Verifying identity online
Last month, one of the hot topics was the mess created on Twitter around their new Verified badge. I want to explore a bit what happened, what other options are available and why verification is such a challenging issue.
The Twitter model(s)
Before the mess of this month, Twitter had a verification model where certain people who matched criteria would get a blue "Verified" icon next to their name. The idea was to offer the users a way to know which of the popular, well-known or official accounts were legit and which were not.
This system wasn't without its flaws. There was a lot of discussion every now and then about the criteria and the bias in the system. It seemed unclear to many what the real criteria were and whether everyone was treated fairly.
And to many, the blue verification icon became a status symbol. When Musk took over the company and allowed anyone to buy a blue verified icon next to their name for $8/month, chaos ensued. People impersonated other people and organizations and there was no good way for users to know one from the other.
Even with the flaws of the original system, it did provide value, mainly through its lack of false positives. I haven't heard of cases where in the old system, someone was verified to be a person they weren't or organization they didn't represent.
The challenge is that if anyone can "verify" by paying (without being checked that they are who they claim to be), the verification is completely pointless, as we learned from the Twitter case. Real verification has its own problem, though: sending your ID to a company might not be in your best interest either.
The Mastodon model
In Mastodon, there's no authority to provide verification badges. There's no one to send your ID to in order to ask for verification. The system works in a slightly different way. You can verify a connection between two things online: for example, your website.
By listing your website in your profile and adding a <link rel="me" href="[your mastodon URL]"> to that same site, Mastodon will show a check mark next to it, verifying that the person who manages the Mastodon profile also manages, or is at least able to edit, the website they link to.
That's why in my Mastodon profile, this website is listed as green with a checkmark.
The important distinction is this: it does not prove that the Mastodon profile is managed by the real person Juha-Matti Santala. But if you trust this website, you can at least be somewhat sure that the profile belongs to me. Sure, there's a possibility of hacking a website to add that back link or buying an expired domain but it's still a nice way.
It's not always important that we are able to verify that Mastodon profile https://mastodon.world/@hamatti is me, the person. For me, it's actually more valuable to verify that it is maintained by the same online person who is writing this website. For example, you could be an anonymous writer or comic book author and want to make sure your website links to your authentic profile. In that case, the real person identity is not important nor valuable.
It's a very techie solution
To a techie, this model sounds amazing. Until we remember that not a lot of people actually have websites, meaning there's no way for them to verify their identity in Mastodon. There are some ways though: for example, a media company or a public government organization might have profile pages in their website that handle this verification. But for a non-technical individual who's not part of an organization or doesn't want to tie their profile to an organization, it doesn't provide much.
A big benefit of this model is that you don't need to send your ID to a commercial party. You can be in charge of what and how you want to verify your identity. The challenge is that you can only ever trust that the person with the profile has access to the website they link to.
Don't trust it blindly
There are ways to spoof an identity using this model. There are websites that exploit small visual differences in domain names, in what is called an IDN homograph attack. You could buy a domain that at a glance looks like a real organization's website and verify through that. A regular user who expects no malice could be fooled by it easily.
So before you believe a check mark in Mastodon, follow through the website and confirm it is what it claims to be.
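As an added example (not code from this post or from Mastodon itself), the check below implements the rel="me" back-link test described above and flags a verified link whose domain is in punycode or contains non-ASCII characters, which is the IDN homograph case from the previous section. Fetching the live page is left out so it runs offline; the profile URL is the one from the post, while the site URLs and HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class RelMeParser(HTMLParser):
    """Collect href values of <link> and <a> elements that carry rel="me"."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("link", "a"):
            return
        attributes = dict(attrs)
        # rel may hold several space-separated tokens, e.g. rel="me nofollow"
        rels = (attributes.get("rel") or "").lower().split()
        if "me" in rels and attributes.get("href"):
            self.hrefs.append(attributes["href"])


def normalize(url):
    """Compare scheme, host and path only; ignore case and a trailing slash."""
    parts = urlsplit(url.strip())
    return (parts.scheme.lower(), parts.netloc.lower(), parts.path.rstrip("/") or "/")


def has_rel_me_back_link(html, profile_url):
    parser = RelMeParser()
    parser.feed(html)
    return any(normalize(h) == normalize(profile_url) for h in parser.hrefs)


def looks_like_idn(site_url):
    """True for punycode (xn--) or raw non-ASCII hostnames: worth a closer look."""
    host = urlsplit(site_url).hostname or ""
    return host.startswith("xn--") or any(ord(c) > 127 for c in host)


def verify_site(site_url, html, profile_url):
    """Return (verified, warnings) for a site linked from a profile."""
    verified = has_rel_me_back_link(html, profile_url)
    warnings = []
    if verified and looks_like_idn(site_url):
        warnings.append("domain uses punycode or non-ASCII characters")
    return verified, warnings


# Constructed sample data (the profile URL is the one from the post)
PROFILE = "https://mastodon.world/@hamatti"
GOOD_SITE = "https://example.com"
GOOD_HTML = '<html><head><link rel="me" href="https://mastodon.world/@hamatti/"></head></html>'
BAD_HTML = '<html><body><a rel="me nofollow" href="https://mastodon.world/@someone">me</a></body></html>'
LOOKALIKE_SITE = "https://xn--exmple-cua.com"  # punycode of the constructed name exämple.com
```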
GPG - GNU Privacy Guard
Another way to verify (to sign) your digital messages is using GPG keys. I'm not an expert in cryptographic signing though so if you want to get a good primer I recommend checking out Paul Fawkesley's GPG For Humans blog series.
GPG works with two keys: your public and your private/secret key. When it comes to signing messages to confirm that they come from you, you sign them with your secret key and you give your public key to whoever you want to be able to verify the messages come from you.
The verification method here is similar to the one in Mastodon in that you still need another way to build that original trust. It works well for messaging with people you already know.
Verifying identity is always tricky because regardless of the method, you need to have a trust baseline: something that you trust in regardless of the methods. The government offers one way to identify through an ID (personal ID, driving license, passport, etc) and we've been relying on that for a lot of things.
When it comes to verifying your identity online though, you either
a) need to provide a proof of your identity to a company that then tells their users that the person is who they claim to be, or
b) you need to use a different kind of system that doesn't actually verify your identity, just that you have access to something that the users trust to be yours (e.g. a website or private key).
To some extent, I'm happier with the second option, but I also recognize that as a technical person, I'm in a very privileged position that offers me more ways to deal with that.