From: Hal <hfinney@shell.portal.com>
Date: Thu, 16 Nov 1995 10:07:03 +0800
To: cypherpunks@toad.com
Subject: Anonymity and Intellectual Capital
Message-ID: <199511160148.RAA18908@jobe.shell.portal.com>
MIME-Version: 1.0
Content-Type: text/plain


Here is a draft article by David Post of Georgetown Law Center.  He
offered it on the Cyberia list and it includes permission to
redistribute.  I thought it had some interesting ideas on anonymity and
pseudonymity, as well as our old bugaboo "reputation capital".  I have
reformatted it slightly to improve readability but made no changes to the
content:


Pooling Intellectual Capital: Anonymity, Pseudonymity, and
Contingent
Identity in Cyberspace    

DRAFT OUTLINE
October 31, 1995
David G. Post [NOTE 1]

	  Most discussions of "anonymity" in cyberspace focus on
whether or not to regulate the availability of "untraceably anonymous"
messaging functions -- anonymous remailer services and the like -- and
the related question of how, in the special circumstances of
cyberspace, one might accomplish such regulation).  To be sure, this is
an important perspective; although we are embedded in a world in which
anonymous transactions are pervasive, we have never before been able to
manipulate anonymity, or to undertake as wide a range of anonymous
transactions, as cyberspace allows us to undertake (and we have,
therefore, only begun to think about the implications of being able to
do so).  At the same time, however, the technology offers, it would
seem, new prospects for eliminating anonymous communication, i.e., for
requiring (and enforcing the requirement for) completely "traceable"
communication.

     We need, in the first instance, to understand more about the costs
and benefits of anonymity in this new environment before we can
sensibly talk about the best way to regulate it (or whether to regulate
it at all).  Harms associated with an anonymous messaging  regime
include, notably, the inability of "law enforcement" (broadly defined
to include both public and private enforcement) to obtain information
on persons responsible for harm perpetrated by individual actors;
benefits include the ability of individuals to engage in communicative
activity without putting any aspects of their "identity" at risk (see
below for additional discussion of the reasons for the quotation marks
here).

	  My thesis here is that, because of the close links
between anonymity and pseudonymity in cyberspace, new elements need to
be added to this equation -- primarily on the benefits side.  This
requires disentangling, at the outset, three related concepts:
anonymity, pseudonymity, and traceability.  We can define an
"anonymous" communication as one in which the message itself contains
(and hence the recipient of the message receives) no information
regarding the identity of the sender.[NOTE 2]  Although there can be
truly anonymous messages even in this strict sense -- messages
containing no information about the originator -- it makes more sense
to talk about anonymity as a continuous rather than a binary attribute
(present/absent) of messages:  even messages we ordinarily think of as
"anonymous," after all, contain some information about the author
(e.g., graffiti scrawled on a subway platform informs us that the
author was literate, and was geographically located in a certain place
within the last x months/years, all of which probably effects a
significant reduction in the reader's uncertainty about the identity of
the author by ruling out the vast majority of individuals in the world
as possible authors).

     Messages, however, rarely contain a fixed amount of information
about the sender's identity; [NOTE 3] the degree to which a message may
be considered "anonymous" is rarely (if ever) an inherent
characteristic of the message itself.  Relevant information about the
originator's identity may well often be available, but only at some
additional cost.  For example, an "anonymous" note slipped under the
door may be covered with fingerprints from which, were we able easily
to access both a fingerprint reader and the FBI's fingerprint database,
we could obtain significant information about likely originators.
"Traceabililty" measures the cost of obtaining information about the
identity of the sender in addition to the information that is "readily
apparent" -- i.e., obtainable at (virtually) no cost -- from the
message itself.[NOTE 4]

	  Finally, we can define a pseudonymous message as one
that contains information (of varying reliability, to be sure) about
the identity of the originator -- the cognizable entity responsible for
transmitting the message -- without simultaneously providing
information about the actual, biological, individuals responsible for
transmission of the message.  Pseudonymity, like anonymity, shields
aspects of the identity of the "real" actor from view; information that
a book was written by "Mark Twain" by itself gives you no more (or
less) information about the true identity of the author than does the
information that it was written by "Anon." Indeed, if Samuel Clemens
had chosen to publish each of his novels under a different pseudonym,
that would have been the essential equivalent of publishing all of the
novels under the pseudonym "Anon.," or "John Doe." Pseudonymity allows
each message to carry additional information, cumulative over time,
about the pseudonymous actor; i.e., the difference between pseudonymity
and anonymity is that the former, but not the latter, allows the
accumulation of reputational capital in the pseudonymous entity.  The
use of the a single pseudonym "Mark Twain" allowed Clemens to invest a
single entity with reputational capital, built up over time and across
different novels; "Anon." will not serve that purpose, primarily (if
not exclusively) because it is unprotected and used by any number of
other authors (many of whom might not be quite as talented as
Clemens).[NOTE 5]

	  In other words, pseudonymity, like anonymity, allows
individuals to act without putting at risk any aspects of their own,
personal identity (including their physical assets, reputational
capital, financial capital, and the like); pseudonymity differs,
however, from anonymity in that it allows the accumulation of
reputational capital in the pseudonymous entity.  Both anonymity and
pseudonymity are thus forms of "limited liability," and the extent to
which they serve that function effectively is determined, in both
cases, by whatever traceability requirements are imposed.  To
illustrate, take the extreme case, e.g., a requirement that all
messages contain certain information about specified aspects of the
originator's "identity."  This would not only eliminate anonymous
messages (at least to the extent it could be enforced), but it would
make certain forms of pseudonymity effectively unavailable as well; the
reputational capital belonging to "Mark Twain" and to "Samuel Clemens"
would be identical, and whatever aspects of Clemens' identity had to be
revealed would no longer be shielded in the course of any transactions
in which "Mark Twain" was involved.

     Most discussions of "the regulation of anonymity in cyberspace"
are really discussions about traceability requirements.  The potential
benefits and harms that accompany an anonymous messaging regime are
directly related not to the availability of "anonymity" per se, but to
the availability of untraceable anonymity.  I know of no serious
proposals, for example, to prohibit individuals from leaving their
electronic mail messages unsigned; the hard questions all concern the
nature of the traceability requirements that will be put in place in
regard to those messages, i.e., how easy or difficult will it be for
the recipients of such messages, third parties, or law enforcement
officials, to obtain additional information about the identity of the
message originator.

	  But traceability requirements will have an impact --
possibly a profound impact -- not merely on the availability of
anonymous communication, but on the availability of pseudonymous
communication as well. For example, a sufficiently high degree of
traceability eliminates both anonymous and pseudonymous messages;
requiring all authors to provide information about their "real"
identity not only makes it impossible for them to communicate
anonymously, it is, in effect, impossible for them to communicate
pseudonymously as well.  Analyzing the consequences of a "ban on
anonymity" in cyberspace needs to take more than the benefits and costs
of anonymous messaging into account; it needs to be evaluated in light
of the benefits and costs of pseudonymous communication as well,
considerations that have received less attention from those looking at
these questions. So the question "what is the best traceability
requirement to apply to electronic communication" needs to consider not
only the harms and benefits flowing from anonymous communication but
these additional considerations as well.

	  Because all communication in cyberspace is entirely
machine-mediated -- i.e., because the "identity" of the relevant actors
in a biological sense is necessarily at one remove from the
communication itself -- everyone acts "pseudonymously," at least in the
sense that you can only be identified by a stream of bits when you act
in cyberspace [NOTE 6].  The prospect for more creative uses of
pseudonymous action -- the ability for individuals to pool their
individual intellectual capital with great flexibility and with very
low start-up or transactions costs, into a wide range of new kinds of
actors and entities, each capable of accumulating reputational capital
-- is a profound and exciting feature of this environment.[NOTE 7]

	       The "limited liability" metaphor now becomes a bit
more useful.  Just as limited liability in the corporate context was
designed to encourage the pooling of physical and financial assets into
corporate entities, assuring investors that their personal assets would
not be placed at risk, so, too, should protection against traceability
(i.e., protection for pseudonymous action) encourage "investors" to
pool their intellectual capital into pseudonymous entities, assuring
those investors that only the reputation of the pseudonymous actor, and
not their own personal assets, are at risk when the entity acts.

     This approach probably answers none of the hard questions about
the proper scope of regulation; it may, hopefully, lead to a
consideration of those questions that need to be answered before any
regulatory actions are undertaken.  If there are benefits to be gained
from the actions of these entities -- if the pooling of intellectual
capital into entities leads to new and valuable forms of intellectual
undertakings (itself a question open to discussion) -- we should seek
to design our rules of limited liability to simultaneously induce
"investors" to form these new entities while minimizing the costs that
may be associated with their formation?  Analyses of corporate limited
liability are useful analogues for this inquiry; when should "piercing
the veil" of pseudonymity be permitted or required? Can we disaggregate
the various aspects of personal identity that should receive more, or
less, protection from disclosure?

************************************************

NOTES.

	  1.   Visiting Associate Professor of Law, Georgetown
University Law Center, and Co-director, Cyberspace Law Institute.
Email:  Postd@law.georgetown.edu or DPostn00@counsel.com.  Permission
is hereby granted to freely copy and distribute this paper; please
retain the "Draft" designation as well as attribution to the author.

	  2.   I use "information" in the information-theoretic
sense, in which information is measured as a reduction in uncertainty;
that is, a message that contains information about the identity of the
sender is one that, by definition, lowers the recipient's uncertainty
concerning the identity of the sender.

	  3.   "Identity," of course, is not a static,
context-less piece of information, but is, rather, a complex cluster of
characteristics attributable to an individual, subsets of which may be
more or less relevant in particular contexts (and information about
which may be differentially transmitted in particular messages).
Consider the graffiti again -- even assuming that this may be an
"untraceable" message, in what sense is it an "anonymous" one?  The
reader may obtain a great deal of information relevant to (certain
aspects of) the originator's "identity" -- information about the
originator's political views, perhaps, or familiarity with certain
historical events.  On the other hand, the original message provides no
information (i.e., it is "anonymous") with regard to the originator's
state of domicile (or where the originator went to school, or how many
children the originator may have -- all attributes relevant, in other
contexts, to the question of the originator's "identity").

	  And while we ordinarily think of "identity" in the
context of individual biological persons, that is far too restrictive a
view.  Consider my receipt of an (unsigned) notice from the Department
of Motor Vehicles, or an (unsigned) advertising flyer from my local
McDonald's restaurant.  Each of these messages is "anonymous" in one
sense: I obtain virtually no information about the "identity" of the
(biologically-relevant) individual who typed the notice or otherwise
caused it to be transmitted to me (if indeed there is any such
person).  But it is hardly anonymous in another (and probably more
significant) sense: the letterhead clearly identifies the "identity" of
the more relevant actor (the DMV or McDonald's).  The relevant actor
here, i.e. the DMV or  McDonalds, has a reality unconnected with the
physical "identity" of any of its individual constituents (employees,
officers, etc.); indeed, a notice from the DMV that is mistakenly
placed on non-letterhead stationery (but that is signed by the typist)
surely has less reliable information about the originator's "identity"
than the reverse (i.e., an unsigned note placed on DMV letterhead).

	  4.   Traceability itself is highly context-dependent,
insofar as both the cost of obtaining additional identification
information, and the value of that information in reducing uncertainty
regarding identity, will vary, possibly greatly, from one situation to
another.  It may, for example, be relatively easy for a law enforcement
official to obtain information regarding the identity of the individual
who placed a particular phone call; the same information may be
prohibitively difficult for other individuals to obtain.  Traceability
is also affected by the (1) whether or not relevant identification
information exists in the hands of third parties (i.e., parties other
than the originator and recipient), (2) the third party's duty (or lack
of a duty) to keep the information secret, and (3) the ease with which
disclosure can be legally compelled (by process, subpoena, etc.).

     5.   Anonymity can thus be regarded as a subset of pseudonymity,
with the critical difference being, for my purposes at least, that
pseudonymity allows the accretion of reputational capital in the
pseudonym.

	  6.   This stream may have a high degree of traceability
-- if my electronic mail address is "Postd@law.georgetown.edu," for
example, there at least appears to be information allowing the message
to be traced to a real individual (though query, as always, how
reliable that information may be).  Or it may not -- the use of a
screen name on America Online, or, in the extreme, the use of anonymous
remailers.

	  7.   Examples: the Cancelmoose; the Cyberspace Law
Institute.

     8.   I use "regulation" in the broad sense, to include not only
State action but the "regulatory" activities of e.g., individual system
operators.

	  9.   Note, in this regard, that protecting the "limited
liability" features of pseudonymity does not necessarily mean that
harms imposed on third parties by pseudonymous entities must go
unredressed (as is the consequence of limited liability in the
corporate context); because reputational capital is not transferable,
i.e., is not useful for the purpose of compensating victims of harms
perpetrated by pseudonymous entities, redress can be achieved by
exposing individuals' financial assets, though not necessarily their
personal identities, to risk when the pseudonymous entity acts, and
there are various insurance and authentication/certification regimes
that I will discuss to accomplish this.