Thursday, September 07, 2006

US v. Naughton: One-Off Criminal "Fantasy Defense", or Turning Point for the Jurisprudence of Online Identity? 

In 2000, Patrick Naughton, vice president of Internet search company Infoseek, was arrested for traveling across state lines with the intent to have sex with a minor. He had corresponded extensively with an FBI agent impersonating a 13-year-old girl in an AOL chatroom and had made plans to meet her and have sex. When he showed up, the FBI arrested and charged him.

At his criminal trial, Naughton employed what has come to be known as the "fantasy defense": citing his technical sophistication and the adult tone of his interlocutor's conversation, he claimed that he believed her to be an adult woman playing the role of a teenage girl... which, indeed, she was, although for different reasons from those Naughton claimed to have believed.

The defense managed to hang a jury, resulting in a retrial. Naughton pled guilty the second time around and took a reduced sentence, serving no prison time. [1]

I think this is more than just a story about slick trial lawyer tricks. Naughton's case might be remembered primarily as a tortured application of the reasonable doubt standard, like the O.J. Simpson trial, or a wacky legal theory like the Twinkie Defense, but it might also say something more profound about changing social and legal attitudes toward the perception and performance of online identity. Naughton claimed that what he perceived and participated in in that chat room was not a straightforward exchange of truthful personal information, but a ritualized sexual role-playing exercise conducted using masks and alter egos. He convinced half of a jury that, first of all, only an unsophisticated Internet user would trust someone else's assertion of real-world identity without some way of authenticating it, and second, that adopting a false online persona is a common practice in chatrooms.

Since 2000, a lot of things have changed. There are a lot of people in this country who know as much or more about Internet culture and technology as Patrick Naughton did in 2000. Does this mean that it's reasonable to expect skepticism about anyone's unauthenticated assertion of identity online? If such a theory were successfully used today, it might spell big changes for online defamation and fraud. But it might also signal an impending clampdown on online anonymity.

----

The performance of online identity has been tackled by psychologists and technologists [2], but not so much by legal scholars. The disconnect between what is stated and what is understood has long been a distinctive feature of online culture. Chatroom participants adopt imaginary personae. Parody websites adopt outrageous political positions and revel in the ensuing hate mail from "clueless" visitors. Blogs and Friendster profiles are maintained in the name of famous or fictional characters. Email hoaxes and April Fools jokes gone wrong circulate endlessly through the mail exchanges of the net. Recognition of the malleable, performative nature of online identity would clear up some of the legal absurdity surrounding defamation and unfair competition cases based on casual or facetious online speech.

But this disconnect between actual and performed identity also has what the New York Times would call its "sinister" side. Phishing, fraudulent personal ads, system cracking, and anonymous harassment are all as serious online as are offline con games, fraud, trespassing and stalking. On the Internet, no one knows you're a dog... or an FBI agent, or an eBay customer service representative asking for a user's password. Seasoned users take this uncertainty for granted and manage their trust accordingly.

But as newer users become more sophisticated and begin to understand the unstable nature of online identity, they may, paradoxically, develop anxieties about the inapplicability of their realspace intuitions to social interaction on the Net. If the legal system begins to see reliance on someone's online representations as unreasonable, businesses and individuals may react badly. Fear of fraud and impersonation could trigger a demand for reliable online identity authentication systems. Which, in and of themselves, might not be a bad idea, as long as they use decentralized, user-controlled, open-standard technologies like PGP or OpenID [3]. But another scenario goes like this:

1. Users flip out over unverifiable online personae.

2. Microsoft and AOL revive their identity-management systems "Hailstorm" and "Magic Carpet" [4] (has anyone heard anything about either of these in the past five years?), and Google and Yahoo join in with their own Mail/Calendar/Chat/Phone/WiFi centralized accounts. MySpace, Amazon, and everybody else try to jump on the bandwagon.

3. Incompatible standards lead to consolidation of these systems into one or two proprietary standards.

4. People start emailing, chatting, and shopping using secure, authenticated channels.

5. People's web browsers broadcast their authenticated identity information by default, keeping them logged into all their personal accounts at all the websites they visit.

At this stage, problems begin to arise:

6. The owners of these systems have perfect control, not only over everyone's personal information, but over their purchasing power, and they leverage that control to make cutthroat deals with merchants and media outlets.

7. The Net starts to balkanize as individual website operators make exclusive deals with one identity manager or another and sites begin to refuse access to anyone without an authenticated identity.

8. Online anonymity becomes an anomalous, conspicuous, and largely unworkable condition.

9. Online commercial activity becomes impossible without an account on one of these systems.

10. 1984 and the Book of Revelation act themselves out simultaneously.

----

This sounds like an unlikely set of consequences for a case that was decided six years ago and has garnered little attention since. But the identity-management wars have come close to boiling over periodically over the last six years, and Google's strong entry into the space, combined with the emergence of a new legal standard for reasonable care online, could spark a desperate grab for users by the handful of major players in online identity management. It would be a winner-take-all game, and the Internet - and society - that emerged might not look very familiar or comforting.

[There, how's THAT for Internet alarmism? New York Times, eat your heart out.]

----

[1] US v. Naughton: http://www.cbsnews.com/stories/2000/05/24/eveningnews/main199192.shtml

[2] Sherry Turkle is a pioneer in this field (http://en.wikipedia.org/wiki/Sherry_Turkle), but Judith Donath's stuff is more sophisticated and a better read (http://smg.media.mit.edu/people/Judith/). See, e.g., http://smg.media.mit.edu/people/Judith/Identity/IdentityDeception.html

[3] OpenID: http://openid.net/

[4] Hailstorm and Magic Carpet: http://www.betanews.com/article.php3?sid=995975421


Nothing on this blog should be read as legal advice, nor should it be taken to create a lawyer-client relationship. If you have legal concerns, you should speak with a lawyer directly.