Tactical Information Systems
Biometric Identification Software
SERVER.png

Tactical Information Systems Blog

Identity & Technology

Online Identity & Trust

We've blogged about the problems associated with online reputation and online trust before, and we used to think (like most people) that it was a problem of identity. We know anonymous people behave poorly, create fake reviews, etc. So a strong online identity will solve that, right?

Well, not so fast.  

Let's look at a hypothetical situation with a hypothetical collaborative consumption site I call "Air CnC" - Air Cash n Crash - a site that lets you pay cash for a place to crash.

Let's start with Alice, who has a room she can rent out to make a little extra money. Bob is a member of Air CnC and Alice wants to know whether Bob can be trusted. Air CnC uses an identity verification system that requires Bob to fax in a copy of his driver's license as well as undergo a background check. Furthermore, Air CnC has an extensive reputation system and Bob has many glowing reviews. Great!  Now Alice knows she can trust Bob, right?

Well, not so fast.

The problem with driver's licenses

First, how much do we trust the system Air CnC uses to verify Bob's driver's license? Is it an electronic system like Jumio? Those kinds of systems are pretty easy to defeat because they rely upon you showing a driver's license to a webcam. Really good fake driver's licenses are available for less than $100. 

These are obviously fake because iron man would have a license plate on his butt, not a driver's license

These are obviously fake because iron man would have a license plate on his butt, not a driver's license

If you are a little handy, you can make any number of "scannable" driver's license fakes without having to spend $100, or even $1. (sorry, kids I am not going to do a blog post on that one). So a driver's license check will make it hard for at least the clueless scammers, right? And we still have background checks, right?

Well, not so fast.

The problem with background checks

You might be shocked to learn that background checks are WAY less complete than most people think. People think a background check queries some Federal database and out pops every crime ever committed by a person. Well, it isn't like that AT ALL. There is a Federal system called the National Crime Information Center (NCIC), but regular companies can't query NCIC, only law enforcement can do that. A thorough background check involves sending "runners" (people) to various county courthouses for everywhere a person has lived and get arrest records. And that isn't complete either, just because there is such a hodgepodge of records. Plus it is expensive - a comprehensive background check costs around $100/person. And to add insult (and expense) to injury, how do you know you are running the background check on the right person if you don't even know who they are in the first place?  

So background checks are a problem. But we have the reputation system to help. Since Bob has a great reputation system, we can use that instead, right?

Well, not so fast.

The problem with reputation systems

A reputation system is only as good as the integrity of the people using it. Unless you know the people doing the reviews are real, unique, and have actually used the service then their reviews don't mean anything. Furthermore, if you don't know that the people who are being reviewed are real and unique then you can't trust that either. It is too easy for someone to get a few negative reviews, create a new identity and start all over again. Most online reviews are effectively useless because they don't meet either of these criteria.

So review systems are not going to help us much. But companies run lots of sophisticated algorithms to detect fraud, spending $10's of thousands of dollars per month. That has to help, right?

Well, not so fast.

The problem with back-end fraud detection

 All back end systems are relying upon information about an online transaction - things like IP address, geolocation, cookies, browser fingerprinting, behavior, etc. It isn't that those things can't catch fraud - they absolutely can. The problem is that all of the things they measure are provided by the web client. And any web developer who has been burned by this (and most of them have) knows, you can never trust anything provided by the client. Web browsers are really open things. You want a different IP address? You want to look like you are coming from a Mac when you are on a PC? You want to have a certain cookie that says you are a good guy? All of those things are very trivial with the right bit of code on the client side. And when your fraud revenue relies upon this, you are very motivated to find that bit of code.

The data breach problem

As we all know, companies have a stellar reputation when it comes to protecting sensitive personal data, just like a picket fence would make your yard an impenetrable fortress. I do actually think companies try, but their efforts look like this:

picket-fence.png

They have really tight security in one place, but the rest of their security can be knocked over by a toddler using a speak-n-say as a hacking computer. It's a really hard problem - the government can't do it well either. The only real answer at this point is to assume that any private data you upload will eventually be leaked, and the only way to keep personal data private is to not upload it at all.

The fundamental problem

Air CnC is trying to eliminate bad guys through identity measures. That's how a hotel might operate in the real world. They would ask for Bob's driver's license and if he kept coming back and trashing the place or stealing from other customers they would ban him from the hotel or call police and the problem of Bob would go away. But that approach doesn't scale to the Internet where identities are so ephemeral and easy to fake. An Internet identity is a tiny signal in a sea of noise. And it is actually worse than that. The systems we have in place can be considered to be worse than nothing because they generate a false sense of security - background checks in particular. This makes people less cautious, and that is a bad thing.

So what's the right answer? Give up and accept that we are going to drown in a sea of fraud? 

Well, not so fast.

Accountability without the illusion of real identity

Let's look at Air DnD (dollars and dreams), a site where you can spend a few dollars for a bed that will ensure pleasant dreams. (forgive me, D is a hard letter). Air DnD doesn't try to solve the identity problem because it is too hard and they don't want to try to protect sensitive customer identity data. They educate their customers on the futility of trying to do real identity online, and educate them on safe practices when dealing with strangers - the same safe practices dealing with strangers in any venue.

However, Air DnD can make a different assurance. They can ensure that all their accounts are backed by real, unique people - one account per person. That has a lot of interesting implications as we will see.

Now let's look at a slightly more complex situation. Alice and Bob have rooms to rent, while Charlie and David are looking for rooms. Charlie and David both have great reputations on the site, as does Alice. But Bob's place is brand new - the first listing. Although Alice and Bob's place are about the same, Alice can charge more for her room because she has an established good reputation. Bob charges less because he is eager to build up a good reputation.

Charlie is in a hurry, so he is glad to pay more to Alice and not have to do any work to figure out whether she is legitimate or not. David is cost-conscious, so he spends some time checking up on Bob, and meets him if a coffee shop for a short meet-and-greet. Reassured, he rents Bob's room and saves some money. Now Bob has the start of a good reputation on the system and will eventually be able to charge more.

What makes this scenario different from the conventional one is that we have a legitimate reputation system, because we know it is backed by real people. We don't have any personal data about the people involved, and we don't even have to know their real names. We just know that they are real and can be held accountable within the context of the site. If they behave badly they will gain a negative reputation that actually means something because they can't just create a new identity and start over. Or they can be banned and not come back. But ultimately it is all about accountability, not identity.

This is the kind of stuff we live and breathe. We'd love to chat with you about your online fraud/accountability problems, identity, or even beekeeping!