(C) Alec Muffett's DropSafe blog.
Author Name: Alec Muffett
This story was originally published on alecmuffett.com. [1]
License: CC-BY-SA 3.0.[2]
identity – dropsafe
2021-11
A few days ago I was asked some questions by Alex Hern, towards an article which came out in today’s Observer. In response, I sent him an essay, which I attach below, mildly edited and with entirely rephrased questions (to avoid quoting)...
Question: what are the main challenges of online identity?
I’m going to try to maximise clarity, so: apologies for verbosity, if there’s anything inobvious then do ping me back; also I will reorder the questions a little bit:
“Identity” is a concept that is broadly misunderstood, especially online – because “Identity” actually means “Relationship”.
We love to think in terms of “Identity” meaning “Credential” such as “Passport” or “Driving License”, but even in those circumstances we are actually talking about “Bearer of Passport” (relationship) and “British Passport” (relationship), with the small mauve/blue booklet acting as a hard-to-forge “pivot” between the two relationships.
This true and subtle nature of “identity” is so widely misapprehended in the real world, that matters are considerably worsened when the same misapprehensions are applied online.
This is most obvious in a traditional online login: to pick a random vendor: Amazon mostly don’t need to care *who* you are in terms of your relationships to national governments or driving license authorities; from a business perspective all they care about is that there’s an “account” (relationship) to which (ideally) only one person/family has access, and in receipt of a consistent flow of orders and consistent payment they dispatch stuff to a consistent address and everyone generally remains consistently happy.
Problems arise when the “account” is open to access by undesired third parties by means of (eg:) “credential theft” (ie: theft of pivot) thereby diluting trust and enabling parasitising of the relationship, leaving the original parties (Customer, Amazon) both unhappy.
But the key point is: there’s no *essential* middleman required in a relationship; any legal-compliance age-checks can be done minimally, at the point of relevant delivery.
Admittedly: where there are non-cash payments required then the whole thing rapidly evolves into a complex web of Amazon-Customer relationships (ie: Amazon Identities) talking to Mastercard-Customer relationships (ie: Credit Card Numbers) via Amazon-Mastercard relationships (ie: Payment-Processor Accounts) – but underlying it all is a stark end-to-end simplicity.
Aside: this is also why digital cash is, or was, quite so terrifying to both payment processors and governments. They fear disintermediation.
And now along comes the Government which now tries to demand that almost every relationship that you have, as a platform, is suddenly and legally obliged to be tied to … what? An arbitrary, legally-sanctioned third party? A government database? An uploaded photoshop of a driver’s license? An ill-defined meta-relationship? All “in order to filter-out children”?
Suddenly every simple relationship that you have, every simple username/password combination, becomes subjugated to cross-check and revocation from a cartel of third parties – because clearly not every platform is competent to manage sensitive data – and all gleefully rubbing their hands together at the monetisation opportunities.
The decentralised nature of the internet revolts against such an obligation. No popular software stack natively supports the concept of “trusted third parties”. It has been rejected as an architecture several times before, during the first Crypto Wars. All purported “solutions” will need to be layered “over the top”, and all will be easily circumvented by (eg:) simply “using software that doesn’t bother to implement these notions”.
What then? Shall we ban software that is not properly plugged into the “British National Identity Grid”?
Further: you are more than familiar with the concept of “end-to-end encryption” – Tor, Signal, WhatsApp – all of which reflect the internet’s underlying “End-to-End Principle” genome. (cite: https://datatracker.ietf.org/doc/html/rfc3724)
End-to-end-secure technologies are on the rise, improve security, reduce cost, have no technical requirement to be referent to any third-party relationship… so of course the Online Harms bill is taking aim at those, too.
Aside: check out this tweet on how Google implement Age Verification for YouTube, and note that they place the burden upon *users* to not send them anything sensitive:
"YouTube are already doing it" – would you like to look into that, and the pros/cons?
Here's Google's guidance on "how to age verify" – how many people do you think manage to "block out" sensitive bits of their ID?
How many nick their Mum's Credit Card?
https://t.co/m1rTgeMPTC pic.twitter.com/9EyDTq04LO — Alec Muffett (@AlecMuffett) June 19, 2021
Question: What are the consequences of Online Age Verification?
1/ Age Verification artificially requires platforms (etc) to demand *more* data about the people at the other end of their account relationships – even if the platforms lack any concept of “account”. This burdens the platforms, adds cost, reduces engagement, and reduces performance. It harms anonymity and the legitimate communities which benefit from that. It enables blocking and censorship. It proliferates private information, and puts sensitive personal data at greater and more focused risk of hacking (cf: The “Ashley Madison” hack) – yet the ostensible end goal (restricting access to porn, at least) is easily bypassed by motivated kids.
2/ The low hanging fruit of Age Verification is to “address the issue, not the medium”; and require (as now) online booze and knife sales to check ID on delivery, further educate kids how to spot abusers, further educate parents and teachers to be more engaged with their children’s online lives.
We should not conflate technical control with social integrity – the challenge is the people, not the platforms: folk need to be vaccinated against doing stupidly risky things online, rather than for the government to demand that all platforms must hire and deploy cyberbouncers everywhere in order to keep “the vulnerable” away from potential sources of harm.
A friend of mine – a consultant on security – once told me that he didn’t know whether to be annoyed or impressed at his then-14yo son buying a secondhand Android phone for 15 quid and thereby bypassing all his carefully set up parental controls. That might sound like an argument for moving the controls upstream, but all that will happen is the kids start using VPNs, Tor, and 4Chan.
Better, instead, to engage with your children as family members to be guided, rather than as prisoners and punters to be policed.
Moving one of your questions up to here:
Question: what is the likelihood & risk of (e.g.) Facebook, falling into the role of age verification, for want of a more focused / general solution?
From the preamble discussion: the point of a passport booklet is that it must be of high authenticity in order to be useful – this means that it must be high cost to create, hard to forge, well policed, and revoked at need.
These are also all characteristics of your account-relationships with Google and Facebook, and hence those account-relationships are viable for use as proxy-identities (Platform: “I have an account-relationship with *someone* who at Facebook has account-relationship number 12345678; they order pizza and give me money and we are happy”) for platforms which understandably don’t want to have to deal with fake humans (eg: food delivery companies).
This is in contrast to outsource identity-providers such as Yoti – or other, more narrow “age-assurance” providers – attempting to shoehorn themselves into frequent-use account-relationships (porn age-verification? neotenic adults attempting to buy booze/fags?) in order to gain enough market momentum to begin to make money from providing these services.
We have seen the same pattern in Government themselves: expensive, uneconomic, misconceived solutions looking for problems to solve, flailing, and dying. In the process the GOV.UK “Verify” system spent millions trying to federate (parasitise?) the incumbent account-relationships held by Barclays, Experian & the Post Office, none of which are remotely as “high cost to create, hard to forge, well policed” (etc) as the average Google account. Someone’s Barclays account might be close, but how often do you use your bank compared to Google, in respect of relationship freshness and therefore trustworthiness?
So I am generally in favour of (eg: food delivery) companies being free to choose to use Google and Facebook – and Apple, if you have an iPhone – as identity providers.
And I am utterly against such usage becoming obligatory. I literally worked at Facebook, and I would not want my Facebook account to be required by the British government, just as much as I would not want Facebook to collude with the Chinese government to know more about Chinese citizens.
And frankly – pardon the upcoming caps – I STRONGLY DOUBT THAT FACEBOOK WANTS TO GET INTO THE IDENTITY VERIFICATION BUSINESS; Facebook is an advertising company, and their literal terms of service forbid data use “to make eligibility determinations about people” (cite: https://developers.facebook.com/terms/dfc_platform_terms/ in section 3.a.ii) – something which I also pointed out in my 2016 evidence to Parliament, linked below.
The value of Google/Apple/Facebook accounts to third-party authenticators is NOT in the kind of information which (some wrongly believe) GAF could bring to the table; the value is in the account-relationship as a hard-to-forge, regularly refreshed, globally-unique pivot-credential. The ostensible birthday that is associated with it is likely evanescent, unverified hogwash.
Question: what are your perspectives upon the Digital Economy Act & the Age-Appropriate Design Code?
Part 3 of the Digital Economy Bill was awesomely misconceived, illiberal, and badly drafted. I eviscerated it in evidence submitted to Parliament (https://medium.com/@alecmuffett/on-the-digital-economy-bill-1df356862ac2) and I remain proud that this work, plus my commentary on the many failings of BSI PAS1296 (thread: https://twitter.com/AlecMuffett/status/788355102578966528) were cited to me by one peer as a major reason why the legislation was never enacted.
OMG – the reason that #PAS1296 says nothing useful about protection of porn-viewing data is BECAUSE IT IS DESIGNED FOR GENERAL PURPOSE pic.twitter.com/hWBRwqLkOk — Alec Muffett (@AlecMuffett) October 18, 2016
There’s a regrettable amount of well-intentioned but misconceived and ill-informed thinking out there, regarding how to protect children online. This goes for both the DEA and the AADC, most of which blithely assume that there’s some concept of “absolute identity” (there isn’t) which can (it can’t) somehow be imported into cyberspace (at best it would be yet another relationship, of dubious worth) in order to “solve” age checks.
Again: even if that were a thing (it’s not) you would still need to prevent the kid changing the timezone on their phone to be in New York, prevent the kid setting their phone’s geolocation to Australia, prevent the kid using a VPN so that their bits appear to come from Sweden, from somewhere, from anywhere that this burden, this cost, this friction does not exist.
The DEA and the (control aspects of the) AADC won’t deliver the ostensibly desired results, but the process of imposing it will harm *everything* because the necessary infrastructure is supported by *nothing* and the consequences of implementing it would be far beyond what is discussed.
Also: there is a slew of privacy and disabled-person-usability regulations which would rightly crush any platform which (eg:) required people to “log in” to their phones before they were permitted to amend the (eg:) timezone settings. Privacy and safety advocates have viciously competing motivations and goals.
Summary: It’s simply not feasible to stop people lying to computers, nor to stop people lying to each other via computers, and attempting to do so would be illiberal.
Question: Would Government-issued Digital IDs be able to step into this requirement?
Restating the above even more briefly:
Most people’s “Government Digital IDs” are-and-will-be used a fraction as much as their Google and Facebook accounts, and will equally be authenticated to a fractional extent. You’ve probably written something like “Facebook knows more about you than the Government, it’s on all your devices, tracks you everywhere”, etc, and the account-relationship (ie: “Identity”) that Facebook and Google have got for you is refreshed several dozen times a day.
How on earth would a “Government Digital ID” exceed the value of that deeply intimate account-relationship? And how would they exceed the reliability and performance of (eg:) Facebook as a solution?
As such: Facebook would be a far “better” third party to legally oblige everyone to have – but that’s a horrific prospect, not least because it proliferates personal data even further into more intimate regions of internet usage: banking and benefits, not just porn.
But then: if Facebook would be a bad choice solely upon *those* grounds, then why would *anyone* else be better, Government included? All you would be doing is handing the Government the ability to (a) track you online and (b) deny you access to a website.
Do we really want the Government to have those powers?
Question: When should children (e.g. 13-and-under) be permitted free access to the Internet?
Would you want me to tell you what your kid is capable of, and/or should be permitted to do, and with whom they are allowed (encouraged? forbidden?) to speak?
I doubt it.
In 2018 I attended a meeting on “children’s data and privacy online” at LSE, and ended up tweeting thusly:
Yet 15 minutes later the parents amongst the attendees were comparing notes re: how casually & often their children lied about age/etc "online", and in one case had taught [their parent, an attendee] how to sign up for [Facebook?] & to lie about their age in the process. — Alec Muffett (@AlecMuffett) September 7, 2018
…because it turns out that there is a comical amount of give-and-take regarding “what is acceptable” even amongst the most notable of child-protection advocates.
The joke used to be about getting your 13-year-old to program your VCR, but now it’s about asking them how to protect your identity online.
So: with curious and smart kids some form of “unsupervised browsing” is going to happen sooner than you realise. The proper question is not “at what arbitrary age should we permit this?”
The question should be “what have the parents and teachers done, from the outset, to avoid this eventuality somehow becoming a crisis?”
FIN
[1] URL: https://alecmuffett.com/article/tag/identity
[2] URL: https://creativecommons.org/licenses/by-sa/3.0/