honestlyreal

Icon

Verification: I can’t even

I can’t even – and neither can they…

Yes folks, it’s back again! The Queen’s Speech today promises yet another Mumsnet/Mail pleasing crackdown on one-handed websurfing – age verification!

Ha, brilliant – so obvious – all we have to do to send the kids back to the era of damp grotmags in the bushes is do a bit of proving-who-you are when someone clicks their way to a nacky site. No proof, no nacky.

Couldn’t be easier!

So how are they going to make it work then?

Short answer: they can’t.

Longer answer: they’d have to solve the Big Problem, and also some Littler Problems.

The Big Problem is an ancient conundrum: how do you build a checking system that’s solid enough to be worth doing, but not so solid that it doesn’t immediately bugger up the life of someone who loses access to their digital self?

Solid example: imagine you have a password that will ‘prove’ who you are wherever you use it, to anyone (we gloss over here how that trust might actually be set up). Lovely! But anyone who nicks that from the Post-It on the side of your monitor can then start buggering up your life. So you add a special chip they have to hold at the same time, and a scan of their toeprints that has to match, and…and…you’ve got something that’s so clunky that no one will be able to use it reliably.

Less-solid example: you have to upload a paper document of some degree of ‘officialness’ – perhaps a driving licence or similar – or type in some reference number from it – and someone on the other end agrees to let you in. Cue instant exchange of document scans – anyone’s will do – and reference numbers between bulging-balled/clitted teens.

Or you could try and connect identity to payment; the “credit card as key” approach – cue even more bad things happening involving credit cards and real hard money.

So that’s the Big Problem: any system with very strong trust is a magnet for people who want to do bad things with it. And I’m not talking about watching-porn-bad-things. Because that’s not bad. But that’s a whole different (mass) debate.

But let’s assume we do want to have some system that’s worth doing: we have two options – build a central identity register (think of it as a single digital “you” that can be checked, tracked etc.) and have you prove your right to be identified as that person; or establish the trust in other ways.

Without rehashing all the central registry arguments – though you can check out Achilles & the Tortoise for a bit of light relief (tl;dr vulnerable to attack by undesirables, or misuse by a State gone Bad, all eggs in one basket) suffice to say that government thinking of late has steered away from such a thing. For now.

The alternative approach rests on a nice workaround: if you can prove who you are to organisations that already know about you – and they do their job to an agreed quality standard – then that trust can be taken, well, on trust by other services. Your bank went to huge amounts of trouble to find out who you were, so if they say you’re you, you probably are. And actually, for age verification, they don’t even need to say much about you to the porn-keepers – merely confirming that someone’s at the door with age >= 18 (or whatever) will do the job.

The great Dave Birch has done the most elegant job I’ve seen of describing how you’d do this.

All neat and compact and a whole lot less terrifying than having a great, groaning Database of Everyone sitting in a Cap Gemini data centre.

This is essentially what the government’s Verify programme of identity assurance is currently trying to do. It involves solving a number of Littler Problems.

– what sort of organisations know enough about enough of the population to be able to accurately and reliably work at the scale of millions of people?

– how good is their data, and might they have to ship in data from other sources to fill in any gaps?

– what’s in it for them? i.e. what’s the business model for them to do all these verifications?

– how’s everything going to be kept safe, and how can that be shown to everyone’s satisfaction?

– how much risk should we plan in? Identity is never ‘proven’ as such; merely claimed within an accepted range of risk. Otherwise systems would be unusable by normal humans, and break all the time.

– who picks up the bits when things go wrong? (which they will – no system is 100% safe) – this of course harks back to the Big Problem – if you really want a universal key to lots of services through a simple interface, have you also opened up a bottomless pit of liabilities when that trust is compromised?

and so on. Incidentally, all that while facing the spectre of individual government departments who have their own wide-ranging databases about us and who may continue to itch, as they’ve always itched, to use those databases to vet you against. Why rely on transferring trust from a third party when you can assure it in-house, they might say?

So that’s a crash through what’s involved as a result of today’s declarations. Not really that easy, huh?

Oh, and you do all of the above and you still have to do some incredible amounts of Whack-A-Mole to stop other porn sites springing up that you might not know about, and who might not give a stuff about these crazy UK requirements to prove age oh dear me hahahahaaaaa… That’s why it’s a “they can’t” overall – damn ‘inter’ bit in internet again. Gah!

Or maybe this isn’t about the porn sites at all – but about seizing control over everything that’s pumped out to us! HAH! You may choose your own favourite conspiracy at this point. (But yeah, quite possibly some elements aren’t mere conspiracy.)

You’ll hear people saying that other countries manage central registers, and why can’t we? You’ll hear people saying that we just need to trust the state a little more – and of course will someone think of the kids? You’ll hear armchair service designers telling you that it really isn’t all that difficult, and politicians saying “well of course we now hand this one to the clever technologists to implement; we know their grate branes will Find a Way…”

We’ll see, won’t we?

But as I say, don’t go thinking this is in any way real policy. It will keep a lid on tabloid outrage, hopefully, perhaps for a bit, just until something more distracting comes along.

Category: Other

Tagged:

3 Responses

  1. Kenny Campbell says:

    Like it.
    The other problem is that anyone using a VPN can access everything anyway. Let’s face it, if the TV moguls can’t stop people watching US Netflix, ain’t nobody going to be able to stop people watching naughty stuff… especially given that the websites want people to watch the naughty stuff.
    If you want to control what people watch on their home computers, you’ve got to have mum and dad camped right next to the PC. And keep your paws crossed that mum and dad are playing by your rules…

  2. Guy Chapman says:

    Step 1: Uninvent TOR.

    Oh.

    Well that’s that brilliant idea buggered then.

Leave a Reply

Flickr Photos

Fish

Fish

Fish

Seahorses

Iguana

Iguana

Iguana meme

Iguana

Iguana

_PB_8201

More Photos