August 08, 2004

Registration Systems for News Sites...

Robert Andrews commented on the Online News Association maillist, and on his blog about registration systems and users/readers frustration with online news sites that each require registration. His thoughts about a common registration system are understandable, but his suggestion that we get something similar to Passport (totally creepy) or Typekey (I have mixed feelings about it; see below) are problematic. Also, Adam Pennenberg has written something for Wired this last week on news site registration, where he admits to committing "..identity theft against my multiple selves..." as he tries to remember his many registration personalities across many news sites, while trying to protect his privacy by registering as people with wildly different demographics. I have to admit, I'm an 85 year old man living in Atlanta on the Washington Post's site, and have many other identities, for the Chicago Tribune, the LATimes, the Miami Herald... and for the NYTimes? I registered eight years ago describing my black lab, now deceased, which is still my login ID. So can totally identify with his story. Maybe I'm paranoid. Although I don't mind the targeted ads at all; in fact I prefer them, because if they are good, I actually want the information. But I hate the collection of my reading habits that are potentially available for some individual, company or government to sift through and put together. What do I have to hide? Nothing. But that's really not the point. People who have nothing to hide, start self-censoring when they know they are tracked and watched. And that corrodes the democracy and the commons. And it leads to totalitarianism. That's not the democracy I signed up for.

Identity Commons and Sxip are both working on creating a common user ID that could work across websites, including registrations, blog commenting, for reducing different kinds of spam and email including trackback spam. But there are problems and they are in development, so we have to wait to see what they come up with. But there are lots of security and privacy issues, like who keeps the data (Identity Commons is doing a distributed system) and for each instance where a system like this would be implemented, you have to think about who is using it, and what do trolls or spammers or other baddies have to gain from gaming the system. The controls that keep them in check may also be collecting information on the rest of us that as we learn more about the effects of our own online activites, we feel uncomfortable with and cause us to shift our intellectual consumption.

Adam and Robert both suggest a single registration system for logging into publishers sites. It would be great if publishers used a single system, for the convenience, but what happens when someone subpoenas the records of your activities across all those sites? How do you keep people's reading habits private? Sooner or later, it will happen. It's a matter of when and how the information goes out of the hands of the collectors, and into to other's hands.

Regarding Typekey, have you used it? I've installed a bunch of Moveable Type 3-series blogs recently, and set up Typekey both for the blog's back end and as a commenter, and find the whole thing disconcerting. First, as the blog owner, I have to connect myself via the blog to Moveable Type, by registering and giving my blog info. Then with that code they've given me on their site, I install it into the configuration on my blog's backend, which the system then syncs with MT back on their end. Then users come along, and when they want to comment, the blog redirects them to create a profile with Typekey if they don't already have one, which makes them able to post on any blog that require Typekey for comments. When a comment is made, the Typekey/MT site inserts an image on the comment located at the blogpost, linking back to the Typekey commenter profile located at the Typekey site. Each time *anyone* looks at the blog, MT gets a signal or ping, because that image has been called up from the Typekey site, as part of the opening of the weblog somewhere else, so MT could collect data about not just the blog and the commenter, but about everyone who visits that blog, somewhere out in blogland. And if you visit several blogs that all use Typekey and have these images planted there, even though you haven't signed up for Typekey as a blog owner or commenter, you can in a way be tracked, your reading habits recorded and strung together.

The upshot is that the three steps that Typekey and MT create to control comment spam also allow them to collect and use lots of data, beyond just the blog owner's registration or even commenter verification. I understand that they want to provide this service, and it's free, but it's disconcerting, Their privacy policy, that I can find, on typekey.sixapart.com concerns whether they will sell my email or other personal info not available on the web, as a commenter:

And their Typekey Comment Registration FAQ says this, though there is no link to the privacy policy and searches on the site turn up no privacy policy but this reference:



"

Fair enough, they won't share my info if I register, unless they get my permission. But what about my visits to blogs that have their profile image on them?

I did find, by googling "privacy typekey," this privacy policy and the key points for non-registered users and the collecting of info (from different sections) appears to be:

So what matters here is that not only is the Typekey system capable of collecting IP address information and the reading habits on registered users, both blog owners and registered commenters, but also anyone who accesses a blog that uses Typekey with a planted profile image. I would love to see Typekey's privacy policy state that it was not collecting my IP address across blogs; that it was deleting the last three digits from of the IP from it's system; that it was not available for subpoena. I understand they might want to crunch it for a week or two after collection, but at that point, deleting it would be great. And yes, IP is personal identification. A few mistakes not withstanding, just ask the RIAA how they are finding users they are suing for providing music uploads.... It doesn't take a rocket scientist to figure that one out.

Services and publishers that want to create single login registration need to think about the same issues, and make better systems than the current state of Passport or Typekey, so that not just the sharing of a registered user's email is addressed, but also what happens with the collection of reading habit information internally, what they will do when they get subpoenaed for the information they collect, or when the government comes along wanting a copy of the database under the Patriot Act, etc. One of the key tenants of freedom of speech is intellectual freedom, and the freedom to read in private, without fear of surveillance, because if people don't have that, they will self-censor. And it leads to corrosion of the intellectual and democratic health of the system.

Posted by Mary Hodder at August 8, 2004 11:10 AM | TrackBack
Comments

Definitely this subject is of major importance for the development of the internet and democracy, so hopefully this can be readed by as much people as possible.

Posted by: at August 9, 2004 01:34 PM

Mary, the PlaNetwork Journal article on The Social Web at http://journal.planetwork.net/article.php?lab=reed0704&page=1 covers in some depth how the OASIS XRI and XDI specifications Identity Commons is using can provide the persistent identifiers and trusted data sharing infrastructure necessary to assert identity and share data in a truly distributed fashion. It can support the strong security and privacy safeguards you advocate by following the same open standard and distributed architectural principles as the net and the Web themselves.

=Drummond

Posted by: Drummond Reed at August 9, 2004 01:45 PM