Once in a while, big companies suggest that the answer to abuse is to ban anonymity and institute a Real Names policy. This time, it is Google's turn. They think that critical software should only be authored by people with "real names".
I don't want to go into whether this is a good idea or not. Nor philosophical discussions of what a "real name" is. I want to discuss how this would work practically.
Let's assume that a central website - like GitHub - decided to gather real names for contributors to critical software.
Let's also assume that every user has a passport, driving licence, or other suitable identification document.
How does a website:
- Determine the authenticity of the document?
- Match the user to the person represented on the document?
There are more questions - but those two will do to start with.
Let's take passports as an example. A website might be able to see the expiry date on a passport - but how can they spot whether a passport is a forgery?
The UK has a (pilot) service to allow businesses to check the validity of a passport. It's an API-based service which takes data from the presented passport and returns a simple yes/no to the passport's validity.
There are a couple of hundred different passports issued by a variety of countries and organisations. Does every passport have a simple way of checking validity?
The same is true of driving licences. The UK lets drivers share their licence information - but there are hundreds of different issuing organisations around the world. How do you integrate with all of them?
Even if we assume that there's a meta-service which connects to every single passport and licence database and can reliably give a website a reasonable assurance that the document is valid - that only solves half the problem.
How does a website know whether the person applying for an account is the same as the person on the document?
They can't accept a photo of the document. I've handed my ID over in a hundred dodgy bars and clubs around the world - I'm pretty sure plenty of people have a high-res scan of it.
Kids "borrow" their parents credit cards all the time for illicit Fortnite purchases. How can a website tell if the document has been briefly stolen from its owner?
Here are some things I've seen various services do:
- Ask for a photo of the user holding the document and a copy of today's paper.
- Take a selfie and compare it to the photo on the document.
- Get the user to record a short video of themselves reading the details off the document.
Those are all fairly intensive and rely on a service being able to accurately match a photo of a user to a photo on a document.
Even if we assume that we can correctly authenticate the majority of identity documents and match them to the user, that still doesn't solve the problem of verification.
What stops users from selling their accounts? Would a nefarious actor offer people a couple of quid to sign in to a website they've never heard of? High profile accounts get sold or stolen all the time.
Google suggests that Multi-Factor Authentication would also provide an enhanced level of trust. But that doesn't prevent someone acting maliciously, whether out of choice or if they're being coerced.
Users move county, ID documents get revoked, data leaks, and mistakes get made.
Sure, a policy like this would probably place a higher barrier to entry to a service - but that would only prevent casual misbehaviour. It would do nothing to stop determined actors. It also comes with some insurmountable implementation difficulties.
Even if you think that a real name policy would solve some of the problems Google identifies - and that everyone has ID which shows their name - how would it work in practice?