Index: [thread] [date] [subject] [author]
  From: Matt Norwood <mrn2101@columbia.edu>
  To  : CPC <cpc@emoglen.law.columbia.edu>
  Date: Sat, 29 Apr 2006 01:49:42 -0400

[CPC] Paper 2: Legal Treatment Of Online Identity

US v. Naughton: One-Off Criminal "Fantasy Defense", or Turning Point for
the Jurisprudence of Online Identity?

In 2000, Patrick Naughton, vice president of Internet search company
Infoseek, was arrested for traveling across state lines with the intent
to have sex with a minor. He had corresponded extensively with an FBI
agent impersonating a 13-year-old girl in an AOL chatroom and had made
plans to meet her and have sex. When he showed up, the FBI arrested and
charged him.

At his criminal trial, Naughton employed what has come to be known as
the "fantasy defense": citing his technical sophistication and the adult
tone of his interlocutor's conversation, he claimed that he believed her
to be an adult woman playing the role of a teenage girl... which,
indeed, she was, although for different reasons from those Naughton
claimed to have believed.

The defense managed to hang a jury, resulting in a retrial. Naughton
pled guilty the second time around and took a reduced sentence, serving
no prison time. [1]

I think this more than just a story about slick trial lawyer tricks.
Naughton's case might be remembered primarily as a tortured application
of the reasonable doubt standard, like the O.J. Simpson trial, or a
wacky legal theory like the Twinky Defense, but it might also say
something more profound about changing social and legal attitudes toward
the perception and performance of online identity. Naughton claimed that
what he perceived and participated in in that chat room was not a
straightforward exchange of truthful personal information, but a
ritualized sexual role-playing exercise conducted using masks and alter
egos. He convinced half of a jury that, first of all, only an
unsophisticated Internet user would trust someone else's assertion of
real-world identity without some way of authenticating it, and second,
that adopting an false online persona is a common practice in
chatrooms. 

Since 2000, a lot of things have changed. There are a lot of people in
this country who know as much or more about Internet culture and
technology as Patrick Naughton did in 2000. Does this mean that it's
reasonable to expect skepticism about anyone's unauthenticated assertion
of identity online? If such a theory were successfully used today, it
might spell big changes for online defamation and fraud. But it might
also signal an impending clampdown on online anonymity.

----

The performance of online identity has been tackled by psychologists and
technologists [2], but not so much by legal scholars. The disconnect
between what is stated and what is understood has long been a
distinctive feature of online culture. Chatroom participants adopt
imaginary personae. Parody websites adopt outrageous political positions
and revel in the ensuing hate mail from "clueless" visitors. Blogs and
Friendster profiles are maintained in the name of famous or fictional
characters. Email hoaxes and April Fools jokes gone wrong circulate
endlessly through the mail exchanges of the net. Recognition of the
malleable, performative nature of online identity would clear up some of
the legal absurdity surrounding defamation and unfair competition cases
based on casual or facetious online speech.

But this disconnect between actual and performed identity also has what
the New York Times would call its "sinister" side. Phishing, fraudulent
personal ads, system cracking, and anonymous harassment are all as
serious online as are offline con games, fraud, trespassing and
stalking. On the Internet, no one knows you're a dog... or an FBI agent,
or an eBay customer service representative asking for a user's password.
Seasoned users take this uncertainty for granted and manage their trust
accordingly.

But as newer users become more sophisticated and begin to understand the
unstable nature of online identity, they may, paradoxically, develop
anxieties about the inapplicability of their realspace intuitions to
social interaction on the Net. If the legal system begins to see
reliance on someone's online representations as unreasonable, businesses
and individuals may react badly. Fear of fraud and impersonation could
trigger a demand for reliable online identity authentication systems.
Which, in and of themselves, might not be a bad idea, as long as they
use decentralized, user-controlled, open-standard technologies like PGP
or OpenID [3]. But another scenario goes like this:

1. Users flip out over unverifiable online personae.

2. Microsoft and AOL revive their identity-management systems
"Hailstorm" and "Magic Carpet" [4] (has anyone heard anything about
either of these in the past five years?), and Google and Yahoo join in
with their own Mail/Calendar/Chat/Phone/WiFi centralized accounts.
MySpace, Amazon, and everybody else try to jump on the bandwagon.

3. Incompatibilities lead to consolidation of these systems into one or
two proprietary standards.

4. People start emailing, chatting, and shopping using authenticated
channels.

5. People's web browsers broadcast their authenticated identity
information by default, keeping them logged into all their personal
accounts at all the websites they visit.

At this stage, problems begin to arise:

6. The owners of these systems have perfect control, not only over
everyone's personal information, but over their purchasing power, and
they leverage that control to make cutthroat deals with merchants and
media outlets.

7. The Net starts to balkanize and fence itself off as individual
website operators make exclusive deals with one identity manager or
another and sites begin to refuse access to anyone without an
authenticated identity.

8. Online anonymity becomes an anomalous, conspicuous, and largely
unworkable condition.

9. Online commercial activity become impossible without an account on
one of these systems.

10. 1984 and the Book of Revelation act themselves out simultaneously.

----

This sounds like an unlikely set of consequences for a case that was
decided six years ago and has garnered little attention since. But the
identity-management wars have come close to boiling over periodically
over the last six years, and Google's strong entry into the space,
combined with the emergence of a new legal standard for reasonable care
online, could spark a desperate grab for users by the handful of major
players in online identity management. It would be a winner-take-all
game, and the Internet - and society - that emerged might not look very
familiar or comforting.

[There, how's THAT for Internet alarmism? New York Times, eat your heart
out.]

----

[1] US v. Naughton:
http://www.cbsnews.com/stories/2000/05/24/eveningnews/main199192.shtml

[2] Sherry Turkle is a pioneer in this field
(http://en.wikipedia.org/wiki/Sherry_Turkle), but Judith Donath's stuff
is more sophisticated and a better read
(http://smg.media.mit.edu/people/Judith/). See, e.g.,
http://smg.media.mit.edu/people/Judith/Identity/IdentityDeception.html

[3] OpenID: http://openid.net/

[4] Hailstorm and Magic Carpet:
http://www.betanews.com/article.php3?sid=995975421


-----------------------------------------------------------------
Computers, Privacy, and the Constitution mailing list



Index: [thread] [date] [subject] [author]