Identity: Our Last Stand
Linux has built countless cathedrals, but still no bazaar.
By that I mean every corporate cathedral you can shake a mouse at is full of Linux, yet Linux has not yet enabled a free and open marketplace for every business and every customer. Instead, every human being on the commercial net remains trapped in corporate cathedrals, many of which are ravenous for the blood of personal data, most of which is acquired by surveillance. In fact, nearly our entire existence in the commercial world is inside cathedrals where we have near-zero autonomy and great exposure to whatever those running the cathedrals wish to know about us.
The wide-open bazaar—the open public marketplace—where we can roam free, as anonymous or selectively know-able as we please, still doesn't exist online. And it should, because the internet protocol was built to support it. Just because it isn't there yet doesn't mean we shouldn't build it. Hell, commercial activity has existed on the internet only for 21 years so far. (Starting on April 30, 1995—that's when the NSFnet, the last of the internet backbones that forbade commercial traffic, stood down.)
I know this isn't what Eric S. Raymond was talking about in The Cathedral and the Bazaar (his landmark book about software development, published back at the turn of the millennium). Eric was talking about development styles, contrasting closed "cathedral" environments with open "bazaar" ones. Linux was, and remains, the greatest exemplar of bazaar-style development at work: a fact owed in no small measure to Eric's evangelism of Linux and open source, much of it on these very pages.
I'm borrowing Eric's metaphors here for two reasons. One is that I hope it motivates some readers to admit that Linux has been used at least as much to build corporate (and government) cathedrals as to liberate the geeks who continue to write open-source code that makes building anything possible. The other is that we need another coterie of alpha geeks working today on creating an open marketplace, setting everyone free from the countless closed ones that have become the norm and have made the surveillance economy possible.
"Give me a place to stand and I can move the world", Archimedes said. Each of us has that place with the internet. What we lack is a fulcrum.
That fulcrum isn't a machine. It's identity. We need to have root for our own identities online. We have it in the offline world, but not yet online. Getting that root is our challenge. With root for our own identities, we will be able to go about our business anonymously by default, and identify ourselves selectively on a need-to-know basis. That includes being able to call ourselves whatever we please when dealing with other entities in the world, and then engaging administrative systems—such as those in the world's many cathedrals—in full control over what we share, what we don't and how we leverage the same data, and attached permissions, across all those systems.
Let's look at the physical world for a moment. By default, we are anonymous to others there—literally, nameless. For example, when we walk down a city street, we do not want or need everybody we pass or encounter to know who we are, or anything about us, other than the fact that we are human and participating in society. When we meet somebody, we may introduce ourselves by our first names or nicknames. Or, we may give somebody a business card. Asked for our name at the counter of a coffee shop, we can tell them anything. I've met more than one guy named Mike who uses a different name—Clive or something—because the name Mike is so common. At a conference, we may wear a name badge, but even in those cases, some people still just use their first names or turn their badges around.
What happens in all these cases is data sharing on a need-to-know basis that we control. Being able to do so is a grace of civilization. Not being able to do so is a curse of celebrity, and a useful case in point. Being known by all is a Faustian bargain. And we are all Fausts online today, whether we like it or not.
Faust was the scholar in German legend who sold his soul to the devil for unlimited knowledge and worldly pleasure. The difference with us is that we don't sell personal data about ourselves. We don't even give it away. We just acquiesce to ubiquitous surveillance, through which all kinds of personal data gets snarfed up without our knowing much, if anything, about it.
The bishops in charge of personal data acquisition in today's corporate cathedrals are the Chief Marketing Officers (a title that hardly existed in the pre-internet world) or their equivalents. They and their many agents believe it is both possible and desirable to know everything about users and customers, either by direct surveillance through browsers and apps or indirectly through access providers and other third parties.
Thanks to growing Big Data budgets and appetites, and absent legal and technical restraints, the market for personal data has become vast and complex beyond any one party's full understanding. It even includes real-time data, harvested from cookies and other tracking files, sold by auction to help guide advertising messages directly toward crosshairs on eyeballs and eardrums.
As if all this were not bad enough, everybody interacting with these cathedrals online has the added burden of needing separate passports—logins and passwords—to clear customs at every entrance.
In "Doing for User Space What We Did for Kernel Space" (published in LJ two months ago), I gave the examples of what a few startups are doing to give us identity root. There are, and should be, many more working on the same case. And soon. Because identity is our last stand. Making it ours, finally and absolutely, is the only way we secure our independence and liberty online. It is the only way the world's economy becomes a true bazaar.
It's a handy thing that we can get together soon to talk about it and work on code: next month, at the next Internet Identity Workshop, on October 25–27, 2016. I have co-hosted these with Phil Windley and Kaliya Hamlin (aka IdentityWoman) since 2005. IIW, as it is best known, is a three-day unconference held twice a year at the Computer History Museum in Silicon Valley. It's cheap as conferences go. The charge just covers our expenses; we don't make money off it. (In fact, if you can send sponsors our way, that'll help too. Sponsors pay for the food, which is always good.) Register here.
And see you there—as whatever you want to call yourself.