitive biometric details safe. The FIDO Alliance – a group of technology firms including Google and LG Electronics – has proposed a universal standard that authenticates specific machines, instead of specific people, to services, in much the way Apple’s TouchID now works. After your device confirms that you are you, it sends a separate authentication code to any online destination you access through it. However, many industry watchers question whether others will comply with such strict practices. Bernal, for example, believes that as fingerprints become attractive to app developers, companies and services will become less vigilant about our data.

Apple’s iPhone 5s fingerprint sensor was hacked within two days – albeit only with an expensive and time-consuming attack. But the consequences of losing a biometric log-in that cannot be changed are potentially much worse than losing a password. “If one service loses that biometric, then every other service that’s using the same artefact is going to be compromised – and the user can’t change their fingerprints,” says Billy Rios, a former Google and Microsoft security researcher now at Cylance Security in Irvine, California.

For Bernal, the real problem is that we haven’t yet thought through the consequences of the loss of anonymity and privacy that the widespread adoption of biometrics will inevitably bring. Biometric checking such as fingerprint scanning is used in many schools in the UK so that children can claim their school meal each day. “Kids are getting into this position where they think it’s normal to give their fingerprints,” he says. And they and their parents frequently don’t understand the consequences. “I ask them ‘have they told you who else will have access to this data?’ And, ‘do you know what’s going to happen to your fingerprints when your child leaves the school?’ They generally don’t know the answer.”

Such stories, and the lukewarm response to recent revelations about the US National Security Agency’s PRISM spying program, seem to indicate that most of us have given up on online anonymity anyway. According to the Pew study, 59 per cent of us don’t believe online anonymity is actually possible.

So why should we be worried? When biometrics are so commonplace as to be part of the norm, obeying the rules of that norm is natural. And if a little less anonymity makes us all a bit more civil on the net, perhaps it’s all for the best. Isn’t it?

We know who you are

Over the past decade, researchers around the world have uncovered a variety of ways in which technology can exploit our uniqueness to identify us. The Nymi – a bracelet made by biometric security firm Bionym based in Toronto, Canada – reads the minor fluctuations in your heart rate to generate an exclusive identifier that authenticates the one and only you. Touché, , delivers a tiny electrical signal when you make contact with a touchscreen, which returns a unique measurement related to your body density. One day, you might even generate “passthoughts” with your brain waves.

It’s not just your body that can be mined for unique patterns: your behaviour also gives you up. One technique developed by BehavioSec, based in Palo Alto, California, identifies you from the way you move your mouse or use your smartphone’s touchscreen. Danske Bank, in Scandinavia, used it to differentiate 18,000 online users with an accuracy rate of 99.7 per cent. Another behavioural biometric, called , parses the way you use small words such as pronouns to zero in on what part of a country you come from, your age or career.

That gives broader implications to behavioural biometrics, because it might become possible to identify you without you even knowing anyone was looking and, unlike most biometrics, without your consent. “We all have our own fingerprints in language,” says James Pennebaker of the University of Texas in Austin, . “Let’s say on a news website: if I look at all the comments that people are making and I start tracking one particular person, then I can identify that person in other places. Making educated guesses, eventually I might be able to track down and figure out who that person is.” Unsurprisingly, many parties – from accounting firms to intelligence agencies and law enforcers – have asked Pennebaker for help to profile individuals.

Topics: biometrics / Brains / Computer crime / Psychology