![[UPDATED] Yet Another Cleaner, Yet Another Stealer](https://www.malwarebytes.com/wp-content/uploads/sites/2/2015/03/photodune-3595462-identity-theft-l.jpg?w=1240)
“Use real identities to reduce abuse online” is a talking point you’ve almost certainly seen down the years. It also seems to come around like clockwork every other month, and is currently a hot topic in the UK after prominent journalists / media personalities raised the issue.
It’s an interesting idea, but the devil is in the details. “Verified identities solve the problem” won’t address the new problems such an approach creates. Is it possible to make this work, or is it all just pie in the sky?
Real users still behave badly
Think back to some of the worst arguments you’ve seen on social media. They almost certainly involve verified accounts somewhere in the mix. Often they initiate the aggression, or wade into replies and make it worse.
They may also utilise platform features to spread the argument further afield. Accounts with large followings on Twitter will do this via quote tweeting. They may simply retweet a stance they disagree with to initiate a so-called “pile on“, or retweet other people arguing, or quote tweet adding their own commentary along the way. They may even retweet their own replies.
Once this happens, it’s often game over for the other person whose notifications are essentially ruined with a flood of angry responses. I could be wrong, but I don’t believe I’ve ever seen a verified account banned for causing a pile on. I have, however, seen small accounts targeted by such things delete their profile completely. On balance, this doesn’t seem particularly fair.
Realness doesn’t equate to accuracy
Going back to Twitter, this is somewhat a problem of their own making. Whether an accurate assumption or not, the verified system was originally where you assumed all the celebrities you liked ended up. Twitter expanded it to include other people of note, for example authors, athletes, scientists, and so on. Then lots of folks were handed verification simply for working in news / media orgs. Alongside this, for a period of time you could submit a request to be verified and if you passed the bar, you got your checkmark.
Already, you can see how the system was torn between notions of “Is this a badge of notability, identity, or something else altogether?” Things became even more confusing as for a few years, the Twitter verification information page insisted verification was not currently happening…while new checkmarks continued to be given out.
The scheme is currently undergoing renovation, but it remains to be seen what happens with it.
Whether intentional or not, people seem to trust verified accounts as trustworthy voices of reason. This is not sensible, as people will tweet whatever they feel like. If we’re asking, “Does verification help reduce abuse or misinformation”, it can be argued that no, it does not. A drop of 73% in election misinformation after Twitter suspended Donald Trump is a frankly staggering statistic.
This alone should be a fatal blow to the “Use a real identity and things will magically be better somehow” idea.
Facebook’s foray into real names
Facebook already requires you to register an account with your legal name. The problem is if they think your name is not real, you’re locked out and have to try and regain access. This has had very mixed results, causing problems over everything from “fake” names to Star Wars.
Consider all the effort involved in policing this, and the hassle for site users, and then compare that with the number of accounts who are happily pushing large-scale propaganda campaigns via fake profiles on Facebook anyway.
Is it really worth all that effort? Is it helping?
Access denied
If we want everyone online with a real ID, there’s many privacy issues up for debate if identity documents are involved. There’s also the massive problem of access. The international gold-standard for ID is your passport. Many verification schemes ask for scans of your passport at some point.
Problem: lots of people don’t have passports, because it’s not a mandatory document. Depending on country, it might be very expensive. It could involve a complicated process or have its own barriers to entry. Live in a different country to the one you were born in? You may only have a residence permit. It’s possible your passport has expired. Will they even accept an expired passport?
In 2018, around 76% of people had a passport in the UK. That compares with 42% of Americans and 66% of Canadians. That leaves an awful lot of people out of the loop across just 3 locations. This is before you factor the rest of the world in.
Unless passports are somehow made free worldwide, or a universal form of ID is created, people will lose out. When crucial services like banking, tax, municipal services, gas and electricity are all moved online, this seems irresponsible. We typically don’t need to show our energy company a scan of our passport to use their service online. Does it make sense that the bar to entry is so much higher to post on a social network?
There are limited circumstances where a social network currently may ask to see a form of identification. That’s mostly tied to issues of death and memorialisation. Similarly, some verification processes involve passport scans.
Scanning everybody, though? That’s going to cause additional problems…
All the eggs, in the biggest basket
Any social media app containing something approaching the whole world’s passports is instantly a massive target for hacks and scams. It’s debatable if they could keep it all secure and locked down—they only have to fail once. For comparison, the UK’s Home Office deals with a frankly unimaginable volume of personal data. Passports, birth certificates, wedding certificates, photographs, personal emails, biometrics, the works. Some of this is outsourced to third parties.
It is incredibly important this data is kept under lock and key. This is now the point where we mention a 120% rise in data loss incidents. With 4,204 incidents “in the last financial year” alone, that’s an awful lot of problems related to paper documents and electronic devices. If this is the scale of the issue for UKGOV despite their best efforts, imagine the problem for a much less wealthy social media site. It just seems too much of a leap of faith to think this would end in anything but disaster.
This leads us neatly on to…
Data theft fallout
When people say that losing their anonymity online “isn’t a problem”, or “wouldn’t bug me”, that’s great for them. But just because something isn’t in their threat model, doesn’t mean it can’t hurt someone else, as the EFF’s Eva Galperin pointed out on Twitter only recently:
Some people are at risk from domestic violence or racial abuse. For some, anonymity is built into aspects of their job. For others, their stay in a country might be. conditional but they’d like to speak up on the issues affecting them without feeling they’re jeopardising their status.
“You’re not living in a repressive regime” should not be the barrier to entry for privacy. Treating your right to keep yourself safe from data abuse isn’t a special exemption, kept out of reach except in the direst of emergencies. This normalises the idea of privacy and safety as an exception. You know who loves it when privacy and safety are treated as abnormal?
People who’d rather you have as little of it as possible, that’s who.
Same again next time?
I’ve seen this discussion come around many, many times now. No matter the circumstance, it tends to fizzle out and be resurrected a few months later. In the UK, at least, “everyone should supply ID” will collapse under weight of sheer impossibility. The task there is made harder by virtue of the fact there is no nationally issued, mandatory identity card system in operation.
Things are a little more complicated in the US, where anonymous online speech is concerned. The legal provision that protects free speech online—Section 230—is under increasing scrutiny. It remains to be seen how things will play out there.
Having said that, this talking point will return. When it does, you’ll be armed with the knowledge that data privacy is incredibly important. Due to a variety of social, legal, and practical problems in this particular realm, social media sites won’t be asking you for verification any time soon.
