Tactical Information Systems
Biometric Identification Software
SERVER.png

Tactical Information Systems Blog

Identity & Technology

Peer-to-Peer Identity Verification

In the early days of the internet, identity verification wasn't an issue at all. Online privacy wasn't an issue either. The only people on the internet were researchers and professors and staff at universities and just the fact that you had the ability to be on the internet was all the identity validation that was needed. That's not the case today.

I actually remember when the use of images on the internet was new and you couldn't use it for anything commercial.

yahoo.png

The entire internet used to look like this, kids.

The internet allows us to interact with an enormous number of people, from many different countries, cultures and languages and often we don't even know their name or gender. Even back in the day, I was a member of a guild, playing an online game with a group of people who were very real friends of mine, even though I didn't know their real names, ages or genders. In fact, other than their ability to fight with me and have my back in battle, I didn't know them at all. It didn't really matter, because I didn't do anything with them except fight orcs.

But things changed. We started buying things and sharing our stuff. With this enormous growth, came the need for a way to verify the identity of a person online. We don't really have anything effective, so the result has been that there is an enormous amount of fraud, spam and abuse that comes from anonymity. Now, I'm a huge privacy advocate and in my opinion there will always be a place for anonymity online, but there are also plenty of times and places where you want to be able to identify yourself and be accountable for your actions.

And we do have some options:

Background Checks

There are some companies that are using traditional background checks to verify online identities. I've seen this in some conservative online dating sites and Uber does background checks on their drivers. It's currently considered the gold standard for online identity and the only thing I'm aware of that is more thorough is the background checks done before granting access to classified information by the military. I've been interviewed for clearances for friends and the questions are very extensive and often personal. But there are problems. Background checks are very expensive and they are very intrusive. You have to provide a lot of information about yourself - where you live, access to financial data, educational background, etc. To me, this biggest problem is that people have a general misunderstanding about how effective they are. Most people seem to think there is one global database of bad guys that gets checked. There isn't one. The FBI doesn't have everything - each state has their own records and even at the county level there are still a lot of paper documents that can't be searched electronically. You can pass a background check and still have a criminial history. It's just the best thing we have so far.

Transaction-Based Fraud Prevention

There are a large number of companies built on the concept that we can look at attributes of a specific transaction and figure out if fraudulent or not. One example is geolocation. You can tell where the computer creating the transaction came from and if the transaction comes from Nigera and the person says they are in New Mexico that is an indication of trouble. Once you identify a bad actor, you can take a note of the IP address and block it. You can even look at the browser configuration - the specific set of fonts, plug-ins and other things that a browser has and use that to identify the user. None of these are 100% accurate - you could have the same browser configuration of a scammer or use the same IP address and have good guys get caught in the trap. Plus, you have to have some fraud that is identified and reported in order to mark the bad guys transaction characteristics.

Government Issued IDs or Official Documents

There are even online services that have you hold up an official document to your webcam to verify your identity. Some services want to see a utilty bill with your address on it to prove identity. This technology isn't hard to fake because the fake ID I bought online looks great over a webcam. Plus, why do you need to know where I live just so I can join your Pokemon enthusiasts web site?

How Should This Be Done?

These techniques are cumbersome and intrusive and weren't really designed for the digitally connected world. The Internet structure itself is designed to not have central authority and we are crowdsource everything from our Encyclopedia to journalism to genetic research.

So we are taking the same approach with BeehiveID and creating a peer-to-peer identity validation (P2P) method. That way you can verify yourself and ask others to verify themselves without going through a central authority (as with Government issued IDs) and without revealing more information about yourself than is needed. Why should they know where you live or your credit rating? It's far less expensive than a background check and harder to fool than transaction based methods.