The absence of self-authenticating facts in cyberspace reduces its regulability. If a state, for example, wants to regulate obscenity or control children’s access to “indecent” speech, the Internet architecture provides no help. Both data and people are unidentified in this world, and while it is often possible to make good guesses, it is also easy to make good guesses impossible. With the Internet architecture of Net95, it is easy to hide who you are. Perhaps more important, it is difficult to assert facts about your identity in a credible way. On the Internet it is both easy to hide that you are a dog and hard to prove that you are not.

All this is true under one architecture of the Internet. Claims about the difference between real space and cyberspace depend on this difference in design. The lesson of the last chapter, however, was that architectures could be different. We could imagine different architectures that would better help us identify who individuals are and authenticate other facts about them.

In the balance of this chapter, I want to introduce one such architecture. I will consider questions—about its use or justification, its possible threats to privacy or anonymity, or the likelihood of its becoming a dominant architecture—in later chapters. My aim here is to convince you that there are such architectures and to sketch the regulability that such an architecture would permit.

Architectures of Identification

Consider three common techniques used today to identify someone on the Internet. There are others, and the description of these three will not be complete. But a sketch of these three reveals two features of a “pass-technology” that will be central to the architectures of identification that the Net is now building.

The first technique is a password. You have an account on a system; the account has your account name and password; when you access the system, you must provide both bits of information. The combination is what verifies that you are authorized to use the system.

There are any number of examples of identification of this sort. America Online (AOL) is a well-known one. You must type in a password associated with a particular “screen name” before you can enter AOL. Lexis—a provider of online legal resources—is a second, though Lexis requires only a single password (not an account name as well) to enter. Uses of the database are then charged to that password.

A password system has well-known advantages and disadvantages. The main advantage is its security—at least as long as the user keeps his or her password secret. The disadvantage is cost and the inconvenience of continually using passwords to move from one space to another.² If every site on the Net required some sort of password, then surfing would be as tedious as crossing Manhattan during Friday rush hour.

A second, and much cruder system avoids this inconvenience. This system uses verification through a “cookie”—a small entry made by your browser to a “cookie file” on your hard disk that allows a site to know who you are.³ When you first purchase a book from Amazon.com and establish an account, for example, Amazon.com’s server places an entry in your cookie file. When you return to that site, your browser sends the cookie along with the request for the site; the server can then set your preferences according to your account. Amazon.com can recommend books for you to buy, given the pattern of purchases you have made before.

Footnotes

¹ By “layering” I don’t mean that such architectures would change the basic TCP/IP protocol suite. The changes I am describing here are within the application space—not the application layer—of Internet applications. I define “application space” in chapter 8. Edit Delete

² There is also the disadvantage of securing the password, especially if the password is transmitted as plain text. I am simplifying brutally in my consideration of that issue here. Edit Delete

³ For a description of the privacy and security threats posed by cookies (“essentially nonexistent”), see U.S. Department of Energy, “Computer Incident Advisory Capability,” Information Bulletin, I–034: Internet Cookies, available at http://www.ciac.org/ciac/bulletins/i-034.shtml; see also Carl W. Chamberlin, “To the Millennium: Emerging Issues for the Year 2000 and Cyberspace,” Notre Dame Journal of Law, Ethics, and Public Policy 13 (1999): 131, 173; “Developments in the Law—The Law of Cyberspace: IV. Internet Regulation Through Architectural Modification: The Property Rule Structure of Code Solutions,” Harvard Law Review 112 (1999): 1634, 1644, n.57; Neil Randall, “How Cookies Work,” PC Magazine Online, available at http://web.archive.org/web/19990117023130/http://www.zdnet.com/pcmag/features/cookie/cks1.htm. Edit Delete