Fake Identity, coming to a lawsuit near you

October 5, 2009 by Justin

It’s been building for a while, but here’s the best example I’ve seen so far: a group of teens have been sued for impersonating another.  Basically, the four teens created a Facebook profile for their target, putting a lot of work into making it look real, and then used it to make their target look like a racist ass.  This probably isn’t unusual by now, but they went far enough to cause demonstrable harm to the kid, resulting in a defamation suit that sounds like it has a good chance of winning.

It does lead me to wonder where this is all going legally.  When we talk about “identity theft” today, we’re usually talking about schemes designed to steal your money or credit.  But this is a different sort of identity theft, perhaps even more damaging in the long run — taking control of your public profile and changing what people believe you to be.

I’m struck by the fact that, when this did turn into a lawsuit, the suit was defamation.  This seems to imply that the basic action of impersonation either isn’t illegal, or at least doesn’t result in a harsh enough punishment.  My gut says that it probably ought to be quite illegal, although my head says that it’s always difficult to write laws like this without pretty severe unintended consequences.

Opinions?  Do you think there should be harsh laws against this kind of identity theft — designed not to steal, but simply mislead?  Do you think it’s possible to write such a law well?  What sort of consequences is it likely to have?  I’m chewing this one over myself…

More on the legal limits of anonymity

August 21, 2009 by Justin

Serves me right for letting myself get behind on my blog reading.

Yesterday, I talked about the need for clearer standards on when a publisher gives up an anonymous poster’s identity.  As it happens, there was progress on this front just a few days ago: Ars Technica posted a good article on almost this subject.  It’s not about blogging in this case, it’s about an apparently-false anonymous whistleblowing claim, but the basic principle is close — someone is claiming to have been defamed by an anonymous claim, and wants to find out who made the claim in order to sue them.

This time, the case apparently made it up to the appeals court, which has taken the contradictory previous decisions and attempted to craft a reasonable compromise.  The article gives the exact wording, but it basically boils down to requiring the plaintiff to demonstrate both that there are reasonable grounds and that they actually need the person to be unmasked.

So yay for intelligent judges, and at least a little progress towards laws and precedents that make sense in the modern age…

The inevitable limits to anonymity

August 20, 2009 by Justin

I suspect that most folks will have heard about this, but I’ll refer my readers to this good article in SFGate about the “Skanks in NYC” case.  (Thanks to Aaron for the link.)

The short version: we’ve finally gotten a court case that came out with a ruling I’ve been expecting for a while, saying that there are limits to what you can get away with in blogging.  For a long time, there’s been a tacit assumption among many bloggers that they can say anything, and would be legally invulnerable — they saw that the system treated them as anonymous, and kind of figured that that meant they were untouchable.  This case ruled otherwise: it says that this particular blog crossed the line into defamation (at least, enough so to get a subpoena).  Moreover (and much more seriously), it ruled that Google has to turn over what records it has about the “anonymous” blogger.

Like I said, I’ve been expecting this.  The lines between blogging and publishing have long been blurry, and some blogs are obviously treading in libel territory.  I don’t see any real reason why the court would consider an op-ed column potentially libelous, while ignoring blogs like this.

Is it a good thing or bad?  Hard to say.  Anonymity does have its place, and is occasionally deathly critical; OTOH, 99% of uses of it (at least in the US) are simply venal.  IMO, this is an area where the law really needs to grapple with the problem seriously.  In particular, we need crystal-clear rules for when a “publisher” (such as Google in this case) can be coerced into turning over an anonymous poster’s information.  In this particular case I happen to think that it’s reasonable, but it’s the top of a slippery slope to more questionable requests.

In the meantime, keep in mind that your anonymity is not legally protected, at least not to an absolute degree.  So if it really matters, make sure that your tracks are well enough covered that the publisher’s contact information isn’t enough to track you down.

Opinions?  How do you feel about the legal lines here?  Is the demand to Google reasonable in this instance?  Where would you draw the line?

When does posting become publishing?

July 30, 2009 by Justin

A news story that made it onto the news wires yesterday illustrates one of the coming tensions in online communication — a real estate company is suing one of their tenants, who complained about the company on Twitter.

The case illustrates a tension that I expect to become ever-sharper in the next few years, between “conversation” and “publishing”.  Defamation suits are probably where the problem becomes most stark.

Say that I post something defamatory to my blog, which in this happy hypothetical universe has a hundred thousand readers.  As I understand it, it’s becoming fairly clear that the law thinks of that as “publishing”, and I’m just as legally liable as I would be if I published in a local newspaper.

Say that I say the same thing in a locked post on my LJ, visible only to my friends.  This is clearly a private conversation, not “published”.  It’s hard to predict the courts, but I find it unlikely that one would find this a matter worthy of a lawsuit, and I’d argue strongly that it shouldn’t.

Now, take the case at hand.  The post in question was to Twitter.  The woman reportedly only had 20 followers, and probably thought of this as a private conversation.  Indeed, a lot of people are laughing at the realty company for turning a molehill into a mountain.  But their contention is that this was published to the public, and that’s kind of true: Twitter is a global feed, and lots of people mine it quite randomly.  So at least technically, it kind of was “publishing”.

So how do we draw the lines?  In an age where “conversations” can be visible to the whole web, and posts are just part of the larger conversation, what is publishing?  How can the courts distinguish between libel and simply someone spouting off to their friends?  It’s not a trivial matter — while the difference might be obvious at the gut level to you and me, the law likes clear lines, and I’m not seeing many of them.

I don’t have answers here, but I welcome thoughts on the matter.  It’s a problem that is likely to feed back into the technology and social conventions of online conversation — potential lawsuits are good for chilling free expression, so these lines really matter in practice…

Conversational Feedback

July 29, 2009 by Justin

I’d like to spin off of a recent conversation over in dsr’s journal.  He pointed out that non-realtime online conversations suffer badly in terms of feedback: when you do something inappropriate, it takes a while to get feedback, and once the feedback does come, it tends to be in the form of a tsunami.  Siderea then pointed out some of the failings of text as a form of feedback in general, compared with face-to-face.

Okay, so let’s explore that a bit.  What could we provide to make feedback more effective?  To put it more specifically, what might CommYou do to provide good tools for social feedback?  It is probably impossible to make online feedback as effective as the face-to-face kind, but can we make it better than it usually is?

Let’s look at a few of the common problems:

  • Text tends to have a different subject than face-to-face indications.  When someone does something inappropriate in person, I indicate *my* discomfort, and leave it to empathy to provide the feedback.  Textually, the point tends to be “You did something wrong”, which is a much sharper and more direct criticism.
  • Text is often too blunt and explicit — it’s hard to say that someone has been inappropriate without stepping on social taboos and being rude yourself.
  • In non-realtime conversations, when someone says something inflammatory, it tends to produce a response of “I Must Respond!” in all the readers.  Even if I know there are a lot of responses, which might already take this person to task, the desire to say something can be overwhelming.  By contrast, in a real face-to-face situation, everyone might start shouting at once, but it usually quickly dies down to one person making the point first and everyone else hearing it; this cuts down somewhat on the dog-pile effect.

So the question is, can we improve on this?  I have a few off-the-cuff ideas, but I don’t know if any of them are reasonable.  For instance:

  • Provide built-in concepts for emotional expression that are subtler than text.  Shadings of color are potentially expressive, but not universal — they’d probably require social convention to have any effect. (Emoticons are essentially an attempt at this, and illustrate how hard the problem can be — they are often badly misused.)
  • Roll up these expressions onto the message being reacted to, possibly as a single cumulative effect, to reduce the verbal onslaught.  (Slashdot kind of does this in its karma system.)
  • Distinguish between “near-real-time” and “later” in conversation; (subtly?) discourage this sort of emotional feedback more as things go along, to avoid the syndrome of people beating the dead horse.

Of course, these are still in tension with the problem of “I” vs “You” — done naively, these still come across as “you did something wrong”, since they adhere to the posted message, whereas the ideal would seem to have a connotation of “I’m uncomfortable” instead.  I’m not sure how to express that notion of discomfort in a way that is as subtle but effective as facial expressions in real conversation. The heart of the problem is that (especially in non-realtime conversation) the rest of the audience doesn’t have a good way to provide the sort of ambient feedback they do face-to-face.

Ideas?  I think this is a terribly interesting problem, and I suspect there are a bunch of experiments worth trying. (Note that dsr has a couple of good ones in the linked conversation — I’m especially intrigued by the general notion of participants being able to add what amounts to typed metadata.)

Trust and Impersonation in social networks

May 20, 2009 by Justin

[A quick meta-note upfront: I haven't been posting much lately, because I started a Real Nearly-Full-time Job a few weeks ago.  I'm continuing both CommYou and Art of Conversation, but my time is now much more limited.]

My friend mindways recently posted a link to an interesting but not surprising article about the growth of fraud in social networks.  The idea is quite simple: since Facebook verifies nothing but your email address, it is terribly easy to pretend to be someone else.

I’m not talking about fancy high-tech breaking of security here — it’s simply that, if I was to claim to be Bill Gates, how do you know that I’m not?  (In practice, a quick search turns up a bunch of them.)  More to the point, how do you know whether or not I’m your buddy Jim?  If I have Jim’s picture, and a little of the right biographical information on my profile, I sure look like Jim.  Do you vet your Facebook friends carefully, to see if they are who they say they are?  Would you even really have a way to do so, short of calling Jim and asking if he friended you on Facebook yesterday?

This is all the flipside of the “pseudonymity” question that comes up from time to time.  If you have a lot of persistent information online, that is all strongly linked together in a secure way, that counts as a fairly clear identity — perhaps not an identity linked back to the real world, but an identity.  OTOH, if all you have is a bunch of information about a real world identity, but no secure relationship between that and the online one, you don’t really have anything meaningful.  But most people are still used to thinking in terms of real names and faces, so the gut reaction is to believe the latter more than the former, even though it’s actually much easier to fake.

Curiously, I suspect that LiveJournal is actually less prone to this problem than Facebook is, precisely because it does not use your real name as your handle.  (And many/most people don’t use their picture for their icon.)  This preconditions people to be just a hair more suspicious: there isn’t the knee-jerk, “Oh, look — it’s Jim’s picture so it must be Jim.”  And on LJ, Who You Are is mostly determined by What You Say.  If you post a lot of things that only Jim would say, you’re probably Jim.  But just asserting your identity and friending people is more likely to make them suspicious: there is more burden of proof.

At least, that’s my guess.  I don’t know that anyone’s really studied the matter yet — it would be interesting to see what came out of such a study.

What do you think?  Have you found yourself more apt to simply friend someone on Facebook than on LJ, because they have the right user name and photo?  Do you think the rise of OpenID and other online-identity-linked mechanisms will gradually reduce this threat, by raising expectations of a deeper, richer and more consistent online profile?

Autopilot and Social Networking

April 1, 2009 by Justin

I’m sure that, by now, you’ve all heard about Google’s new Autopilot extension to Gmail, which was announced today.  Obviously, Autopilot represents a major leap forward in conversation technology.  (Yes, yes — CommYou will begin letting users apply Autopilot to conversations, as soon as Google opens up the APIs.)

Let’s talk instead, though, about the potential of this technology for social networking.  Autopilot is doing a good job of easing the burden of conversation, by removing the need to read and reply to your email.  But really, that’s the easy bit.  Nowadays, the really challenging problems are all coming on the social networking side.

So I’m going to propose two products that I think Google should be working on.  (And given how fast the CADIE project is evolving, probably will have finished by tomorrow.)

First up is AutoNetwork.  This would monitor your existing social network, as well as all aspects of your real life, integrating your calendar, your phone calls and your emails to derive a complete picture of who you are and who you know.  (Google already knows all of this anyway, so it’s just a matter of putting the pieces together.)  Then, when you apply AutoNetwork to a given social network, it chooses who you should friend and who not.  It will automatically add friends, decline invitations from people you don’t know *that* well, and unfriend people who you really shouldn’t be talking to.  This will remove the burden of keeping track of your social network, by doing all the heavy lifting for you.  In release 2.0, it will decide which social networks you should be on in the first place.

Second is AutoTweet.  This is simply a logical extension of Autopilot, aimed at broadcast media.  It will use its advanced heuristics to decide which elements of your life are worth talking about, summarize them, and post them automatically to Twitter.  On the other end, it will keep track of which tweets you’ve responded to in the past (as a measure of what you are interested in), and use that as a basis for filtering which ones from your friends you will see.  After a few days of evolving the heuristics, it will simply provide you with a running commentary of everything interesting that is happening to everyone you know, in realtime, in a convenient 140-character form.

While none of this was announced today, I think it is safe to assume that we’ll be seeing it by — oh, next Monday at the latest.   Given that CADIE already has her own blog and Twitter feed (granted, she needs a couple more days to evolve decent taste), they’re clearly moving in this direction already.

So I figure that, by around next Wednesday, the entire Internet will be taking care of itself, leaving us humans to ignore it and go back to focusing on the real world.  Really, it’s about time…

Information Shadows, and the Difficulty of Anonymity

March 31, 2009 by Justin

Chris Herot wrote a very interesting short post yesterday, with some of the ideas coming out of Foo Camp East.  Some of it will be unsurprising to folks here (most of whom, I think, have long since lamented how inadequate the word “friend” is for most social networks), but there are some neat references.

One point isn’t exactly surprising, but worth noting nonetheless: see this PDF, which argues for a formalism of “information shadows”.  (The PDF is 74 pages, but it’s actually not very long — it’s essentially a slide show, in the breezy Head-First style.  The file is large, but it’s mostly pictures.)

The initial argument is that, as we move into a world of ubiquitous computing, it will become more and more essential to have data that corresponds to real-world objects, and therefore we need ways to refer to those objects.  It’s not rocket science — indeed, it’s almost exactly why the URI standard is as ridiculously flexible as it is — but he makes a good argument that steam engine time is here for this idea.

Stick around to the final third of the document, though, which is where it gets really interesting.  He generalizes the concepts of “serials” and “services”, and explores how real-world and digital concepts are mushing together, to produce new models of ownership that simply couldn’t work before ubiquitous computing.  While the facts contained in it are well-known, it shows that there are some new emergent concepts in the air, and we should start thinking about what we can really do with them.

Also, Chris points to a paper that I’m sure will disturb a lot of people here (although, again, I suspect many will be unsurprised).  De-anonymizing Social Networks demonstrates that, if you simply know that somebody is on two different anonymous social networks (they use Twitter and Flickr), you can relate their handles together with a decently high degree of confidence simply by analyzing the topology of the social graph.

I haven’t read the paper in detail yet, so I’m not sure how well it generalizes, but it does illustrate that our cozy notions of anonymity aren’t as secure as we might wish.  Modern data-mining techniques are powerful, and keeping multiple identities truly separate is harder than it looks…

Portable Contacts gets a big boost

March 26, 2009 by Justin

I’ve mentioned the Portable Contacts (PoCo) project a few times in the past — it’s the group that is trying to do for contact lists what OpenID is doing for identity, allowing you to use a single contact list across the Web.

That’s been growing steadily in recent months, with a lot of small players and several mid-level ones picking up on it.  And as of yesterday, it’s gained another significant supporter: Google Contacts has begun to support PoCo.  This means that any PoCo-enabled app can now make use of contact lists from Google, if you give it permission to do so.

No, it’s not Facebook — if that ever happens, you’ll know that PoCo has well and truly won as a standard.  (Nor is it LJ, which matters most to a number of my readers here.)  But it’s a fine step in the right direction, moving from social-network “walled gardens” to a more open and consistent infrastructure…

Fine- vs coarse-grained group management

March 24, 2009 by Justin

There’s an interesting discussion going on over on the Portable Contacts mailing list right now that seemed worthwhile to bring up here.

Portable Contacts (or PoCo for short) is the standard brewing up for how you share contact lists.  It fills a gap in the “Open Stack”, which already had things like OpenID for sharing your identity (so you can log into various places with a single ID) and OpenSocial (so you can plug various applications into your social network).  PoCo provides a standard way for you to let an application (or another social network) see who your friends are, so you can use your flist for various purposes.

(CommYou doesn’t yet support PoCo, but that’s solely because I haven’t gotten around to it yet — once I’m done with the current rearchitecting, it’s medium-high on the priority list.)

Anyway, today’s conversation brought up the point of how you share that flist.  Currently, it’s mostly being done all-or-nothing — you tell your social network that app A can see your flist, and it gets access to the whole thing.  Which works fine for me personally, but as was pointed out in the discussion, won’t work for everyone.  The point came up that your custom friend lists can and should be used to manage which contacts get exposed.

In particular, Martin Atkins argued for finer-grained access controls:

The sort of uses I’m imagining are, for example, importing my business contacts into LinkedIn without giving LinkedIn access to my personal contacts, or conversely pulling my close friends into SomeEmbarassingSocialNetwork.com without pulling in my business connections.

That makes sense, and while I tend to be fairly loose about letting my networks and identities slosh around between each other, I know that many of you are much more careful about it.
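
To make the difference between all-or-nothing and group-scoped sharing concrete, here is a small sketch added for illustration; it is not code from PoCo, CommYou or the mailing-list thread. The app names, group names, contacts and the Grant/shared_view helpers are all hypothetical and constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Fields an app may ever receive. Group labels are deliberately excluded:
# telling an app that someone is on your "close-friends" list is itself a leak.
EXPOSABLE = frozenset({"name", "email", "phone"})

@dataclass(frozen=True)
class Contact:
    name: str
    email: str
    phone: str
    groups: frozenset  # the owner's custom friend lists this contact is on

@dataclass(frozen=True)
class Grant:
    groups: Optional[frozenset]              # None models today's all-or-nothing grant
    fields: frozenset = frozenset({"name"})  # minimal field set unless widened

# Constructed sample data (hypothetical people and apps).
CONTACTS = [
    Contact("Alice Example", "alice@work.example", "555-0101", frozenset({"business"})),
    Contact("Bob Example", "bob@home.example", "555-0102", frozenset({"close-friends"})),
    Contact("Carol Example", "carol@both.example", "555-0103",
            frozenset({"business", "close-friends"})),
    Contact("Dave Example", "dave@none.example", "555-0104", frozenset()),
]

GRANTS = {
    "linkedin": Grant(frozenset({"business"}), frozenset({"name", "email"})),
    "embarrassing-network": Grant(frozenset({"close-friends"})),
    "legacy-app": Grant(None, frozenset({"name", "email", "phone"})),
}

def shared_view(app_id, contacts=CONTACTS, grants=GRANTS):
    """Return only the contacts and fields the owner granted to app_id."""
    grant = grants.get(app_id)
    if grant is None:
        return []  # default deny: an app with no grant sees nothing
    fields = sorted(grant.fields & EXPOSABLE)  # drop anything not exposable
    view = []
    for contact in contacts:
        # Group-scoped grant: skip contacts that share no group with the grant.
        if grant.groups is not None and not (contact.groups & grant.groups):
            continue
        view.append({f: getattr(contact, f) for f in fields})
    return view

if __name__ == "__main__":
    for app in ("linkedin", "embarrassing-network", "legacy-app", "unknown-app"):
        print(app, shared_view(app))
```

Carol is on both lists, so she shows up in both scoped views, which means two apps that compare notes could still link the two circles through her; Dave is on no list and is only visible to the all-or-nothing grant.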

So I’m curious: how do you think you would approach these access controls?  Do you believe that you would use fine-grained controls, to make sure that certain apps only knew about a subset of your social network?  Do you think you’d do this generally, or only for certain apps and networks?  And do you see handling this differently between, say, LJ, Facebook and LinkedIn?