whatknows :: do you?

February 22, 2008

Your internet self hates your privacy

Filed under: Academic,Technology — Jed @ 5:29 pm

(This is the second post of a multi-post series on the relationship between the real and digital world. To read them all, start here.)

Last year I attended a session at the Aspen Institute featuring John Clippinger of the Berkman Center for Internet & Society. His book, A Crowd of One: The Future of Individual Identity, was about to hit the shelves and so a conversation ensued about how digital identity (in the technical sense) was transmitted and authenticated in digital environments. What struck me about the group, however, was the absence of discussion about protocols and authentication schemas. Instead, this group was looking for examples from outside of technology (policy, biology, psychology, etc.) to help guide technical efforts. It was not an easy conversation.

“The problem with identity on the internet,” Clippinger said, cutting through the palpable frustration in the room (and paraphrased of course), “is the same as going to a bar.” The room held its breath, waiting to see the connection. “When you hand the bouncer your driver’s license, how much of that information does he need?”

He continued to point out that the bar only needs:

  1. your date of birth, to prove that you are of a legal drinking age, and
  2. your photo, to authenticate that you are the owner of the license.

Your name, address, blood type, social security number – these are all unnecessary. “If you stop and think about it,” he said, “even your date of birth is too much information. The bar really only needs some True or False indicator of your legal right to drink.

“This is the problem with digital identity,” he summarized. “When you provide your digital identity, too much information is being shared.”

This might seem obvious, and the status-quo response to his complaint sounds something like “So what?” When I use my Gmail account, I use the same account as on Blogger. That is kind of nice. When I first commented on a friend’s blog I didn’t have to set up one more account. If they get my date of birth when all they need is my zip-code, is it really that bad? Using the bar example, what bouncer has the time to write down my address for later stalking?

About a year later, however, revisiting Clippinger seems eerie. That “So what” position isn’t nearly as comforting as it used to be. Personally, I can see three things that have happened over the past year to move his theoretical problem into firm reality.

I joined Facebook (and del.icio.us, and Flickr, and Friendster, etc.)

While our driver’s licenses are somewhat limited in the information they carry, our digital identities have become bloated with information ranging from my mobile number to the color of my emotional parachute. Moreover, the information included extends beyond the demographic information on your driver’s license and captures life’s most trivial and malleable aspects. To some level our digital profiles are always misrepresenting us.

Google created OpenSocial and Facebook created their application platform.

Clippinger’s bar analogy is now better expressed as “stapling your driver’s license to your shirt so that everyone can stare, including that creepy man sitting next to you.” Don’t get me wrong, I am in favor of breaking down the barriers around the data warehousing of user information, but with all of these applications, the number of players on the field has skyrocketed.

In a surprising reversal, bars in the real world are now digitally scanning IDs, recapturing that information with presumed consent.

The only thing worse than the creepy guy knowing where you live is the owner of the bar who lets the creepy guy hang out knowing as well. What’s to keep that bar owner from selling your information to all of his creepy friends?

It is exactly this last point that has been a topic of conversation in the Washingtonian area lately.

A new gay club has opened in DC named Town, and while quite popular, individuals in the m4m section of craigslist Missed Connections have raised concerns about the scanning of driver’s licenses at the door. They are concerned about how their information is going to be used (mailing lists seem to be the prevailing example), but it points to the larger issues that Clippinger outlines. What is ostensibly an artifact of your real world self is now digitally captured in exchange for the right to participate in the real world. It seems that the real world is taking some tips from the digital one. The privacy issues related to public availability of Facebook profiles are no longer limited to online.

For those who would argue that digitally capturing information about real world consumers is nothing new, I am inclined to agree. After all, this is just business replicating what the government has been doing for over a century (Foucault did call it governmentality after all). But governments struggle with the controversial nature of data collection as well. Over the past several years Utah has struggled with a proposal for a unified identification system, a proposal the legislature recently struck down. Government aside, clubs around the world already do what Town has just introduced in DC. Clearly patrons at Town have a unique relationship with Town’s business owners which begs for further consideration.

I would argue that the concerns raised in DC arise from the amount of sensitive information disclosed for what is a recreational activity. This contrasts with the government ID scenarios in which high privacy information is used for “official activity.” It also is distinguishable from recreational behavior in which information with fewer privacy concerns is captured (your Netflix movie rental history, for example). Town’s scenario is further complicated by capturing more data than is necessary for admittance, and not providing any disclosure about their privacy policy and personal information practices.

How does this compare to privacy policies and disclosures online? Let’s be honest: nobody reads them. When was the last time you read a EULA? Websites always make the links to their privacy policies 6px, leaving me wondering if this is because nobody reads them or because websites don’t want anyone to read them. Either way, they are no longer an emotional requirement for our user/consumer behavior on the anonymizing internet.

Back in the real world, Town’s business certainly doesn’t seem to be hurting due to the scanners. Patrons are either 1) trusting the business owners with their information, 2) deciding that their information is not valuable enough to be protected, or 3) not considering the issue at all. When I think about the relationship between the real and digital world, personal privacy serves as a useful example. Simply asked, has the established practice of repeatedly providing personal information online numbed us to the significance of that same act offline?

(Next on the agenda: What happens when craigslist Missed Connections don’t need craigslist anymore? Stay tuned!)

