A Web of Trust for Twitter

This week I gave a presentation to London’s Twitter Developer Nest (DevNest), and soft-launched a new app that is currently in a prototype stage.

Spoiler alert: The project I demoed is a Web of Trust for community-verified Twitter accounts. The site is called cert.me.uk – it’s invite-only at this very early stage.

You can see my less-than-beautiful slide deck here. As it has no bullet points, there are notes for each slide below.

Who are you?

Back in Web 1.0 I used to sign up to ‘community sites’ under a pseudonym and would generally use a silly avatar that in no way represented my ‘real world’ identity. This wasn’t some attempt at being enigmatic, it was just what people did all those many years ago.

Some people still choose to do this on occasion, but for the most part the social web has done a very good job of persuading us to represent our true identities online. In the case of Twitter, this identity is public. Many of us see benefit in asserting our identity through our Twitter account – the most obvious reason being professional reputation.

Are you who you say you are?

This is trickier.

If you don’t see the problem, consider the little-known case of Australian politician Bronwyn Bishop. A Twitter account was fraudulently set up in her name, and accrued a reasonable following before slipping in some outrageous remarks that no doubt endangered her reputation.

Twitter have guidelines on impersonation, but enforcing them is another matter, and as with the case of Bronwyn Bishop, it’s not always as blatant and easily detectable as the infamous BPGlobalPR profile.

Impersonating another person online was criminalised early this year in California, and has been illegal in Texas for a while longer. This is a new problem, so it’s resulting in new crimes, and no doubt new criminals.

Verified Twitter accounts.

Twitter deal with this problem by providing a Verified badge indicating that a Twitter account is held by THE Justin Bieber, not just A Justin Bieber, and more importantly that it’s not a spoof, or unofficial account representing said pop star.

But ..

Twitter’s original Verified accounts beta programme is now officially “closed to the public”. Translation: you’re not going to get one. There is actually no publicly accessible method of requesting one. Bronwyn Bishop didn’t stand a chance of getting verified by Twitter.

I was amused to see how swiftly Charlie Sheen got a Verified badge when he joined Twitter this week. Proof, if proof be needed, that he meant business.. literally. In Twitter’s own words, this makes Charlie Sheen either an advertiser, or a ‘partner’ .. whatever that is.

So, what was wrong with the verified accounts programme?

It didn’t scale

Although Twitter’s processing of verified account applications is rather opaque to me, it seems fairly obvious that it is/was a human-powered system. Flying in Oprah Winfrey for a coffee and a urine sample (or whatever they do) is not going to scale up to the countless people and businesses that can benefit from a verified account.

In fact, the exact words from Matt Harris when I asked him about this over a DevNest Skype session were “it didn’t scale” … clearly.

It’s corporate owned

Whether you consider this to be a problem is somewhat a matter of personal opinion.

The ‘corporate way’ to verify user accounts tends to be to verify and store your credit card or mobile phone number. This is how Facebook do it. It’s voluntary of course, but the Facebook kind of voluntary; like breathing is voluntary.

Recently Google introduced mandatory verification of Gmail accounts by mobile phone number. Who knows what system Twitter will implement for verified accounts in future? But if they want my phone number, I’m going to grumble about it.

Regardless of how safe your data may be from commercial third parties, look at what happens when government authorities want it. (disclaimer: not that I’m planning on committing any crimes).

Decide for yourself where this is going, but if there’s a better way to do profile verification that respects your privacy and doesn’t involve storing cleartext personal data on servers in California, then I’d say it’s worth exploring.

Centralised authority

The way in which you place trust in a verified Twitter account is somewhat like the way you place trust in a web site when you’re online shopping. It’s an almost implicit trust in a single party.

Behind the scenes there’s a lot more to this trust model. Your browser vendor ships the root certificates of a company like Verisign (now Symantec); Verisign has gone to sufficient lengths that it trusts the owner of the website, and your browser takes Verisign’s word for it. As to who verifies Verisign? I have only the vaguest of ideas, and that’s way more than the average consumer.

Web of Trust

There have been some admirable attempts at undermining the seemingly self-regulated certificate authority industry. The most notable is perhaps cacert.org. CAcert implements a Gossamer Spider Web of Trust. As opposed to a linear hierarchy of trust (with a certificate authority at its root), the Web of Trust is less centralised in that it has many independent members at its virtual ‘centre’. These members have all been assured of one another’s identity sufficiently that they are trusted, not by a single entity but by each other. Once a member has been assured sufficiently by others, that member may in turn assure the identities of others.

It’s worth noting that Thawte used to operate a Web of Trust programme for personal email certificates, but they shut it down in 2009 citing some ambiguous references to ‘standards’ and ‘quality’ that I’d imagine the industry has imposed upon itself to ensure their £1,000+ price tags.

Trust is Relative

Although this Web of Trust may be preferable to a hierarchical, corporate model, it still suffers from one problem: when it comes to people, it doesn’t reflect the way trust works in real life. You may have been certified by hundreds of trusted members, but if I don’t know those members then their endorsement of you is worth nothing to me. In fact it’s little better than being certified by a faceless corporation.

The Web of Trust is actually a concept that stems from PGP (Pretty Good Privacy), ironically now owned by Symantec. The Web of Trust used with PGP (and GPG) provides a relative trust model: you, the observer of a user unknown to you, place trust according to how much the members that you yourself trust have vouched for them. PGP keeps two questions separate: whether a key is valid (it really belongs to the named person) and how far you trust that person to vouch for others. Only signatures from people you have chosen to trust count towards validity; a signature from someone you have no opinion about counts for nothing. For example: if I completely trust Jack and Jack completely trusts Jill, I can place a certain amount of trust in Jill despite not knowing her myself.

In this way it is much like a social network. It seems like the perfect way to replace verified Twitter accounts would be a distributed trust model that used the network itself as the Web of Trust.
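To make the relative trust model of the two paragraphs above concrete, here is a small PGP-style validity calculation. This is an added example written for this page; it is not code from cert.me.uk and makes no claim about how that prototype works. The names, the trust levels and the signature graph are constructed, and the thresholds (one fully trusted voucher, or three marginally trusted ones, within a bounded chain length) follow GnuPG’s default rules. The observer’s own key is valid by definition; every other key earns validity only through signatures from vouchers the observer has explicitly chosen to trust.

```python
# Added example: PGP-style "relative trust" (key validity from the observer's
# point of view). Not cert.me.uk code. Names, graph and trust levels are made up.
from collections import defaultdict

FULL, MARGINAL, UNKNOWN = "full", "marginal", "unknown"


def compute_validity(signatures, ownertrust, observer,
                     full_needed=1, marginal_needed=3, max_depth=5):
    """Return {key: depth} for every key the observer should treat as valid.

    signatures : dict  signer -> set of keys that signer has certified
    ownertrust : dict  key -> FULL or MARGINAL: how far the observer trusts that
                       key's *owner* to vouch for others (absent = UNKNOWN)
    observer   : the observer's own key; valid at depth 0 and a full voucher

    A key becomes valid once it carries signatures from already-valid,
    trusted vouchers worth `full_needed` full or `marginal_needed` marginal
    votes, and it sits at most `max_depth` hops from the observer.
    Signatures from keys with no ownertrust contribute nothing, however many
    there are: that is the "trust is relative" property of the PGP model.
    """
    signers_of = defaultdict(set)          # invert: signed key -> its signers
    for signer, signed in signatures.items():
        for key in signed:
            signers_of[key].add(signer)

    valid = {observer: 0}
    changed = True
    while changed:                         # iterate to a fixed point
        changed = False
        for key, signers in signers_of.items():
            if key in valid:
                continue
            full = marginal = 0
            depth = None
            for s in signers:
                if s == key or s not in valid:      # self-signatures and
                    continue                        # unvalidated keys don't count
                level = FULL if s == observer else ownertrust.get(s, UNKNOWN)
                if level == FULL:
                    full += 1
                elif level == MARGINAL:
                    marginal += 1
                else:
                    continue                        # valid but untrusted: ignored
                d = valid[s] + 1
                depth = d if depth is None else min(depth, d)
            if depth is None or depth > max_depth:
                continue
            if full >= full_needed or marginal >= marginal_needed:
                valid[key] = depth
                changed = True
    return valid


# Constructed sample graph. "me" is the observer. I have met jack and trust his
# judgement fully; alice, bob and carol are colleagues I trust only marginally.
# stranger1..3 are people I have never heard of, however well regarded elsewhere.
SIGNATURES = {
    "me":        {"jack", "alice", "bob", "carol"},   # keys I certified myself
    "jack":      {"jill"},                            # jack vouches for jill
    "jill":      {"mallory"},                         # jill vouches for mallory
    "alice":     {"dave", "erin"},
    "bob":       {"dave", "erin"},
    "carol":     {"dave"},
    "stranger1": {"erin"},
    "stranger2": {"erin"},
    "stranger3": {"erin"},
}
OWNERTRUST = {"jack": FULL, "alice": MARGINAL, "bob": MARGINAL, "carol": MARGINAL}


if __name__ == "__main__":
    valid = compute_validity(SIGNATURES, OWNERTRUST, "me")
    for name in sorted(set(SIGNATURES) | {k for v in SIGNATURES.values() for k in v}):
        status = f"valid (depth {valid[name]})" if name in valid else "NOT valid"
        print(f"{name:10s} {status}")
```

Running it shows the three points the text makes. Jill is valid because Jack, whom I trust fully, signed her, even though I have never met her. Mallory is not: Jill’s key is valid, but I have given Jill no trust as a voucher, so her signature carries no weight. Dave is valid because three marginally trusted colleagues independently signed him, whereas Erin has only two of those plus three signatures from strangers, and the strangers’ endorsements, like the hundreds of unknown CAcert assurers in the paragraph above, are worth nothing to me.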

An Experiment

This was a very long way around of explaining why I made cert.me.uk.

It’s a rough prototype. There’s a lot of work to do, and a lot of problems to solve. I will no doubt blog about these things in weeks to come.