Cybersecurity and Authentication

Executive Summary

Anonymous speech plays a fundamental role in America’s political history. However, that long tradition of anonymous communications faces an image problem in today’s age of spam, computer viruses, spyware, denial-of-service attacks on websites, and identity theft. The criminals and hackers who perpetrate these insults on the commercial Internet are, for the most part, anonymous; we simply don’t know the identities of these bad guys. Yet the promise of anonymous communications is vital to the preservation of political liberty across the globe. So, how should we regard anonymity in a digital age? And how should we strike the right balance between security and anonymity online?

To begin, we should not consider the outlawing of anonymous communications as the answer to today’s cybersecurity threats. Commercial sector “regulation” of anonymity, so to speak, can play a significant role in combating these problems. Increasingly, online authentication has become important to both personal security and to cybersecurity in general. Some recent proposals toward bolstering security have included greater authentication of the source of emails to deal with spam, and the requirement that those who conduct transactions online reveal their identities—seeming violations of online culture. Policymakers also want a say in the matter, and as the process unfolds, they might feel increasingly tempted to intervene whenever issues impacting privacy and authentication emerge in debates over telecommunications, intellectual property, biometrics, cybersecurity and more. Regardless, government should not strip us of our anonymity online. Cybersecurity concerns may instead call for the marketplace—not regulators— to deal with the fact that many threats stem from that very lack of authentication. The inclusion of greater authentication standards into online services by private vendors will lead to their working in concert in unprecedented ways that may draw attention from regulatory and antitrust authorities. But these private, experimental efforts have no implications for political liberty—nor are they anticompetitive. Private solutions are the only real hope we have for decreasing cybersecurity threats, given that previous government efforts to regulate the Internet—for example, outlawing spam in 2004—have not lived up to expectations. Political anonymity and commercial anonymity are not the same thing, and the distinction requires better appreciation. Over the coming tumultuous period of dealing with online threats, policymakers should allow the experimentation necessary to cope with today’s lack of online authentication to proceed with minimal interference.