The Challenge of Authentic Identity

This morning, I got into a bit of a debate with my friend Duane, the result of a comment about how we need to find a way to tone down the rhetoric and prominence of racist shitheads and state-sponsored lies that are conniving to ruin online civility.

Now, I’m old. Well, “old” to anyone born after 2000. Which seems really, really strange to me, only because it’s both not that long ago and holy crap it’s been over 20 years?! ago. But it means I’ve also experienced the internet when the worst thing we had to deal with was the odd self-important moron who stepped into a newsgroup and intentionally started a fight for shits and giggles.

Back then, people were known by their email addresses, given to them by their companies or their universities. It was difficult to get access to the internet otherwise (home dial-up wasn’t quite yet a thing). Even when the telecommunications companies stepped into the mix, offering email accounts as a part of your (extremely paltry) home dial-up, you usually got saddled with something that still pointed to a real person, because you couldn’t get more than one address and you didn’t want to mess it up.

Then came AOL. Suddenly, you could sign up with whatever email address you wanted. You could, in fact, have several. You could hide. Hotmail and Yahoo! and Gmail and and so many others all did the same thing, requiring next-to-no validation for creating email addresses. (I know; I’ve had accounts with multiple services over the years.) The requirement for an email address to equate to a real person waned, quickly.

Social media only made things worse. While Facebook did try at the beginning to encourage people to be honest and truthful about themselves, things went decidedly sideways. The only time you must provide any kind of hard identification is if you’re using Facebook Business Manager and you haven’t been on the platform for years. Twitter is so full of numbered accounts that even the blue checkmark is turning into an accoutrement rather than an assurance.

Getting back to the opening statement: how do we know when we’re dealing with a real person? How do we filter out the fake accounts (and fake news) that embolden people who really shouldn’t be making targets of themselves with their vitriole? How do we return some level of sanity to the internet?

We would need some way to absolutey and unquestionably know who is behind an account.

Read that, then re-read it. It means that there’s no place to hide. Right now, we have the equivalent of a free-for-all, where you are allowed to do pretty much anything you want without repurcussion (except, maybe, threaten heads of state) because there’s no certainty that it’s actually you. Take a bunch of accounts saying horrible, evil things – whether or not it’s real people behind them saying what’s truly on their mind – and even the real people who’ve kept their heads down and avoiding saying horrible, evil things will start to feel empowered to say such things. That empowers others, and before you know it the world is seemingly full of horrible, evil people. But it isn’t – the few are empowered by unknowns, egged on with false confidence and assurance that there are people who will support and defenc them if things turn ugly. And, certainly in the last couple of years, that’s been the truth – the horrible, evil people will come out of the woodwork because they think they’ve got support.

So imagine that everything you say, everything you do, every act you take online is directly attributable to you in the real world. No place to hide, no place to escape.

One way to do that, like Facebook Business Manager attempts, is to provide a scanned image of your government-issued identity card to your account’s provider. Now, if you’re in any way aware of privacy concerns, this should be sending a chill up your spine, if not soiling your underwear. Who sees that information? What’s to prevent them from copying it and using it for nefarious purposes? Facebook isn’t exactly known for being transparent and forthright on a good day, let alone what happens to information like this. Now, are you going to do this for every account you have? Might as well kiss your identity good-bye, you’ll never be able to control it after that.

We could consider a centralized service that provides authenticity, much like how ICANN (originally) defined the core systems that provided authenticity for the Domain Name System (DNS). In theory, you’d have a single organization that says: “Yes, you can trust that this is a legitimate person”. (Whether they’re acting well or not is irrelevant in this context, but at least you’ll know it’s ot a bot or a secondary troll account). This organization would manage and verify identities and assure authenticity. But even if it’s a non-profit (or not-for-profit) organziation, who ultimately owns and funds it? Whose laws do they follow? What’s to prevent other organizations from copying it and diluting the idea, or invalidating it by producing completely false information?

When you think about it, having any non-governmental agency prove that you are who you say you are is ridiculous. Because the government has already done that: you have a birth certificate and almost certainly a social security number of some kind. (Whether or not you have a drivers license would be secondary, since you technically don’t need either of them to be identified.) So why wouldn’t we have a government agency, one per country, provide such an authenticity service? Provided there’s a commonly-used request/response – defined through, say the International Organization for Standardization – we could easily implement “IsThisPersonReal” functionality.

Except.

That assumes the Government in question is acting honestly. For the vast majority of people in most responsible countries, it would probably work. But what about military-driven countries or ones with significant spy networks? And then there’s places like North Korea and Russia that have extremely poor reputation online for aggressive and criminal activity, which suggests that their authenticity service would be less trustworthy than others. And then there’s the potential erosion through influence and power that the rich often wield, wishing to protect their activities.

Maybe governments aren’t the right approach. What if we go to the opposite end of the spectrum, where authenticity is distributed across the planet, there’s no one agency, no one government in control of the “proof”. Yes, this where blockchains would rear their heads as a potential solution: effectively unalterable as (we assume) the majority of the world wishes for legitmacy and would deny updates with invalid information. But that would also place people’s private information in the hands of bad actors worldwide; even if the information were encrypted, the sheer nature of blockchains and open source software says that anyone could implement a decryption with minimal effort.

Not great options, are they?

We’re left with the problem of misinformation and deliberate hatred, uncontrolled and directed at the world. There are people who wish to see nothing more than the destabilization and collapse of society for … someone’s benefit? If ever there were a conspiracy theory about someone trying to take over the world, this might be a good argument for it.

However, we are regrettably left with the truth: the disenfranchised and uninformed are encouraged to act in ways that ultimately benefit those in control of the messages who are financially benefitting from discord. And until that balance is fixed, we will not have authenticity.