Online Identity

posted by on 19th May 2011, at 3:03pm

In the modern age everyone has multiple online accounts, Google, Twitter, Facebook, MSN Messenger, Tumblr, Formspring, various forums, etc. Back in the early part of the 2000s online accounts were mostly used for housing an avatar of yourself, not your real identity. This avatar would be used on message boards and maybe an ICQ or AIM account. There was no reason to be your actual person online unless you were shopping online, this was usually done with your real identity; it still is today. The avatar model still exists today with all of the social media websites and online services that we use.

The avatar model created a sense of anonymity and freedom, some say this is what the internet was originally designed to do. Along with this the idea was also implanted for some people that they could do anything on the internet and get away with it, to a large extent they have. Whether it be a teenager browsing some message board to get their daily kicks, someone taking part in bullying someone else online, or someone posting a review of a movie on YouTube these communities need to be moderated kept clean one way or another. For petty crimes like mass spamming or just being annoying in general there’s really not much law enforcement could do. However, if something more serious is taking place such as bullying, verbal assault or infringing laws, law enforcement must get involved. This is a scenario that is almost impossible since a court order is required to get the information of someone behind an IP address, the address that identifies you online. Even with an IP address there’s no guarantee the person you are looking for is at that IP address. This is why a new online identity model is needed.

This paper is going to be as realistic as possible in regards to methods. The best method to ensure identity is maintained online would be to provide every person with a single IPv6 address and have that follow the person wherever they go online. This would work since the IPv6 address space provides upwards of 3.4 x 1038 addresses. This is not realistic since IPv4 will not be disappearing any time soon. A new solution to provide identity online must be one that allows any corporation or website to adopt it. Most importantly the solution must be nimble enough to suit the needs of different countries. The United States would take the lead on something of this nature but there’s no guarantee it would suit the needs of other countries. The solution must also provide concrete proof that the person using an online account is who they claim to be. Finally, privacy must be respected meaning that website owners or corporations would not be able to freely look up the details of a user without just cause.

Now that we know what this solution must look like let’s take a look at what we have right now to see if anything could be adapted to work in such a manner. We’ll be looking for a solution that with a few modifications can encompass our requirements.

The first service I would like to talk about in relation to identity is OpenID. OpenID provides website owners with a template to perform authentication. OpenID operates with OpenID providers, the providers provide authentication for any websites that choose to operate using OpenID. Once a user has an OpenID account they are able to use it to log in anywhere that supports OpenID. OpenID is great in that it anyone is free to implement it, however, very few mainstream users use OpenID. You can link your Facebook account to OpenID by adding it as a linked account under your account settings.

The next provider that could morph itself into a force for a new identity framework is Google. Everyone who uses Gmail has a google account, everyone who uses YouTube has a Google account. Google accounts are available in mass quantities, they’re easy to create and they have a good deal of information tied to them. Personally my Google account has all my email messages, a good selection of documents, and about 6 years of web search history. Google is also available to be used to log in to other websites, Facebook for example. This makes Google a prime contender for this space since Google accounts exist in mass quantities and Google is the company that has always touted its “do no evil” message.

The third and perhaps most shocking contender is Facebook. Facebook is the biggest social network to date and almost everyone has an account. As with Google Facebook offers a similar solution for connecting to other websites, Facebook Connect. This means that one could easily log into other websites using Facebook and their identity would continue to revolve around this profile. Facebook also offers the ability of having strong identity, meaning that the friends list can be used as a method of authentication. Send a message to friend X of user Y and you will get a yes or no answer if this person is real. Continue this 10 times and you can get a fairly good idea of who a person is.

Each of the above mentioned providers have their benefits and downsides. When I started building this article over a month ago I had thought Facebook would be a clear winner since I had never used Facebook before. Once I took a look inside a Facebook account I discovered I was plain wrong. From the first creation of an account it became clear that Facebook is too corporate amongst other things to provide a standard form of identity. This lead me back to the very first that I mentioned here, OpenID. OpenID is great in theory but the problem is that not everyone is aware of it and websites do not implement it in massive numbers. Google was included as a possibility in this list because Google has a track record of undertaking ambitious projects such as the Chrome browser to change the web and Gmail to change the concept of web mail as we know it. If Google wanted they could create a service for online identity easily. Google also has the benefit of being generally viewed in a positive light.

As it stands right now there is no ideal solution. OpenID provides the closest but it lacks a form of government authority and it’s not widely used. Google could handle implementation but once again there’s no general framework for providing a wide net that would encompass all cases. Facebook would be useful in such a situation to provide a network of friends to spread the new authentication method around the web. A new framework must be provided for authentication, using something each of these companies has here to make it work. The general non-affiliated base of OpenID, the trust and implementation services of Google, and the vast network Facebook provides could create a valid identity system that would be widely used.

The first and most important aspect of our system must be its decentralized nature. OpenID provides this by allowing anyone to become an OpenID provider. The second roadblock is authenticity. Everyone has some form of government identification whether it be drivers license, passport, or birth certificate. Once the framework is provided in an OpenID style system we must turn to the government, the government of your country. Any modern government in the developed world is trustworthy enough to handle authentication of this nature, it would be similar to setting up a business license. A user would first go to a provider, such as Google to get their account linked to a third party such as OpenID. The user would then fill out a form online providing credentials for their Google (or other provider) and then also providing information found on a piece of government ID to create the link. This would result in the user becoming verified much in the same way websites are able to purchase secure certificates to get the green badge on the address bar. The user could then head on to Facebook and login with this new verified account and push their friends to become verified as well. The log in account would work on any website that chooses to implement it. There would be no penalty for not implementing but over time it would become natural to support verified accounts to bring another level of legitimacy to a web site or online service.

As mentioned earlier the new login system would provide a greater degree of legitimacy and would make tracking troublemakers easier. Let’s be clear once again that a single website owner would not be able to access personal contact information for a user without just cause. If something were to happen regarding the behavior of that person the case would be able to be turned over to law enforcement with the verified user ID. Website owners could take away a new level of pride if they only allowed verified users. It would be limiting in regards to allowing mass account creation but it would greatly enhance the experience online. It would create the feeling of being apart of a true community with people you know are real and people you can start to forge new friendships with because it’s known that they will be held accountable for their actions.

Such a system would be ideal as we continue to use the internet more and more in our daily lives. The internet wasn’t designed for massive amounts of people to congregate and share videos with each other. The internet was designed for communication between branches of the military and later, educational institutions. We use the internet as if it was a part of the real world, we need to treat it as such. I am a firm believer that we should treat people online as we would if we were sitting next to them in a coffee shop. I also believe that the internet needs law, just like we have in the real world. A person can’t verbally abuse someone in a coffee shop and physically assault someone without answering for the crime. The online world is a completely different story, something like a verbal assault is very easy to get away with. We’re living in 2011, not 1995 and the internet needs to change to serve the world around it.


This article is filed under Tech. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

2 Comments

  • Ben L. Says:
    19th May 2011, at 4:46pm

    The problem with using OpenID, or any easily obtainable method of identification, is that a malicious user would almost definitely create a new identity specifically for the purpose of whatever action they wish to do. When they’re done with this action, they can simply discard the account and repeat.

    A system that required a cell phone to identify wouldn’t work either – I don’t have a cell phone, and I don’t use a landline phone unless it’s an emergency. Requiring more forms of identification simply reduces user base. Even if you’re removing 60% of malicious users, you’re also getting rid of at least 30% of your legitimate user base.

  • Shane Says:
    19th May 2011, at 6:15pm

    Every person would only have one account verified by government. You’d only be allowed one. The idea in general is to prevent fake identities from being created and then create more trust with websites that only allow verified identities. This setup aims to fix the problem you put forward.

    In time it’s hoped that websites that value their legitimacy (Facebook, Twitter, Google, etc.) would only support verified identities while websites that are somewhat more freestanding (RSBandB, Digg, Reddit, etc.) would run both systems. While on the other end, untrusted websites would have no desire to support this system. With this, verified identity = trust = safe experience.

    Cell phone auth is best saved for multi-factor authentication.