The Case for Ending Anonymity, Strong Authentication, and Granting Permission

The Case for Ending Anonymity, Strong Authentication, and Granting Permission

By Peter Bernstein November 30, 2017 1 Comments
Peter Bernstein png
The Case for Ending Anonymity, Strong Authentication, and Granting Permission by Peter Bernstein

Let me start by asking for reader indulgence for a few paragraphs. What follows may seem too personal and a digression from the title above, but bear with me since it is critical context.

For those of you who live in the U.S., it is likely you are aware that a few weeks ago a person using the made-up name “Bernie Bernstein,” posing as a reporter from the Washington Post, was making robocalls to people in Alabama. This impersonator said they were willing to pay people up to $7,000 to dig up dirt on senatorial candidate Roy Moore. 

Fortunately, this was exposed as a blatant attempt to discredit the Washington Post, flame distrust in the news media and state the appetites of white supremacists and anti-Semites. Unfortunately, because of sloppy journalism, and Twitter being less than responsive, the situation was temporarily exacerbated.  An Internet troll using a now-suspended account of the supposed Bernie Bernstein stirred the pot along with a Tweet from Conservative columnist Bill Kristol presented below.

I bring all of this up for several reasons. The first of which is that my nickname since elementary school has been “Bernie.” In addition, while I am a relatively light user of Twitter my handle has been @BernieBernstein since 2011. A fake Bernie Bernstein account was created. It had a handle very similar but certainly not identical to mine.

I should note I reached out to @BillKristol after an amazing spike in mentions and a big spike in my account, via Twitter and email, that if he had actually gone to the above Twitter address he would have learned that the robocaller and troll were not me. He is yet to apologize for his journalistic recklessness. It is interesting that the editor at large of The Weekly Standard is now an exhibit of the corrosive diminution of fact checking and truth seeking in certain parts of the media. He was not alone. Several other media outlets including the New York Times, MSNBC and The Times of Israel were also guilty of not doing their homework. 

My first reaction was to rage against the social media machine via postings and email. My second was an inclination to discontinue my Twitter account. After calming down a bit I realized that anyone going to my @BernieBernstein account could go through my timeline and see I was not the imposter. While this was not quite a case of any publicity is good, reality is that while my identity was momentarily sullied due to confusion, my reputation has suffered no long-term harm and I have picked up several new followers whose support I appreciate.  

What does this have to do with the death of anonymity, the requirement for enhanced authentication, and the need to move to a permission-centric approach to online interactions? In a word, “E”verything.

Let us start with acknowledgement that nobody’s online personal information, profile or even (maybe especially) his or her surfing habits is or ever will be totally safe and secure. That is just a “fact of life.” 

That said, if social media wants to clean up its act before policy-makers around the world decide to do it for them, allowing people – whether speaking fact, fiction, hate or community, etc. – to stop hiding behind aliases and avatars is a great beginning.

We all should know in some detail whom we are interacting with in real-time as well as time-shifted. 

After all, identity is the foundation of trust. The lack of authentication is the basis of distrust. In short, be it for personal or business interactions, knowing whom we are interacting with, to the extent feasible, possible and reasonable, is what enables the Internet Age to move forward in hopefully more beneficial rather than harmful steps. The challenge is obviously in authentication.

At least on the authentication side of things there is hope. Biometrics of all types need to be employed up and down the interaction value chain with easy and non-intrusive (from ease-of-use and time perspectives) multi-factor authentication being the most desirable approach. The good news is the tools are now available. Now we need them to be universally disseminated and applied in conjunction with the use of advanced data protection capabilities. Checking a box on a website that says “I am not a robot” is hardly sufficient. 

Will strong authentication solve the identity/trust problem? No. I am painfully aware of the depths those with malicious intent will go in creating fake people with fake credentials and the ability to interact with humans as well as machines is a way that can fool any person or system. However, making it hard for bad guys is the objective with the goal being exponential decreases in risk over extended periods of time. 

Finally, a few words on the point about the granting of permission.  

People can say who they are, and present the proper credentials to prove it. However, as anyone who has looked at their caller ID info this holiday season knows the rules about direct marketing calls (human and inhuman) in the U.S. are largely ignored. Indeed, because of a fear that an innocuous charity call is actually a phishing expedition or worse, I advise never saying YES on the phone to any question from somebody you do not know well for any reason. The YES can be recorded. It subsequently can be used as proof of a preexisting relationship between caller and called when/if things turn ugly.   

Establishing the ground rules for what constitutes permission, and establishing liabilities for when in dispute, is one of the major challenges of the Internet Age as the world becomes more connected, visual, and personally and professionally intrusive.

Creating “E”vironments based on permissions, particularly for all transactional and collaborative applications and services, is critical for trust to be maintained so ecommerce and social interactions flourish. How we get there and how fast we can overcome what is already a case of policy lag and industry disinterest is something we all need to be thinking about.

In the meantime, do me a favor and tweet @BillKristol and tell him you know me and that he still owes me an apology. Thanks.☺

 

1 Responses to "The Case for Ending Anonymity, Strong Authentication, and Granting Permission" - Add Yours

Gravatar
Alan MacLeod 12/4/2017 7:52:38 AM

The lack of Identity, or more accurately, the lack of verification of identity is undermining the very bedrock of society as you say - but its hardly fair to blame social media. Social media is just the latest platform - spying has relied on anonymity and fake identities for 100s if not 1000s of years. When it comes to the online world, email identities have been unverified for as long as we've had public email servers, and we had anonymous chat rooms before that.

I'm not sure we have the technologies yet either. Biometrics are good for local verification, i.e. between you and the device/service to which you've shared your biometric, but it doesn't make for a good "general" verification in an online world, yet. PKI has relied on verified identities and has largely landed in a solid place in terms of the initial verification, but ultimately certificates are for services: the business model and technology doesn't scale to humans and devices. Where we have "got it right" is the protocols that rely on that trust. Hashing and encryption are all good enough, as long as we continue to evolve the algorithms as flaws are discovered - but we've yet to address the identity issue.

While I agree, Identity is the root of trust, its also important to understand that trust is the root of identity. Only if we can trust the source of verification, can we trust the identity and thus trust the identified. Its no different human to human - if you can absolutely identify the person you are interacting with - then the level of trust is established. If someone you trust vouches for someone else, then the level of trust can be established - apart from that, its down to your ability to assess the risk. And while we don't have a valid trust model, we need to rely on ourselves, and sadly, that is the thing that social media is really exposing, we're so busy reacting and posting, we forget to think and analyze and "check our source

To Leave a Comment, Please Login or Register

UC Alerts
UC Blogs
UC ROI Tool RSS Feeds