The press, the blogosphere, CircleID - everybody has been discussing Craig Mundie’s comment on the need for an “Internet Driver’s License”.

Most of the reaction has been from privacy advocates fearing that this is simply another way to kill anonymity on the Internet. Oh well… that’s the usual set of reactions.

Now… the fun part is, a driver’s license also shows that you have the competence to drive. So, Mundie seems to have been expressing the idea that it’d be great to train people in using the internet productively and safely, before actually letting them on the internet.

As Mundie put it —

“If you want to drive a car you have to have a license to say that you are capable of driving a car, the car has to pass a test to say it is fit to drive and you have to have insurance.”

Susan Brenner on CircleID did say something about K12 students having to display their licenses online having been trained in using the Internet safely and responsibly, and that licenses could be revoked for inappropriate use of the Internet.

She then went on about how a license wouldn’t be very useful or effective in an open, unstructured internet.

If she’d googled back for some older history she’d have found that Mundie was simply channeling a trope that’s over a decade old. It isn’t something that he came up with all by himself.

The concept of an “internet driver’s license” is an old usenet trope—dating back to the time when people spoke of an “eternal september” (referring to when, earlier, newbies would only come into usenet every september as the term opened in colleges, but after 1993 and aol, compuserve, juno etc, more and more people entirely new to the Internet kept coming in, in droves, exasperating the regulars on mailing lists and usenet groups). The concept of needing a driving license to use the internet was a running joke that dated back to the same period.

My good friend and maawg senior tech advisor Joe St.Sauver (of UOregon, EDUCAUSE, etc etc etc) put the need for a driver’s license in a much more security aware context back in 2007 —

There’s nothing inherently wrong with offering people a quick training course in using the internet safely and responsibly when selling them an internet connection. Several ISPs already distribute videos on install CDs and maintain support FAQs, online help forums etc.

The smaller ISPs (such as the community internet / freenet networks that are sadly dying out these days) used to reach out much more actively to their local userbase with face to face training courses. People new to the network in a university or a corporation routinely do receive a quick security briefing on safe and acceptable use of the Internet.

Yes - the concept of revoking an internet driver’s license does seem unworkable, doesn’t it?

There’s something called a Walled Garden, that’s quickly becoming established network security practice.

If there’s a computer on a network (whether an office network, or a large ISP’s DSL pool) that’s infected and emitting malicious traffic, it can be detected, and once detected, moved into what is called a “walled garden”—a safe area or sandbox from where the user can only access the ISP helpdesk pages, windows update and antivirus update servers, till such time as he clears up the infection on his PC and either automatically releases himself from the walled garden by clicking a button (which can happen the first two or three times) or calling the ISP’s helpdesk to let him out.

Several large DSL networks have already implemented this, and MAAWG has a best practice document that recommends it, along with other measures to mitigate botnet infections on a ISP network.

Two documents from the OECD and the ITU put this into context, discussing the threat posed by malware, and the political/administrative, technical and social measures needed to mitigate it. They both cite the MAAWG best practice documents, by the way.

I’ll conclude by saying that a lot of this is simply to protect the ISP’s users from the personal consequences (ID theft, phishing etc) of an infection on their PCs, as well as to protect the ISP’s other users as well as the internet at large from the malicious traffic emitted by malware.

Note to some people reading this: Thank you. Yes, I’ve heard the Ben Franklin quote about sacrificing liberty for safety. I’ve also heard the Pastor Neimoller quote about “first they came for ...” (though I always think people who use that quote have automatically lost their argument, having violated Godwin’s Law by comparing the other side to the Nazis). I’ll still stand by what I said. Thank you.