
Every identity everywhere all at once
Welcome back to my ongoing series on real-world identity online. I’ve made it clear in recent weeks that I believe the current platform model is tilted too far toward anonymity. Easy, anonymous signups lead to large-scale fraud and harassment, the use of mass surveillance to find violations, and a justice system that terminates real people’s accounts without due process. We deserve better.
On the other hand, I am unwilling to sacrifice the benefits of online anonymity. Marginalized communities need a way to build safe spaces online, and we shouldn’t be handing any government a tool that makes it easier to suppress dissent.
I think this debate runs onto the rocks when it’s treated as an all-or-nothing proposition. It’s hard to find common ground when the only choices are Instagram allowing five accounts on one device, or the UK making Digital ID mandatory for Right to Work checks.
Fortunately, some brilliant colleagues at Google showed me a path forward a few years ago, which I’m going to use to build a generic model that I think could help us start to make progress toward the choice and control we deserve.
Standing on the shoulders of giant brains
First, some background. Early on, Google had a product philosophy of focusing on power users first, i.e. people who use your product heavily and have the highest requirements. This is why early Gmail packed the screen densely and focused on search to help people who processed a huge volume of email every day.
Unfortunately, bad actors learned to use these power features, too. Since they were all available the moment you logged in, the bad guys could exploit the power features faster than Google could detect and block the abuse. Combine that with easy access to fake accounts, and every day would bring a new avalanche of (inadvertently) Google-powered supervillains.
Enter Judy Sun and Brad Chen from Google’s Counter-Abuse Technology team. They needed to figure out a way to stop bad actors from abusing powerful features, but without damaging the experience of the real power users who needed them.
They created a model based on two things: a continuum of risk organized around public versus private behavior, and a set of escalating trust requirements that would be applied based on the level of risk. Here are some examples of how this could be applied within Google.
Using Gmail to read your email is a private activity, so it shouldn’t be gated at all, but sending thousands of emails in a short time period could mean you are a spammer.
Maps reviews are public, creating the risk of a legitimate business getting brigaded with false low ratings.
Android developers can reach millions of phones with potentially malicious apps.
Bulk-uploading many YouTube videos a day could help you reach a nation, for good or ill.
Judy and Brad and their team took this insight to products across Google, including YouTube and Android, which introduced new trust requirements at strategic points. Their work has reduced abuse and, to my knowledge, has been fairly well accepted by users of those products, a sign that they got the balance right.
A generic model: stakeholders and channels
To scale this model from one company to the broader Internet, we need to consider a wider range of stakeholders. Let’s start with four:
Individual - one person
Community - a specific subgroup of people
Platform - the service that is enabling an interaction
Government - authorities based on real-world citizenship and/or physical location
We also need to redefine the public-private continuum using product categories, rather than specific products. Here’s a starter model with five channels:
Consumption – one person acting alone by reading a book or a social media post, watching a video, playing a (one-person) video game, and so forth
One-to-one – two people communicating over any format (text, voice, video, online gaming, VR, etc.)
Community – multi-directional interactions within a defined subgroup. Anything from a small family group chat up to a Discord server or Telegram group with 100,000+ members.
Mass messaging – a content creator uses one-to-one channels to reach many people at once via email lists, bulk texting, and so forth.
Broadcast – a content creator posts something on a platform that is potentially available to anyone online. Social media updates, videos on TikTok or YouTube, and so on.
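Here is a sketch of how escalating trust requirements could be enforced across these five channels. It is an added example, not code from Google or from this series. The trust tiers, baseline policy, volume thresholds and all names are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from enum import IntEnum

class Channel(IntEnum):            # the five channels above, private -> public
    CONSUMPTION = 0
    ONE_TO_ONE = 1
    COMMUNITY = 2
    MASS_MESSAGING = 3
    BROADCAST = 4

class Trust(IntEnum):              # hypothetical tiers, not from the article
    ANONYMOUS = 0
    VERIFIED_CONTACT = 1           # confirmed email or phone
    ESTABLISHED = 2                # aged account with a clean record
    VERIFIED_IDENTITY = 3          # presented an identity credential

# Assumed baseline requirement per channel.
BASELINE = {Channel.CONSUMPTION: Trust.ANONYMOUS,
            Channel.ONE_TO_ONE: Trust.ANONYMOUS,
            Channel.COMMUNITY: Trust.VERIFIED_CONTACT,
            Channel.MASS_MESSAGING: Trust.ESTABLISHED,
            Channel.BROADCAST: Trust.VERIFIED_CONTACT}
# Assumed volume steps: (actions within the window, tiers added to baseline).
STEPS = [(50, 1), (1000, 2)]
WINDOW = 3600                      # sliding window, in seconds

class TrustGate:
    def __init__(self):
        self.events = defaultdict(deque)   # (user, channel) -> timestamps

    def required(self, channel, recent):
        if channel is Channel.CONSUMPTION:
            return Trust.ANONYMOUS         # private activity is never gated
        bump = max((add for limit, add in STEPS if recent >= limit), default=0)
        return Trust(min(BASELINE[channel] + bump, Trust.VERIFIED_IDENTITY))

    def check(self, user, user_trust, channel, now):
        q = self.events[(user, channel)]
        while q and q[0] <= now - WINDOW:  # drop events outside the window
            q.popleft()
        need = self.required(channel, len(q) + 1)  # count this attempt too
        if user_trust < need:
            return ("step_up", need)       # ask for more trust, do not ban
        q.append(now)
        return ("allow", need)
```

The gate sits at the risky action rather than at login, so a reader never meets it and a user who already holds the required tier is not slowed down.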
Identity context matrix v0.1
Put these together and we can start to have more specific conversations about what kind of identity requirements (or protections) a given stakeholder needs in a given channel.
Channel | Individual | Community | Platform | Government |
---|---|---|---|---|
Consumption | 1 | 2 | 3 | 4 |
One-to-one | 5 | 6 | 7 | 8 |
Community | 9 | 10 | 11 | 12 |
Mass Messaging | 13 | 14 | 15 | 16 |
Broadcast | 17 | 18 | 19 | 20 |
For example, consider box five: Individuals having one-to-one communications. Most of the time, you expect to know something about the identity of anyone you are texting or emailing with. This is why pig butchering attacks have to send a lot of messages in order to find someone they can fool. It would be even harder if people had a way to lock down their most private communication methods to require senders to have a valid identity credential.
A caveat is needed, however, for sensitive interactions like a suicide help line or an intimate conversation between two consenting adults. But allowing anonymity would become a choice those specific situations could make, rather than everyone’s mandatory default.
It’s pretty easy to use this matrix to find where more work is needed. In particular, box ten, communities managing communities, contains multitudes. A support group for marginalized youth or government dissent will rely on robust mutual anonymity for safety from doxxing, but on the other extreme there are documented cases of violence in places like India and West Africa that started from rumors, disinformation, and hate speech in WhatsApp groups. Community managers need a more diverse set of tools to manage different identity requirements for different circumstances.
This matrix could also use a third dimension for the relationship between categories of stakeholders. A platform wants to know a lot about the identity of their users when it increases the value of advertising, but as little as possible when it comes to account terminations. And conversely, an individual probably wants to be pretty anonymous for advertising purposes, but expects publishers to treat them as real people before cutting them off.
We need a web of trust
This is all purely theoretical at the moment, because there is no consistent feature on the Internet to even give us the choice of when to use or require verified identity. It’s all being determined by platforms and governments, and our wishes seem to be barely considered.
This may be about to change. Two weeks ago, a group called the First Person Network issued an 80-page white paper that proposes a set of standards to add a verifiable trust layer to the entire Internet. The Linux kernel project intends to implement this to prevent another supply chain attack like XZ Utils, where an unknown hacker gained control over an open source project and almost injected a back door into Linux systems worldwide.
Next week I’ll try to distill this beast of a white paper into a short overview to give you a flavor of what could be coming.
Ideas? Feedback? Criticism? I want to hear it, because I am sure that I am going to get a lot of things wrong along the way. I will share what I learn with the community as we go. Reach out any time at [email protected].