A couple of articles grabbed my attention today. The first was over at the Washington Post, regarding Sue Scheff and the aggressive online bashing she took. The second is over at franticindustries and highlights some of the emerging differences between Twitter and Pownce. How do these two things fit together? Security and your identity.
I recently started using LinkedIn, Digg and a brief bit with Twitter just to see what all of the hype was about. There's no doubt that these applications can be beneficial, and I am certainly not extracting the most out of these social networking tools. I can readily see how building a network of other developers, system admins or other groups could really be a boon for a small web development shop. You suddenly have a network of trusted, fellow developers to tap into for expertise, which is much better than sifting through forums with irrelevant posts.
However, I do see the dark side and it has nothing to do with The Force. Sue Scheff's reputation was ruined with some trivial online tactics. The more you expose of yourself online the easier and more believable these attacks can become.
For example, suppose you use someone's MySpace page to create fake Twitter, Facebook and similar accounts. You build trust with these sites and build your network. Then you turn the tide and start acting in a way that earns you a bad reputation. Imagine if you were a teacher and a fake Twitter page mentioned you just got back from the "All Male Revue" and a night of drunken debauchery -- actions that could certainly stir some issues amongst parents.
The industry needs to push for better online identification management techniques. There have been some attempts at this by SSL vendors, but there needs to be much greater control. The core issue will always be establishing that first link in the chain of trust. The existing public key infrastructure may be a good start, but it needs to be more user-friendly.
It would be terrific if you could ask someone on Facebook, Twitter or another social networking site to prove who they are. With PKI, you could send them a message and ask them to send it back to you signed with their private key. Provided the private keys have not been compromised, you could verify the identity of the account holder. The problem with PKI in this context is that if you cannot trust that first link in the chain of trust, then you are back to square one. And mistrusting someone after you've "confirmed" their identity could be worse than no confirmation at all.
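The challenge-response check described above, sketched in Go with Ed25519 signatures from the standard library; this is an added example, not code from the original post, and the function names and constructed keys are hypothetical. The third result shows the first-link problem: if the verifier takes the public key from the fake profile itself, the impostor passes the same check.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// newKey generates a signing key pair for an account holder.
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// NewChallenge returns a fresh random nonce so an old response cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Verify checks a signed challenge against the key the verifier already holds.
func Verify(held ed25519.PublicKey, challenge, response []byte) bool {
	return ed25519.Verify(held, challenge, response)
}

// Demo runs three checks with constructed keys: the genuine holder, an
// impostor checked against the genuine key, and an impostor checked against
// a key the verifier copied from the fake profile itself.
func Demo() (genuine, impostorRejected, impostorAccepted bool) {
	alicePub, alicePriv := newKey() // assumption: obtained out of band
	fakePub, fakePriv := newKey()   // impostor's own key pair
	c := NewChallenge()
	genuine = Verify(alicePub, c, ed25519.Sign(alicePriv, c))
	impostorRejected = !Verify(alicePub, c, ed25519.Sign(fakePriv, c))
	impostorAccepted = Verify(fakePub, c, ed25519.Sign(fakePriv, c))
	return
}

func main() {
	fmt.Println(Demo())
}
```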






