What exactly does “verified” mean? Well, whatever you want or need it to mean….

Unlike the telephone network as it was originally built, the internet was fundamentally built to be anonymous. To get a phone line, a physical wire had to be installed and a person or business had to pay for it. Any call could be traced to that person or business (or at least to the person paying for the line if not the actual person using it). On the other hand the internet was designed to allow anyone to attach to it from anywhere and to go anywhere within it. Imagine buying a tablet (for cash) and sitting outside a Starbucks or McDonalds and connecting wirelessly to the net. Fake email addresses are easy to get; building up a synthetic identity with no proof and no veracity is straightforward. Good tracking might be able to figure out where you are (until you drive to the next Starbucks) but there is almost no viable way to figure out who you are other than tracking you down and potentially accosting you based on your location. That is the nature of the world’s largest communications network that has ever existed. That is the challenge of being “verified”.

Of course for much of the activity on the network this may be ok. Looking up a Starbucks location or reading a restaurant review should not require anyone to share personal information. There is no doubt that those providing these services will do their utmost to gather as much data about you as they can. Beware! The latest Google settlement should be a lesson here: https://www.cnn.com/2022/11/14/tech/google-location-tracking-settlement/index.html

For the most part though, many services do not require any level of verification.

There is another side to this that is very different. Information services open to misinformation and disinformation can be mitigated by verifying the source. Financial transactions, banking, and commerce demand some level of veracity for the participants. 

So what exactly does verified mean? It depends on the circumstances.

For banking, the United States Banking Secrecy act defines 4 elements of verification required, SSN, Address, Name, Date of Birth (SAND).  This must be combined with some form of government ID to further prove the person providing this information is indeed the rightful owner of it. Known as KYC (Know Your Customer), every banking relationship in the United States is predicated on this level of verification. The institution is further required to do some level of diligence to ensure this information is accurate. For banking this is what you need “verified” to mean.

For credit card transactions, it may be something less stringent. Visit any gas station and verification is based on possession of the credit card and knowledge of the credit card billing address ZIP code. Some limits on transaction size limit the financial exposure in most cases. For online transactions, the seller may also require the CVV code on the card. “Verified” for the most part is taken at face value if the transaction is approved.

When it comes to social networks a whole new set of issues is confronted depending on the nature of the network. LinkedIn for example has both a free tier and a paid tier. Those that pay get “premium” service (and a premium label). This service opens up a set of services not available in the free tier. This service does not verify anyone except to the extent that they must provide some credit card information to pay for the service. This may (or may not) provide a means to track down the person behind the LinkedIn profile depending on the veracity of the card. Card theft is after all a big problem in and of itself and “transaction approved” is not a very high bar.

Twitter has of course also gone down this path recently and the results were less than optimal. By opening up a tiered service like that of LinkedIn but assigning the paid service the label “verified” rather than “premium”, Twitter users were misled into believing the names on these accounts were valid. https://www.washingtonpost.com/technology/2022/11/11/twitter-blue-checkmark/

Lebron James was not amused, neither was Eli Lilly. Equating a credit card payment of $8 with identity verification was certainly a misstep.

For all of this we can draw a reasonable spectrum of what “verified” needs to mean. At the one extreme, simply knowing the user is not a bot may be enough. At the other end of the spectrum a full KYC compliant verification is needed. Between these to extremes, the level of verification depends on the risks associated with identity verification. Attributing false statements to a celebrity, politician or company can do real societal and commercial harm. “Verified” in this case needs to be more than a credit card “transaction approved”.

Here at Journey, we understand this spectrum and have built products specifically to deal with this wide spectrum of verification in addition to other tools and network design  to protect the privacy of the individuals. The Journey Elevate platform is a flexible no-code approach to building the verification process that you want and need.

 

Michael Frendo Headshot

SVP/GM High End Security BU Juniper, EVP Engineering Polycom, VP Engineering & Advanced Product Development Cisco, Founder VoIP Forum. Executive leadership roles at: Infinera, McData, Avaya, and Nortel.