The difficulty of proving who you are

So, who are you, and how can you prove it?

One of the biggest issues that campaigns such as Reclaim the Internet parade in their banners is the protection that anonymity affords on the internet. Force users to be associated with a proven identity, they claim, and a lot of abuse and other problem behaviour will vanish. Some have gone so far as to claim that a government-issued identity ‘number’ should be a major and effective tool in combatting abuse.

Paul Bernal has already pointed out that requiring ‘real names’ hurts the victims even more than the abusers, in preventing those who have been victims of abuse or stalking, whistleblowers, and others, from having any protection.

But there is an even bigger and deeper problem here: how do you prove that you are who you say you are?

If you use Twitter, Facebook, or any other ‘social media’, you will be only too familiar with the remarkable ability of some to assume the identity of others. The other day, I was surprised (and very concerned) to see that someone called Donald Trump had retweeted one of my tweets, until I discovered that it was, of course, not the Donald Trump who is campaigning to run for the US Presidency. I frequently see friends on Facebook warning that someone else is using an account which purports to be theirs – something that seems to bedevil the service.

For most systems, all you need to open an account is an email address or phone number. And we all know how easy it is to get those. Even if a system claims to require your real name, it doesn’t take a great deal of effort to create an account in almost any name that you care to choose, and so long as no one challenges your use of that name, you can keep it for as long as you like.

So why don’t governments issue ‘internet identities’ which can be used to prove who you say you are?

Some governments are moving in that direction, at least for the services which they provide. Online tax filing systems are a good, and fairly widespread example. But they only apply to a small section of the population with whom the government department already has a very close relationship, and cannot be extended more generally.

An example of a well-established framework for establishing identity for government purposes is given in the UK government’s guidance for applications for its Disclosure & Barring Service. This service provides employers and others with information about the individual’s criminal and other records. Proof of identity for such applications is based solely on physical objects, such as a passport, driving licence, etc., and is very elaborate and costly, as detailed.

Similar processes for the issue of passports and other identity documents are lengthy, complex, and expensive.

The UK government has set up GOV.UK Verify, a system primarily intended to verify identities for government services, such as filing tax returns. Identity verification for this is being performed by third party contractors, who typically require physical documents (or details of them) such as a valid UK passport and driving licence, UK bank account details, and financial statements which can be checked with a credit reference agency. Again, these are restrictive, complex, and expensive.

Don’t we all have social security or similar numbers already?

Yes, and they are regularly stolen in very large quantities. DataBreaches lists many of the most significant inadvertent releases and thefts of personal information, and demonstrates that no simple form of identity is in the slightest bit secure or reliable. Furthermore, validation of government identity numbers requires access to government computer systems, which adds cost and privacy concerns.

What about security certificates – surely they’re secure?

Anyone can purchase security certificates from very many providers across the world. Although the mechanisms which validate such certificates are secure, there is no single robust process which could associate a certificate owner with any personal identity.

The system, and its Certificate Authorities, handles millions of certificates; Facebook currently has well over 1.5 billion active users, and Twitter has more than 300 million. The existing system would never be able to handle the issuing of so many security certificates, let alone the burden of checking the identity of each applicant.

The more that you think about it, the more difficult it becomes to prove your identity in a way which is quick, simple, free (or nearly so), universally-applicable, but not open to abuse. Unless it is all those, the major social media would not accept the system anyway, as it would drastically reduce their user numbers, and seriously damage their business.

So the next time that someone starts to preach that verified identities will solve the problem of online abuse, and ‘reclaim the internet’, just ask them to prove online that they are who they claim to be.