Last week Elon Musk bought Twitter for $45b. His goal? Make the platform “free speech friendly.” But he faces a tough challenge: how to enable free speech without letting bots and bad actors run amok. Musk’s solution: “authenticate all real humans.”
But what does authenticating all real humans mean? During my nearly 20 years in identity technology I’ve worked hard to help educate businesses about what “authentication” means. So naturally when I heard Musk use the term authenticate I began to think of his true meaning, and how he might implement a strategy that makes Twitter open, usable, and bot-free. Or how he might take it one level further to match individual identities to each Twitter user.
Bots Vs. Humans
A very simple way to keep the bots off Twitter is to force users to perform a liveness check using facial recognition. Liveness checks are a feature of our Age Restricted Vending product, and are used in that instance to check that someone is not holding a photo up to a camera to scam the system. A liveness check can include actions such as:
- Turn head side to side
- Remove glasses
- Remove mask
Liveness checks can be performed via selfie. The user simply uses the backward facing camera, and places their head inside an oval that is overlaid on the screen. They are then prompted to perform between 1 and 3 liveness checks. The program can then virtually confirm that they are a live human.
Liveness checks can be performed and liveness can be validated in <5 seconds. This step could be done as a pass fail with no other identity verification or authentication checks. It would simply confirm that a real human is associated with the account. It would, however, exclude potential Twitter users who do not have access to a camera. Live humans would also, theoretically, be able to be verified on multiple accounts. So it would not necessarily solve the issue of call centers or troll farms where real humans are acting as bots.
Mobile ID Validation
Liveness checks are a great option to ensure that Twitter users are real humans. But they don’t actually tie a user to a real human. To do this, Musk would need to perform some type of ID checking. The information on the ID could then be checked against self-reported information. Mobile ID validation is commonly used by banks and financial institutions for loan origination, and for online gaming to verify age.
To perform ID verification remotely, the user would need to take front and back photos of their ID. Then two key things occur. One, the information on the front of the ID is read using optical character recognition, and matched to the information stored in the barcode. Then the barcode is scanned and reviewed for any issues, as many fakes contain issues inside the barcode itself.
PII could be flushed after front and back matching, and/or checking against the existing Twitter database is performed. Or some combination of information could be retained. It all depends on the policies created when the system is set up.
When combined with a selfie, mobile ID verification is a great way to match a digital identity to a real human, and perform some basic checks to ensure the ID is real. However, because phone cameras can’t perform UV/IR scanning, or look for holograms, they won’t be able to perform more stringent authentication.
ID verification is one of the three methods Twitter currently uses to confirm identities for the blue checkmark for verified accounts.
So as I mentioned, authentication needs more sophisticated, powerful hardware such as the E-Seek M500 (used by the TSA) or the CR5400. These ID scanners include powerful cameras with high image resolution and several different types of light, so they are great at catching fake IDs.
However, it isn’t practical for Twitter to physically authenticate everyone. A mobile solution is required. So to truly check for fakes and authenticate identity, a mobile authentication solution would be required. This is accomplished by checking identities against a third party database. It is a similar solution to what we provide for our cannabis delivery customers, who need to authenticate IDs in a mobile environment.
Twitter would simply scan the back of the ID, containing the barcode, and then run a check against a trusted third party database (we offer both US and global checks). This would match a real individual to the account, confirming that the individual exists, and could perform additional checks such as location, which could mitigate foreign call centers using IDs.
Mobile authentication is typically priced per scan, with volume discounts applying at the scale in which Twitter would be operating. They would likely want to implement a stepped approach, in which their most high risk or controversial accounts are forced to go through the mobile authentication process first, or accounts are forced to undergo mobile authentication after a ban or a warning.
In the end, it really comes down to the nuance of what Musk said. Does he want to match every Twitter account to a real human? Or does he just want to block obvious bots? If the former, will this information be public, like Facebook? Or will only Twitter know the true identities of users? And how will this work for companies? If removing bots is the true motive, then how will he eliminate call centers and farms that are behaving like bots?