ALTER - EGOS

PHYSICAL SELF

PROFESSIONAL SELF

LEISURE SELF

PARTIAL SELF

FAMILY SELF

SHOPPING SELF
bl
bl

10010100100101
11000111101010
11000201110111

0011010101001
110011 000000
100101 010011

PROFILED SELF

bl
ANONYMOUS SELF

PSEUDONYMOUS SELF

ALTERNATIVE TECHNICAL STRATEGIES FOR THE PROTECTION OF PRIVACY AND FUTURE

MANAGEMENT OF PERSONAL IDENTITIES

Norberto Nuno Gomes de Andrade

(Team Lead)

ALTER - EGOS

ALTERNATIVE TECHNICAL STRATEGIES FOR THE PROTECTION OF PRIVACY AND FUTURE

MANAGEMENT OF PERSONAL IDENTITIES
Introduction
As we increasingly cast ourselves online i, the protection of privacy and the representation and
management of personal identities will only tend to assume greater importanceii. It will require
individuals to be able to manage how information related to them is used and how it endorses and
meets their preferences, contexts and values. This will become all the more challenging in the
emerging world of ambient intelligenceiii and big dataiv, where individuals may not be aware of the
majority of data that exists or can reveal information about them. Continuous technological
developments have equipped people with a new set of tools through which to express and represent
their identities, rendering the latter increasingly fluid and dynamic. Nevertheless, these technologies
have also aggravated the dangers threatening identity, intensifying the ways through which a persons
identity can be deleted, stolen, misappropriated, impersonated, falsified and misrepresented, rendering
it increasingly vulnerable. In order to address these challenges, the 'Alter-Egos' project sets out to
establish, implement and test an alternative technical framework for the protection of privacy and
management of identities.
The fundamental premise behind the conceptualization and implementation of this alternative
framework is the idea of contextual multiple identities. Embedded in a technologically mediated
environment, identity has become a multiple phenomenon. Personal identities are converted in
different digital representations, some created and developed by the individuals themselves, others
asserted and imposed on them from the outside. The digitization of information has not only
facilitated the establishment of sophisticated means of identification, it has also enabled both the
fragmentation and multiplication of identity. The various contexts within which we act and the
different roles we assume every day, exacerbated by technological developments which have only
increased and diversified the range of roles and contexts through the creation of new forms of
communication and identity expression constitute the main factors enabling and enhancing the
plurality of identities of each individual, fostering an unprecedented development of parallel and
multiple identities. While in the past people would be perceived as having only one identity, today it
is acceptable to maintain separate identities for different aspects of online interaction, as well as to
cultivate new and distinct identities. In the information age, the fascinating question about identity is
no longer "who are you" but "how many are you?"
This project departs from an alternative regulatory framework for privacy protection and identity
management that I previously developed and proposedv. This framework includes a new legal
taxonomy of identities and a new set of legal principles, concepts and rules, granting internet users the
necessary and operational means to create, manage, control, aggregate, disaggregate and delete
various identities. Based upon such previous research, this project sets out the following objectives:
1. Translate and convert the Alter-Egos regulatory framework, namely its legal principles, concepts
and rules, into design principles and code applications. Based on privacy by design principles, the
goal is to convert the legal framework that I previously developed into a technical and operational
reality. This new technical framework will involve the construction of a multiple-identities enabling
Firefox extension, titled the Pluribus;
2. Design, launch and conduct a series of behavioral experiments in which participants will be asked
to use, test and evaluate the newly deployed Firefox extension. Through this experiment, a set of

hypotheses regarding users' privacy behavior and attitudes in a realistic multiple-identities online
environment will be verified;
3. Based on the data gathered through the behavioral experiments, provide concrete legal
recommendations and public policy options aimed at improving and modernizing existing privacy
regulatory frameworks. The idea here is to provide policy makers with the necessary evidence support
to reshape the privacy and identity current regulatory landscape. Equipped with these pieces of
evidence, the final stage of this project involves a coordinated and intense advocacy effort, promoting
the idea of a multiple-identity based online environment to policymakers and legislators.
This project is thus supported by a multidisciplinary methodological approach, which combines legal
research, legislative drafting techniques, behavioral experiments and public policy recommendations,
together with the design and implementation of new software. As an output, the Alter-Egos
envisages the construction and massive adoption of a privacy-enhancing tool that allows internet users
to freely express themselves through different online identities, along with the provision of a concrete
set of legal and policy proposals aimed at pursuing this multiple-identity vision for the free and open
web.

Background: The Alter-Egos Regulatory Framework (Theoretical Part)

For the past five years, during my doctoral and postdoctoral studies, I have developed and proposed a
fully-fledged alternative regulatory framework for privacy protection and identity management. Based
on my comprehensive and in-depth research on the sociological and legal aspects of online identity, I
presented a new approach to privacy and data protection based on the fundamental idea of
multiplicity: a regulatory framework through which the user can articulate and use different identities.
In order to develop this alternative regulatory framework, I relied on a comprehensive set of legal
theories and legislative drafting techniques. Based on these methodological tools, I developed: a) a
novel set of legal principles which constitute the backbone of the Alter Egos regulatory
framework; b) a taxonomy of different identity categories and definitions; c) a set of operational rules.
The group of legal principles derives from the overarching principle of user-centricity, and is divided
into key principles and procedural principles. The key principles reflect the application of the
fundamental values of individual autonomy to the management of digital identities, allowing users to
act through multiple identities (including anonymous ones). The procedural principles operate at a
more technical level, allowing users to keep their contextual multiple identities separate (the principle
of unlinkability) and under their effective control (the principles of negotiation, portability and
authentication source principlevi). These procedural principles derive from the principle of
technological assistance, which underlines the important complementary role of technology in
regulating digital identities.

Alter-Egos Regulatory Framework Legal Principles:

USER-CENTRICITY
procedural principles
key principles
NEGOTIATION

PORTABILITY

ANONYMITY

PSEUDONYMITY

UNLINKABILITY

TECHNOLOGICAL
ASSISTANCE

MULTIPLE IDENTITIES

AUTHENTICATION
SOURCE

Further to this set of legal principles, I also engaged a taxonomical exercise, putting forward a legal
categorization of the different forms of identity that can be associated to the individual person. The
taxonomy starts with the 'holonym' (one's master identity), which comprises all of ones possible
nyms, i.e., all aspects, elements and attributes of ones personal identity. This macro-identity is then
composed of the following forms: 'lexonyms' (civil, legal identities); 'meronyms' (attributes, partial
and contextual identities); ''endonyms' (identities created by oneself), which include autonyms,

pseudonyms (concealed identities) and heteronyms (different identities); and, finally, 'exonyms'
(external and imposed identities).

Alter-Egos Regulatory Framework Legal Taxonomy of different forms and types of identities:

Lexonyms (civil id)

Meronyms (partial ids)
Holonym
Holistic / Master
Identity

Autonym
Endonyms

Pseudonyms
Heteronyms

Exonyms (profiles)
Based on this taxonomy, I then developed a set of operational rules in order to effectively enable the
Alter Egos regulatory system to grant the individual the necessary and operational means to create,
manage, control, change, aggregate, disaggregate and delete her contextual multiple identities. The
model ensures that identity-related information should only be processed with reference to the specific
identity created by the individual person or attributed to her, and only accessed in the context of, and
by the people attached to, that identity. This new regulatory model allows the data subject to control
the links and connections between her various nyms, encompassing, in particular, the right to keep
ones pseudonym separate from another one; the right to create and uphold heteronyms; the right to
avoid ones exonym from being traced to ones lexonym; or ones meronym separate from ones
autonym, among other possible set of connections and relations. The regulatory strategy focuses not
on the information itself (surpassing the personal/non-personal dichotomy), but on the sources of
information, i.e., on the various and separate identity categories to which different streams of
information would correspond to.
In this way, this novel regulatory framework ensures respect for ones privacy and for the free
development of ones identity, mitigating most of the threats that current data collection practices
pose to individual autonomy (such as the misuse of personal information, self-censorship, behavioral
chilling effects and misrepresentation of personal identity), while allowing the user to reap the
benefits of the massive collection and processing of personal information, such as improved search
engine results and relevant targeted advertising.
Next Steps: Design and Launch of a new Firefox Extension; Behavioral Experiments; Legal and
Policy Recommendations (Empirical Part)
Following the regulatory framework established before, and based on the lessons learned during this
process, the next step of the proposed research is to develop, test and evaluate a new technical
framework that allows users to create, display and control multiple identities in an actual online
environment. This empirical phase of the project will be structured in two parts: a) the design and
implementation of a web browser plug-in / add-on allowing the creation and control over multiple
identities the Pluribus; b) the launch and conduct of a behavioral experiment in which participants
will be asked to use, test and evaluate the browsers plug-in.
1. Design and Implementation of the Pluribus multiple identities enabling Firefox extension
The Pluribus will consist of a multiple-identities enabling browser extension (add-on), through
which the regulatory principles and rules underpinning the Alter Egos regulatory strategy will be

translated and applied to the online environment. The design of the Pluribus browser will a) be
informed by research and strategies drawn from social psychology, behavioral economics, design
principles and human-computer interaction literature; b) leverage existing Mozilla open source tools,
namely the Multifox extension and the Lightbeam, developing them into a more sophisticated and
fully fledged identity management system for the web.
Pluribus will enable users to switch between multiple identities one for work, another for creative
expression (blogging, etc), another for general browsing, and another for economic purchases, for
instance within the same web navigation experience. In addition, the multiple profiles feature will
allow the user to associate a specific identity with a specific set of browser windows, rather than with
an entire running instance of Pluribus. In allowing different windows to run as different Pluribus
identities, the user will be able to have different open windows associated with different identities,
and correspondingly different sets of preferences, cookies, apps, bookmarks, and so on -- all those
elements which are bound to a specific users identity. Through these specific identity-browser
windows, users will then be able to navigate and visit different websites under different identities. It is
important to note that the Pluribus will present features and functionalities that go far beyond the
Multifox or other existing web identity management tools. The Multifox extension, which allows
users to sign into multiple accounts for the same online service (e.g., 2 separate Gmail accounts)
within the same browser, assigns each identity profile to a number (placed in a blue square at the end
of the Address Bar). The Pluribus will allow for detailed customization of different identities,
assigning each one with different logos and images, as well as with their own IP address, keeping
them truly separate from one another (that is, non-linkable). Furthermore, the Pluribus will run
different instances of the Lightbeam to each online identity created, enabling users to see the first and
third party sites that each of their identities interact with on the Web. This feature will provide internet
users with an extra layer of control over their personal data.
While typical browsers operate under a single-identity condition, displaying the same IP address to all
interactions made through that browser (fact which allows for all different types of data arising
through our browsing of the web to be combined to create unique fingerprint of our browser ); the
Pluribus will implement an unprecedented technical way of creating and separating different online
identities, generating different (and permanent) IP addresses for each identity created and used, and
securing moreover the unlinkability between them. The "Pluribus" add-on, inspired by privacy
and identity design principles, will be important not only as an example of how to technically
implement the Alter-Egos framework, but also as a departure point to the implementation of a reconceptualized Internet identity layer and to the development of trustworthy user-centered data
ecosystems. In effect, and along the lines of the so-called Personal Data Management (PDS) and
Vendor Relationship Management (VRM) initiatives, the primary objective of the Pluribus browser
will be to endow individuals with easier access to and control over information about them. The
browser will also help to achieve a more desirable balance between information disclosure and
protection. The Pluribus, as a new technology, will offer individuals new opportunities and practical
options to participate in the protection of their privacy. In effect, the Pluribus will be much more
than a mere web browser; it will amount to a sophisticated identity management system, which will
include reputation management tools, privacy dashboards, anonymous and pseudonymous routing
series, amidst many other features and capabilities.
2. Launch and conduct of behavioral experiments
This phase of the project encompasses the design and launch of an online behavioral experiment in
which users will be asked to use and test the Firefox extension as their entry gate to the Internet.
The objective of this phase is not only to empirically test the feasibility and degree of acceptance of
the Alter-Egos technical framework, but also to measure and understand the participants privacyrelated attitudes, perceptions and behaviors in a multiple-identities online realistic setting. The goal of
this phase is to determine to which extent multiple-identities strategies prove more effective than
single identities at affecting users privacy-related attributes and behaviors and, in particular, at
enabling a less privacy concerned but more protective web navigation / interaction. This will be done

by comparing the web navigation / interaction patterns and datavii obtained through participants use of
standard web browsers (control group) with the ones attained through participants use of the
multiple-identities enabling Pluribus Firefox extension (experimental group).
In terms of methodology, this phase of the project will be based on behavioral sciences research
theories and findings, as well as on previous and successful behavioral experiments conducted in the
domain of online privacyviii.
In the second part of the experiment, participants will be asked to complete a questionnaire, divided
into two parts: the first part about the overall quality, accessibility and user-friendliness of the web
browser; and the second part about users feelings, perceptions, motivations and other observations
regarding their experience of navigating on the web via this new browser, as well as their reasons for
engaging in certain internet behaviors. The basic idea is to attain a better understanding of users'
privacy-related behaviors, perceptions and attitudes in multiple identity contexts, and namely to what
extent different contextual identities influence and change their behaviors and perceptions (vis--vis
single identity focused environments).
Through this behavioral experiment, we will develop, test (and then verify) the following list of
hypotheses:

H.1 Control group participants will demonstrate low personal disclosure and high privacy
concern;
H.2 Experimental group participants will demonstrate high personal disclosure and low
privacy concern;
H.3 Experimental group participants will make more online purchases than control group
participants;
H.4 Experimental group participants will engage more often in socially stigmatized behaviors,
such as downloading pirated music and movies than control group participants;

3. Policy and Legal Recommendations

The objective of this phase of the project is to streamline and convert the body of knowledge
produced in the previous phases (construction of a new and alternative technical framework for
identity management, behavioral experiment and understanding of human privacy behavior and
attitudes under an online real setting of multiple identities) into concrete legal and policy
recommendations aimed at improving the current and forthcoming privacy and online identity
regulatory frameworks. In this way, this last phase of the project seeks to bridge and introduce the
theoretical and empirical studies conducted throughout the project to concrete policy and law-making
processes. The idea here is to provide policy makers with the necessary evidence support to reshape
the privacy and identity regulatory landscape.
In particular, we will present the proposed Alter Egos regulatory framework and the lessons learned
from its experimental and empirical study as input to forthcoming legislative and policy-making
processes. We will thus focus on the actual policies needed to underpin the Alter Egos framework
and on the legal steps that will need to be introduced in order to implement it. Equipped with these
pieces of evidence, this phase of the project involves a coordinated and intense advocacy effort,
promoting the idea of a multiple-identity based online environment to policymakers and legislators.
i In a recent report entitled Future Identities. Changing identities in the UK: the next 10 years, the UK government has sought to
understand our contemporary expression of the self and, perhaps unsurprisingly, the findings indicate that we are what we tweet (or post,
like, tag and pin for that matter). The report draws evidence from a myriad of academic disciplines to suggest that social media is driving
radical transformation in human identity. See Foresight Future Identities (2013) Final Project Report, The Government Office for Science,
London.
ii In effect, the Seoul Declaration for the Future of the Internet Economy (2008) has called for the OECD to review the 1980 OECD Privacy
Guidelines in light of changing technologies, markets and user behavior and the growing importance of digital identities (emphasis
added by the author).

iii The European Unions Information Society Technologies Program Advisory Group (ISTAG), in its 1999 vision statement, coined the
term ambient intelligence (AmI) to portray the image where people will be surrounded by intelligent and intuitive interfaces embedded in
everyday objects around us and an environment recognizing and responding to the presence of individuals in an invisible way (see ISTAG,
Orientations for Work programme 2000 and Beyond, 1999). Denominated also by the terms Internet of Things, Every ware or
Ubiquitous, Pervasive, Proactive and Autonomic Computing, Ambient Intelligence constitutes a vision of a future technological
ecosystem; an idea of an aspiring reality automated, intelligent, imperceptible, and omnipresent; a foreseeable future stage in which the
internet, as we know it in the shape of a network of computers -, will gradually envelop the physical environment, distributing the
technological focus and its computing power from computers to an infinite multiplicity of everyday objects (see Norberto N.G. de Andrade,
Technology and Metaphors: from Cyberspace to Ambient Intelligence, in Observatrio (OBS) Jornal, 2010, vol.4, issue 1. Pp. 121-146).
iv Big data may be defined as high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms
of information processing for enhanced insights and decision making, in www.gartner.com/it-glossary/big-data/
v Norberto Nuno Gomes de Andrade, "The Right to Personal Identity in the Information Age. A Reappraisal of a Lost Right." (European
University Institute, 2012).
vi As Jones and Martin observe: [t]he issue of what we consider to be the identity of a person has become increasingly complex as we have
made ever greater use of the facilities and services that have been made available by developing technologies and the Internet. In the past,
people normally had one identity, while in the current environment it is acceptable to maintain separate identities for different aspects of
our online interactions (Andy Jones and T. Martin, "Digital Forensics and the Issues of Identity" Information Security Technical Report
(2010): 1).
vii Posner, Richard A. "Are We One or Multiple Selves? Implications for Law and Public Policy." Legal Theory, no. 3 (1997): 23-35.
Nissenbaum, Helen. "Privacy in Context: Technology, Policy, and the Integrity of Social Life, Stanford Law Books, 2009. Leenes, R.E.,
Context is everything: sociality and privacy in Online Social Network Sites, in: M. Bezzi, P. Duquenoy, S. Fischer -Hbner, M. Hansen, G.
Zhang (eds.): Privacy and Identity, IFIP AICT 320, Heidelberg, Berlin, New York: Springer, 2010, pp. 48-65. Berg, B. van den, & Leenes,
R.E. (2011). Keeping up appearances: Audience segregation in social network sites. In S. Gutwirth, Y. Poullet, P. de Hert, & R. Leenes
(Eds.), Computers, privacy and data protection: An element of choice (pp. 211-232). Dordrecht | Heidelberg: Springer. Hildebrandt,
Mireille. "Privacy and Identity." In Privacy and the Criminal Law, edited by Erik Claes, Antony Duff and Serge Gutwirth, 43-57.
Antwerpen: Intersentia ; Oxford : Hart Pub. [distributor], 2006. Norberto N. G. de
Andrade, "The Right to Personal Identity in the Information Age. A Reappraisal of a Lost Right." (European University Institute, 2012).
viii Ricoeur, Paul. Oneself as Another. Chicago: University of Chicago Press, 1992. Lvy, Pierre. Becoming Virtual : Reality in the Digital
Age. New York: Plenum Trade, 1998. Kaufmann, Jean-Claude. L'invention De Soi : Une Thorie De L'identit, Collection Individu Et
Socit. Paris: Armand Colin, 2004. Giddens, Anthony. Modernity and Self-Identity. Self and Society in the Late Modern Age Stanford:
Stanford University Press, 1991. Richard David Precht, Who Am I? And If So, How Many? (Constable & Robinson Ltd, 2011)
ix James, William. Principles of Psychology, Dover Publications, Reprint edition (1950). EM Donahue et al., The Divided Self: Concurrent
and Longitudinal Effects of Psychological Adjustment and Social Roles on Self-Concept Differentiation, Journal of Personality & Social
Psychology 64, no.5 (1993). Carter, Rita. Multiplicity: The New Science of Personality, Identity, and the Self (New York: Little, Brown &
Co., 2008).
ix. LeDoux, Joseph E. Synaptic Self : How Our Brains Become Who We Are. New York: Viking, 2002.
x Schelling, Thomas C. "Self-Command in Practice, in Policy, and in a Theory of Rational Choice," American Economic Review 74, no. 2
(1984). Akerlof, George A. & Kranton, Rachel E., Identity Economics: How Our Identities Shape our Work, Wages and Well -Being,
Princeton University Press, 2010.
xi Pessoa, Fernando. "Letter to Adolfo Casais Monteiro: About the Genesis of the Heteronyms." (1935). Pirandello, Luigi. Uno, Nessuno E
Centomila. Milano: Garzanti, 2009.
xii Goffman, Erving. The Presentation of Self in Everyday Life. Garden City, N.Y.: Doubleday, 1959. Goffman, in his dramaturgical study
of the self, argued that every individual person comprises many different identities.
xiii This methodological structure follows, with adaptations, the one proposed and established by Hynes and Bishop. See Hynes, A. and
Bishop, P.C. (eds.) Thinking about the Future: Guidelines for Strategic Foresight, Social Technologies, 2007. Bishop, P.C. an d Hynes, A.
Teaching about the Future: The Basics of Foresight Education, Palgrave Macmillan, 2012. This structure, moreover, encompasses a series of
foresight methodologies and tools that have been successfully used by the foresight community of scholars and experts. For an executive
overview of each of these foresight methods history, description, primary and alternative usages, strengths and weaknesses, and use in
combination with other methods, see Glenn, J. and Gordon, T. (eds.) Futures Research Methodology, Version 3.0, Millennium Project,
2009.
xiv The scanning exercise will also take into account the potentially disruptive impacts of emerging technologies, such as big data and the
development of the already mentioned Ambient Intelligence.
xv See Porter, A.L. and Detampel, M.J. Technology opportunities analysis, in Technological Forecasting and Social Change, Vol. 49,
Issue 3, 1995, pp. 237-255.
xvi Regarding the interviews and consultations with top experts and professionals envisaged in the state-of-the-art assessment and scanning
phases, they will be conducted at the same time.
xvii R. Bill and Wilson, I., The Scenario Planning Handbook, Thomason, 2006Hines, & Collins, The Current State of Scenario
Development. Schwartz, P. The Art of the Long View, Doubleday, 1996.
xviii [T]his principle implies that for each given attribute (piece of identity data), one and only one source is considered to be authentic, i.e.
correct (Graux, Majava, and Meyvis, "Eid Interoperability for Pegs - Update of Country Profiles - Analysis & Assessment Report," 112.)

xix Rates of click-through, websites visited, eCommerce purchases, time spent on the web, chats and forum used, social networking
activities, etc.
xx Namely the experiments conducted by Alessandro Acquisti, Spiekerman and Ryan Calo.
.
xxi The IA, moreover, is now compulsory for major policy and legal proposals. See ALLIO, L. 2010. Keeping the Centre of Gravity Work:
Impact assessment, Scientific Advice and Regulatory Reform. European Journal of Risk Regulation, 76-81.

In a recent report entitled Future Identities. Changing identities in the UK: the next 10 years, the UK government has sought to
understand our contemporary expression of the self and, perhaps unsurprisingly, the findings indicate that we are what we tweet (or post,
like, tag and pin for that matter). The report draws evidence from a myriad of academic disciplines to suggest that social media is driving
radical transformation in human identity. See Foresight Future Identities (2013) Final Project Report, The Government Office for Science,
London.
ii

In effect, the Seoul Declaration for the Future of the Internet Economy (2008) has called for the OECD to review the 1980 OECD Privacy
Guidelines in light of changing technologies, markets and user behavior and the growing importance of digital identities (emphasis
added by the author).
iii

The European Unions Information Society Technologies Program Advisory Group (ISTAG), in its 1999 vision statement, coined th e
term ambient intelligence (AmI) to portray the image where people will be surrounded by intelligent and intuitive interfaces embedded in
everyday objects around us and an environment recognizing and responding to the presence of individuals in an invisible way (see ISTAG,
Orientations for Work programme 2000 and Beyond, 1999). Denominated also by the terms Internet of Things, Everyware or
Ubiquitous, Pervasive, Proactive and Autonomic Computing, Ambient Intelligence constitutes a vision of a future technological
ecosystem; an idea of an aspiring reality automated, intelligent, imperceptible, and omnipresent; a foreseeable future stage in which the
internet, as we know it in the shape of a network of computers -, will gradually envelop the physical environment, distributing the
technological focus and its computing power from computers to an infinite multiplicity of everyday objects (see Norberto N.G. de Andrade,
Technology and Metaphors: from Cyberspace to Ambient Intelligence, in Observatrio (OBS) Jornal, 2010, vol.4, issue 1. Pp. 121-146).
iv

Big data may be defined as high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms
of information processing for enhanced insights and decision making, in www.gartner.com/it-glossary/big-data/
v

Norberto Nuno Gomes de Andrade, "The Right to Personal Identity in the Information Age. A Reappraisal of a Lost Right." (European
University Institute, 2012).
vi

[T]his principle implies that for each given attribute (piece of identity data), one and only one source is considered to be authentic, i.e.
correct (Graux, Majava, and Meyvis, "Eid Interoperability for Pegs - Update of Country Profiles - Analysis & Assessment Report," 112.)
vii

Rates of click-through, websites visited, eCommerce purchases, time spent on the web, chats and forum used, social networking activities,
etc.
viii

Namely the experiments conducted by Alessandro Acquisti, Spiekerman and Ryan Calo.