I woke up in a Soho doorway

Standard practise in the “replies,” “comments,” or “discussion” portion of weblogs is to allow anyone to comment about anything, and to, without proof of identity, enter a name, email and sometimes a website address to attach to their comment.

While there are some systems that require readers to register, sometimes with an emailed password to verify the email address they enter, this is rare, and thought, I think, to be too much of an impediment to free-flowing discussion.

The result of this free-form approach to identity is that it’s impossible to know who is commenting about what. That many readers favour using pseudonyms, or short forms of their names, exacerbates this problem.

Take this thread of discussion about a recent post here: there are comments from “blair,” from me (or at least someone claiming to be me; I happen to know it was me), two from “Rob L.” and one from “Brian.”

Because I give readers the option of not having their email address (approximately 2/3 of commenters choose this option), often all the reader of comments knows is the “handle” the writer used. And there’s no assurance that even the same handle always identifies the same person.

Indeed there was an issue that arose here last year where comments from one reader were subsequently read by another reader, with the same first name and last initial. This person took umbrage, feeling that if the comments were seen to have come from him, he would suffer harm.

Mistaken (or hijacked) identity is only one of several ramifications of this situation: not knowing, with any certainty, who is the writer of commentary diminishes their authority, strips them of context, and makes for confusing lines of responsibility.

Another example: if an anonymous person, using a pseudonym, writes a comment here that defames someone, who is ultimately responsible? My first reaction is that everyone owns, and is responsible for, their own words. But what if the writer can’t be identified, either publically or privately?

What, if anything, should we do about this?

Comments

Jevon's picture
Jevon on February 18, 2004 - 16:00

I’ve thought about an e-mail or IM challenge system. Perhaps a little lofty, but why not use jabber to challenge the person via any IM system, and failing that, let them do it over email.

Peter Rukavina's picture
Peter Rukavina on February 18, 2004 - 16:24

We use an email challenge system on both Almanac.com and YankeeMagazine.com. Lately we’ve been running into significant customer service issues because the message containing the password that we email to new registrants is getting trapped as spam.

I think this is only going to get worse, and the “here’s how you can make sure our message doesn’t get trapped as spam” instructions are going to become too complicated to convey (they’re pretty complicated right now).

Here’s another thought: my impression is that most people start reading blogs because they know a blog publisher personally. So what about implementing some sort of decentralized “web of trust” system, where your identity is certified, and subsequently verified, by that person.

For example: I know Jevon personally, so there’s a record in Jevon’s authority database about me. When I post a comment on Steven’s blog, I somehow reference that Jevon will “vouch” for me, and because Steven trusts Jevon, my comment is authorized.

Another alternative is to simply have some sort of user registration system on each blog, but to also allow anonymous posts, and to simply flag authenticated writers as “we know who this person is and can vouch for their identity” and anonymous ones as “we’re not sure this person is who they appear to be.”

Ann Thurlow's picture
Ann Thurlow on February 18, 2004 - 17:28

If I was going to create an analogy here, I would liken this situation to leaving out an unattended bowl of candy on Hallowe’en — and assuming the kids would just help themselves in an orderly and fair fashion.

Alan's picture
Alan on February 18, 2004 - 18:21

I suppose it all depends on how restrictive you want to be. I have a couple of anonymous posters — by their IP one is from Peterborough, the other from BC — who are fairly entertaining and so far reasonably sensible who would be excluded from your proposal. As little turns on the integrity of a blog and, as I do, you can reserve to right to move comments to more relevant threads and delete the rude, what is the real mischief being protected against? Remember, there was a time no one knew who Wayne was. Now he has been encouraged to blog himself.

nathan's picture
nathan on February 18, 2004 - 18:58

Peter, the “web of trust” you describe above sounds alot like PGP or GPG systems [1]. For such a system to become successful, it has to overcome both technical and social problems. The social problems arise since it is impossible for the system to be fully transparent to the users… if it was you’d be right back to trusting identity implicitly.

Unfortunately it’s very difficult to get people to care about identification and verifictation issues when all they want to do is send a message. An identity verification system that is (for better or worse) transparent to users is SSL in the major web browsers. It’s interesting to look at the chain of trust there: user trusts the browser (Microsoft, Apple, Mozilla…) which in turn trusts a certificate company (Verisign or Soltrus) which in turn trusts the owner of the website.

[1] http://www.gnupg.org/gph/en/ma…

Peter Rukavina's picture
Peter Rukavina on February 18, 2004 - 19:17

I agree, Nathan.

There was a move, back in the days of 2.0 and 3.0 browsers, to have users install personal digital certificates. We looked at this mechanism when I was working with the Government as a possible replacement for, or addition to, username and password identification for applications that needed stronger authentication.

However the problem was that the process of applying for, receiving and installing a personal digital certificate was onerous enough that few actually did it, and thus support for it on the server side never got rolled out to match.

Peter Rukavina's picture
Peter Rukavina on February 18, 2004 - 19:23

By way of explaining Ann’s comment above, I should mention that we did exactly as described one year, and had all of our candy taken by the first group of kids that came along.

Steven Garrity's picture
Steven Garrity on February 18, 2004 - 19:41

Apparently the OSAF’s Chandler email app aims to do PGP or GPG (great acronyms) identification transparently.

nathan's picture
nathan on February 18, 2004 - 20:12

Steven, transparency is not the same thing as well integrated and easy to use solution. Full transparency is the wrong target. At some point you have to say “I trust person X” based on either outside knowledge or a chain of trust. A web of trust can make it easier to make the decision about people you do not know in person, but it still requires either explicit decisions (“I trust X since I’m his co-worker”) or general decisions (“I trust person Z since Z is trusted by two people I trust”).
Many email applications already provide some integration with with GPG. The email client I use, Evolution, handles both the signing and verification of messages with GPG quite well (no special setup). It does not provide a complete interface to the GPG operations, but I’m not certain that an email client is the correct place for all that anyway.

Steven Garrity's picture
Steven Garrity on February 18, 2004 - 20:22

true — I think what the Chandler project is aiming for is to sign messages without any special setup.

Add new comment