Tactical Information Systems
Biometric Identification Software

Identity & Technology

Tactical Information Systems Blog

Online Identity Verification

One of the tropes in the field of identity is "I need to know you are who you say you are". This phrase has always bothered me and it's not really true. People don't want to know who people are (online anyway). They want to know that they can be held accountable if they behave badly. Anonymous people behave badly - we've all seen this. It's so prevalent that people are now writing books on public shaming.

But let's say someone contacts me online and says he is Bill Gates. And then he has documents to prove he is who he says he is - his name is actually Bill Gates. Well, if he is Bill Gates the former CEO of Microsoft, then that is very interesting and I will certainly make time for him. But if he is just one of the many people named Bill Gates then the fact that he can prove he is Bill Gates is not all that valuable.

I hope I am this happy if I get arrested.

When someone says "I want to know you are who you say you are" they don't usually mean that literally. That's why online identity verification is hard. There is always some other implied condition in that statement. I would contend that the statement really means "Are you going to hurt me or my community?" where "hurt" is context-dependent. For a merchant, hurt is a chargeback or credit card fraud; for a dating site it might be defrauding other members; for an online discussion group it might mean being rude to other members.

Effectively, it means "Is there some way I can hold you accountable for your actions?" Identity is a proxy for accountability. If I don't know who you are, then I can't hold you accountable. Anonymous people cannot be held accountable for anything, which is why there is no trust online.

Buy an anonymous mask and fight corporate power!

When my co-founder and I worked in Iraq helping them develop a modern identity system, we ran into this problem. How do you establish an identity for someone without a foundation in place to build on? In the US, our identity is founded on the notion of a birth certificate from an authoritative source. Every other aspect of identity flows from that. It is not perfect, but it works pretty well. Iraq didn't have anything quite like that. But we used biometrics as a way to "fix" identity. With biometrics, names and documents aren't quite so important.

The basic idea is that you fix an identity once you use biometrics to establish it. In Iraq, we didn't have a way to validate that someone actually owned the name they claimed. But once they established biometrics tied to a name, that is all you need. From that point forward, they are tied to that name. The biometrics actually establish the identity (and uniqueness) - the name is just a convenient label.

Even a solid credential doesn't tell you anything about the person

Our new selfie authentication product works the same way. When you use our online identity authentication you are providing two biometrics - a face and a voice sample. These are both strong biometrics, and used together they also provide liveness detection - we know you aren't using some pre-recorded video or stock photograph. In effect, you are fixing your identity when you authenticate, but we don't actually care or need to know what label you are associating with that identity. We don't really need to know anything about you at all. That preserves your privacy. We just need to know that you only have one identity in our system. It turns out "one identity" is the most important part of a system, not the random labels we associate with that identity.

When we authenticate someone, we can't promise they will behave "properly" because all we are doing is fixing an identity. However, we can ensure that they will only behave improperly once in any particular context. That's because of the one-identity function. If you want to ban them from your online community you can do that and they can't come back with another identity. Scammers are able to operate with impunity because they can continually create new identities and re-use scams. Good people, on the other hand, can use their one-identity to build up a positive reputation.
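
The one-identity function described above, sketched as an added example (not Tactical Information Systems' code): enrolment runs a 1:N search so a returning person resolves to the same opaque ID, and bans are keyed on that ID per context rather than on any label. The class name, the cosine-similarity matcher, the 0.95 threshold and the sample templates are all assumptions constructed for illustration; liveness detection is out of scope here.

```python
import math
import uuid

MATCH_THRESHOLD = 0.95  # assumed similarity cut-off, not a vendor value

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

class OneIdentityRegistry:
    """Hypothetical registry: templates live under opaque IDs, labels are never stored."""

    def __init__(self):
        self.templates = {}  # identity_id -> enrolled template
        self.bans = set()    # (context, identity_id) pairs

    def resolve(self, template):
        """1:N search: return the existing ID for this person, else enrol a new one."""
        best = max(self.templates,
                   key=lambda i: cosine(template, self.templates[i]), default=None)
        if best is not None and cosine(template, self.templates[best]) >= MATCH_THRESHOLD:
            return best
        new_id = uuid.uuid4().hex
        self.templates[new_id] = template
        return new_id

    def ban(self, context, identity_id):
        self.bans.add((context, identity_id))

    def admit(self, context, template, label):
        """The label is whatever the user claims; it plays no part in the decision."""
        return (context, self.resolve(template)) not in self.bans

# Constructed sample templates (not real biometric data).
SAM_FIRST = [0.91, 0.10, 0.33, 0.72]
SAM_AGAIN = [0.90, 0.12, 0.31, 0.73]  # same person, fresh capture
ALEX = [0.15, 0.88, 0.64, 0.05]       # a different person

def demo():
    reg = OneIdentityRegistry()
    reg.ban("forum", reg.resolve(SAM_FIRST))          # first enrolment, then banned
    return [reg.admit("forum", SAM_AGAIN, "sam77"),   # new label, same identity
            reg.admit("shop", SAM_AGAIN, "sam77"),    # the ban is per context
            reg.admit("forum", ALEX, "alex"),         # unrelated person is enrolled
            len(reg.templates)]                       # only two identities exist

if __name__ == "__main__":
    print(demo())
```

The threshold is the security-relevant knob: set too low, distinct people collapse into one identity and inherit each other's bans; set too high, a banned person re-enrols as someone new.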

sam76@gmail.com, you have been voted off the island.  Hopefully you won't come back as sam77....

If you think about it, trust in real-life social groups works the same way. When someone new comes into a group they may have limited trust (however you define trust) until they establish a reputation. If they break that trust, they can be banned from the group, and unless they break the law that is about all you can do. In a real-life social group they can't put on a new mask and come back to try again. But online, they can. We are building the core lightweight foundation for trust, but trust itself has to come from a community and their own standards for trust.