That's not my name! Practical problems in real name policies.
Once in a while, big companies suggest that the answer to abuse is to ban anonymity and institute a Real Names policy. This time, it is Google's turn. They think that critical software should only be authored by people with "real names".
I don't want to go into whether this is a good idea or not. Nor philosophical discussions of what a "real name" is. I want to discuss how this would work practically.
Let's assume that a central website - like GitHub - decided to gather real names for contributors to critical software.
Let's also assume that every user has a passport, driving licence, or other suitable identification document.
How does a website:
- Determine the authenticity of the document?
- Match the user to the person represented on the document?
There are more questions - but those two will do to start with.
Document Authenticity
Let's take passports as an example. A website might be able to see the expiry date on a passport - but how can they spot whether a passport is a forgery?
The UK has a (pilot) service to allow businesses to check the validity of a passport. It's an API-based service which takes data from the presented passport and returns a simple yes/no to the passport's validity.
There are a couple of hundred different passports issued by a variety of countries and organisations. Does every passport have a simple way of checking validity?
The same is true of driving licences. The UK lets drivers share their licence information - but there are hundreds of different issuing organisations around the world. How do you integrate with all of them?
Even if we assume that there's a meta-service which connects to every single passport and licence database and can reliably give a website a reasonable assurance that the document is valid - that only solves half the problem.
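As an added example (not code from the original post), here is what a website can check locally from a passport's machine-readable zone, using the ICAO Doc 9303 TD3 layout and its 7-3-1 check digits, which the post itself does not mention. It is run on the specimen line from that standard: the specimen belongs to no real passport yet passes every check digit, so these checks show internal consistency and expiry, not authenticity. The function names are hypothetical, and reading two-digit expiry years as 20YY is an assumption.

```python
from datetime import date

# Line 2 of the specimen MRZ printed in ICAO Doc 9303 (fictional state "UTO").
SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"

def check_digit(field):
    """ICAO 9303 check digit: weights 7,3,1 repeating, '<' counts as 0."""
    total = 0
    for i, ch in enumerate(field):
        value = 0 if ch == "<" else ALPHABET.index(ch)  # ValueError on junk
        total += value * (7, 3, 1)[i % 3]
    return str(total % 10)

def inspect_line2(line, today):
    """Return per-field check-digit results and expiry status for a TD3 line 2."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    fields = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    result = {}
    for name, (data, digit) in fields.items():
        # An unused personal-number field may carry '<' instead of a digit.
        blank_ok = name == "personal_number" and digit == "<" and set(data) == {"<"}
        result[name] = blank_ok or check_digit(data) == digit
    # Assumption: two-digit expiry years are read as 20YY.
    yy, mm, dd = (int(line[i:i + 2]) for i in (21, 23, 25))
    result["expired"] = date(2000 + yy, mm, dd) < today
    return result

if __name__ == "__main__":
    print(inspect_line2(SPECIMEN_LINE2, date(2021, 2, 1)))
    # Constructed input: one mistyped character in the document number.
    typo = SPECIMEN_LINE2[:8] + "4" + SPECIMEN_LINE2[9:]
    print(inspect_line2(typo, date(2021, 2, 1)))
```

A mistyped or badly scanned character is caught by the check digits; whether the issuing authority ever produced the document still needs a lookup against the issuer, such as the validity service described above.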
Person Authenticity
How does a website know whether the person applying for an account is the same as the person on the document?
They can't accept a photo of the document. I've handed my ID over in a hundred dodgy bars and clubs around the world - I'm pretty sure plenty of people have a high-res scan of it.
Kids "borrow" their parents' credit cards all the time for illicit Fortnite purchases. How can a website tell if the document has been briefly stolen from its owner?
Here are some things I've seen various services do:
- Ask for a photo of the user holding the document and a copy of today's paper.
- Take a selfie and compare it to the photo on the document.
- Get the user to record a short video of themselves reading the details off the document.
Those are all fairly intensive and rely on a service being able to accurately match a photo of a user to a photo on a document.
Even if we assume that we can correctly authenticate the majority of identity documents and match them to the user, that still doesn't solve the problem of verification.
Account Authenticity
What stops users from selling their accounts? Would a nefarious actor offer people a couple of quid to sign in to a website they've never heard of? High profile accounts get sold or stolen all the time.
Google suggests that Multi-Factor Authentication would also provide an enhanced level of trust. But that doesn't prevent someone acting maliciously, whether out of choice or if they're being coerced.
Users move country, ID documents get revoked, data leaks, and mistakes get made.
Sure, a policy like this would probably place a higher barrier to entry to a service - but that would only prevent casual misbehaviour. It would do nothing to stop determined actors. It also comes with some insurmountable implementation difficulties.
Even if you think that a real name policy would solve some of the problems Google identifies - and that everyone has ID which shows their name - how would it work in practice?
Bonus track:
Dave Cridland says:
I will sign this comment with my name.
It is the name I work under. It’s the name I introduced myself to you under. It’s the name the vast majority of my publications (standards documents, and so on) are written under. The copyright notices on my code refer to me by this name. It’s on my Github account, my Gitlab account, my Twitter, and the vCard you can get over XMPP.
It’s not, however, the name on my passport.
The United Kingdom has a very flexible approach to names. It’s possible to have many of them, and by and large the state deals with this quite nicely. Software developers have enough of a hard time dealing with “Given Name” and “Family Name”, which aren’t really constant features of naming worldwide, and we mostly assume that people have one name per system – but the UK’s more esoteric forms do have slots for multiple concurrent names as well as previous ones. (I wonder, off-hand, whether I should include “dwd” on “Other Names I May Be Known By” bit on such forms. Maybe?)
I don’t even particularly dislike my “formal” name, and I use it quite frequently. But not professionally – professionally, I’m Dave, and quite happy with that thanks.
scribe ✒️ said on mastodon.sdf.org:
@Edent I would love to see tech thoughts on supply chain security turn into a more general urgency for consumer supply chain transparency though. There are similar issues around anything we buy, and knowing whether it's come from unethical or illegal sources.
JH says:
To implement and secure such a structure which would dwarf the application itself. It would take a scheme similar to the Chinese Bamboo curtain and even that despite its size, has holes. Even the tracing of I.P. addresses does not always get you to the same person/household and what system is to be put in place to stop spurious websites collecting great draft of user data for illicit use. The internet has only ever been semi secure itself so implementing any identification system over it is fraught with problems.
Ada Rose Cannon said on twitter.com:
Also the assumption that someone's name will be a constant. Many people's name changes once or more in their life through a variety of cultural institutions such as marriage. Suddenly someone's real name stops matching what the system considers their real name.
ཀ།༨ཇ ་།་འ།སབཇའ said on twitter.com:
If only the people who bullied me at school had used their real names all that could have been stopped.
Pointed example, but if you can’t solve something face to face you can’t online either. They want to be able to trust without the safeguards they’d use on, say, employees
Phoenix Wright says:
Here's a fun one. As Dave outlined above, the UK is very flexible with naming. I'll add that the UK is also extremely flexible on titles. Anyone can use any social title (Mr/Ms/Mx et al) if they want to without putting it on a legal document. However, you can make a legal document (referred to as a 'change of name deed' or a 'deed poll') to legally change your name. You can then use this in combination with ID containing your former name, such as a passport, to identify yourself under your new name.
(It is however common practice to put your changed title on a deed poll document if you are changing your gender and also your title. This doesn't have legal significance but it does help communicate your intent when you need to change both name and title with a given service).
I am a trans man, so I've done both of these things. However, making a deed poll (which unlike many legal documents doesn't require a professional witness or to be registered at an office - you just need you and two friends who don't live with you) and having it accepted are two different problems.
Most places I've had to show my deed poll to have accepted it, but a good portion of them don't. There's been the medical receptionist who asked if I had "been through the whole process" referring to my gender and wouldn't change how I was registered. I came back with my (name already changed) driver's license and pointed out that the DVLA had accepted my deed poll and they begrudgingly put it through. Then I went to the bank and asked to change my name, where the person assigned to help me looked up "deed poll" on Google Images, pointed at a wax seal, and told me that because my deed poll didn't have that particular styling that it wasn't a legal document. I was able to change my name with the bank another day after calling a complaints line, but it was an infuriating experience.
There have also been less totally frustrating situations with people who were kind and fact-checked their assumptions when asked to, like someone who did right-to-work for me and asked whether I had gotten a letter back when I'd done my deed poll and if I could show them it. It goes to show that not nearly enough offices have HR or reception staff that know what to do when presented with a photo ID document containing a former name and a deed poll - because it's the wording and contents of the document that make it valid and not the format, quick visual checks like how you might check a different form of ID don't work well.
P.S. It gets even messier when you throw in dual nationality. At the time of writing, I'm legally male across the pond and legally female in the UK. Fun?
Mark O'Neill said on twitter.com:
It’s quite possibly the worst proposal I have ever read. A truly terrible paper in so many ways.
Hacker News said on twitter.com:
Practical problems in real name policies: shkspr.mobi/blog/2021/02/w… Comments: news.ycombinator.com/item?id=260355…
Yellow Flag said on infosec.exchange:
@Edent Open Source already has a diversity problem. Requiring real names will effectively prohibit lots of disadvantaged groups from contributing – the kind of people who are already facing harassment. With real names this harassment will escalate into calls to one’s employer, threats of physical violence and maybe not only threats.
At the same time, it won’t really prevent any abuse as you explain. I mean, a state-level actor can even coerce a real open source contributor into cooperating. With the scene being so international, they usually won’t have trouble finding one that’s within their reach.
ben said on hachyderm.io:
@Edent Real name policy always feels beyond impractical as you rightly say. But in this case an added complexity: what even is ‘critical infrastructure’? It seems like you can become critical infrastructure through someone else deciding to depend on your software, and then you have to comply with their real name policy against your will?
And which contributors would have to comply? Current, or all former? Only the latter would be sufficient, but would also be unworkable.