http://www.sunshineweek.org/
‘March 11 marked the start of America’s third annual Sunshine Wee, a national effort to cast light onto the growing recesses of government secrecy’.

US News is offering up the latest information on the Freedom of Information Act, with links to filing FOI requests to US states, the federal government, and 67 other countries.

“Often the records can be obtained by simply asking for them, but since 9/11, federal agencies have grown increasingly stubborn about what they release. A just-released survey by the National Security Archive found that only 1 in 5 federal agencies meets congressionally mandated requirements for online information access. There’s hope, though: A new bill is making its way through the House of Representatives, with bipartisan backing, that would strengthen the FOIA, one of a host of open government measures being looked at by the new Congress.”

Here’s an online guide to getting what the government’s got:

• The Reporters Committee for Freedom of the Press has an easy-to-use FOI letter generator, for general requests under the Freedom of Information Act.
• For an individual’s files, people should make requests under the Privacy Act. Here are relevant forms from the Freedom of Information Center at the University of Missouri’s School of Journalism.
• Although access varies, every state now has open meetings or open records laws. The Reporters Committee has a handy guide on this, too.

The question you should be asking yourself is this……
“If I do happen upon a FOIA request, to any of the number of governmental agencies, will by inference this cause my file to expand?”

“Anonymity should be the default” doesn’t say what I mean. Sorry to have put it badly. “Defaults” come to us from the software world where shipping software with the right options turned on can make or break a product. It may be that anonymity is the right default option for digital ID management software, but that’s not what I meant. And if it is the right default, it will be due to anonymity’s social, political and personal roles. Those roles are what interest me.

I probably should have said “norm” instead of “default.” In fact, it’s helpful (I think) to put this in moral terms. Philosophers have the useful concept of the prima facie. (If you disagree with how I describe the prima facie, then skip the phrase and go straight to the concept.) Something is prima facie good if you don’t need a special justification to do it, but you do need a justification to do its opposite. Telling the truth is prima facie good because you don’t need a special justification to do so, but you do to tell a lie. Likewise, anonymity is prima facie good in our culture: We don’t need a special reason not to ask you to identify yourself and we do need a special reason to ask you to whip out your drivers license. There are places and contexts where this doesn’t hold, e.g., entering a nuclear facility or the Nebraska State Twine Museum (on Homeland Security’s Vulnerable Sites list) these days. But still, in general, anonymity is prima facie good and is the norm.

I don’t want that to change on line. Here’s why.

While obviously what we do — and who we are — on the Net keeps surprising us, we would be fools not to learn from our experience as selves in the real world. So, here’s something I think the real world teaches us. The term “anonymity” has a bad connotation because it’s used primarily where there’s an expectation of identification. We don’t say that someone entered a movie theater anonymously unless we’re implying that the person had reason to hide her identity, even though, in truth, anyone who pays cash for a theater ticket is entering it anonymously. So, because we use the term “anonymous” mainly where identification is expected, this may lead us to think that being identified is the usual state — the default state — in the real world. In fact, the rarity with which we use the term actually indicates that the opposite is the case: Anonymity is the norm in the real world.

That of course doesn’t mean that we’re always anonymous. There are zones where being identified becomes the norm by law or policy. And, in a small-ish town or within a work community, we may expect to know who everyone is. But, even so, the people in the small town are not entitled (by law or custom) to demand to see a drivers license of a visiting aunt walking down the street. You need a special justification (in the real world) for demanding ID, but you don’t need special justification for not demanding ID.

Of course that doesn’t mean that anonymity should be the default online, just as e-commerce sites shouldn’t replicate the real world experience of waiting on check-out lines. But, it’s worth looking at the real world in this case because it can help undo anonymity’s bad reputation, so that we can make a better judgment about what we want online.

Anonymity (including pseudonymity) does much good online. It also allows bad things to happen, but so does free speech. Before we tinker with the defaults, we ought to at least recognize what we may be giving up in the realms of (1) the political, (2) the social, and (3) the personal.

1. Anonymity allows people to say and do things that those in power don’t like. It enables dissidents to speak and whistleblowers to blow their whistles.

2. Anonymity allows people to say and learn about things from which social conventions otherwise would bar them. It helps a confused teen explore gender issues.

3. Anonymity (and especially pseudonymity) enables a type of playing with our selves (yes, I know what I just said) that may turn out to be transformative of culture and society.

Anonymity also allows some awful things to happen more easily, but we can’t fairly decide what we want to do about it unless we also acknowledge its benefits. Just as with free speech.

Some of these issues have to do with privacy. Since I’m interested in norms, I don’t want to stipulate definitions of “privacy” and “anonymity,” which is probably the only way to make their relationship crisply clear. The fact is that the two terms, as we use them in the real world, are murky alone and in relation. Roughly, when we talk about anonymity, we generally mean not knowing who I am, whereas when we talk about privacy, we generally mean not knowing things about me. (Logically, privacy includes anonymity since who I am is something to know about me, but in practice we use the terms separately.) In many instances, a strong right to privacy confers the benefits of anonymity. But, the real not-knowing of anonymity may be required in some regimes for people to feel free to speak. And it may have a subtle, liberating effect on the selves we’re building in the new connected public.

Worse — at least if you insist on clarity — both terms are complex and gradated. Privacy is obviously something we can parcel out in dribs and drabs; that’s what the new digital identity management systems enable. Anonymity sounds more binary, but because “who we are” is complex, so are the ways in which we can hold back information about who we are. An anonymous donor has probably identified herself to the organization that has agreed to withhold her name. An anonymous author may disclose that she has twenty years experience in the trade she’s writing about. An anonymous stranger who runs after you with the wallet you dropped makes no effort to hide her face, even if she refuses to give her name. And the range of ways in which we are pseudonymous is enormous.

We don’t have to sort this out entirely. Privacy, anonymity, publicness, responsibility, shame, freedom, self, community…these and other core terms are properly in a royal stew of meaning.

Before we have all this clear, we’re going to have to make some decisions. My fear is that we are in the process of building a new platform for identity in order to address some specific problems. We will create a system that, like packaged software, has defaults built in. The most important defaults in this case will not be the ones explicitly built into the system by the software designers. The most important defaults will be set by the contingencies of an economic marketplace that does not particularly value anonymity, privacy, dissent, social role playing, the exploration of what one is ashamed of, and the pure delight of wearing masks in public. Economics will drive the social norms away from the social values emerging. That is my fear.

I have confidence that the people designing these systems are going to create the right software defaults. The people I know firsthand in this are privacy fanatics and insistent that individuals be in control of their data. This is a huge and welcome shift from where digital ID was headed just a few years ago. We all ought to sigh in relief that these folks are on the job.

But, once these systems are in place, vendors of every sort will of course require strong ID from us. If I want to buy from, say, Amazon, they are likely to require me to register with some ID system and authenticate myself to them…far more strongly and securely than I do when I pay with a credit card in my local bookstore. Of course, I don’t have to shop at Amazon. But why won’t B&N make the same demand? And Powells? And then will come the blogs that demand I join an ID system in order to leave a comment. How long before I say, “Oh, to hell with it,” and give in? And then I’ve flipped my default. Rather than being relatively anonymous, I will assume I’m relatively identified.

Does that matter? I think it does, for the political, social and person reasons mentioned above. Don’t make me also argue against being on one’s best behavior and against being accountable for everything one does! I’m willing to do it! I will pull this car over and do it! Just try me!

The basic problem is, in my opinion, that the digital ID crew is approaching this as a platform issue. Most places on the Web have solved the identity problem sufficiently for them to operate. Some ask for the three digits on the back of your credit card. Some only sign you up if you confirm an email. Some only let you on if you can convince an operator you know the name of your first pet and the senior year season record of your high school’s football team. Sites come up with solutions as needed.

Good. Local solutions to local problems are less likely to change norms and defaults. But the push is on for an identity management platform. It’s one solution — federated, to be sure — that solves all identity problems at once. Because of Microsoft’s market dominance, its building identity management into the operating system is an important plank in the platform. Even the sprouting of multiple identity management systems results in a platform because they will make it possible for vendors to expect you to use one.

If you want to change a social default, build a platform. That’s not why they’re building it, but that will (I’m afraid) be the effect. It’s not enough that anonymity be possible or permitted by the platform. It’s about the norm, the default. If the default changes to being naked at the beach, saying, “Well, you can cover up if you want to,” doesn’t hide the fact that wearing a bathing suit now feels way different. Yes, there’s something wrong — and distracting — about the particulars of this analogy. But I think the overall point is right: We’re talking about defaults, not affordances.

There are serious problems caused by weaknesses in current identity solutions. Identity theft is nothing to sneer at, for example. But are we sure we want to institute a curfew instead of installing better locks?*

1. Anonymity isn’t just for criminals and terrorists.
2. You’d have to change the entire computing environment — hardware, software, operating systems, the network, the way Internet cafes work — to prevent bad people from operating anonymously.

This post is me blurting out that first point. The ground has shifted under the second point, however. Joho originally wrote a description of all you’d have to do to make it impossible for sufficiently motivated evil doers to act anonymously on the Net. The idea was that the list was obviously absurd. Now it is not. It is in fact the shape of the computing environment being imposed on us: Hardware with identifiers burned into it, operating systems that lock users out of their own computers in order to keep the computers “secure,” US government requirements for backdoor access to all software that talks on the Net, policies such as requiring showing a photo ID to use an Internet cafe (as I experienced in Italy).

The irony is that this will stop almost everyone from being anonymous except the people we’re trying to catch.

http://www.hyperorg.com/blogger/mtarchive/anonymity_as_the_default_and_w.html

http://www.newscientist.com/article/mg19025556.200?DCMP=NLC-nletter&nsref=mg19025556.200

“I AM continually shocked and appalled at the details people voluntarily post online about themselves.” So says Jon Callas, chief security officer at PGP, a Silicon Valley-based maker of encryption software. He is far from alone in noticing that fast-growing social networking websites such as MySpace and Friendster are a snoop’s dream.

New Scientist has discovered that Pentagon’s National Security Agency, which specialises in eavesdropping and code-breaking, is funding research into the mass harvesting of the information that people post about themselves on social networks. And it could harness advances in internet technology – specifically the forthcoming “semantic web” championed by the web standards organisation W3C – to combine data from social networking websites with details such as banking, retail and property records, allowing the NSA to build extensive, all-embracing personal profiles of individuals.

Americans are still reeling from last month’s revelations that the NSA has been logging phone calls since the terrorist attacks of 11 September 2001. The Congressional Research Service, which advises the US legislature, says phone companies that surrendered call records may have acted illegally. However, the White House insists that the terrorist threat makes existing wire-tapping legislation out of date and is urging Congress not to investigate the NSA’s action.

Meanwhile, the NSA is pursuing its plans to tap the web, since phone logs have limited scope. They can only be used to build a very basic picture of someone’s contact network, a process sometimes called “connecting the dots”. Clusters of people in highly connected groups become apparent, as do people with few connections who appear to be the intermediaries between such groups. The idea is to see by how many links or “degrees” separate people from, say, a member of a blacklisted organisation.

By adding online social networking data to its phone analyses, the NSA could connect people at deeper levels, through shared activities, such as taking flying lessons. Typically, online social networking sites ask members to enter details of their immediate and extended circles of friends, whose blogs they might follow. People often list other facets of their personality including political, sexual, entertainment, media and sporting preferences too. Some go much further, and a few have lost their jobs by publicly describing drinking and drug-taking exploits. Young people have even been barred from the orthodox religious colleges that they are enrolled in for revealing online that they are gay.

“You should always assume anything you write online is stapled to your resumé. People don’t realise you get Googled just to get a job interview these days,” says Callas.

Other data the NSA could combine with social networking details includes information on purchases, where we go (available from cellphone records, which cite the base station a call came from) and what major financial transactions we make, such as buying a house.

Right now this is difficult to do because today’s web is stuffed with data in incompatible formats. Enter the semantic web, which aims to iron out these incompatibilities over the next few years via a common data structure called the Resource Description Framework (RDF). W3C hopes that one day every website will use RDF to give each type of data a unique, predefined, unambiguous tag.

“RDF turns the web into a kind of universal spreadsheet that is readable by computers as well as people,” says David de Roure at the University of Southampton in the UK, who is an adviser to W3C. “It means that you will be able to ask a website questions you couldn’t ask before, or perform calculations on the data it contains.” In a health record, for instance, a heart attack will have the same semantic tag as its more technical description, a myocardial infarction. Previously, they would have looked like separate medical conditions. Each piece of numerical data, such as the rate of inflation or the number of people killed on the roads, will also get a tag.

The advantages for scientists, for instance, could be huge: they will have unprecedented access to each other’s experimental datasets and will be able to perform their own analyses on them. Searching for products such as holidays will become easier as price and availability dates will have smart tags, allowing powerful searches across hundreds of sites.

On the downside, this ease of use will also make prying into people’s lives a breeze. No plan to mine social networks via the semantic web has been announced by the NSA, but its interest in the technology is evident in a funding footnote to a research paper delivered at the W3C’s WWW2006 conference in Edinburgh, UK, in late May.

That paper, entitled Semantic Analytics on Social Networks, by a research team led by Amit Sheth of the University of Georgia in Athens and Anupam Joshi of the University of Maryland in Baltimore reveals how data from online social networks and other databases can be combined to uncover facts about people. The footnote said the work was part-funded by an organisation called ARDA.

What is ARDA? It stands for Advanced Research Development Activity. According to a report entitled Data Mining and Homeland Security, published by the Congressional Research Service in January, ARDA’s role is to spend NSA money on research that can “solve some of the most critical problems facing the US intelligence community”. Chief among ARDA’s aims is to make sense of the massive amounts of data the NSA collects – some of its sources grow by around 4 million gigabytes a month.

The ever-growing online social networks are part of the flood of internet information that could be mined: some of the top sites like MySpace now have more than 80 million members (see Graph).

The research ARDA funded was designed to see if the semantic web could be easily used to connect people. The research team chose to address a subject close to their academic hearts: detecting conflicts of interest in scientific peer review. Friends cannot peer review each other’s research papers, nor can people who have previously co-authored work together.

So the team developed software that combined data from the RDF tags of online social network Friend of a Friend (www.foaf-project.org), where people simply outline who is in their circle of friends, and a semantically tagged commercial bibliographic database called DBLP, which lists the authors of computer science papers.

Joshi says their system found conflicts between potential reviewers and authors pitching papers for an internet conference. “It certainly made relationship finding between people much easier,” Joshi says. “It picked up softer [non-obvious] conflicts we would not have seen before.”

The technology will work in exactly the same way for intelligence and national security agencies and for financial dealings, such as detecting insider trading, the authors say. Linking “who knows who” with purchasing or bank records could highlight groups of terrorists, money launderers or blacklisted groups, says Sheth.

The NSA recently changed ARDA’s name to the Disruptive Technology Office. The DTO’s interest in online social network analysis echoes the Pentagon’s controversial post 9/11 Total Information Awareness (TIA) initiative. That programme, designed to collect, track and analyse online data trails, was suspended after a public furore over privacy in 2002. But elements of the TIA were incorporated into the Pentagon’s classified programme in the September 2003 Defense Appropriations Act.

Privacy groups worry that “automated intelligence profiling” could sully people’s reputations or even lead to miscarriages of justice – especially since the data from social networking sites may often be inaccurate, untrue or incomplete, De Roure warns.

But Tim Finin, a colleague of Joshi’s, thinks the spread of such technology is unstoppable. “Information is getting easier to merge, fuse and draw inferences from. There is money to be made and control to be gained in doing so. And I don’t see much that will stop it,” he says.

Callas thinks people have to wise up to how much information about themselves they should divulge on public websites. It may sound obvious, he says, but being discreet is a big part of maintaining privacy. Time, perhaps, to hit the delete button.