I have an account on hundreds of sites. Most of them use my email as my identifier. Do they own my identity online? Does Google own it? Facebook? The government?
Who are we?
There are the typical questions of identity that creep into the technical discussion here. My legal name is Tod Hansmann. I have a middle name, too, sometimes. I'm also TodPunk in most places. I'm also an email address, several in fact. I also often have a different work identity of sorts. I have a Social Security Number in the United States of America. These are all identifiers. I don't own my SSN, and if the federal government erased it from their DB, what does that do to who I am?
The philosophical stuff aside, my friends would still recognize me, my family would still be mine, but for most of us, if a single corporation decides to ban our account, it also bans our entire online identity, or much of it.
This is well known. What's not well known is that this is totally solvable, with incentives for all parties, but we keep screwing it up because of ego.
Accounts are not Identities
First, I am not my Facebook account. Obviously. However, right now, my Facebook account and my Facebook identity are one and the same. If my Facebook account is banned, or taken over, I can no longer identify as my Facebook identity. There's also some trust lost: even my mom would look at the Ray-Ban ad some bot would post on my feed with a great deal of suspicion, and then I could never post an actual product to my feed without suspicion from all of my friends.
Spam problems hurt everyone, but the point here is not that the hacking problems are real. It is that we build an association between the person and the online identity, just like we do with the person and the government identity, yet the identity and the person are overlapping, not equal. This extends to the account. If someone else shows up to my wife with my body but a different brain, she has already built the association between my body and my identity, and she will trust that body until suspicion is raised.
Just like my body is not me, even though it's an important aspect of how I present myself to the world, my online account is not me. Unlike my body, my online identifier can change all the time. My email, my username, my credit card number, all of these are ephemeral. Why don't we change our email more often? Why did we use to fear changing phone numbers much more than we do today? It's still a pain, but switching a less used and less trusted identifier of our identity is more acceptable.
Your account at the cellular provider is not as important as it once was. Your account at Facebook is much more so, sadly.
Separate IDs and Accounts
Just imagine for a moment that your phone number could move with you. That's exactly how we now know things to be, because we made it mandatory that I could "port" my mobile number to a different carrier. It raised competition among mobile providers, so they had to convince you to stay with them not because of the associations you had built with your number, which they held all the rights to, but because of the value they provided while your number was with them.
That's a pretty important change that we all understand, but take for granted. We do that a lot with identity, just kind of roll with the tide we find ourselves in. That's fine, but we should do the same with our online identities, and getting people to care about that is super difficult, so we actually just need to change the tide to something easier to roll with. Make the optimal choice easy, but still a choice.
What we need to do is make identity and accounts different, so you can lose your account but not your identity.
Account Loss
I've yet to be banned from a store, or have my phone number filtered out, but I did build a whole company so I can filter out other people's phone numbers. That list of telemarketers would grow endlessly, so I actually just filter out everyone I don't know beforehand after business hours. If you filter out my phone number, I can still call my family. If Facebook were to ban my account, I would lose a lot of ability to communicate.
What if losing an account on Facebook just meant you lost that account on Facebook, and not your ability to log in to everywhere else you log in with your Facebook account? That's more approachable. It just means that Facebook can't also be my identity. If I logged into Facebook with my identity, my Facebook account could still be everything Facebook wants it to be, and I could get the benefit of having the separation, while also finding it easier to log in everywhere. I log in to MyFriendsStore dot com or whatever with my identity, and it creates an account automatically and I never have to know or care.
That prevents account loss from being identity loss, but what about people we want to have more widespread bans?
Associative reputation
Do you trust an email more from Microsoft.com or from Hotmail.com? Gmail? How did you decide that? The company you keep matters, both online and off. If your domain is known to be used by spammers, it gets a worse reputation. Not completely tarnished, it just depends on behavior. Did you know that we have reputation scores that people pay for to track email spammers? It's less common these days, but we do try to punish bad actors as accurately as we can.
If we have an identity you share across many accounts, we know that bad actors come from some providers more than others. That's valuable for us all, because if you have 1000 bot accounts on your domain, it will be seen pretty quickly that a lot more bots come from your domain than from others.
Would you like fewer bots having power online? Would you like to not have to create new accounts with new logins/passwords to every site that doesn't have your favorite social media login? Your social media logins could provide you this ID if you want to trust Facebook. Now they're incentivized to keep spammers off their account lists, too, which means you care about their reputation because it is also your reputation.
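A small model of the two ideas above, added here as an illustration and not code from any real identity system: accounts live at each site and are keyed by a portable identity, so a ban at one site leaves the identity usable elsewhere, while bans across sites roll up into a per-provider reputation. The `Site` class, the `(provider, subject)` key, the `provider_ban_rate` metric and the `.example` domains are all assumptions made for this sketch.

```python
from collections import defaultdict

class Site:
    """A relying party: its accounts are local, keyed by a portable identity."""
    def __init__(self, name):
        self.name = name
        self.accounts = {}  # (provider, subject) -> {"banned": bool}

    def login(self, identity):
        # First login silently creates the local account.
        account = self.accounts.setdefault(identity, {"banned": False})
        return not account["banned"]

    def ban(self, identity):
        # A ban touches only this site's account record.
        self.accounts.setdefault(identity, {"banned": False})["banned"] = True

def provider_ban_rate(sites):
    """Share of each provider's identities banned on at least one site."""
    seen, banned = defaultdict(set), defaultdict(set)
    for site in sites:
        for (provider, subject), account in site.accounts.items():
            seen[provider].add(subject)
            if account["banned"]:
                banned[provider].add(subject)
    return {p: len(banned[p]) / len(seen[p]) for p in seen}

def demo():
    social = Site("social.example")
    store = Site("myfriendsstore.example")
    # Constructed identities: provider A issues five people, provider B
    # issues one person and four bots.
    people = [("provider-a.example", f"person{i}") for i in range(5)]
    people.append(("provider-b.example", "person5"))
    bots = [("provider-b.example", f"bot{i}") for i in range(4)]
    for site in (social, store):
        for identity in people + bots:
            site.login(identity)
        for bot in bots:
            site.ban(bot)
    tod = people[0]
    social.ban(tod)  # one site bans one person's account
    return social.login(tod), store.login(tod), provider_ban_rate([social, store])

if __name__ == "__main__":
    print(demo())
```

The banned person is locked out of one site only, and the provider that issued the bots ends up with the visibly worse ban rate.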
This is tech as a tool people can just use naturally, not a tech solution solidifying what identity or reputation mean, just giving you the pieces to decide how you want to use them. Maybe you don't care if an email comes from Hotmail or Gmail. Maybe you do. Should a random company be deciding that for you?
I believe we can make those decisions separately.