Security News

How Elon Musk can securely achieve his mission of authenticating Twitter users

Jamie Smith 28 Apr 2022

Elon Musk doesn’t need to know WHO the millions of Twitter users are — just that we’re not unverified bots.

Elon Musk is set to spend billions of dollars to acquire Twitter and control its destiny. And he’s already making promises about how he can create a more open, free, and authenticated Twitter experience.

While many have focused on how Musk plans to promote free speech on Twitter, his promise to authenticate all users on the platform is arguably as important. And as he works to achieve that lofty goal, he may quickly find that authenticating users — and doing it securely and privately — will take quite some work.

The social media identity problem

Musk is far from the first person to call for authentication in the social media industry. Indeed, since their earliest days, social media sites have desperately sought ways to verify users. Facebook, for instance, found itself in a dust-up with users back in 2012 when it wanted to identify people by their real names. In 2009, Twitter itself sought ways to verify accounts to reduce bots and address many other social media woes.

But the number of fake accounts, bots, and pseudonyms on social media services continues to expand out of control. Along the way, bad actors are gaming algorithms, spreading misinformation, and engaging in abusive and concerning activities that sour otherwise civil discourse on social networks.

Social media sites have pitched ideas to solve those problems. Some have requested that users hold self-identifying documents, like licenses or passports, up to a camera to identify themselves. Others have gone so far as to say that fully verified identification would be a prerequisite for signing up for social networks. But none of those solutions has been workable for people. In one form or another, they violate citizen rights, inappropriately increase tracking, and generally harm privacy and security on the internet. Moreover, there’s an uneasy feeling about how these large data companies are using our personal data.

A path forward for identity verification

Look closely though, and you’ll see this isn’t about identity. It’s about authentication. We’re not splitting technical hairs here — the details matter. Musk doesn’t need to know who the millions of users are, just that they are not unverified bots (remember: many automated Twitter accounts are incredibly helpful. We just need to weed out the harmful, fraudulent, and spammy ones). 

Although several attempts have been made to solve this issue on social media platforms, it’s clear that some kind of globally acceptable approach is required to get a grip on these important issues around account fraud and spam bots. Whether it’s Elon Musk’s Twitter, Facebook, Instagram, or Snapchat, social media sites need smart ways to check who we are that don’t violate a person’s individual right to privacy and security.

A safe and proper solution will be able to prove a person is definitely human without the user revealing who they are. It will be able to prove that a user resides in a country without needing to say where. And even prove that they are a member of a particular group without revealing any more personal information than that.

But so far, these approaches have been extremely challenging, not least to those working on privacy and identity for decades. We don’t yet have a common, agreed-upon way for this to work. And individuals don’t yet have their own tools or software to help them prove who they are in a private and secure way.

A future of digital identity verification

It’s challenging, but not impossible. An approach that allows for both social media platforms and users to securely communicate and share verified identity information requires a few core things.

For one, a digital approach like this must be open. Its technology must be open source and transparent. It needs to enable people to choose their own tools, based on open standards and interoperability. And it should be part of an open ecosystem meaning people can prove who they are across different social networks (or any website or app, for that matter).

Secondly, and this goes without saying, it must be private and secure. We MUST ensure all users have full control over their data and the extent to which they share facts about themselves. There must be no central honeypot of data. Just as we use paper today to prove things about ourselves, any social media approach must be decentralized where possible and - by design - enable the data to be easily portable by the individual.

Lastly, the solution needs to be trusted by all participants. That means having trusted sources of data, but where those sources don’t know exactly what’s been shared by whom and where. It means having trustworthy data infrastructure that’s not tracking people around, or re-using data without the user’s transparency and consent. That means building new tools for people that can be used with confidence. Taking away that nagging sense of uncertainty when we’re asked to spill the beans on everything from our names and address to date of birth and citizenship.

A road ahead for Elon Musk and Twitter

Elon Musk’s desire to authenticate us on Twitter and develop a more trusted service is a sound one. But the path ahead is fraught with pitfalls around digital trust, privacy, and practicality. 

Avast knows this — we’re currently building it. A next-generation private and secure way to prove who we are, anywhere, that respects the privacy of people and still allows for trustworthy interactions.

Privacy experts are pushing for it, data protection regulators require it, and over 400 million Avast customers are demanding it. It’s a solution that Elon Musk must adopt at Twitter if the service ultimately becomes the first social media to get identity and authentication right.