
An Online ID Registry

Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the Slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other CPU-intensive activities, so I don't really know how well the mod_perl backend will stand up...)"
  • It's been done (Score:5, Insightful)

    by autopr0n ( 534291 ) on Sunday July 11, 2004 @06:47PM (#9669750) Homepage Journal
    see microsoft passport. I'm sure there are tons of online user ids, the biggest being passport and yahoo.

    I wonder how hard it would be for an independent website to use passport for id?

    Anyway, making your system for-profit would be kind of pointless, since there are already much larger commercial offerings. I'm not aware of many non-commercial ones, though. oh well.
  • by Ars-Fartsica ( 166957 ) on Sunday July 11, 2004 @06:47PM (#9669751)
    The only way to truly verify identity online or offline is to appeal to a trusted authority...which currently people use driver's licenses or SSNs for. If you cannot establish a trusted authority that discriminates people you have never met before, your system is just another exploitable database.
  • by Nurseman ( 161297 ) <nursemanNO@SPAMgmail.com> on Sunday July 11, 2004 @06:52PM (#9669783) Homepage Journal
    "I am sort of stuck with a working website but nowhere to go with it."

    Let's see, a central repository of people's personal data, so someone can verify that we are trying a program for the first time? Oh, yeah, I can see that flying.
    Sarcasm aside, I just don't see it happening, too much potential for abuse. Imagine if this repository was hacked ?

  • Centralization (Score:5, Insightful)

    by prichardson ( 603676 ) on Sunday July 11, 2004 @06:52PM (#9669784) Journal
    Doesn't the idea of a central registry defeat the purpose of the internet anyway?

    The internet was designed so any number of nodes could go offline and all the other nodes could still talk to each other. This has largely been kept true, even in the application layer, where your stuff would be taking place. I think that requiring a central database for people to use to register for websites would be unwise.

    Also, you have any number of privacy concerns here. Do you really want a database of everything that everyone registers for? Do you want it to be possible for your boss to find out that you subscribe to an atheist newsletter if he's a hardcore Christian?
  • by Lumpy ( 12016 ) on Sunday July 11, 2004 @06:55PM (#9669808) Homepage
    I don't care what you try to come up with, I bet you $100 that within 24 hours I can figure out a way to get multiple user id's on it.

    Hell, meet the right people and you can get multiple Social Security numbers, drivers licenses, and passports.

    ALL identification systems can be subverted and online ones that do not require a large amount of 3rd party and usually highly reliable data backing up your claims to be you is really easy to subvert.

    I tried to find a solution like this over 7 years ago for the company I work for. it is impossible to make a foolproof system and I proved it to the board of directors that trying to do this will only piss off the customers and give us nothing but a false sense of security that really does not exist.
  • by midifarm ( 666278 ) on Sunday July 11, 2004 @06:55PM (#9669812) Homepage
    I typically hate being FORCED to register to use a web site. Furthermore I hate being tracked as I use the site. This idea is just short of installing an always-on GPS in my car, oh wait isn't that called OnStar? Furthermore, I think this type of OnlineID is intrusive and totalitarian. Beware!

    Peace

  • Privacy policy? (Score:5, Insightful)

    by MisanthropicProgram ( 763655 ) on Sunday July 11, 2004 @06:59PM (#9669838)
    I don't see one and this doesn't cut it:
    Privacy - users will be entering very sensitive, personal data which they do not want passed on to anyone without their permission. People want to maintain full control over their own information, and not be used as pawns in marketing games
    Until privacy is addressed with a lock tight policy, like, "We'll never give out your info." I will never become a client.
  • A matter of trust (Score:5, Insightful)

    by plsuh ( 129598 ) <plsuh@noSpAM.goodeast.com> on Sunday July 11, 2004 @06:59PM (#9669840) Homepage
    Nice cut at things, but why on earth should we trust you?

    This is not meant as an insult -- it cuts to the heart of the matter. A user is thus relying on you for secure storage of all of his or her personal information, and also relying on you that none of the information will ever leak. This is both leaks to the outside world in general via website spoofs, phishing, and the like, as well as internal leaks where an individual's information is inadvertently revealed beyond what he or she intended (e.g. I only meant to give out my address, not my credit card number).

    You would do well to read up on the design documents and white papers from the Liberty Alliance [projectliberty.org]. This is a hard problem to solve and simply using a centralized data store does not address any of the real privacy and security issues inherent in the field of identity verification and personal information management.

    --Paul
  • by fsterman ( 519061 ) on Sunday July 11, 2004 @07:01PM (#9669852) Homepage
    How are you gonna make sure people don't get another one? "You send in notarized copies of documentation such as passport, birth certificate, drivers license, utility bills etc." Riiiiiight, I got three people in this house that won't be using this thing. Along with plenty of insecure garbages all over town full of utility bills. Even shit like SS# are _VERY_ easy to get. How do you think illegal workers work? With fake SS cards they buy for $50-$100. This is a really useless idea.
  • Given That... (Score:2, Insightful)

    by Nom du Keyboard ( 633989 ) on Sunday July 11, 2004 @07:04PM (#9669867)
    Given that we cannot establish identity completely anywhere else in society short of invasive DNA testing (identical twins beat this one) or fingerprints (already shown to be easily spoofed), why should cyberspace be any different? We're awash in counterfeit identity documents good enough to pass, and sold on street corners for a few bucks and a few minutes' waiting. Most IP addresses dynamically change faster than presidential candidates' positions on the issues. You might be able to generate a unique PC ID value (e.g. Windows Product Activation), but who doesn't have more than one PC? And there was an outcry against the CPU ID feature Intel introduced a few years back. Besides, often times many people may use the same PC. So with nothing more than a keyboard and mouse at the far end of the wire, you want to know how to uniquely identify a person -- and all without asking for personal information most of us are (wisely) loath to provide.

    My solution: Everyone gets an implanted RFID grain with a unique 128-bit identifier + a public encryption key with cheap readers everywhere they will ever need to establish identity. And anyone caught faking an identity goes to jail for life to deter such attempts.

    It won't happen. The privacy advocates would be up in arms against this before the ink was dry on the proposal. And someone would still manage to beat it -- though probably very few. Someone will manage to make his ID grain rewritable, or some such nonsense.

    Conclusion: I don't feel this problem is solvable through any measures current society will accept, but I'd love to be proven wrong. I look forward to seeing what solutions are proposed.

  • by YankeeInExile ( 577704 ) * on Sunday July 11, 2004 @07:06PM (#9669883) Homepage Journal

    Another thought: How do you solve this problem?

    Hey, man, I'll give you $5,000,000 to verify that I am William Gates of Redmond, WA.
  • by Anonymous Coward on Sunday July 11, 2004 @07:11PM (#9669922)
    I'm replying to the first post so people will see my comment before all the others, suckers! eat me, i taste good, bitches.

    Your idea is hopeless. Identity can only be "verified" using something that's difficult or expensive to fake. Nobody is going to trust you with information that can be used for identity theft, so you can't rely on the government to do the enforcement for you. You can't afford enough private investigators to check up on every new account, and users wouldn't tolerate that anyway. Your only choice is to create a system that costs the user something to enter, so they incur greater costs if they enter multiple times. That's how game companies do it, they ban abusers and let them buy a new copy of the game with a new cd key for $50. If the initial registration is free, there's no way to do it. Either give up, charge a fee, or settle for allowing only some multiple registrations while blocking a lot of legitimate users.
  • Why? (Score:4, Insightful)

    by max born ( 739948 ) on Sunday July 11, 2004 @07:27PM (#9670030)
    Nice idea, Michael, but why would I want this?

    What problem does it solve?

    I already do online banking, shopping, bill paying, etc.. What additional service could I get from registering with you?
  • It seems some people here are overstating the problem - "You'll never be able to have a foolproof system for verifying people's identity!" So what? That isn't the problem he's trying to solve.

    The problem he's trying to solve is people avoiding paying for a service that offers free trials simply by creating multiple user IDs when the free trial is over. To prevent this, he doesn't need a foolproof system...

    He just needs a system where it is EASIER TO PAY FOR THE SERVICE than it is to get another ID, for MOST people, MOST of the time.

    If 1-5% of people still go through the bother of getting extra IDs, but 95-99% of people who would otherwise just keep abusing free trials end up paying for service instead, then the system might have value.

    Whether that's enough value to justify the system however, I don't know. It seems a lot of places that have free trials actually BENEFIT from the "abuse" - take matchmaking sites for example. The larger a site is, the more value there is in a subscription. It's probably better for them to charge people willing to pay in order to keep the same login/profile and also have a buncha people who just keep doing free trials than it is to just have people who are willing to pay and get rid of the "leeches". Same reasoning as the "Pirated copies of Windows are good for microsoft" (market dominance) argument.
  • by cgenman ( 325138 ) on Sunday July 11, 2004 @07:42PM (#9670138) Homepage
    I don't see how notarized copies of documents are easy or cheap to fake. Valid Drivers licenses are easier, but you can always verify the info with the state. Passports work great too.

    The step that you're missing is not that xeroxes of these documents are hard to fake (they aren't) but that they are verifiable. If Mary Marsupial has a passport, the government can verify whether or not the information that she entered is correct. If there really is a Mary Marsupial with passport ID #15857287382748 VX123, with birthdate etc etc, they can verify that. Now, that doesn't necessarily mean that the person on the other end of that communication is actually Mary Marsupial, and the following step is to MAIL a confirmation code of some kind to the address of Mary Marsupial as listed by the passport. If you have that, you know that either A: this is really Mary Marsupial or B: Mary Marsupial is totally Owned.

    Of course, all of this is hard work, and therefore would take paid registrations and a profit motive to achieve.

  • by potat0man ( 724766 ) on Sunday July 11, 2004 @08:18PM (#9670358)
    If the problem is preventing multiple sign-ups from one person then can't you simply snail mail them a PIN they need to use to verify the account?

    Sure, some people have access to multiple addresses but this would largely address the problem.

  • by ninjaz ( 1202 ) on Sunday July 11, 2004 @08:30PM (#9670438)
    Sure, you could require registration with a credit card, but this immediately turns many people off and negates the whole point of a free trial.

    So, people don't want to give out their credit card numbers for a free trial... But they will want to give you their DOB/Address/Passport/etc? Sure, the individual site wouldn't be the one causing the immediate nuisance, but you still have the problem of getting people on the system to begin with. If they were loath to provide you with a credit card number, what would make them more willing to completely hand over their identities?

    Also, you're being incredibly disingenuous with statements like this (in the Quick Tour section):

    Register - this is free, and involves entering some basic personal information about yourself, such as Name, Address, Date of Birth and Sex. These are attributes that can be verified via documentation.
    All of your personal information is encrypted, so nobody but you can ever see it.

    But, the registration is non-SSL and requests name/DOB/address. I see that buried in the "Terms and Conditions" and "Implementation" section, but, saying "nobody but you can ever see it" anywhere on the site when you're not even using SSL in transit shouts loud and clear that you aren't the one to trust with any sensitive data.

    You should have a big highly-visible warning on the registration page about being a prototype and that there is no SSL, and that having no SSL means all information is sent insecurely to you. Not statements that "no one but you can ever see this information" in big print, and "Oh, I was lying about that" in small print.

    Stating "no one but you should ever see it" regarding the database being encrypted is also a big false sense of security. Since the password is being given to your server, it can be intercepted on the server. If someone has access to steal the database, they've most likely got access to harvest some passwords first, too. Of course, since you're doing everything in cleartext in-transit right now, it could be intercepted over the network, too.

  • by j1m+5n0w ( 749199 ) on Sunday July 11, 2004 @09:33PM (#9670760) Homepage Journal
    I typically hate being FORCED to register to use a web site. Furthermore I hate being tracked as I use the site.

    Here is a slashdot anomaly: the parent post would have more credibility had it been posted as anonymous coward.

    -jim

  • by JohnyDog ( 129809 ) on Sunday July 11, 2004 @09:58PM (#9670915)
    You feel like paying for delivery of thousands of letters which get returned because of non-existent addresses?
  • by John Hasler ( 414242 ) on Sunday July 11, 2004 @10:49PM (#9671199) Homepage
    > Then there's the question of what happens to all
    > the documentation that has been sent in. I think
    > that for security and audit purposes, we do need
    > to keep it in some form.

    On the contrary. You need to *destroy* those documents for security and audit purposes.
  • by john_smith_45678 ( 607592 ) on Sunday July 11, 2004 @10:57PM (#9671238) Journal
    Yeah, those could NEVER be forged, stolen, etc.
  • So, if we're talking software;
    - each build / install of the application should stop working after a while for evaluation purposes forcing the user to download a new copy
    - email a demo key to the user, only one allowed per email address
    Of course your software could still be cracked allowing anyone to use the evaluation version / key as if it was registered.

    There will always be a small percentage that find a way around whatever you try to do. So don't make it too hard for legitimate users, or you shoot yourself in the foot. No matter how difficult the protection method is, someone will crack it.
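The two bullets above (a build that stops working after a while, and one demo key per e-mail address) can be combined into a single signed, expiring trial key. The following is an added example, not code from the original thread or from the submitter's registry. It assumes a server-side HMAC secret (a constructed value here) and verifies keys on the server; software that ships to users would instead verify a public-key signature so that no secret is embedded in the binary. Case-folding the address is the only normalization applied, and none of this survives a cracked binary, exactly as the comment says.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed signing secret for the example; a real one lives only on the
# issuing server and is never shipped with the software.
SECRET = b"constructed-demo-signing-secret"
TRIAL_SECONDS = 30 * 86400          # evaluation period: 30 days


def normalize_email(email: str) -> str:
    """Case-fold the address so Alice@Example.com and alice@example.com count once."""
    local, _, domain = email.strip().lower().partition("@")
    return f"{local}@{domain}"


class TrialKeyIssuer:
    """Issues at most one signed, time-limited key per (normalized) e-mail address."""

    def __init__(self, secret: bytes = SECRET, trial_seconds: int = TRIAL_SECONDS):
        self.secret = secret
        self.trial_seconds = trial_seconds
        self.issued = {}              # normalized address -> expiry timestamp

    def issue(self, email: str, now: int):
        addr = normalize_email(email)
        if addr in self.issued:
            return None               # this address already had its trial
        expires = now + self.trial_seconds
        payload = f"{addr}|{expires}".encode()
        sig = hmac.new(self.secret, payload, hashlib.sha256).digest()[:16]
        self.issued[addr] = expires
        # key = base64url(payload) "." hex(signature): both parts are safe to paste
        return base64.urlsafe_b64encode(payload).decode() + "." + sig.hex()


def check_trial_key(key: str, now: int, secret: bytes = SECRET) -> str:
    """Return 'valid', 'expired' or 'invalid' for a key presented by the software."""
    try:
        payload_b64, sig_hex = key.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, binascii.Error):
        return "invalid"              # malformed key
    expected = hmac.new(secret, payload, hashlib.sha256).digest()[:16].hex()
    if not hmac.compare_digest(sig_hex, expected):
        return "invalid"              # forged or tampered key
    _addr, _, expires = payload.decode().rpartition("|")
    if now >= int(expires):
        return "expired"              # the evaluation build stops working here
    return "valid"


if __name__ == "__main__":
    issuer = TrialKeyIssuer()
    key = issuer.issue("Alice@Example.com", now=1_000_000)
    print(key)
    print(check_trial_key(key, now=1_000_000 + 60))           # valid
    print(check_trial_key(key, now=1_000_000 + TRIAL_SECONDS)) # expired
    print(issuer.issue("alice@example.com", now=1_000_100))   # None: already issued
```

The expiry is signed together with the address, so a user cannot extend the trial by editing the key, and the issuer's table is what enforces "one per address"; both checks are only as strong as the secrecy of the signing key and the integrity of the client that honours the result.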

  • by UnrepentantHarlequin ( 766870 ) on Sunday July 11, 2004 @11:40PM (#9671526)
    Being Slashdot nerds, we tend to look first at the technical aspects of a problem. But in this case, the greatest difficulty is not technical. The biggest part of the problem is trust -- namely, users' trust for you.

    This might surprise a lot of people, but the majority of credit card fraud is not carried out by shoulder surfers, packet sniffers, l33t hackers, or any other third parties. It's done by the merchants themselves, or by their employees. Yep: the people most likely to misuse your CC info are the people you voluntarily give it to.

    You're planning to ask people to give you information that can positively identify them in a non-face-to-face environment. Which means that you, your eventual employees, the investigators you hire to verify that the documents people send you are real, etc., will all potentially have access to that information. You first have to work out a bulletproof means to protect that information, even from yourself, and then you have to convince prospective users (remember, these are the people who are afraid to send their CC info over the Net) that you've protected it adequately. You can convince yourself . . . you might possibly be able to convince me . . . but it'll be a cold day in hell before you convince my mother-in-law.

    There are a lot more mothers-in-law who have heard scary news stories about identity theft than there are Slashdotters.
  • by rfc1394 ( 155777 ) <Paul@paul-robinson.us> on Monday July 12, 2004 @12:00AM (#9671640) Homepage Journal
    Ok, here's another idea on the documentation front: Many people obviously have a problem with the concept of sending notarized copies of their ID docs through the mail. It's true, this does present many problems.
    As a computer programmer for over 24 years and a Notary Public for over 24 months, I'd like to point out something else. In the Commonwealth of Virginia, notaries cannot authenticate copies of some government issued documents. I cannot authenticate a birth certificate, for example; the instructions from the Secretary of State make that particular example very clear. I also suspect I'm not allowed to certify copies of a drivers' license, I'm not sure on that point. (Since you can get certified copies of birth certificates from the registrar but you can't get them for DL that might be a different matter.)

    Also, Virginia doesn't require seals on notarized documents; all they require is signature of the notary and commission expiration date. And basically anyone can buy a notary seal for $20 from a mail order company if they wanted to impersonate a notary. (Or get a friend of theirs to pay the fee to get a commission; in most states getting a notary commission is no more complicated than filling out a form and paying $10 to $40.)

    The only way you can be certain the notary really is one is to verify their signature with either the county clerk where their commission indicates it was issued from (in county-based notary states, like California) or with the Secretary of State at the state capital (in state-based notary states, like Virginia). And that doesn't guarantee the notary was honest.

  • by Sir0x0 ( 732087 ) on Monday July 12, 2004 @12:32AM (#9671807)
    Imagine if this repository was hacked ?

    From the article:
    Even if hackers stole the entire database, they couldn't read it because all the data is encrypted using individual users' passwords.

    So hacking is not a massive threat, just have to be careful with your own password.
  • by KlaymenDK ( 713149 ) on Monday July 12, 2004 @02:05AM (#9672185) Journal
    ...presupposing that people *do* have driver's licenses, or "SS#" as you call them. Doesn't leave much room for non-drivers, young people, or the small bit of the world that does not use SS#'s (ie. outside of the US).

    I'm not saying this simply to bash you, just to say it needs more thought than that.
  • by ninjaz ( 1202 ) on Monday July 12, 2004 @02:52AM (#9672358)
    In the interest of a reality check, I saw your work on oreilly.com and perl.com, including that you were a conference speaker. That leads me to believe that you're not just trying to run a phishing scam on slashdot.

    That out of the way... What appears to be the lynchpin of your model is false:

    Your information is securely encrypted in the database using your password so that only you can read it.

    Even if hackers stole the entire database, they couldn't read it because all the data is encrypted using individual users' passwords.

    Three simple and likely ways for Bad Guys to get the data immediately come to mind:

    • A keystroke logger. Maybe it was installed by a trojan or worm. Maybe a kiddie put it there on a public terminal. Maybe it was that creepy guy who crashed your party last week.
    • Backdooring your perl code to capture the passwords used to encrypt the records
    • Reading the passwords from your server out of system memory. i.e.: strings /proc/kcore

    For this data to be safe, it has to be safe from the moment the user enters it on the keyboard until it is stored onto the disk of the database server.

    A true statement might read:

    Your information is encrypted in the database using your password, so only you can read it -- unless a keylogger has found its way onto your computer (e.g., by a worm or that creepy guy who showed up at your party last week), or our system is backdoored to harvest your password, or your information is pulled out of our server's system memory or swap.

    This plan looks like an attractive nuisance - giving people a false sense of security so they give information over the net. And it would be gathered all in one place to create the juiciest of juicy targets.

    Beyond the issue of the basic security of the users' data, your system will never be able to prove the user is really that user as long as worms are around installing keyloggers.

    Since we know it will never be airtight, why gather such a large amount of personal data to begin with? You seemed to think giving a credit card number for a free sample was adequate to discourage duplicate requests. Why not do something like paypal, and get a bank account or credit transaction? That way you could offer a database of checking account/credit-card authenticated users.

    I see in your whitepaper that you're worried about credit card fraud. Sure, that's a possible problem. But, afaik, the most you would be out is whatever the fees you charged to that credit card. And, a chargeback would work as a measure to weed out bad records. As it stands now, you're asking the users to shoulder all the risk by sending their identities to you.

    If they send their credit card number and it's compromised, they might have a few charges to dispute and a week or two to wait while their bank issues a new card. If they send you their identities, and something goes wrong, they're in for what I've seen calculated at over $1000 in direct monetary expense and over a year to clean up.

    With further regard to storing data, all you're doing by holding more data is creating more risk. When you do the bank transaction, the bank information should be completely separated from your authentication system that users touch. It shouldn't even be an option to retrieve it over the web.

    The more valuable your data, the more resources the Bad Guys will spend to crack it, and the less your effective security will be. And the more personal information you request, the more trust your users will have to place in you. At the current level that would likely lead to near-zero adoption.
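The disagreement between the two comments above (Sir0x0's "just be careful with your own password" and ninjaz's three ways the password leaks) comes down to where the password has to exist in cleartext before the record can be opened. The following added example, which is not code from the registry or from either commenter, models that data flow with a toy password-based record encryption built only from the Python standard library (PBKDF2 key derivation, a SHAKE-256 keystream and an HMAC tag; an illustration of the flow, not a production cipher). The stage names and the sample record are constructed for the example.

```python
import hashlib
import hmac
import os


def _derive_key(password: str, salt: bytes) -> bytes:
    # Password-derived key: this is the only thing that can open the record.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return hashlib.shake_256(key + nonce).digest(length)


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_record(password: str, plaintext: bytes) -> bytes:
    """Encrypt one user's record under their password: salt|nonce|tag|body."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = _derive_key(password, salt)
    body = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + body, "sha256").digest()
    return salt + nonce + tag + body


def decrypt_record(password: str, blob: bytes):
    """Return the plaintext, or None if the password is wrong or the blob was altered."""
    salt, nonce, tag, body = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = _derive_key(password, salt)
    expected = hmac.new(key, nonce + body, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(body, _keystream(key, nonce, len(body)))


def handle_profile_request(password: str, blob: bytes, exposure: list) -> bytes:
    """Server-side handler for 'show me my profile'.

    Decryption can only happen where the password is, so every stage the
    password crosses on its way here holds it in cleartext.  The stages
    mirror the three attacks listed in the comment above."""
    exposure.append("user's keyboard")                 # keystroke logger
    exposure.append("network in cleartext (no SSL)")   # sniffer on the wire
    exposure.append("server process memory")           # backdoored handler, /proc/kcore, swap
    return decrypt_record(password, blob)


def threat_model(password: str, record: bytes) -> dict:
    """Contrast the 'stolen database' case with a normal read of the same record."""
    blob = encrypt_record(password, record)
    exposure = []
    profile = handle_profile_request(password, blob, exposure)
    return {
        # An attacker holding only the database copy gets nothing (Sir0x0's point).
        "stolen_database_only": decrypt_record("not-the-password", blob),
        # The legitimate path works, but only by putting the password here.
        "legitimate_read": profile,
        # Everyone controlling one of these stages could also read it (ninjaz's point).
        "stages_holding_password": exposure,
    }


if __name__ == "__main__":
    result = threat_model("hunter2", b"Mary Marsupial, 1 Example St (constructed)")
    for name, value in result.items():
        print(f"{name}: {value!r}")
```

The encryption genuinely protects a copied database, so the white paper's sentence is true for exactly that one threat; the `exposure` list is the part the sentence omits, and it is why the comment's rewritten statement is the accurate one. Moving the password handling behind SSL shortens the list by one entry but never empties it, because the server still has to see the password to serve the request.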

  • by ProfFalcon ( 628305 ) <slashdot.org@cm[ ]ahy.com ['ulc' in gap]> on Monday July 12, 2004 @02:02PM (#9676926)
    He's not trying to create a security system. He's trying to minimize the number of times people sign up for a "free 30 day trial" of his services in a way that is useful for others.

    I would rather send in a subscription fee or discontinue use of a product if it is not worth the fee to me than dig through the neighbors' trash for utility bills. I would also rather subscribe than go through the trouble of buying a $50 fake SS card.

    He states right up front what the purpose of the proposal is. It is not intended to be the ultimate authentication product. It is to help the web content publisher minimize the number of freebie trials given out.
