A Date with Identity – Dave Birch

Written by editor,

A great many years ago, long before the Internet, the media theorist Marshall McLuhan said that in the always-on interconnected future there would be new ways to be evil that we hadn’t thought of before. This prediction seems to have come true in spades at the intersection of social media and democracy, where Twitter, Facebook and the others are waging a war against bots. It’s a serious issue and something needs to be done. But what? The noted entrepreneur Mark Cuban caused some debate on this topic earlier in the year saying that…

“It’s time for @twitter to confirm a real name and real person behind every account, and for @facebook to get far more stringent on the same. I don’t care what the user name is. But there needs to be a single human behind every individual account .”

Mark Cuban (@mcuban)

January 28, 2018

He’s wrong about the real name, because anyone familiar with the topic of “real” names knows perfectly well that they make online problems worse rather than better. He’s right about the real person though. Let me use a specific and prosaic example to explain why this is and to suggest a much better solution to the bot problem: Internet dating.

Internet dating is at the sharp end of digital identity. It is rife with fraud and a laboratory for experimenting with issues around anonymity and pseudonymity, it is a mass market for identity providers and it is a better test of scale for an identity solution that logging on to do taxes once every year. Now, I am not the only person who thinks this and there are already companies exploring solutions. And you can see why they want to: online dating is a huge business. A third of the top 15 iOS apps (by revenue) were dating apps.

So, how to bring the benefits of digital identity to this world. One way not to do it is that Mark Cuban way of requiring “real” names. It’s already been tried and found wanting. The dating platform OKCupid announced it would ask users to go by their real names when using its service (the idea was to control harassment and promote community on the platform) but after something of a backlash from the users, they had to relent. Why on Earth would you want people to know your “real” name? That should be for you to disclose when you want to and to whom you want to.

In fact, this is a good example of a transactional environment where the necessity to present a real name will actually prevent transactions from taking place at all, because the transaction enabler isn’t names, it’s reputations. And pretty basic reputations at that. Just knowing that the apple of your eye is a real person is probably the most important element of the reputational calculus central to online introductions, but after that? Your name? Your social media footprint? (Look at the approach of “Blue”, https://www.theguardian.com/commentisfree/2017/jul/27/online-dating-twitter-unverified-app-blue-tick.)

If I were to be on an Internet dating site, I would want the choice of whether to share my name, or Twitter identity, or anything else with a potential partner. I certainly would not want to log in with my “real” name or any information that might identify me. This environment does not need “real” names at all. “Real” names don’t fix any problem. Your “real” name is not an identifier, it is just an attribute and it’s only one of the elements that would need to be collected to ascertain the identity of the corresponding real-world legal entity anyway. Frankly, presenting “real” names will actually make identity problems worse rather than better since the real name is essentially nobody’s business and is not necessary in order to engage in the kinds of transactions that are being discussed here. Forcing the use of real names will mean harassment, abuse and perhaps even worse.

What internet dating needs, and what will solve Mark Cuban’s social media problem as well, is the ability to determine whether you are a person or a bot (remember, in the famous case of the Ashley Madison hack, it turned out that almost all of the women on the site were actually bots). On Twitter it’s not quite that bad yet, because there are still many people posting there, but with bot networks of 500,000 machines tweeting and re-tweeting it is not in good shape. The way forward is surely not for Twitter to try and figure out who is a bot and whether they should be banned (after all, there are plenty of good bots out there) but Twitter to give customers the choice. Why can’t I tell Twitter that I don’t want bot followers, that I want a warning if an account I follow is a bot, that I don’t want to see posts that originated from bots that I don’t follow and so on. Just as with internet dating, the problem is not real names but real people.

Now, working out whether I am a person or not is a difficult problem if you are going to go by reverse Turing tests or Captchas. It’s much easier to ask someone else who already knows whether I’m a bot or not. My bank, for example. So, when I go to sign up for Internet dating site, then instead of the dating site trying to work out whether I’m real or not, the dating site can bounce me to my bank (where I can be strongly authenticated using existing infrastructure) and then the bank can send back a token that says “yes this person is real and one of my customers”. It won’t say which customer, of course, because that’s none of the dating site’s business and when the dating site gets hacked it won’t have any customer names or addresses: only tokens. This resolves the Cuban paradox: now you can set your preferences against bots if you want to, but the identity of individuals is protected.

One of my acid tests of whether a digital identity infrastructure is fit for the modern world is whether it can offer this kind of strong pseudonymity (that is, pseudonyms capable of supporting reputations). If we can construct an infrastructure that works for the world of internet dating, then it can work for cryptocurrency, cars, children and all sorts of other things we want to manage securely in our new always-on environment. We have to fix this problem, and soon, because in the connected world, if you don’t know who IS_A_PERSON and who IS_A_DOG and who is neither, you cannot interact online in a functional way.

Author: Dave Birch is an author, advisor and commentator on digital financial services and a member of the EEMA Board of Management

2 thoughts on “A Date with Identity – Dave Birch

  1. Hi Dave
    There’s some good and clear thinking here. I agree about the importance of knowing you’re interacting with real people, and the futility of trying to use real names.
    However I wonder whether our ability to distinguish between bots and people sufficiently for dating websites to be viable will always be strong enough to preserve transactional integrity for all those other purposes you’ve listed. AI is getting better all the time at impersonation and will surely continue on that trajectory. But it seems to me the ultimate reason why it really matters whether an actor can be proved to be a bot or a person (irrespective of the nature of the service) is that criminal sanctions are ineffective against bots unless law enforcement can prove who controls the bots and bring them to justice. Asking the banks to verify “liveness” is looking like a short term solution only, as presumably bots will soon have bank accounts, if they don’t already.
    I admit I don’t have an alternative suggestion. But I wonder whether in the longer term there will be a role for Government to help assure real living identities online, albeit that line of thinking is not in fashion just now and we all want to find another way if we can.

  2. I agree to some extent – certainly there is no such concept as a “real name”.
    When I speak on this I try to distinguish between “Identity”, which can be anything – but normally provable by things like biometrics, passports, birth certs, etc., but we all know they can all be faked.
    I use the concept of “persona(e)” to describe the face of your identity you use in a particular context – i.e. there is the you who is a spouse, the you at work, the you on the rugby pitch, the you on a dating site, the you…
    Then there is an “authority” that goes with each persona – “he has the right username/password, so we will give access to the system”; “he has the right key, so we will let him into his car”.
    Then authorizations – “he is a firefighter, but is he allowed to drive the fire engine?”; “RO vs RW access to specific data”.
    Hope that is a useful addition to the discussion.

Comments are closed.

Please note, your comment will only be shown once we have approved it. Please be respectful of other people's views.