Here’s an interesting new problem for us conversation facilitators to deal with: what do you do when you are legally mandated to contact your users, and can’t?
This is inspired by a recent court ruling, described in Ars Technica. The upshot here is a pretty reasonable decision: before revealing the identities of anonymous commenters who are being sued for defamation, the plaintiffs must make a good-faith effort to contact them and give them a chance to respond before they are outed.
The court said that posting on the message board in question should suffice, but I don’t expect that to hold up in the long run. As we move towards more community-oriented and filtered communication systems, the fact is that posting something publicly just isn’t going to be a plausible way of getting the message through.
In a traditional system, there’s an obvious fallback position: require the messaging system to pass an email through to the users in question. (Assuming the messaging system has some idea who these users are; if not, the case is meaningless.) It does put more onus on the messaging provider than the current ruling does, but I won’t be surprised to see that happen.
But what if the users joined the system through OpenID? In this case, there might well be no means of contacting those users other than partly outing them. At the least, the front-line messaging system would have to bring the identity provider into the loop, and things could get complicated and messy.
It’s just an example, but it illustrates a tension that’s going to be coming up more in the coming days. The new identity environment — especially the Open Stack — is all about spreading identity out, and making it easy to keep it a bit opaque. But a lot of laws and customs assume that identity is fairly easy to penetrate. I suspect we’re going to find all sorts of places where those come into conflict, especially as “publication” and “identity” become entirely separate functions. Any bets on how messy things will get, or how far the law will fall behind reality?
The Art of Conversation 
March 10, 2009 at 9:19 pm |
That implies I should be looking for an OpenID service provider who is A. not me and B. trustworthy, to the extent that they have a public commitment, preferably backed by a large bond, that they will not deliberately reveal real-world identity information to anyone without a court order. Oh, and they should be located in stable jurisdiction without too many weird laws.
March 11, 2009 at 3:24 pm |
Quite likely, yes. In general, as we move away from purely ad-hoc identity into a more organized system, I think that trust in your identity provider is going to become an important issue. (Indeed, that’s probably worth a posting unto itself…)
March 11, 2009 at 4:13 pm |
So following on that logic, what happens if you have an identity provider in a diffrent country that isn’t bound by US laws and court orders?
March 11, 2009 at 4:42 pm |
Serakit: you’ll need to understand the laws and political climate of where ever your identity provider is located. There might be a business opportunity for a Switzerland or a Channel Island business here. Or Iceland, perhaps.
March 11, 2009 at 10:48 pm |
Trust in your OpenID provider is going to be built the same way we trust our email provider not to post our email everywhere, etc. It’ll be strongly reputation linked. But the requirements may not evolve very far from where they are now; there are lots of precedents where what the law considers notice and what you or I consider notice might not meet. Look at trademark and patent law, where often the only notice issued is a compilation every quarter or so of all the awards, and if you wish to voice an objection, you must find the notice. Or some class action lawsuits where the only notice might be a small posting in the local newspapers. The law can sometimes put the onus on the audience to be alert for notifications, and ignorance of the notice is no defense in the eyes of the law.