Recently Kunal started sending spoofed emails to the list, which appear to come from other people. This is quite easy to do, and is hard to spot if you can’t read email headers. It started as a way for him to post to the list after being banned, but turned into a full-on discussion of digital identity after he posted a link to the web interface he’s using, allowing anyone with the link to email the ITP student list as anyone who’s subscribed. The page is titled, appropriately, Chaos. (I’m withholding the link because, as you can imagine, there’s been enough uproar without having to worry if – gasp! – outsiders were mucking with our identities and list politics. Sorry to ruin your fun.)

Anyway, it tied in nicely with what I’ve been thinking lately about privacy, security, and identity online. I think 2007 will be the year in which the intersection of those three things hits home for the mainstream users, probably through a major breach of privacy. Hopefully it will be from something like Gmail, and Google will be forced to deal with the (somewhat unfair, I’d say) mounting wariness of all the data they possess on us. That would at least get fixed in a timely manner. I shudder to think of what would happen if it’s related to the new RFID passports.

In any case, my response to the discussion is after the jump. Much more on these issues next semester, too. After all, you can’t start 2007 with Chaos and expect an uneventful year.

Update: Here’s Clay Shirky’s article on the ITP student listserv.

I think this would be a good time to bring up points of how we assert our identities and how we assume certain things about the people we’re interacting with. I’m talking about this in both a “yes, person I’m talking to, I am Adam Simon, so sez this” kind of way as well as all the background associations that artifact (my name) calls into play.

For example, today Citibank asked me to provide answers to four security questions, which I could select from a list of a dozen or so. More than half of the questions were utterly subjective and changeable, such as my favorite food or my hobby. Even the better ones were not as factually-oriented as (I think) they should be: “What is the last name of your first boyfriend/girlfriend?” Depending on my mood (sentimental, horny, irate at my loan provider, etc), I could come up with a half dozen answers to that question. Do you want my first serious boyfriend, the first one I slept with, the first person I called “boyfriend”, the first person I called “girlfriend”, the first boy I kissed, the first girl I kissed…? You see where I’m going with this? There may be an obvious answer today, but will it be so obvious two years from now? Ten? And don’t even get me started on hobbies.

So, there’s that sort of identity, which banks and such are trying to be smart about verifying, and which would help with this email spoofing business. If Andy (or whoever it really was) is right about it being so simple, then it seems like this is a problem that should be addressed – we’re aware of what’s going on, but it’s ripe for abuse amongst most of the population. Perhaps we should be talking about identity verification?

And then there’s the issue of the social identity, and how spoofed email fits into that. danah boyd talks a lot about writing yourself into being – it’s usually not through email, but every bit counts toward an overall picture of what your name represents. On one hand, a well-spoofed email might go a long way toward altering the social identity of an individual by altering the receiver’s opinions of him/her. Of course, you’d have to both be unsuspecting of spoofing (or unaware of the possibility) and the email would have to be well-written in the style of the spoofee. On the other hand, this could be a good way to verify identity – if you know that I live off the R train, and the email mentions taking the F home, you’d probably note it.

The Citibank questions are attempting to simulate that level of social knowledge about me – the sort of things a good friend might know – to verify my identity, but they’re doing so rather clumsily. Citibank doesn’t know me at all, and is expecting my answers to their subjective questions to remain unchanged. An easy fix would be, in the case of the boyfriend/girlfriend question, to let me specify a first name and a last name when submitting the question, and then presenting me with the first name and asking for the last name when my identity needs to be verified. A better fix would be to ask me about the things Citibank already knows about me. They have my tax return from last year for loan purposes, so they know that I used to work for CBS. Why can’t they ask me the name of my primary employer in 2006?

So…How can we use what we already know about each other to verify our identities? And how can we get to know each other well enough to have information to verify? I like this notion for experimenting with less-critical things like the ITP listserv, too, because the people whose identities it matters most that we verify will be, presumably, the people closest to us, and thus the easiest folks to mark as authentic. It’s kind of elegant, at least in the abstract.

I don’t have any answers, I’ve just been thinking about this a lot lately, and Kunal’s Chaos page fits right into my recent thoughts, clearly.