Let’s say the internet gets so bad that it becomes almost impossible to carry on a civilized conversation on a social network or to avoid a flood of anonymous emails. The people become fed up and can’t take it anymore. A revolution takes place and a miracle happens: every one is required to get a real id that can be traced back an actual person. This id is then required to do anything on the internet.

How many people are going to still post death threats, character assassinations, or make racist or sexist comments. How many people are are going to email you saying they’re a Nigerian prince that wants to give you money. It would sure go a long way to cleaning up some of the cesspools that make up social networking and the garbage pit that is email today.

Knowing who you are cuts both ways. A woman trying to hide from an abusive boyfriend or husband would want to keep her identity unknown. People facing political persecution would like to keep a low profile.

Perhaps the biggest hurdle to setting up ids would be verification. How do you prove someone is who they say they are when documents can be easily forged and fake identities created. You could use finger prints or eye scans, but the effort to set up the infrastructure to do so would be massive.

Then there is the issue of maintaining the information in a safe and secure manner. We couldn’t rely on any countries government. They wouldn’t be able to resist the temptation to use it to track people. It would have to be an independent agency.

Is setting up such a system unfeasible? Even if all the hurdles could be overcome and a real id system could be created, is that something we would want? Are we better off with the way it is today and just live with its ills or relying on mods and spam filters to keep thing somewhat under control.

I’m aware that Web 3.0 is making strides in this area. It remains to be seen if it will be viable.

  • Onihikage@beehaw.org
    link
    fedilink
    English
    arrow-up
    0
    ·
    1 year ago

    Everyone knowing your identity? The drawbacks would far outweigh the benefits. However, there may be a path to the benefits of a Real ID sign-up system that mitigates the possible harms.

    First of all, let’s get this out of the way - this “minimal harm” approach would only be feasible if the government could either reach some level of technical competency or farm out the task to heavily restricted private corporations that do have that competence. If we presume that’s the case (unlikely), the question becomes whether the people would be willing to accept it. If we presume the majority of citizens also want such a thing (a tall order to be sure, I certainly don’t want it), then the question becomes what sort of system would be able to maximize privacy, and thus safety, while still requiring your real identity to be involved in creating online accounts? What would that system look like?

    (Collapsed for your convenience because I wrote way too much about this hypothetical)

    We’d absolutely need a level of abstraction. The government knows who you are anyway, but the business entity you’re interfacing with would get a unique token from the government that is not your actual Real ID number but which is a hash generated from the business’s (salted) ID number and your own salted ID number (idk I’m not a cryptographer).

    Signing up for an account would resemble using Google or Facebook to create an account; you’d be redirected to some third party Identity Verification System (IVS) which would handle identity verification and redirect you back to the account creation with the extra piece of information provided by the third party. You’d still pick a username, password, etc.; the government database would only be used to generate that unique token.

    More specifically, the website or service would only be passed a token from the IVS, uniquely generated based on the company ID and the person’s ID, and the government database would only keep the token, not any of the data used to compute it. (That’s not counting China and other authoritarian states, of course - they’d definitely retain all that information and have a list of all the sites you have accounts with. This wouldn’t solve that problem.) This would make the IVS database virtually useless on its own, as an attacker who compromises the database has no way of knowing which token is associated with which website, and cannot derive it themselves unless they’ve also compromised one or more target websites at the same time. The cryptographic stuff would be rotated once it’s known that a breach has occurred, so such breaches would likely be limited to state actors or black-hat groups that hoard zero-days.

    Now, what would all this accomplish? What would it make possible that currently isn’t outside of China?

    • Unique website signups - one person, one account, and if it’s banned, that’s it, you don’t get to log in to that site ever again until you’re unbanned. Your only option to get around a ban would be to commit identity fraud, which would be quickly traced back to you if everything really was using this system.
    • If you block someone, they can’t just make a new account and keep harassing you; they’d have to start committing crimes, and the pattern of behavior would be easily traced back to their original account, and with it, their original identity.
    • No more sock puppets. If you say something on a platform, you only get one account to say it with. Troll farms would have to openly pay thousands of people to support a particular view, which many websites would likely consider a bannable offense. Troll farms are non-viable.
    • A website doesn’t need your email address or any personal information from you in order to verify your identity for password resets. If the IVS returns the correct token, that’s good enough.
    • If a user has committed a crime, and evidence of this is visible on a website or platform, a government with jurisdiction can, with a warrant, request that user’s token. That gives them a specific identity in the ID database to investigate further.
    • If the government is investigating a particular individual over whom they have jurisdiction, they can query websites or businesses over which they also have jurisdiction for information on whether any of the tokens in their database match a user account’s identity token, and request data from the matching account. It would be a much more focused process than queries based on IP addresses which judges keep having to say are not proof of identity.

    What would this system not do? What doesn’t change compared to now?

    • Companies using this system would still only know for sure who you are if you tell them; at most, they know with certainty what country your identity is associated with, but little more.
    • Companies could still coordinate information on data such as which accounts sign in from the same IP addresses, which would tell them more about specific users and potentially let them profile you.
    • Companies will still give up any information they have on you to the government if compelled by a warrant, sometimes even without one.
    • Websites can be hacked and your data on that website exposed to the world, requiring you to reset your password, etc.
    • The government can be hacked and information about your identity exposed
    • Accounts can be hacked, and nefarious people can do nefarious things under your name without having to commit identity fraud (though this act could itself be considered a crime under such a system)
    • Stalkers can still figure out who you are based on information you post, and go after you in the real world
    • The government doesn’t know which websites you visit unless they’re actively spying on you.
    • Oppressive governments can and will continue to monitor and log everything they can about you, and attempt to weaponize this against dissenters or those otherwise deemed “undesirable”

    Even in the grandest, best-possible-case scenario I can think of, it still comes down to “Can I trust my government to not take more information than they’re allowed to, and can I trust that they will not abuse the information they do obtain?” For many, I suspect the answer to both questions is no.