![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Authenticating humans
Apr. 30th, 2022 12:41 pmI’m attempting to figure out the current state-of-the-art on “authenticating humans”, since that is (a)(the) stated goal for The Acquisition.
I’m currently mostly ignoring everything about “storing identification on the blockchain” type discussion, in favor of focusing on the approach to ensuring that a human is involved, and the human is not already represented in the system. And — because Anecdata! — I’m starting with ID.me. I know it was used extensively by state unemployment agencies to deal with an avalanche of fraud. I know that the IRS is making use of it. And I know there are some issues with it.
https://www.theverge.com/2022/2/11/22928082/id-me-irs-facial-recognition-overworked-employees
This is February coverage from The Verge. It touches upon who facial ID systems tend to fail for (surprise! Ok, not a surprise. Women and people of color). It mostly focuses on the workplace experience at ID.me. It also spends a little time discussing leadership at ID.me’s response to the increased focus on them and criticism of them in general. And it mentions at least in passing competition for the service.
https://thedispatch.com/p/idme-and-the-governments-identity
(I am not familiar with this source, so link does not constitute endorsement!)
This article provides a survey of the backlash against ID.me. I really love this sentence; it is everything I am increasingly thinking:
“Still, it’s hard to shake the feeling that ID.me is the current scapegoat for a more systemic problem: The government has no good way to keep track of who you are online, even as knowing who you are online is becoming more important in every area of life.”
When I graduated from college, it was still hard to get email service / ISP service. It was a high priority to me to maintain this part of my life for many reasons. By the time I retired from work, it was super easy to get email service / ISP service at various levels, however, my efforts to fully transition my “real life” bills and statements and so forth to email were fraught at best — as late as 2004 or so, any tiny hiccup in emailing things caused a permanent reversion to paper mail. (Well, until you went through the process of switching back to e-everything again.) It would be a few more years before companies in general focused on convincing customers to “go green” by going online, as they saw the reduction in costs associated with customers receiving their statements and paying their bills online. At that point, I signed up with Catalog Choice and started actively resisting every single piece of mail I could. I was successful enough that to this day, a week-ish worth of held mail is often on the order of a dozen or so items, most of it presort (junk) mail.
The other perspective on this transition is that one’s e-life has become more and more central to one’s ability to function in the economy. Just about the _only_ remaining paper mail I receive that I care about at all is tax bills and other tax related communication _from the government_ (most tax things from banks and brokers now arrive via email, typically, or through both pathways). It is absolutely possible for someone to reach into your mailbox and steal your mail. It is _also_ possible for them to file a forward notification with the Post Office, and have the mail sent elsewhere. And it does happen — but there are significant penalties, which usually slows this down, and generally one does not need to worry about someone geographically located halfway around the world reaching into one’s physical mail box, and it is relatively unlikely that one’s mail will be forwarded halfway around the world without becoming aware of that in enough time to correct the situation.
And yes, there is all kind of hackery on the phone system as well, with physical phones being stolen (altho that’s a lot less of a problem than it was, it is still a problem), phones being cloned, numbers being illicitly ported, etc. While 2FA / MFA is a great way to increase security in online accounts, there are all kinds of often social engineering but sometimes other types of attacks on MFA that is based on SMS messages or push notifications to a phone.
This _is_ a problem. This _is_ a hard problem. This _is_ a problem that we need to tackle. There is NOT a way to fully automate the problem — the experience of ID.me makes that clear. Labor costs associated with using humans to deal with what the automation cannot is unlikely to work well in a twitter authentication context, because twitter does not make enough money to support much in the way of a labor cost on a per account basis. (This specifically is why I said that twitter as a public company was not at all in a good place, and had no apparent path forward as a public company.)
Throwing our hands up in the air and saying, well, no one has been able to solve it yet, and the bandaids are very expensive and human intensive is deeply unsatisfying and ALSO does not solve the problem. “We can put it on the blockchain” is every bit as fraudulent as everything _else_ about crypto, unless it comes along with a clear path for ensuring humanness and uniqueness BEFORE assigning that absolutely unique authentication token on the blockchain (and, honestly, you will have to make sure that it cannot be misappropriated / misused as well).
I’ll be back in a bit.
ETA:
OK, again, in a twist we all should have expected in a world in which W.’s administration introduced Real ID but never did bother to implement it, the Dispatch appears to be a conservative oriented source. I poked around a bit on things mentioned in that article (because it was a great quote!) and have come to several conclusions.
First, FIDO has limited utility in a world in which you can pay somebody a hundred bucks at a phone store to clone some poor rando’s phone. We really do need to clean up security on our phone system. We have all kinds of law surrounding mail boxes ; we should do the same for people’s phones.
Second, the folks pushing identity infrastructure at the federal level in the United States are still hung up on how people (ab)use SSNs. Which, fair! But also, so 1990s. These are not the people I trust to overhaul identification and authentication. Also, I came at this from the perspective of How Do We Spot Crypto Spam Bots on Twitters, so any solution that requires government ID for accounts in a way that harms activists … anywhere … in order to catch spam bots sounds like a less than optimal solution. Also, anything that requires a US specific solution is a non-starter for any global social media platform.
I’m currently mostly ignoring everything about “storing identification on the blockchain” type discussion, in favor of focusing on the approach to ensuring that a human is involved, and the human is not already represented in the system. And — because Anecdata! — I’m starting with ID.me. I know it was used extensively by state unemployment agencies to deal with an avalanche of fraud. I know that the IRS is making use of it. And I know there are some issues with it.
https://www.theverge.com/2022/2/11/22928082/id-me-irs-facial-recognition-overworked-employees
This is February coverage from The Verge. It touches upon who facial ID systems tend to fail for (surprise! Ok, not a surprise. Women and people of color). It mostly focuses on the workplace experience at ID.me. It also spends a little time discussing leadership at ID.me’s response to the increased focus on them and criticism of them in general. And it mentions at least in passing competition for the service.
https://thedispatch.com/p/idme-and-the-governments-identity
(I am not familiar with this source, so link does not constitute endorsement!)
This article provides a survey of the backlash against ID.me. I really love this sentence; it is everything I am increasingly thinking:
“Still, it’s hard to shake the feeling that ID.me is the current scapegoat for a more systemic problem: The government has no good way to keep track of who you are online, even as knowing who you are online is becoming more important in every area of life.”
When I graduated from college, it was still hard to get email service / ISP service. It was a high priority to me to maintain this part of my life for many reasons. By the time I retired from work, it was super easy to get email service / ISP service at various levels, however, my efforts to fully transition my “real life” bills and statements and so forth to email were fraught at best — as late as 2004 or so, any tiny hiccup in emailing things caused a permanent reversion to paper mail. (Well, until you went through the process of switching back to e-everything again.) It would be a few more years before companies in general focused on convincing customers to “go green” by going online, as they saw the reduction in costs associated with customers receiving their statements and paying their bills online. At that point, I signed up with Catalog Choice and started actively resisting every single piece of mail I could. I was successful enough that to this day, a week-ish worth of held mail is often on the order of a dozen or so items, most of it presort (junk) mail.
The other perspective on this transition is that one’s e-life has become more and more central to one’s ability to function in the economy. Just about the _only_ remaining paper mail I receive that I care about at all is tax bills and other tax related communication _from the government_ (most tax things from banks and brokers now arrive via email, typically, or through both pathways). It is absolutely possible for someone to reach into your mailbox and steal your mail. It is _also_ possible for them to file a forward notification with the Post Office, and have the mail sent elsewhere. And it does happen — but there are significant penalties, which usually slows this down, and generally one does not need to worry about someone geographically located halfway around the world reaching into one’s physical mail box, and it is relatively unlikely that one’s mail will be forwarded halfway around the world without becoming aware of that in enough time to correct the situation.
And yes, there is all kind of hackery on the phone system as well, with physical phones being stolen (altho that’s a lot less of a problem than it was, it is still a problem), phones being cloned, numbers being illicitly ported, etc. While 2FA / MFA is a great way to increase security in online accounts, there are all kinds of often social engineering but sometimes other types of attacks on MFA that is based on SMS messages or push notifications to a phone.
This _is_ a problem. This _is_ a hard problem. This _is_ a problem that we need to tackle. There is NOT a way to fully automate the problem — the experience of ID.me makes that clear. Labor costs associated with using humans to deal with what the automation cannot is unlikely to work well in a twitter authentication context, because twitter does not make enough money to support much in the way of a labor cost on a per account basis. (This specifically is why I said that twitter as a public company was not at all in a good place, and had no apparent path forward as a public company.)
Throwing our hands up in the air and saying, well, no one has been able to solve it yet, and the bandaids are very expensive and human intensive is deeply unsatisfying and ALSO does not solve the problem. “We can put it on the blockchain” is every bit as fraudulent as everything _else_ about crypto, unless it comes along with a clear path for ensuring humanness and uniqueness BEFORE assigning that absolutely unique authentication token on the blockchain (and, honestly, you will have to make sure that it cannot be misappropriated / misused as well).
I’ll be back in a bit.
ETA:
OK, again, in a twist we all should have expected in a world in which W.’s administration introduced Real ID but never did bother to implement it, the Dispatch appears to be a conservative oriented source. I poked around a bit on things mentioned in that article (because it was a great quote!) and have come to several conclusions.
First, FIDO has limited utility in a world in which you can pay somebody a hundred bucks at a phone store to clone some poor rando’s phone. We really do need to clean up security on our phone system. We have all kinds of law surrounding mail boxes ; we should do the same for people’s phones.
Second, the folks pushing identity infrastructure at the federal level in the United States are still hung up on how people (ab)use SSNs. Which, fair! But also, so 1990s. These are not the people I trust to overhaul identification and authentication. Also, I came at this from the perspective of How Do We Spot Crypto Spam Bots on Twitters, so any solution that requires government ID for accounts in a way that harms activists … anywhere … in order to catch spam bots sounds like a less than optimal solution. Also, anything that requires a US specific solution is a non-starter for any global social media platform.