1. 46
  1. 14

    I may have missed something, but what’s the problem with just having multiple accounts? I get that accounts tied to phone numbers are annoying, but that’s a problem with or without phone numbers (I for example would like to have no phone at all). The solution seems to be making accounts cheap (eg. via cryptography) that can be mapped on to complex identities, instead of basing everything on a complex system.

    That being said, in most cases identities/accounts are superfluous, and shouldn’t exist in the first place.

    1. 10

      Not the author, but my own biggest challenge is that most services make multiple accounts difficult and/or expensive to use in a lightweight fashion. In short, they’re a pain.

      I.e., the clients for most services don’t support being signed into more than one account at once; it’s not supported to run more than one active client at once; and if I’m running multiple clients, they’re really resource heavy. When I’m using multiple accounts, I usually want to use them more or less concurrently. I’d like to have just one client open, and toggle between accounts at will.

      Also, even when a phone number isn’t required, many services also require that each account be associated with some external resource like an email address, which means I need to manage those as well. (Some services even collapse plus-addresses, so I have to actually create separate email accounts, or do weird forwarding stuff, or whatever.)

      1. 7

        Some services even collapse plus-addresses

        Ugh, that’s downright evil.

        At least with your own domain you don’t have to use the plus scheme, you can make whatever scheme you want :)

        1. 4

          But then you have to use your own domain :D

        2. 3

          I think it’s obvious to everyone, that the system of accounts is broken, because it has been constructed in such a round-about way, on top of systems that weren’t meant for it, but are expressive enough to implement some kinds of identities. Email, for example, has been reduced to a (questionable) foundational-identity, that most people don’t even bother to use as Email, because all they get are “click-here-to-confirm” links at best, and outdated notifications at worst. But for most clients, switching between identities is pretty easy, as it’s just changing what’s in the From field (eg. I automatically detect if a To, Cc or From field is from a university address, and let Emacs replace the To field for me).

          But most “platforms” have to re-implement everything from the ground up, accounts, passwords, backup systems, systems to reset passwords, usernames, etc. Just consider how a problem as simple as sending a text message has resulted in so many mutually incompatible solutions. As such, it’s not a surprise that systems of identification don’t cover all use-cases.

          Generally: The more I think about it, the more I believe that most of these problems should be solvable on a “lower” level, instead of making the towers we have built on top more and more complicated. Communication and identities should be primitive concepts in networked systems, that then ideally should be cheap and interchangeable. But all of these are just unfinished ideas.

        3. 14

          Here is a screenshot showing how many instances of Discord I have open right now: https://i.imgur.com/6yitn61.png Discord’s UI doesn’t easily allow for creating and using multiple accounts. I have to run things like Rambox that make me end up dedicating about 5 GB of ram to that whole mess in addition to my primary account (Yes Discord really uses that many resources). This is even worse on my iPad because I can’t just have multiple accounts active at once.

          I currently have to keep track of over 12 email addresses between the various separations involved.

          in most cases identities/accounts are superfluous, and shouldn’t exist in the first place

          They are superfluous to you because you haven’t experienced the kind of realities that would demand you to have thought about this. This is as useful to parents that want to have a social life while having children as it is to others like plural systems.

          1. 18

            I mean, I agree that discord is terrible, and it’s a tragedy that it has become as pervasive as it is. But I’m not sure what that has to do with my point? Maybe my other comment in response to @ajdecon clarifies what I am talking about.

            They are superfluous to you because you haven’t experienced the kind of realities that would demand you to have thought about this.

            I’m not sure how you came to this conclusion, but all I can say is that it is not true, and that my experiences with the problems you have enumerated, have led me to the opposite conclusion. Please do not assume that everyone who has a different stance is ignorant or inexperienced, it comes off as quite arrogant (this applies to your post and your comment).

            Thank you.

            1. 2

              Discord’s terribleness is far from unique. The Google account switcher is basically the current best-of-industry on this problem, and it’s not exactly amazing.

              1. 1

                Not sure what makes you think that, but I found the ones in Reddit and Twitter far better.

            2. 4

              Interestingly, official Telegram clients have a very easy account switcher.

              Even though Telegram is one of those phone-number-based messengers.

              1. 2

                Isn’t that a problem with Discord that is largely orthogonal to the identity problem? That is, why do you still need an identity-management system if Discord was super-low-resource-usage, allowed you to run multiple instances signed into different accounts, and let you use a single phone number/email address for multiple accounts?

              2. 2

                in most cases identities/accounts are superfluous, and shouldn’t exist in the first place.

                Why? In what way? I can’t tell if you’re saying “people shouldn’t have multiple identities” or just “accounts on computers and websites are often not really needed”.

                1. 2

                  The latter.

                  1. 2

                    Um, really? “Extraordinary claims demand extraordinary evidence.” I can think of some valid nuanced points about identity and security you might be making, but on face value your statements seem obviously wrong. If for no other reason, shared systems need identity/accounts just to distinguish between people’s content in a situation without total implicit trust.

                    1. 2

                      Looking through my password manager a solid third of them are for random websites that I had to create an account with just to access some content or make a one-off comment or purchase. I think there is a good claim that a lot of times identity/accounts are unnecessary.

                2. 2

                  The solution seems to be making accounts cheap (eg. via cryptography) that can be mapped on to complex identities, instead of basing everything on a complex system.

                  This just shifts the domain modeling problem from the system to the user. Users would end up having to keep a private dictionary of identities which they map to cryptographic identities. Managing a single cryptographic identity is difficult as it is, and shifting the burden of management to the user makes this even more difficult and error prone.

                  TBL’s Solid project envisions a system of identity providers whose sole job it is to offer a UX for managing user identities, and I think this is an interesting solution. You pay/host (or let them mine your data) an Identity Provider that lets you manage multiple identities, and use that identity provider across the web.

                3. 12

                  Fantastic post. Programmers assume falsehoods all the time (I, myself, am still often bitten by required binary gender-selection boxes), and I don’t think any developer can be an exception to this.

                  Separating facets of one’s identity seems really cool to me, and I know that I’m going to be thinking about it in all of the systems I build from now on.

                  1. 12

                    I read the article twice and the only justification for why multiple accounts don’t work already is “discord takes all my ram” (then don’t use discord?) and “it’s hard to remember multiple emails/passwords” (why not a password manager?). The multiple account model already works, even for edge cases like the ones discussed in the post— it’s just webshit apps like Discord that fail to function under the load.

                    If all of this is coming as a shock to you, you have probably had a much more privileged/socially advantaged life that has protected you from having to think about these things. This is okay. Ignorance is the first step to understanding. Don’t be afraid to find out more. This is not new either. Identity has probably always been this complicated, but facts and circumstances have prevented it from being discussed as openly as a blogpost such as this does.

                    This has nothing to do with the technical content, but getting lectured about privilege by a software engineer is lol. I don’t think this adds anything to the article and just made me feel slightly annoyed.

                    1. 8

                      but getting lectured about privilege by a software engineer is lol

                      Not all software engineers come from privileged backgrounds. Some have lived extremely unprivileged lives before working their way into the software industry.

                      1. 3

                        I’m not talking about their backgrounds, I’m talking about their current material position. (And, I’d easily wager that most SWEs at major companies have privileged backgrounds, and that this effect increases the further back in time you go). Regardless, it’s not really a big deal and it doesn’t have anything to do with the article’s content, which was interesting.

                        1. 6

                          I’d easily wager that most SWEs at major companies have privileged backgrounds

                          True or not, I know more than one software engineer embarrassed to talk about their past because of this attitude.

                      2. 7

                        In my experience, Discord deliberately tries to detect if you are using multiple accounts, and prevents you from logging in or asks you to verify your identity with real-world items like phone numbers if it thinks you are doing so. I was trying to use multiple Discord accounts a while ago, and I eventually gave up on this because I could only get one account to reliably log in. This entailed me having to reveal that my identity in one community using Discord was the same as another identity in another community using Discord, which I would rather not have done.

                        I assume the reason Discord cares about this is a combination of wanting to have accurate real-world information about their users in order to monetize it more effectively, and thinking that part of their role as a chat platform provider is to discourage sockpuppeting and making bans stick.

                        Personally I think this makes Discord a profoundly user-hostile chat platform, and I think every single community using it should cease doing so.

                        1. 5

                          chat platform provider is to discourage sockpuppeting and making bans stick

                          Why shouldn’t they be?

                          1. 4

                            Yeah, this is one of those frustrating double-binds. There are so many valid needs for multiple identities, but also many ways to abuse them. I believe the abuses tend to be a higher priority in most social systems, because they make things dramatically worse for more people, so those systems are incentivized to err on the side of restricting multiple accounts/identities.

                            That P2P System That Must Not Be Named bakes in a deliberate limitation of the number of accounts/addresses, in order to make sure that identities have a cost and can’t be generated with abandon. (At least that’s their public story.) Other people have proposed other creative solutions like “Sybil Parties” (look it up.)

                            1. 2

                              That P2P System That Must Not Be Named

                              Note for anyone reading who is confused: said P2P system is called Urbit. Urbit also has support for “sub-accounts” (moons, I think they’re called) and the kind of anonymous, easily generated identity that might be useful for the purposes discussed in the article (“comets”). The political aims of the founder are the more obvious source of the limitation on accounts, though. A read of “Neoreaction, A Basilisk” by Elizabeth Sandifer would fill you in on the details of that IYI.

                              1. 1

                                The article goes into this:

                                An advantage of this being baked into the substrate of platforms means that moderators aren’t shafted by this either. If you ban one of someone’s identities from a place, you should ban them all from that place to prevent fractal sockpuppeting.

                          2. 6

                            then don’t use discord?

                            That would be great advice if the communities I am in didn’t also use Discord. It’s a network effect thing. If I was God I would make everyone use something much more lightweight (or even email!) but I do not have that power so I need to suck it up and adapt to what others are comfortable with.

                            Besides, with Discord we at least got everyone off of Skype.

                            why not a password manager?

                            Password managers help you remember what the passwords are, not that the accounts exist at all.

                            but getting lectured about privilege by a software engineer is lol

                            A lot of my style for these posts is based on the idea of making you think for yourself without necessarily telling you what to think. This part was added as a more wordy way to say “yes this may sound absurd to you, but it is very not absurd to others that life shits on”. It maybe was a bad idea to use the word “privilege” in there at all (it passed the review that I do with others to make sure I don’t try and push one view too hard, but that may be because the kinds of people that would object to that word aren’t generally people I’m friends with enough for me to think about asking them to review blogposts for me), but the general sentiment was intended to be a destigmatizing one. And whenever you are trying to destigmatize something you do generally need to start with a “yes this is actually a thing for some people so let’s respect that as we continue in this train of thought”.

                            I will definitely try to rethink how I do the phrasing around this stuff if you think that I could express that in a better way that also retains a lot of the candid seriousness I was trying to convey.

                            You never know what kind of background someone comes from.

                            1. 5

                              Password managers help you remember what the passwords are, not that the accounts exist at all.

                              My password manager shows passwords as a username/password pair, so if I need to see which accounts I have for a given site it’s all right in front of me. It’s not exactly streamlined or anything, but I don’t think it has to be. If I want to use a different identity, I log out and use my password manager to find the alternative.

                              second part

                              It’s not really a big deal, it’s ultimately an argument about tone and it’s probably the case that I took it in the worst possible way. It’s definitely sensible to have this “yes this is actually a thing for some people” forward for topics like these, as it might be the case that someone is entirely unaware of issues like this.

                              1. 3

                                My discord & slack use is pretty-much-exclusively via the browser (works for everything other than screensharing, firefox containers let me log into multiple accounts, and resource use is minimal across the board).

                            2. 9

                              I am reminded of Chris Poole’s concept of prismatic identity when reading some of this, especially bits like:

                              There should be a “bank” of identities that you can pick between in contexts where those identities are relevant.

                              This was the same idea that Poul-Henning Kamp had had for changing how identity works in HTTP. Rather than the user agent storing cookies which correspond to server-side storage, the user agent makes a choice of asymmetric keypair and then uses the pair’s public key as identification. Indeed, he said directly in his commentary on HTTP:

                              Most notably HTTP/1.1 lacks a working session/endpoint-identity facility, a shortcoming which people have pasted over with the ill-conceived Cookie hack. … In my view, HTTP/2.0 should kill Cookies as a concept, and replace it with a session/identity facility, which makes it easier to do things right with HTTP/2.0 than with HTTP/1.1.

                              From a completely different direction, we should also consider identifiers as capabilities. Quoting from Chip Morningstar’s introduction to capability theory:

                              The capability paradigm is about access control. When a system, such as an OS or a website, is presented with a request for a service it provides, it needs to decide if it should actually do what the requestor is asking for. The way it decides is what we’re talking about when we talk about access control. If you’re like most people, the first thing you’re likely to think of is to ask the requestor “who are you?” The fundamental insight of the capabilities paradigm is to recognize that this question is the first step on the road to perdition. That’s highly counterintuitive to most people, hence the related controversy.

                              And putting this all together, we find the Reputation Problem:

                              If you ban one of someone’s identities from a place, you should ban them all from that place to prevent fractal sockpuppeting.

                              This is the road to perdition; we asked people who they were and tried to use that in order to gauge community reputation. The capability-theoretic lesson is that the act of extending an invitation to an agent is itself a delegation of authority. (For example, Lobsters policy allows folks to be banned for inviting folks who also get banned; this allows for us to trace the delegation of reputation and authority up to potential sockpuppeteers.)

                              I am not optimistic for any corporation-controlled system, including Discord, to improve in any dimension mentioned here. The proper delegation of authority would reveal them to be middlemen who are only useful for bootstrapping conversations; everything else that they do, like managing moderation hierarchies and filtering spam, are responses to self-inflicted problems inherent to their corporate design. Discord in particular are allergic to third-party interoperability efforts, which should signal to you that they are not interested in catering to your needs for identity management, since identities are not confinable to a single application or view.

                              1. 8

                                Here’s a coincidentally related article you all might find interesting: https://tejpochiraju.in/decoupling-authentication-identity.html

                                1. 4

                                  Very interesting. ^^ It reminded me of Gibson’s SQRL.

                                  1. 3

                                    you have an “Identity stuff Awesome List” to put on github right there

                                  2. 6

                                    This was really interesting, thanks! I was peripherally aware of plurals before, but the linked doc was full of useful stuff there.

                                    Any thoughts on the other problem of identities: linking them. Context: I was speculating at some point about the idea of a non-Facebook personal events system (so I could set up shared events without requiring FB accounts) and had the notion of single accounts for people, but multiple identities primarily for the “here are my groups that I don’t necessarily want to know about each other” and then the idea of linking identifiers from other systems (e.g. accounts from social networks, email addresses, or anything else that can enable “you can prove you own other account”) to one of those identities per identifier (at most).

                                    This was so that if you know someone in context X (e.g. you are friends on FB), then you can invite the identity that’s tied to that context, without needing to know any of the other identifiers, but being able to invite other people by other identifiers (e.g. email address) without them also needing to share a context with the first group.

                                    Other fun case: non-single bodied identities e.g. projects/businesses, but also relationship groups. I have the fun that myself and my spouse want to share some accounts on sites (e.g. online groceries), and we had to make a shared email address for the case that many things want a single email to send stuff to, but we want it to get to both of us. The name we provide as “name of account” on such matters varies somewhat :)

                                    1. 2

                                      I have no idea what to do there lol. I don’t think there’s an easy way to generalize the solutions in question, or if there is one at all. Maybe there should be some form of “just ask the person” and get explicit permission to connect the dots. I don’t know. This is a sociology question at that point and I am not a sociologist. I’m a shitposter that moonlights as a philosopher purely for my own entertainment. This kind of solution needs a lot more input than one shitposter can give on their own.

                                      We choose to go to the moon. We choose to go to the moon in this decade and do the other things, not because they are easy, but because they are hard, because that goal will serve to organize and measure the best of our energies and skills, because that challenge is one that we are willing to accept, one we are unwilling to postpone, and one which we intend to win, and the others, too.

                                      JFK, in his famous moonshot speech

                                      1. 1

                                        :-) There are good reasons this project idea is in my “probably won’t get around to building it, hope someone else does so” list rather than my “I intend on building this at some point” list!

                                    2. 6

                                      Cadey is talking about the relationships between Users, Identities, Personae, and Circles. Google Plus was close to getting it but that was for sharing, not for identities. This is a conclusion that a lot of people come to but not too many make something after understanding the relationships. ¯_(ツ)_/¯

                                      Here’re the actual model fields btw:

                                      User: The embodiment of you. The flesh or source so to speak.

                                      Identity: The name that you respond to. A User can have multiple of these.

                                      Persona: The role you have. Each Identity can have multiple of these.

                                      Circle: The social grouping. Each identity can belong to multiple circles but they interact with the circle and other identities via their personae.

                                      If it were going to be decentralized the way to prevent sock puppeting is via invites and tree lineage or branches like the lobster invite tree. Each circle has an owner and an admin and they approve all incoming members. They know the core identities of each persona, the members only see the personae themselves but under the same name. If someone is a total waste of computing resources you ban them. If multiple people on the same branch are also complete wastes of time then you tree ban them and work out the details from there.

                                      You could put that in an SQL table and make it work with Users being accounts or something for a centralized approach. If youtube were to do it they could call it moods or something so my recommendations aren’t screwed up by watching two similar videos.

                                      I’m close to releasing something that will incorporate what I think is a reasonable way of handling it. It’s still a kludge of stuff without much direction and it doesn’t work yet but you can check my profile if you want to see what I mean about the relationships between each of the model fields. I won’t link it here.
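The relationships listed in the comment above, together with its invite-lineage and tree-ban idea, can be sketched as follows. This is an added example, not the commenter's code or their project's; the class and method names and the sample ids are hypothetical, and one circle with a single invite tree is assumed.

```python
from collections import defaultdict


class Circle:
    """One social grouping. Admins see user ids; members see persona handles only."""

    def __init__(self, name, owner_user):
        self.name = name
        self.persona_owner = {}                 # handle -> user id (admin-only view)
        self.invited_by = {owner_user: None}    # user id -> inviting user id
        self.banned = set()                     # banned user ids, never handles

    def admit(self, inviter_user, new_user):
        """Record who vouched for a new user; these edges form the invite tree."""
        if inviter_user not in self.invited_by or inviter_user in self.banned:
            raise PermissionError("inviter is not a member in good standing")
        self.invited_by.setdefault(new_user, inviter_user)

    def add_persona(self, user, handle):
        if user not in self.invited_by:
            raise PermissionError("user was never admitted to this circle")
        if user in self.banned:
            # The ban is keyed on the user, so a fresh persona does not evade it.
            raise PermissionError("user is banned from this circle")
        if handle in self.persona_owner:
            raise ValueError("handle already taken")
        self.persona_owner[handle] = user

    def member_view(self):
        """What ordinary members see: active handles, with no link between them."""
        return sorted(h for h, u in self.persona_owner.items()
                      if u not in self.banned)

    def ban_persona(self, handle):
        """Ban the user behind a handle; return every handle removed with it."""
        user = self.persona_owner[handle]
        self.banned.add(user)
        return sorted(h for h, u in self.persona_owner.items() if u == user)

    def branch(self, root_user):
        """root_user plus everyone admitted through them, directly or not."""
        children = defaultdict(list)
        for user, inviter in self.invited_by.items():
            children[inviter].append(user)
        seen, stack = [], [root_user]
        while stack:
            current = stack.pop()
            seen.append(current)
            stack.extend(children[current])
        return sorted(seen)

    def inviters_to_review(self, threshold=2):
        """Inviters with at least `threshold` banned direct invitees."""
        bad = defaultdict(list)
        for user, inviter in self.invited_by.items():
            if inviter is not None and user in self.banned:
                bad[inviter].append(user)
        return {i: sorted(us) for i, us in bad.items() if len(us) >= threshold}

    def tree_ban(self, root_user):
        """Ban a whole branch of the invite tree; return the affected user ids."""
        members = self.branch(root_user)
        self.banned.update(members)
        return members


def build_sample_circle():
    """Constructed sample data: four users, five personae, one invite tree."""
    circle = Circle("book-club", owner_user="u-owner")
    circle.admit("u-owner", "u-alice")
    circle.admit("u-alice", "u-bob")
    circle.admit("u-alice", "u-carol")
    circle.admit("u-owner", "u-dave")
    for user, handle in [("u-alice", "ali"), ("u-bob", "bobcat"),
                         ("u-bob", "night-bob"), ("u-carol", "caz"),
                         ("u-dave", "dave")]:
        circle.add_persona(user, handle)
    return circle


if __name__ == "__main__":
    c = build_sample_circle()
    print(c.ban_persona("bobcat"), c.ban_persona("caz"))
    print(c.inviters_to_review(), c.member_view())
```

The mapping from handle to user id is the sensitive part of this design: anyone who can read `persona_owner` can link a person's personae, so it has to stay on the admin side of the trust boundary.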

                                      1. 5

                                        Serious Data and Reality vibes from this. Great post!

                                        1. 1

                                          I’m gonna have to go read that book now aren’t I lol. I’ll be sure to write something about how I like it if I do!

                                        2. 4

                                          An advantage of this being baked into the substrate of platforms means that moderators aren’t shafted by this either. If you ban one of someone’s identities from a place, you should ban them all from that place to prevent fractal sockpuppeting.

                                          I was surprised by this. I can imagine mods asking for this behavior, but it seems a bit at odds with the rest of the piece.

                                          1. 3

                                            Same here. This in the same article making a case for multiple identities for the safety of political dissidents. If there’s an underlying “super-account”, there is always a way to tie different identities together for those willing to go far enough (which in some cases can simply be a matter of “view source” or opening the network tab, because we all know how fallible we software developers are even in the best of moments).

                                            1. 3

                                              Yeah, this is something that feels a bit out of place but it is from hard-fought experience moderating communities. If you allow people to just be able to spin up new identities, it is going to be easy for them to be used to evade bans. There’s no good solution though.

                                              1. 1

                                                The Reputation Problem does loom large here, but we might be able to carefully sidestep it. Allow karma to be a natural number representing each account’s reputation. We want to allow accounts to start with non-zero karma, having existing users vouch for them. We also want to cap the amount of karma that can be donated through vouching, to prevent easy creation of valuable accounts.

                                                I think that it will just about work to allow account invitation to include an amount of vouch karma which is debited from the inviting account, and for vouch karma to be capped at a logarithm of the total karma available. This should just barely meet both goals. The actual amount of karma assigned this way might not be very much, though; being technically non-zero does not help if there is karma-unlocked functionality which takes a long time to reach.
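The vouching scheme in the comment above can be made concrete with a small ledger. This is an added example, not the commenter's code; it assumes the cap is the floor of log2 of the inviter's current balance and that a vouch must be at least 1, neither of which the comment specifies, and all names and balances are constructed.

```python
def vouch_cap(balance):
    """Largest vouch an account may give: floor(log2(balance)), 0 below 2 karma.

    Assumption: the 'logarithm of the total karma available' is taken over
    the inviter's own balance, base 2. bit_length keeps it exact for ints.
    """
    return max(0, balance.bit_length() - 1)


class KarmaLedger:
    def __init__(self, balances):
        self.karma = dict(balances)   # account -> natural-number karma
        self.inviter = {}             # account -> account that vouched for it

    def invite(self, inviter, new_account, amount):
        """Create new_account with `amount` karma debited from the inviter."""
        if new_account in self.karma:
            raise ValueError("account already exists")
        cap = vouch_cap(self.karma.get(inviter, 0))
        # Assumption: a vouch of 0 is not allowed, so every account has a cost.
        if not 1 <= amount <= cap:
            raise ValueError(f"vouch must be between 1 and {cap}")
        self.karma[inviter] -= amount
        self.karma[new_account] = amount
        self.inviter[new_account] = inviter
        return amount

    def total(self):
        return sum(self.karma.values())


def fund_puppets(ledger, inviter, count):
    """Worst case for one inviter: create `count` accounts at the cap each time."""
    grants = []
    for i in range(count):
        cap = vouch_cap(ledger.karma[inviter])
        if cap < 1:
            break
        grants.append(ledger.invite(inviter, f"{inviter}-invitee-{i}", cap))
    return grants


def vouch_chain(start_balance):
    """Karma reaching each generation when every account vouches its maximum."""
    chain, balance = [], start_balance
    while vouch_cap(balance) >= 1:
        balance = vouch_cap(balance)
        chain.append(balance)
    return chain


if __name__ == "__main__":
    ledger = KarmaLedger({"veteran": 1024})     # constructed starting balance
    print(fund_puppets(ledger, "veteran", 3))   # per-invite grants
    print(ledger.karma["veteran"], ledger.total())
    print(vouch_chain(1024))
```

Because every vouch is a debit, total karma is conserved; the cap only limits how much any single new account can start with, which is the comment's point that the granted amount "might not be very much".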

                                            2. 4

                                              The implicit assumption here is that users will trust the software to handle the identity separation instead of the air-gapped hardware. I doubt this is the case for journalists and activists. Non-technical users are another category that might find it easier to use two computers for example, instead of one. Elderly online banking users commonly use different laptops: one for banking, one for everything else.

                                              Another assumption that I would challenge is that the industry at large doesn’t understand the problem, thus making naive assumptions. I find that hard to believe since most companies are in the user profiling business model.

                                              I understand the use case and I could use a mobile software-level separation of IDs for mobile apps. A user mentioned that Telegram supports this. I had no idea.

                                              1. 3

                                                One point I am very shaky on here is: if I try to make software flexibly accommodate multiple identities, I’m more likely to write a bug which accidentally discloses information from one of them to the social circles of another. If I make client software lightweight enough that you can happily run many copies of it, that seems safer.

                                                I strongly agree that identities should be allowed to be m:n with verification criteria such as phone numbers. I’m also in agreement that banning verification criteria rather than identities is a great plan.

                                                1. 3

                                                  Sounds like usernames should not be assignable, instead just chosen per written text.

                                                  Nice post.

                                                  1. 4

                                                    Ironically enough 4chan actually gets this kind of thing really right. It’s a shame that it’s…well 4chan. The overall model could really be refined on in the future to make things a lot nicer.

                                                  2. 3

                                                    One of Google Plus’ distinguishing features was the concept of circles

                                                    Yes! Didn’t Diaspora also implement that?

                                                    1. 2

                                                      And LiveJournal had it, as far back as 2001, in the form of “friend groups.”

                                                      (There’s an alternate history where LiveJournal didn’t completely fuck up its transition from barely-self-supporting tech-driven open source startup to Big System. If they had, we wouldn’t have Facebook, and (I suspect) social software would be a lot better. Instead they got acquired, blew their wad on Second System Syndrome, failed to improve and polish the site, lost most of their users to Twitter and FB, and fell into the arms of a shady Russian BigCo.)

                                                      1. 1

                                                        I think so, but I have never really used Diaspora so I can’t really comment on that for sure. I think that it may have ended up falling into the same trap Google Plus did, where there was only one “you”.

                                                      2. 2

                                                        This is all well and good, but most platforms have an explicit goal of one account per meat-sack, because five-nines of multiple account use cases are malignant, being used for astroturfing, vote rings, ban-dodging, and the like.

                                                        edit to add: almost all (current) forms of “democracy” for choosing winners and losers (community moderation included) require at most one vote per meat-sack-per-topic, which requires a single identity to which to tie them.

                                                        1. 2

                                                          An advantage of this being baked into the substrate of platforms means that moderators aren’t shafted by this either. If you ban one of someone’s identities from a place, you should ban them all from that place to prevent fractal sockpuppeting.

                                                          1. 2

                                                            How without a single identity though?

                                                        2. 2

                                                          Have you looked at the Sovrin self sovereign identity network?
                                                          Some of the goals seem similar.

                                                          1. 2

                                                            Coming back after a day of thinking about this, and I’m reminded of a post at https://dustycloud.org/blog/identity-is-a-katamari/ .

                                                            The [Katamari Damacy no] ball at the center is much like an identifier. But over time that identifier becomes obscured, it picks up things [… which] metaphorically map to “associations”

                                                            I like this idea for thinking about Google’s circles (or, ‘identity facets’, as it’s put in the main article).

                                                            Our identity-katamari changes over time. It grows and picks up associations. Sometimes you forget something you’ve picked up that’s in there, it’s buried deep (but it’s wiggling around in there still and you find out about it during some conversation with your therapist). Over time the katamari picks up enough things that it is obscured. Sometimes there are collisions, you smash it into something and some pieces fly out. Oh well, don’t worry about it. They probably weren’t meant to be.

                                                            1. 1

                                                              Very well written, thank you! This is definitely something I’d like to see improved in our software, eventually.

                                                              1. 1

                                                                Yes, this would be a hard thing to implement given existing technical debt. It throws a lot of assumptions about identity on these platforms out of the window

                                                                …in favor of a bunch of new assumptions. More inclusive ones, sure. But how much longer would they last?

                                                                Not an argument against doing it, nor for; just a case for why there might be opposition. I’m still making up my mind about some new stuff I read about in this post, so I don’t feel confident talking about the merits of such a change yet.