I am looking for thoughts, advice or just plain chatting about some issues I think are important around startups/entrepreneurship and the problem of online identity.
It seems we're way ahead of ourselves in terms of spreading information, but way behind in terms of knowing if the person speaking is truly who they say.
This has created a situation where armies of fake profiles are collectively acting like masses of individuals spreading news and information on a personal level.
My work on this is just getting started, but I can already see there are thousands and thousands of fake accounts all parroting the same perfectly articulated political propaganda and it is all coming from large centralized sources.
These are profiles masquerading as citizens who live nearby to you, and share the same values and interests.
But they are not.
I'd like to exchange some thoughts, advice and others interested in this very important topic. Online Identity Verification is a 10B plus business today and I think it is just the start of solving the problem.
There are two fundamental challenges to this:
Part 1) how the original registration is handled, and
Part 2) how the subsequent access control is handled when the person wants to assert their identity to a given service.
The registration part (Part 1) is tough in that you need to rely on some confirmable evidence and trust the true/false comparison with the user registering -tough to prove and sending scans of IDs online doesn't really cut it.
Part 2 is actually more abused by the industry as typically relies upon an initial, poorly verified Part 1 and just uses a token ID and PIN (if that) to allow access by that person (or bot). Both are fallible, and with criminals getting better at AI and focused attacks, they will stay ahead as long as these two "parts" are separated and not using the best available technologies. The my-token-is-me approach is easily faked as well, in both Parts. Incorporating a blockchain technology can be helpful, but the credibility of the chain is only as good as the trustability of the first link (see Part one above).
Many industry players are making up their own definitions (5, 10-factor authentication -LOL), leading to confusion and poor intel for the buyers. I am mostly referring to B2B buyers, but exponentially more difficult for the consumer to understand. I believe this is hampering the improved IAM that you are looking to experience in the marketplace.
I will stop ranting before I get carried away... just my observations.
A partial Solution would be to:
a) leverage federated IDaaS registration using a trusted regulated authority,
b) eliminate anything static about the credential (PINs, passwords, token), and
c) use all three factors of authentication as defined by NIST during BOTH Parts.
EOR (end of rant)
This is a topic of genuine interest to me. I've been doing identity/security work for over a decade now. Happy to share some analysis, ideas, thoughts and potential POCs with another genuine entrepreneur.
This is something I battle with given I have a majorly remote working style of functioning-from hiring to clientele to marketing to even payments. Ultimately I don't proceed even if there's a slight doubt, especially when people are interested initially and then suddenly vanish; as if they just wanted information and nothing else.
People use the liberty of anonymity to lie (for lack of a better word it seems appropriate) however it doesn't mean all do & it also doesn't mean that those in person always speak the truth. All this is fine up until it starts to pose a troublesome problem of identity theft, incorrect profiles, malicious cybercrime.
Same in the case of spreading news. Journalists can verify facts as per their taught research methodologies, however if an informer does offer them incorrect news pieces; there's little that they can do too. Fake news is even more jeopardising given there are several masses affected by it.
However do note that newspaper ads are never vetted for authenticity. Once a reader goes by the ad and is duped; well the very same journalists want a bite. How about verify everything before you publish & save the crime from occurring in the first place?
Fake job scenarios, money swindling schemes and get rich quick schemes are around galore.
If there's any way you think you can salvage this entire background check & authenticate the person's identity & verify the integrity on the basis of credentials for any other parameters, then I'm all ears (for the first case of businesses) & for fake news well, there are many firms that are working on it. I think it's dutiful for every individual to know right from wrong & once identified-block, report & make it known to the site owners; so remedial steps can be undertaken-of course the assumption here is that some remedial action is actually undertaken (that's a different story whether it is or isn't)
Amit -- ShoCard is very interesting! And I've seen some neat stuff from keybase.io as well. Blockchaining and basically tying down to the metal is a solid way to ensure private communications, and therefore identity assurance.
apologies for anyone trying to message me - for some days now, I have not been able to respond! The messages present but then it seems they are never delivered and I can't see them when I log in later. So, if you are wondering write to email@example.com and we can connect there as well.
Jesse- happened to watch a crime show, weeding out criminals and rather detecting crime in the first place in reality or in the virtual world would both have a similar approach.
Try reading up research papers on identifying fakes (in reality and virtually), it could aid in your algorithm.
My personal opinion is that no one has solved this problem for a couple reasons. One, people like the ability to publish with few personal consequences. Two, people don't really want to be scrutinized (submit to verification) unless there is a very specific personal benefit to doing so. Three, people aren't very interested in the truth. What they're interested in is information that supports their personal beliefs, regardless of whether it's truthful or not. And lastly, your personal truth is not necessarily the same as THE truth. That's very hard for most people to see.
A fluid identity is something that has appeal, and like putting in a timeclock at work after people have been able to come and go without punching the clock for years, those people who like a change/changing identities are going to resist things that try to limit the fluidity of identity now that they've had freedom.
Paul, true people don't much like to do stuff without benefit, but if one could share a set of verified personal information on say, a dating service - it would be a way to share verified personal information without giving away personally identifying information which is useful. Certainly a lot of people would LIKE to be verified by Twitter, but their process is really only for famous people.
Come see me pitch tonight in NYC a new unique and never before possible self-serve identity verification for business.