Although this discussion has focused on whether people should be able to use pseudonyms online, there is a related issue that no one has raised. Using a persistent pseudonym like "Identity Woman" in effect becomes someone's personal brand. Since it's become your personal brand, you'd presumably like to prevent others from using that same pseudonym. What if someone else were to start identifying themselves as "Identity Woman" in blog comments or other online transactions? You could perhaps sue them, if you can legally claim some kind of ownership of the pseudonym. But that's a messy, inconvenient, and expensive remedy. Is this a real concern, or am I just inventing some new problem here? I think it's related to online identity theft, regardless of whether that identity is your "real" identity or some pseudonym that's become associated with one individual and represents that individual's personal brand. The issue is, how do you prevent someone else from claiming your identity (represented by some name or other set of attributes meant to uniquely identify you), especially when that identity is being used to obtain a high value service? This may not be a problem today with pseudonyms, but it's certainly a problem with "real" identities. The ability of an evildoer to use your personal information online to obtain a new credit card, or to access online financial accounts or medical records, or even to access your email (by using "social engineering" to do a password reset) has become a significant problem. Does NSTIC solve this problem? Not really. You could voluntarily seek out an identity provider that will vet your identity and issue you some sort of high assurance credential bound to that identity. [I have no idea how this would work with pseudonyms. What would be the criteria for asserting that "Identity Woman" belongs to you and no one else? There would need to be some rules defined for such things.] But even if you did this, NSTIC is voluntary. There is no requirement that all service providers authenticate an identity claim using such credentials before providing their service. So identity theft (using real identities or pseudonyms) is still a possibility. [I'm going to ignore privacy concerns for the time being.] There seems to be two possible approaches for preventing online impersonation. One is to require *all* providers of certain types of "high value" services to take "adequate" steps to authenticate an identity claimed by someone seeking its service. Such a requirement would not be able to mandate the use of NSTIC-compliant credentials, but presumably such credentials would serve this purpose more effectively than other methods. Another possibility would be to create incentives (legal, economic, or something else) that would motivate providers of high value services to perform these authentications. These incentives would need to be defined in such a way to encourage high assurance authentication for high value services, where harm could come to someone who is successfully impersonated, while specifically discouraging high assurance authentication for other kinds of services. Bob Pinheiro kantara@bobpinheiro.com On 8/1/2011 2:13 PM, Kaliya wrote:
The freedom to use a pseudonym online that is persistent and not a spammer and not spouting hate speech and not doing anything illegal is what this is about.