AssertID in the Identity Assurance Ecosystem

“Know who you are dealing with online”

AssertID’s promotional slogan warns social media users against online fraudsters and criminals. It contains an implicit message: before entrusting others online with sensitive information or goods, verify that their self-assertions (i.e. self-representations) are true. Known entities are generally more reliable than unknown -- or even worse, faked -- ones. The goal of all online identity assurance is for the interacting parties to know who they are dealing with, to reduce the potential for fraudulent behaviors.

This dictum applies across an astonishing variety of online applications, from online banking to Facebook relationships. When I log onto the Bank of America website, I am verifying that I am who I say I am -- the owner of my (miniscule) bank account -- so that the bank prevents random people from taking money out of my account. Simultaneously, the bank is verifying that it is indeed my bank -- and that I can entrust it with personal financial information -- at least, to the degree outlined in the Terms of Service.

Making a Facebook connection may appear very different, but actually operates through the same concepts. Before I request someone to be my “Facebook friend”, I review the person’s credentials (name, photo, and shared “friends”) to check if this is the same person I was thinking about, whom I can trust to some extent. When I go ahead and make a “friend request”, I provide the same credentials so that the “friend” can verify my identity. Once again, the idea is to deal with known entities -- even if the consequences of fraud (simply socially unacceptable behavior) are considerably lower.

These examples are conceptually different in one crucial respect. The online banking example focuses on verifying the current user as the owner of the account/profile -- without necessarily verifying that profile’s accuracy. A person can put technically-incorrect information on his bank account -- like a work or permanent address instead of an actual home address -- without anyone caring. For instance, I still have my parents’ address listed as my home address, although I have not lived there for years. In contrast, the Facebook example focuses on verifying profile accuracy, not verifying the current user being the owner of the profile. It is not unheard-of -- especially at the high school level -- for someone to log in as their friend for the express purpose of sending out friend requests on behalf of the actual profile owner.

Of course, Bank of America and Facebook would both prefer that users maintain accurate profiles, and log in only as themselves. Yet, this example illustrates the need for more conceptual distinctions between different types of identity assurance. The purpose of this blog post is to propose such a conceptual framework, and examine AssertID’s place in this Ecosystem of Identity Assurance.

The end-to-end process of identity assurance has five closely-linked components. Most people consider identity assurance to have three parts: verifying that a profile accurately depicts the account holder (profile assurance); verifying that the current user is the account holder (current user assurance); or conversely, locking out users other than the account holder (unauthorized user lock-out). Yet, two more components play a critical role in identity assurance. Identity assurance begins with a security infrastructure known not to be corrupted (system security), and ends by preventing unauthorized actions from being taken with any specific profile. Note that preventing unauthorized actions is all everyone really cares about; nobody really cares if Joe Schmoe asks his wife to log into his NetFlix account to choose the next movie they will watch together. Identity assurance is important mainly as a tool to ensure that profiles are acting as authorized.

Below is a framework showing the five links in the online identity assurance chain:

Regardless of their specific focus, all online communities use each of these components. However, depending on the specific context, some components may be much more important than others.

This post concludes with a more in-depth discussion of each of these components.

System Security

Identity assurance is meaningless unless it is built on a solid foundation -- a solid security infrastructure. The most powerful identity assurance systems would be wasted if built on an underlying infrastructure that does not adequate protect its data.

Specifics regarding system security are beyond the scope of this post. Some examples of best-practices in security include regular software updating and patching, encrypted connections, and strong password/second factor requirements, vulnerability scanning and network security management.

Verify Profile

Profile assurance -- verifying that an online profile accurately and truthfully represents the account holder -- reduces unauthorized behaviors in two ways.

First, profile content functions as a signal that builds trust between two interacting users, or warn users against interacting with specific individuals. For instance, an online vendor with a verified US-based mailing address might be considered more trustworthy than another based in Nigeria or Russia -- home bases for many online scams. By providing users with more information about each other, profile assurance enables them to make better judgments about whom to trust. This cuts down on undesirable and unauthorized actions like e-commerce fraud.

Second, profile content determines the number and type of interactions between users in certain contexts. For instance, factors like gender, marital status and photo attractiveness drive user interaction patterns on online dating websites. A person lying about himself would generate dates under false pretenses -- a behavior that is undesirable to all other users. Profile assurance would reduce the scope for such behaviors.

AssertID’s core competence is profile assurance.

Verify Current User/Lock-Out Unauthorized Users

Although profile assurance fills the needs of some online social communities, it does not represent an end-to-end identity assurance solution by itself. Often, the service provider must verify that the current user is actually the account holder, or conversely, lock out anyone other than the account holder.

There is a distinction between verifying that the user currently logged into a profile is actually the account holder, and that no other users can gain access to the same profile. Consider an illustrative, real-life example. Facebook viruses use a given profile in tandem with the registered account holder, allowing the account holder to continue using the profile normally, while the virus spreads itself by sending additional messages. In many situations, the account holder has no idea what is going on. A process that verifies the current user as the account holder would give the user access to additional resources that would remain unavailable to the virus. In contrast, locking-out unauthorized users would focus on preventing the virus from accessing the profile in the first place.

AssertID is currently being expanded to fill this role.

Prevent Unauthorized/Unsanctioned/Undesirable Actions

The prevention of such behaviors relies heavily on identity assurance processes. Consider an example that proves the point. Credit card companies rely heavily on sophisticated algorithms that detect credit card fraud based on the behaviors/actions generated using a given card. Note that the credit payment system involves little or no identity validation. Store purchases can be made using a stolen card and a forged signature. Furthermore, online purchases can be made without either of these identity credentials. If offline and online purchases involved stronger identity assurance, like placing the account holder’s photo on the physical card and mandating clerks to match the photo with the person who presents the card, such sophisticated algorithms would not be as necessary because identity assurance would (largely) take its place.

Coming Attractions

This is the first of a series of posts looking at the broader identity assurance ecosystem. My next post will focus on one particular niche: age assurance for the purpose of protecting minors against sexual predators, kidnappers and cyberbullies. In stark contrast with existing approaches, an end-to-end process would be required to solve the problem.

Verifying Self-Asserted Identity Data

In my prior post, I introduced how an online credential could help people trust each other in online communities. Such a credential, however, would only be as good as its reliability. An offline passport or driver’s license contains reliable information that is verified by governments, though two strong forms of validation: in-person registration and difficult-to-forge documents. Without access to either validation technique, how can we verify identity data?

As a point of departure, consider a typical profile on a social network (e.g. Facebook, MySpace or LinkedIn). If reasonably complete, such a profile provides all of the identity data needed to establish someone’s identity online -- first name, last name, photo, age, location, etc. However, a social network profile cannot work as a passport for the Web -- not without modifications. Why? Not everyone self-asserts truthful information about themselves. For instance, a RapLeaf study found that 69-year olds are disproportionately highly represented in social media sites. As this instance indicates, many untrue self-assertions are entirely harmless. Yet, they prevent social network profiles from being used as an online identity credential -- not without some means of validating their data.

Our approach is designed to transform social network profiles into a reliable online identity credential, by verifying key identity attributes like age, gender, etc. and presenting them in a standard format across various types of social media.

Here, the trickiest part is to verify self-asserted social network profile data -- there is no data source that can authoritatively bind a profile (or any other virtual identity token, like an OpenID or even an email address) to a legitimate off-line person and his/her identity attributes. Public records databases can verify many US-based adults. However, this approach has two major problems. Public records databases are often inaccurate -- and subject to the John Smith problem. People who share the same names (i.e. the gazillion John Smiths in the US, UK and other English-speaking countries) are easily confused with each other. Credit reports are an alternative, but financial identities often the subject of targeted identity theft. Even if they worked perfectly, they cover only US-based adults -- although people of all ages all over the world use the Internet.

AssertID uses a completely different approach, which takes advantage of the duality of online social network profiles. On one hand, these profiles present the information people provide about themselves -- age, photo, name, etc. On the other hand, these profiles provide information about people’s connections with other people -- in other words, each individual user’s unique Circle of Trust. The AssertID approach asks users to vouch for each other -- or verify that their friends are who they say they are. By analyzing the number and structure of these verifications (the “social graph”), AssertID can assess the legitimacy of individuals’ self-asserted social network profiles. In a very simple analogy, AssertID provides something that looks like a credit rating (e.g. FICO) using a process that somewhat resembles Google’s PageRank algorithm.

Skeptics would undoubtedly note that people can ask their friends to verify fake attributes. For instance, a married man might ask his drinking buddies to verify that he is single, for the purposes of moonlighting on online dating sites (as so many people actually do). Similarly, teenagers might verify each other to gain access to adult-only sites.

AssertID defeats such attempts by adopting the following principles:

-    Attributes that have been verified by a greater number of people can be considered more reliable.
-    Attribute verifications made by people whose own attributes have been verified by many other people carry greater weight.
-    Verifications of the same person by two people who know each other carry less weight than verification of the same person by two complete strangers.

These principles are based on 50 years of research by social network analysts, borrowing especially heavily from Mark Granovetter’s concept of embeddedness.

AssertID has created a proprietary algorithm that combines these social network analysis principles with best-practices in the online security world. This algorithm, and associated process, is patent pending.

Using the intellectual property that we have developed, the AssertID team is currently designing an embedded Facebook application that transforms profiles on Facebook into verified online identity credentials. My next blog post will provide more information on this project.

The Online Identity Credential as a Solution

Although anonymity is a cherished part of Internet tradition, it contributes significantly to the problem of Online Trust outlined in my previous post. Anonymity eliminates signals that online community users could use to gauge each other’s trustworthiness.

A trusted credential would re-establish signals for trustworthiness, without completely eliminating anonymity. In the offline world, people use passports (or driver’s licenses) to establish their identity—or verify that they are who they say they are. Banks, schools, foreign countries and individuals alike can trust passports because they are issued by a trustworthy central authority—in this case, the government. A similar online credential could be used to establish someone’s identity online. Using this credential:

• Users with verified ages could gain access to age-restricted sites, much the same way that adults gain access to offline bars using their driver’s licenses.
• Users with verified ages, marital status and photos could present this credential to potential dates on online dating sites.
• The online credential could be one of many tools that e-commerce sites use to reduce fraud. Similarly, peer-to-peer auction and exchange sites can reinforce their ratings systems with an online credential.

Important differences are needed to accommodate the nature of the online world, however. People online have come to expect anonymity in their interactions. A passport or driver’s license would reveal unnecessary information -- home addresses and often social security numbers. This would not be advisable.

Thus, unlike a passport, an online credential should be customized by its user, to reveal only the aspects of his identity he is comfortable revealing towards particular audiences. The user retains all other aspects of his anonymity. For instance, the user would have no reason to reveal his last name on an online dating site.

There are three objections about an online credential that appear plausible at first glance -- but are actually trivial. First, a critic might argue that an online credential would not “eliminate” online fraud. More specifically, an online credential does not directly address online fraud as a problem -- just because someone has a credential does not mean that that person is trustworthy. This critique, however, misses the point. A credential may not directly target fraud, but it provides a tool that works in combination with human judgment. A credential provides online clues that replace offline non-verbal cues. It levels the playing field between fraudsters and honest netizens. Overall, in combination with human judgment, this credential could help significantly reduce malfeasance, reducing low-effort fraud opportunities generated by the lack of any system whatsoever.  This moves fraudsters into detectable exceptions -- instead of not knowing if any particular person having equal probability of being good or bad.

Second, an online credential would have to be relatively frictionless. No one would use a credential that is monumentally difficult to establish. For instance, consider a credential that is generated by showing up in-person at a government office with official documents, waiting in line for three hours -- and then having to be fingerprinted. The government office is only open 9 to 4, so people would have to take time off of work or school. No one would go through this hassle unless they absolutely had to. This experience describes what legal immigrants go through to gain permanent residency (i.e. a Green Card). It is doubtful that people would jump through the same hoops simply to establish an online credential. Thus, an online credential would have to be established through a relatively pain-free process -- preferably generated from the comfort of peoples’ own homes, during their own time. This is certainly possible (as I will outline in a future post).

Third, an online credential provider would have difficulty verifying identity credentials. Offline government entities use in-person identification, combined with difficult-to-forge documents, to verify people’s identities. This is difficult in the online setting, which provides neither in-person identification nor high-security documents. What if a person lied about his age, location, etc. to the credential provider? As the Internet is global, how do you provide a universal solution that can verify anyone, anywhere? Considering that many children use the Internet, how do you identify this age group -- which does not show up in public record databases or credit bureaus?

The final concern is indeed valid – and difficult to solve. Thus, it has been the focus of our research. My next blog focuses on this issue: verifying self-asserted identity data.

The Problem of Online Trust

Successful online communities embody an internal contradiction. They facilitate “anonymous” social interactions, helping users make friends, find jobs, date potential mates and conduct transactions. Such facilitation, however, creates ideal conditions for abuse. Online communities have difficulty reining in this dark side as the factor making Web 2.0 useful also makes it dangerous. Thus, sexual predators are prowling the social networks, while bigots troll the forums and con artists haunt the marketplaces.

I explore this problem in this post. My next post will focus on a solution.

Why is online trust important? Without trust, online interactions could not occur. For example, I joined eHarmony (doesn’t everyone nowadays?), and started communicating with women on the site. I found someone who seemed to have a great personality -- and had movie-star looks. We ended up going on an off-line date. For this to happen, she and I needed to take a leap of faith -- that we were pretty much the people we purported to be on our eHarmony profiles.

Trust made this interaction possible. Such leaps of faith underlie all online interactions. E-commerce buyers trust sellers to deliver a product as advertised, and sellers trust buyers to deliver payment. TripAdvisor users trust each other to post correct information. These and other communities work as most users do not betray each other.

The Internet has had a culture of unconditional trust since its origins. Offline, people distrust strangers, preferring to deal with reputable acquaintances. Yet, the same people routinely trust online strangers. This is especially puzzling as face-to-face interactions provide far more signals about trustworthiness than online interactions: body language and tones of voice (Kollock 1999). Why is this? The answer is a longstanding Internet culture characterized by mutual trust. Fichter (2006) suggests that the Internet was founded by a close-knit elite community that knew each other by reputation. Even though the Internet is now populated by individuals with unknown reputations, a culture of unconditional trust still remains. Online communities nurture this tendency.

Although unconditional online trust has wonderful consequences, it also creates the conditions for its own abuse. If community members trust each other to behave according to established norms, unscrupulous wolves amongst the sheep can surreptitiously violate these norms for personal gain. For instance, my eHarmony date turned out to be going through a divorce, even though she had said she was single. It mattered not that she seemed to be a nice person that I might have normally befriended -- a breach of trust had occurred. I could not see myself spending more time with this person. In fact, the incident soured my feelings on online dating in general. My female friends have complained about similar online dates with “single” men on the prowl.

Although my experience was little more than an annoyance, other encounters have had more serious consequences. For instance, Katherine Ann Olson answered a babysitting ad on Craigslist, and paid with her life. Although the 23-year old valedictorian noticed something strange about the ad, she trusted the poster enough to show up at his house—alone. Jones (2007) suggests that: “Answering an ad for babysitting may not have seemed like a high-risk move to an adventurous and open person with plenty of positive experiences and online interactions through sites like Facebook and Craigslist.” Even more disturbing is 13-year old Megan Meier’s death via MySpace hoax. When her daughter had a falling-out with Megan, Lori Drew created a fake MySpace account as a 16-year old boy, and initiated an online relationship with Megan. Eventually, she terminated the relationship, writing: “The world would be a better place without you.” Megan, struggling with depression, took her life that day.

These cases share a basic similarity; both victims placed trust in online community users, who proved untrustworthy. They show that trust creates the conditions for its own abuse. For an interaction to occur, at least one of the two parties must take a leap of faith, trusting that his partner will honor promises. However, this makes the first mover highly vulnerable to malfeasance (Kollock 1999).

People deal with this kind of problem on a daily basis, across all sorts of communities:

User-Generated Content: Collaborative filtering sites and message boards assume that content users can trust content providers to post accurate information. Yet, many people have an incentive to provide misleading information. For instance, finance message boards are reputed to be flooded with hedge fund employees that spread false rumors.

Online Dating: Online dating sites also depend on users to provide accurate information. However, many online daters have incentives to lie about important details (e.g. marital status, age or appearance). Thus, they post misleading information about themselves.

Social Networking: Facebook, MySpace and other social networks also depend on their users to post accurate profiles. However, some people (like Lori Drew) sometimes disguise themselves for illegitimate purposes.

Economic Transactions: Online transactions are only possible if sellers trust buyers to pay, and buyers trust sellers to deliver. However, both sellers and buyers face strong incentives to cheat. Although online marketplaces (notably eBay) have instituted countermeasures designed to punish cheaters, some types of abuse have nevertheless become commonplace. Shill bidders register fake bids on their own item to push buyers into submitting higher bids. Likewise, people sell high-reputation accounts on the black market, for purchase by fraudsters looking to make a quick hit with an expensive product.

Online communities are a wonderful thing. They bring people together for activities ranging from social networking to online dating. However, the social web can be dangerous, because we are asked to trust strangers that we know nothing about. Although most people are trustworthy, a few weeds in the lawn present problems. Since most people are trustworthy themselves, they expect the same of others. This opens them up to abuse.

My next post will begin outlining a solution to this problem.

The AssertID Blog

How do you know who you are dealing with online? In the weeks ahead, I will be writing a series of blog posts that explores this problem -- and propose a solution.

I am working with a team of dedicated individuals who are working to build a solution. Initially assembled for a study at Stanford’s Graduate School of Business, this team combines expertise from several different fields -- Internet Security, Social Network Analysis, Online Social Network Architecture and Product Management. We believe that we have a solution to The Problem of Online Trust -- and we have started a company, AssertID, for the purpose of building this solution.

In the coming weeks, I will post blog entries on the following topics:

• Introduction to The Problem of Online Trust
• The AssertID approach to solving this problem (part 1 and part 2)
• Specific use cases (e.g. age verification, online dating, spam filtering)

In the meantime, here is a description of the AssertID Team. Since September 2007, my colleagues and I have been building a verified online identity credential system at AssertID, an early-stage company based in San Francisco. We just made our first public disclosure at the Internet Safety Technical Task Force meeting at Harvard last September.

As Chief Scientist, I have been spearheading AssertID’s intellectual property and research efforts centering on social network analysis.  This work is related to, but distinct from my academic research on social networks of trust in the economic and political spheres.  I am joined by Kevin Trilli (Founder), who has an extensive product background in identity security and authentication from nearly 8 years at VeriSign. Also, Murali Vivekandan, who has extensive experience designing and implementing online community applications, is building our high availability consumer service.

We are advised by highly-experienced members of Silicon Valley’s online security and Web 2.0 communities. Nico Popp is currently VP Innovation at VeriSign responsible for new product initiatives for VeriSign’s corporate business units.  Prior, Nico served as VP and General Manager, Authentication Services at VeriSign, where he was responsible for all authentication products. Stewart Bonn has been Senior VP and General Manager of Electronic Arts, the largest interactive media company in the world. Stewart also has experience being a serial entrepreneur, having founded startups purchased by Yahoo and other large Silicon Valley players. Francesco Zappacosta helped found BioQuiddity, a medical device startup focused on disposable infusion devices, and then worked as Director of Investment at an early-stage VC firm focused primarily on high-tech and consumer products. Jonathan Solomon also has an entrepreneurial background, having co-founded JD Logistics and the Tablogix Group, successful logistics companies overseas.

Please see our website for more details about our team.

My next blog post will take a deep look at The Problem of Online Trust -- something you are probably familiar with -- from sociological and security angles.