Welcome to my old blog, which I no longer maintain.

For details of my current professional services and activities see www.martingeddes.com.

March 22, 2004

Click your way to the clink

According to the wise men of Slashdot we bring you the following belated news story:

Man Accused of Attempting to Extort Google

A programmer has been arrested on charges of attempting to threaten Google with a software program he devised that creates phony clicks on pop-up advertisements delivered by Google.

This suggests that there is a market need for what you might call "negative digital identity". Rather than demanding to know exactly who you are and compromising privacy (full digital identity), it would only try to establish who you aren't. Confused? OK, here's how it works.

When you click a link at Google, they want to know if you've clicked it before. Advertisers will not use Google if they believe they are being gamed into paying for fake clicks by fraudsters or competitors. Are you not one of the people who've been here before? Yes, my head hurts too.

Google can try to fake negative identity through things like the requesting IP address, but that fails in the face of so many proxies and NAT boxes. Two identical requests from the same IP address could indeed be from two different people. Cookies aren't secure in the face of fraud because the client is untrusted.

I guess the technology would center around a third party who would have to issue the user with redeemable tokens. Your ISP would be the natural source. The tokens would be unique and would not identify the requesting individual or enable tracking of repeat individual visits. However, the issuer would offer a (paid for?) service that would test for set membership. Is this token in this set? (In other words, is this user in the set of users who have clicked this link? Google doesn't care when you clicked before, only whether you did.)
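One way the token and set-membership idea above could be sketched, as an added example that is not part of the original post. The HMAC construction, the class and function names, and the in-memory sets are all assumptions; note that the issuer still knows which subscriber holds which token, so the relying party's blindness depends on trusting that third party.

```python
import hashlib
import hmac
import secrets


class TokenIssuer:
    """Hypothetical third-party issuer (the post suggests the ISP)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the issuer
        self._issued = {}                     # link_id -> tokens handed out
        self._redeemed = {}                   # link_id -> tokens already used

    def issue(self, subscriber_id: str, link_id: str) -> str:
        # Keyed and per-link: the same subscriber always gets the same token
        # for one link, but tokens for different links cannot be correlated
        # by anyone who lacks the issuer key.
        msg = f"{len(subscriber_id)}:{subscriber_id}|{link_id}".encode()
        token = hmac.new(self._key, msg, hashlib.sha256).hexdigest()
        self._issued.setdefault(link_id, set()).add(token)
        return token

    def check_and_record(self, link_id: str, token: str) -> str:
        """Set-membership service: 'invalid', 'first' or 'repeat'."""
        if token not in self._issued.get(link_id, set()):
            return "invalid"                  # forged, or issued for another link
        seen = self._redeemed.setdefault(link_id, set())
        if token in seen:
            return "repeat"
        seen.add(token)
        return "first"


def billable_clicks(issuer, link_id, presented_tokens):
    """Relying party's view: it handles opaque tokens, never subscriber ids."""
    return sum(issuer.check_and_record(link_id, t) == "first"
               for t in presented_tokens)


def demo():
    issuer = TokenIssuer()
    # Constructed sample: alice clicks ad-1 three times, bob once, one forgery.
    a = issuer.issue("alice", "ad-1")
    b = issuer.issue("bob", "ad-1")
    clicks = [a, a, b, a, "f" * 64]
    unlinkable = a != issuer.issue("alice", "ad-2")
    return billable_clicks(issuer, "ad-1", clicks), unlinkable


if __name__ == "__main__":
    print(demo())
```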

An economic incentive is required to encourage user and ISP participation. I guess the value this provides to the end customer (advertisers with Google, sellers on eBay, etc.) is the economic pull that can make the value chain work. Maybe kickbacks to the user from the ISP. There needs to be a way to associate the tokens with HTTP requests. Plus disincentives to users to share their identity (due to potential personal financial or reputational loss.)

Ta da! Problem solved. Anonymity preserved, abuse of service curtailed. Except the minor detail of about twenty years waiting for the infrastructure to catch up. Yes, the system might leak a bit if you keep switching ISP and identity providers. But it's about managing fraud, not eliminating it.

The same technology could be applied to other sensitive situations like account registration. Have you already got an account? Only people whose negative identity is "not in the set of people who've registered before" are let through.

There surely must be a way of preventing repeat fraud without forcing everyone to reveal their true identity all the time. We have to find a way of enabling people to create digital identities at will, but not abuse and abandon them without consequence. Technologies like Project Liberty just aren't going there -- it's all about centralized (but distributed) corporate control over who you are, not personal control over who you might be. We need something better.

Posted by Martin Geddes at 10:05 AM