Google Plus Realnames are Solving the Wrong Problem. We Need Signatures.

I sympathize with Google’s efforts to prevent impersonation on Plus. But I didn’t think the real names policy was the right approach, and I don’t think the verification badge approach addresses the right problem either. Taking a concrete example, my real name is David Karger, and I can certainly get that verified. But there’s another David Karger out there (my doppelganger, film critic for Entertainment Weekly). If I get my name verified and then start posting “my draft movie reviews for Entertainment Weekly”, how exactly is name verification going to help people not be deceived?

The problem is that a name is a (poor) proxy for identity. If Google wants to prevent me from impersonating that other David Karger, they need to demand something that only that David Karger can offer. And there’s an obvious approach that has been used in the past by Google. In order to prove that I manage a given web site, Google makes me modify a page on the site. This has general use. To prove that I’m the David who posted that EW article, I just need to put a signature on that article, and give Google the public key needed to verify that signature.

This only offers “relative” identity, showing that two entities (the Plus user and web page owner) are the same. But that’s all you can ever do—the current “verification” scheme just aims to prove that a given Plus user is the same as the holder of a particular name (and that comes with the problems mentioned above). Its main limitation is that it only allows you to associate two digital identities; associating to a real-world identity requires connection mechanisms outside the Internet (for example, I authenticate that I own a given phone number by receiving a call on that number that conveys a secret key I type back into the computer).

Perhaps Google could use their weight to give a nice push to a general public key infrastructure. Imagine if every Plus user automatically got a public/private key pair they could use to sign other digital artifacts, and Google provided web-based software to verify those signatures? Besides providing (positive) identity verification on my Google Plus account, this would also start to offer (negative) impersonation protection, as signing my artifacts would provide proof that I made them.
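
As an added illustration (not part of the original post), this sketch uses Node.js's built-in `crypto` module to show the proof described above: the author signs a claim naming their profile and the article, publishes it on the page, and a verifier checks it against the public key registered on the profile. The profile IDs, URL, article text and function names are constructed for the example, and putting the profile ID inside the signed claim is an assumption of this sketch, made so that a public key copied onto another account does not verify.

```javascript
const crypto = require('node:crypto');

// Canonical bytes of the signed claim. Naming the profile and the URL inside
// the message keeps a proof from being reused for another account or page.
function claimBytes(profileId, url, text) {
  const sha256 = crypto.createHash('sha256').update(text).digest('hex');
  return Buffer.from(JSON.stringify({ profile: profileId, url, sha256 }));
}

// Author side: sign with the profile's private key, then publish the result
// on the article page (which only the page's owner can modify).
function makeProof(privateKey, profileId, url, text) {
  const sig = crypto.sign(null, claimBytes(profileId, url, text), privateKey);
  return sig.toString('base64');
}

// Verifier side: rebuild the claim from the page as fetched and check it
// against the public key registered on the profile.
function verifyProof(profile, page) {
  if (!page.proof) return false;
  const sig = Buffer.from(page.proof, 'base64');
  const claim = claimBytes(profile.id, page.url, page.text);
  return crypto.verify(null, claim, profile.publicKey, sig);
}

// Constructed sample data: two users who share a display name.
const critic = crypto.generateKeyPairSync('ed25519');
const namesake = crypto.generateKeyPairSync('ed25519');
const ARTICLE_URL = 'https://magazine.example/reviews/1';
const ARTICLE_TEXT = 'Constructed review text.';
const criticProfile = { id: 'plus:critic', publicKey: critic.publicKey };
const page = {
  url: ARTICLE_URL,
  text: ARTICLE_TEXT,
  proof: makeProof(critic.privateKey, criticProfile.id, ARTICLE_URL, ARTICLE_TEXT),
};

function demo() {
  return {
    genuine: verifyProof(criticProfile, page),
    // Same name, own key: the page carries no proof made with that key.
    namesake: verifyProof({ id: 'plus:namesake', publicKey: namesake.publicKey }, page),
    // Registering the critic's public key fails: the claim names another profile.
    copiedKey: verifyProof({ id: 'plus:namesake', publicKey: critic.publicKey }, page),
    // Text changed after signing: the digest in the claim no longer matches.
    edited: verifyProof(criticProfile, { ...page, text: ARTICLE_TEXT + ' (edited)' }),
  };
}
console.log(demo());
```

As the post says, a passing check only links two digital identities: it shows that whoever controls the profile's key also controls the page, not who that person is offline.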

5 Responses to “Google Plus Realnames are Solving the Wrong Problem. We Need Signatures.”

  • Sling Trebuchet says:

    Signatures would be good provided that pseudonyms can have them.
    If not, all the very sensible and sane #nymwars objections to the Google Plus ‘real names’ insanity still remain.

  • David Karger says:

    Agreed. My point is that a signature system would eliminate most of the justifications for requiring real names, allowing pseudonyms to be used without concern.

  • Justin Huang says:

    Google has a way of declaring authorship of content on the web by adding a code snippet to your content. So at least, someone looking at EW search results in Google would see “by David Karger,” with a link back to the other David Karger’s Google+ profile. Is that what you were talking about proving that you manage a web page?

    It doesn’t solve the problem of impersonation of content on Google+, though, as you mentioned.

  • Bruce van der Kooij says:

    You’re absolutely spot on. Especially with your last paragraph.

    It’s all about making the signing/verification process easy (user friendly, nicely designed, well integrated). The core technology to do this has already been out there for decades.

    Besides signing I do think we need some sort of system that allows people to manage their relations more easily. Think reputation systems like in use on StackOverflow. The systems commonly in use today (that includes Circles) are no better than the traditional address book.


    Perhaps also relevant: WebID, even though I don’t really understand it.

  • Bruce van der Kooij says:

    Actually, now that I think about it, I think Google is trying to:

    1) Make sure that there are only unique identities on Google Plus (e.g. no duplicates/sockpuppets)

    2) Eliminate anonymity by linking your Google Plus account to your “real” identity (e.g. the one mandated by your nation-state).

    Ignoring for the moment that their verification process apparently sucks from what I remember (I recall somebody creating a completely fake driver’s license and having it accepted).