An Online ID Registry 278
Neil Gunton writes "Over the years I have had a few ideas for websites which would allow for free registration and trial, but I always ran up against a brick wall with regard to how to stop people from re-registering as someone else once the trial was up, or registering multiple times for abusive purposes. The question of how to verify online identity has been bugging me for a while now, so eventually I just sat down and wrote a prototype for an Online ID Registry. There's a white paper explaining what it's all about. I am curious to know what the slashdot crowd thinks of all this, whether I am on the right track, and what to do next. Should it be for-profit or non-profit? Is the whole thing pointless and stupid, or a cool idea? I don't really know where to take it next, because I don't really want to be sitting at home verifying people's documentation for free, and I am nervous about the security and legal aspects if I do it for money. I have no clue how to set up a non-profit organization, and my business knowledge is almost non-existent. I am sort of stuck with a working website but nowhere to go with it... that is, if it's even worth going anywhere. Perhaps it was just an interesting exercise... thoughts and ideas welcomed. (Note: The server may get a little slow, since while I have a caching reverse proxy front end, people will inevitably be trying out the registration, which involves key generation and other cpu intensive activities, so I don't really know how well the mod_perl backend will stand up...)"
My random thoughts.... (Score:4, Interesting)
Well, first and foremost: Get a fire extinguisher handy for the slashdotting you're about to receive. Hmmmm ... I have a
compute-intensive application I'm playing with ... I think I'll talk
about it on slashdot. What's that crashing sound I hear?
As to the premise: I actually think it is a moderately valuable idea, but you are going to find yourself heading into a strong wind of distrust. "Who is this guy that I want to give him information that has extemely high identity-theft value?" - Your first major obstacle is not technological at all, it is going to be image: How do you present your bona-fides. Can you afford a seven figure surety bond?
Finally, the ultimate question, when you decide how to make the business model work: Who wants the product? If you can get pr0n sites to accept your say-so as an adult-verification entity, then you will have people beating down your door to sign up with your service.
What I'd have to know to use it: (Score:5, Interesting)
Second, can site A find out that I also use site B?
Third, is there any more information stored than my credentials? (for example credit card #s, SSN etc.) Not only that, but will sites use this as a key for tracking additional information? (perhaps you should consider returning an "identified" or "not identified" response, with no additional information.) (Sites that keep my CC# without giving me a way to delete them piss me off. This means you, Amazon, you and your collection of every expired CC I've ever used there.)
I think thats a pretty good start. That pretty much covers my privacy concerns as well as exploit/misuse concerns.
Re:It's been done (Score:5, Interesting)
Re:Appeal to authority (Score:4, Interesting)
Think about it.. that leads to claim of identity theif immedatily.
Better question why offer 30 day demo software, or crippleware in the first place?
Why not offer lower cost software, so it can be tossed if the customer does not like it.
Or required the software to phone home every few days while in demo period. This why you can use embedded id of software / IP of coonection to determine if linesse is valid... but that will label you with SPYWARE instead.
I hate ti drive the nails in the coffin, but... (Score:2, Interesting)
Trust, and the 'trustworthy computing' (Score:4, Interesting)
First of all, if you're really worried about people abusing a trial service, maybe you could track things via IP, or, even subnet masks. If your application is specific enough (or just geared to one industry in general), try doing the "Thanks for requesting information, we're going to *MAIL* you your login information the next business day."
Second...how do I as J6P know that you're going to handle my data correctly? No matter how many times you tell me on your website that you're handling my data in a secure fashion, I can't actually see it. Am I suppossed to just trust that you'll keep my information away from everyone? Including yourself, your marketing droids, and maybe the FBI should they come knocking on your door?
If you or company are worried about people abusing a trial service...well, get over it. It's bound to happen, no matter how you try to stop it. Just use common sense (don't allow signups from Open Proxies, maybe ask for a credit card number if you're looking for a paid service in the future), and realize that you're going to have online 'shrink.' Every company has shrinkage...why should an online company be any different?
I can only see where this is going in the "trustworthy computing" area. In order to get a computer, you're going to have to show your computer maker an ID, they'll seal your computer so you can't install devices (they'll send a technician out to do it), and tell you what you can and can't do with your data, your time, and ultimately, your hardware.
Ian
Re:Beware of Big Brother... (Score:3, Interesting)
Nobody is forcing you to look at the information.
But if you need the information, you have to play by the rules of the provider.
Re:I don't like it (Score:2, Interesting)
In Finland banks do this (Score:2, Interesting)
You receive the users's social security number and other important information, and the protocol can be customized for companies to give custom information too.
So I think this system (topic) is quite useless. It really needs some authority to trust.
Do you have this kind of stuff?
I suggest a simpler way... (Score:3, Interesting)
Have a central registry with only an ID and a phone number. To activate your ID, the system calls you and tells you a number which you subsequently type in a web form. The "ID" is then considered "validated".
Your initial web app can now call the DB and ask if the ID is validated. If it is, everything's fine.
Advantages: Less privacy intruision (people only have to trust that the central registry won't tell the phone numbers anybody). Simple to set up for both the central registry and any service. Quite efficient (most people don't have access to more than a few phone numbers).
Case solved.
If you implement it, don't forget us poor buggers from Europe who would like to use the app too!
Using the exploit against the exploiters (Score:3, Interesting)
If you keep track of IP addresses and do a little research at netcraft - you can really expose someone for being a fraud.
On my website, I have followed such a person [adzoox.com], and exposed that he was registering as different aliases and agreeing with his own posts pretending to be other people. In some cases, just so he would look like he wasn't the same person he would criticise his previous comments.
Re:Just to be clear... (Score:2, Interesting)
Let's reply to this...
a) Prove this. You probably can't, you'll have to develop a track record of behavior ... good luck on a) and b)
b) Is it encrypted on my computer before getting to your database? Or am I supposed to assume that you'll be honest and you'll 1) actually encrypt the data and 2) won't keep the password?
c) OK, so you're asking the slashdot crowd to help you play and test
(Everytime you attempt to quickly placate the fears of your potential audience, you risk weakening the system. I'd recommend staying away from debate until you've received some valuable comments and really thought out a response.)
Personally, I feel the system is too complex and resolves a problem that I, as a 'Net citizen, don't have. I've had visions of grandeur in the past for notarizing PGP keys using real notaries and replacing paper signatures with digital ones. I think it'd be great to walk into the bank, hand over a digital file (on a USB key?) for opening an account, taking out a loan ... I hate the paperwork. Although the technologists would love this, the average citizen doesn't get it and can't imagine using it. OK, you're audience is the technologist: well, frankly I (a technologist) am not interested in going through any of this trouble because no site has asked for such tight verification of my identity. And when porn sites tell me to use the adult verification service for a one-time fee of $5 or $20, I start surfing someplace else. Competition will probably drive out any site requiring your authentication services.
Use multiple sources of trusted authorities (Score:5, Interesting)
Points can be earned by:
Depositing 2 random amounts of money into the person's checking account (like PayPal)
Verifying their address with the address on their credit card
Matching their phone number to their address through a phonebook (anywho.com/rl.html)
Have an automated call placed to the phone number listed and ask the person to input his/her date of birth as digits
Have X other registered users verify that the person signing up is real
Have the person fax in a notarized document of identity
Send a letter/postcard in the mail with a code for the person to use to verify his/her address
Have the person call a toll-free number and input their birth date and using caller id to verify the source of the phone call
There are probably more ways, but like others said, if you're serious about this, you may want to look into starting a non-profit or LLC.
Nice Idea But... (Score:2, Interesting)
Certificates? (Score:5, Interesting)
As everyone has this trusted party's public key (ie Verisign), they can verify the information.
All the same benifits, without the need of some central database. If you dont trust verisign, or don't like their business practices, then just become a CA yourself and work in exactly the same way. It is much more flexible than a central online database.
Step One: Use a Secure Server... (Score:2, Interesting)
Re:Certificates? (Score:3, Interesting)
Of course, the problem here is the only 'unique' thing in the certificate is the name, which their can be many duplicates.
The solution of course is still to be a CA, but issue certificates with a property which gaurantee uniqueness to an individual - ie do it in exactly the same way as you suggest, but issue certificates as well as database lookups.
Re:Who said anything about "Truly verify identity" (Score:1, Interesting)
They are issued by the banks, just like the normal ID cards.
Of course, if you have your passphrases stolen for the certificate keys it is bad... But then again someone can easilly steal your credit card numbers whenever you use it.
My advice (Score:3, Interesting)
The second is to write a business proposal to online companies to sell them on your idea and why it is better than MS Passport, KeyType, MyUID, and others.
So what is to prevent someone from creating a fake Yahoo or Hotmail mail account, and then using it to create a mail account somewhere else that requires email verification. Then use the other email which passes the free web email checks that other sites use? Once they got an account in your database, they can enter fictatious info, and repeat this many ways. If you filter by IP or subnet, what prevents them from using a web proxy?
People won't want to enter their SSN, and what about someone not from the USA, what do they enter? What about people who can generate fake SSNs, or fake passport numbers, or fake driver's licenses? How do you check for all that?
If you require them to enter a valid credit card number, what about those who do not have a credit card? Can they enter a checking account number? What if someone does not trust you with this information or they use fake or stolen accounts? Someone with a program that uses the same formula to check credit card numbers can reverse it to create a fake number that passes your check. What then?
The best way to deal with this problem is to change the software on the end of the service that is providing the content. Maybe trial users can only read so many pages, or get a ton of more advertising and pop-ups than if they had subscribed? Or maybe requiring the trial member to wait 3 minutes before a page loads, and show them a page of benefits should they pay to register? The trial registration, maybe, has a large survey that they must complete, so that creating a new account is going to be more trouble than it is worth. Also limited trial memberships will be issued to subnets per month. If a subnet has over a certain number, they must wait until the next month to register a trial. There needs to be a way to limit trial memberships to prevent abuse.
Re:Interesting choice of words... (Score:2, Interesting)
Re:Just to be clear... (Score:3, Interesting)
Also, I assume it's possible to check up on a NP via some kind of registration of the fact that they are a NP. But if it's as easy as you say to become a NP in some parts, then are you (or anybody else) aware of other people who can act in a trusted proxy capacity? How about other "respected" members of the community? This is a problem, it seems, but I'm open to ideas...
-Neil
Re:It's been done (Score:3, Interesting)
for example I can open a passport with a fake address like "root@slashdot.org" assigining a password. Of course an email will be send to this address, but just a few seconds after registering, you can connect to MSNM for example with your email and password, and it will works.
Passport does NOT wait for the confirmation link being clicked in the email, and as long as nobody deny it, you can login.