I'm rereading Code and Other Laws of Cyberspace (I found it used in paperback for $5), with an eye toward my plan to eliminate comment spam with PGP-signed comments. Lessig writes some things that make me deeply consider it, like:
At the start of this chapter we asked: What steps could government take, not to regulate a particular behavior, but to increase the regulability of behavior in cyberspace generally? My claim was that this goal could be achieved by increasing the capacity of sites on the Net to identify whom they are dealing with--to know either who the user is or what credentials, or features, he or she possesses.
Regulability then depends in part on identification--not perfect identification (the police do not need to know my name to tell me to slow my car down), but enough for the government to know what regulations the user is subject to and when he has violated them.
This is the point of throttling unsigned comments: site owners need to identify nonspamming commenters. Could pervasive use of PGP "certificates" be abused by government (or commerce; the combinatory power of government and business is a big point of Lessig's book)? Lessig argues that open source (that lack of commerce) is a protection against abuse of architecture. Movable Type isn't open source, though; it's published by a perfectly regulable company. If the feature were added to Movable Type proper, might Six Apart be coerced into tracking and providing data the government wanted?
I forget if I actually stated what I had in mind: the system would screen comments like LiveJournal can, if the author doesn't sign the comment with a key the weblog owner has approved for immediate posting. You could sign your key in the browser widget with the PGP software, or maybe have a convenient proxy server that would notice you're submitting a form with a signable entry widget in it, and pop up a dialog for your passphrase to sign it between the browser and the server. The weblog owner would get to unscreen specific comments, and whitelist specific keys. Signed comments would be posted with the name associated with the key. (The original plan had a metadata file with name and URL and such at which the key pointed, but eh.)
Wait, yeah, I know signing every last comment is a pretty onerous requirement, but as Mark Pilgrim channeled Bruce Schneier, "Someone challenged me, 'Well, how am I supposed to continue hosting these low-barrier discussions?' I'm sorry, but I don't know." Raising the barrier is an option we as a community should consider. This is one way of doing that. Plus it's not that anonymous or untrusted comments are banned; they're just delayed until you can review them, so they don't contribute to a spammer's pagerank meanwhile.
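A sketch of the screening gate described above, as an added example that is not part of the original post or of Movable Type. It assumes Ed25519 signatures from Node's built-in `crypto` module as a stand-in for PGP signatures, and the names `CommentGate`, `fingerprint` and `signComment` are hypothetical.

```javascript
const crypto = require('crypto');

// Key identifier: SHA-256 over the DER-encoded public key (assumption; OpenPGP
// defines its own fingerprint format).
function fingerprint(publicKey) {
  return crypto.createHash('sha256')
    .update(publicKey.export({ type: 'spki', format: 'der' }))
    .digest('hex');
}

class CommentGate {
  constructor() {
    this.whitelist = new Map(); // fingerprint -> display name approved by the owner
    this.comments = [];
  }

  whitelistKey(fp, name) { this.whitelist.set(fp, name); }

  // A comment posts immediately only if its signature verifies over the exact
  // body AND the signing key is whitelisted. Everything else is screened.
  submit({ body, publicKey = null, signature = null }) {
    let fp = null;
    if (publicKey && signature) {
      const ok = crypto.verify(null, Buffer.from(body, 'utf8'), publicKey, signature);
      if (ok) fp = fingerprint(publicKey);
    }
    const approved = fp !== null && this.whitelist.has(fp);
    const comment = {
      id: this.comments.length,
      body,
      fingerprint: fp, // null = unsigned or bad signature
      author: approved ? this.whitelist.get(fp) : null,
      status: approved ? 'posted' : 'screened',
    };
    this.comments.push(comment);
    return comment;
  }

  // Owner action: release one held comment without trusting its key.
  unscreen(id) { this.comments[id].status = 'posted'; }

  // Only posted comments are rendered, so held spam earns no links.
  visible() { return this.comments.filter((c) => c.status === 'posted'); }
}

// Constructed demo helper: a commenter signing a comment body client-side.
function signComment(body, privateKey) {
  return crypto.sign(null, Buffer.from(body, 'utf8'), privateKey);
}
```

A screened comment whose signature verified keeps its key fingerprint, so the owner can whitelist that key after reviewing the comment.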
A system like the "Web of Trust" would be useful for making a larger list of folks who can post freely, but I would want to be able to assert only that fact--the real Web of Trust asserts only that the key owner is who e says e is. Having a trust web only brings it more in line with what Lessig says, as you'd necessarily have to be able to assert a specific credential, "I am a responsible weblog commenter."
In fact, the PGP Web of Trust even counteracts what I want here, as I don't want to discourage pseudonymous comments. Lessig wrote about pseudonymity recently; comment posting isn't one of the traceable transactions he means, though. That's more financial transactions and larger, more involved processes. This transaction happens at one place and time: the weblog server, when the comment is posted. There can't be much of a paper trail, as there's not that much activity.
The bad scenarios are all wildly predicated on wide, eventually near total adoption of PGP signatures for anything and everything, which sounds silly. Weblog comments are tiny; but as Lessig writes, "Tiny controls, consistently enforced, are enough to direct very large animals [and] we are large animals." It's not impossible.
Comments
Hi, we are testing a new free form-protection service (http://www.cerospam.com.ar), for blogs and for any kind of web site. It is easy to set up each form with this system, and it is very useful for protecting comment forms from spammers. It is based on the captcha method. Until now it seems to work fine. No matter what kind of blog software you are using, this is not a plugin. Please, test it and do not hesitate to send us your comments! Thank you.