Had a bout of blog spam to deal with today and that brings the commodus vicus of recapitulations back to the environs of identity and trust online.

It is, I suppose, inevitable -- a great unspoken fear of the bloggerville that just as we of the great Internet frontier circa 1989 had thought our little enclave of decency and trust could never crumble to the unwashed masses, so too is the blog space just a little too welcoming and blossoming because of it, but it's a party that, in the reality of our times, probably cannot continue. We're still wrestling with what to do about email where we can remain contactable by Strangers yet not be deluged by offers of all-natural investment scams, and now, to our distain and dispair, the same is happening in the blog space, and with increasing frequency.

the western frontier was a beautiful place, but before long, drawn by our romantic cowboy tales of endless space and bountiful freedom, the covered wagons arrive, bringing with them their sherrifs, lawyers, barkers and other priests.

the rise of the blog vandals

It was months ago when I got my first blog-spam. You've all had them: Comments that say nothing intelligent, but link their names to their scumbucket websites (mostly for "zipcodes") -- dutifully to my readers, I trap these in the email alerts, go through the webform MT admin panel, delete them and regenerate the story as if nothing happened, but that's feasible because they are still not a daily thing, more like a weekly thing, so it's annoying but manageable.

What I got today may be an omen that someone is upping the ante: Today's blogspam comment didn't even pretend to comment, it was a dump of prepared text listing dozens of porn/viagra affiliate-commission websites, and the block of it made me wonder if, dare I imagine, it had been posted by a robot.

Not that this would be so terribly difficult. I'd been programming Perl only a matter of days before I knew how to use the libwww package to manipulate websites; for almost a year I used that method to auto-renew my 'free' web-email accounts on those sites who demanded you visit the ad-laden web interface to renew; so how far from feasible would it be for some enterprising spam scammer to do the same to troll for the ubiquitous comment link, spidering the blogs on weblogs.com and do the nasty on every site that leaves their commentary open?

I don't think it's happened, but the prospect doesn't please me. A good deal of the power of weblogs is in the open commentary, and I know myself that I tend to shy from sites who require YAFA before I can offer a few words to correct, extend or congratulate their post. To lose that freedom would be a terrible loss, not unlike the very reasons I won't require pass-codes or handshake confirm messages to gateway my emails, but ...

when a stranger calls

MT has only one defense: It can ban any specific IPs. This strikes me as singularly naive and impractical because a good deal of the world, especially the desperate sort of world that would dream of riches through spam, lives on dynamic IP pools or behind NAT'ed addresses -- you can block an IP, but you can't rightly block an entire ISP's DHCP pool, and that spam-ass is going to dial back in just a moment later and appear to MT as someone completely new and totally trustworthy.

MT also records the IP of the comment and while that's not without merit, it's tedious to track them back to the block-owner and then try to lobby the ISP to dig out their TACAC/RADIUS records to nail them with a breach of the AUP -- and like email spammers, they'll just choose cheap ISPs and flit between them unrepentantly.

So what's left?

There's Trackback, and this is in some ways a very useful solution since the spammer can only post the crap on their own site, but considering old ZipCode, all they really need to grasp is the essence of Trackback to know they can plunk their reflexive backlinks on thousands of sites a second; they don't even need the bother of visiting them, they just have to trade in blackmarket Trackback ping address lists. So it seems Trackback is not only out, it may even harbour a worse risk.

Whether or not we like our neo-Orwellian cashless society where bounty hunters trace your drift by surfing your VISA transactions (cf. Minority Report and the much better Until the End of the World), a similar sort of online PIN identity may be an inevitability for the web to survive. In this scenario, each of us would have some traceable PIN that would work like a Drupal login, one identity record kept somewhere that can be used anywhere it's honoured, and where the receiver of the PIN has that option to track you back to your site of origin and shut you down.

And we also know that, just as every digitalized service loses all sense of leniency, while the real world seems to accommodate both strangers and hard currency, the digital world is far more likely to go all or nothing ...

the cures worse than the ailments

bq. There's a scene in Until the End of the World where our heroes attempt to buy a car with cash; the dealer first freaks ballistic at the suggestion of sticking him with mugger-magnet anonymous cash ... then he whips out a gun to rob them of it.

We all know how it would go. It would be like a personal Verisign certificate, and the assurance of it's credibility would probably be the same: The trustworthy, and richer, clientele, who are not the problem anyway, would be paying big dollars to some central trust authority who'd grow rife with corruption while, just like most every HTTPS site I seem to visit, the vast majority would present certificates with no reliable basis, self-asserting themselves, self-validating themselves, and, in short, oops ... it's no better than no certificate at all.

Besides, there is a different sort of identity concept at work online. I'm not the same mrG here as I am when I give you my business-face or even my business networking face or my social service face ... and if you think about it, the same is true in the real world as we are all of us defined at the moment by the interactions we engage in -- personality, the who in who we are, is situational, it's effervescent, it's sometimes this, sometimes that; anyone who wants to experience multiple personality syndrome need only go home to visit their parents for a week!

We gell what we need of who we are to create the I in a context. I&I -- the who of who we are is only an artifact of a relativistic relationship with the where and when and with-who. Online is the same. For a long time, the only ID I carried was my VISA card, but then it became the drivers' license too, and today, I have a pack of ID cards, but I walk about with different sets of them depending on where I'm headed.

So the singular identity scheme seems fundamentally wrong-headed, maybe on the right road, but definately headed in the wrong direction. So what's left? There's my idea of a trust network identity but with the tensions between existing trust networks growing ever more xenophobic I don't see that as any reality any time soon.

Is blogspace doomed to go the way of Usenet? I don't have any answer. All my answers seem to converge on situations of more risk and a loss of power to this medium. I know that I'd like the answer to look like the answer to vandalism where those who are caught are made to face the damage and pressed into cleaning up the mess, or an answer like drunken driving or even the growing pressures on smokers to just instill the sensibility that the behaviour is unacceptable, but in a global online world of anonymous ends and no pathways between them, no sure course to that reality presents itself.