There have been two major issues in tech over the past couple of years which are highly related yet I haven’t seen much talk about their interplay: how to rid (primarily social media) from harmful/fake content and maintain people’s privacy. The former coming to prominence after the 2016 election “influence” campaigns and subsequent revelations around Facebook, YouTube, Twitter and others trying to deal with fake accounts.

Allowing users to mask their identities has been a hallmark of social networks and user generated content (UGC) sites since their formation. After some egregious cases of harmful and hateful content arising early on, each made tacit attempts to ensure identities. Bots and incentivitized users easily worked around them. Few — notably Airbnb after some high profile problems — went to a REAL ID system. This requires users to present multiple forms of government issued ID to establish their identity. REAL ID isn’t perfect, but it certainly reduces the number of fake/anonymous accounts.

On the other side, there has been concern around user privacy and the use of personally identifiable information (PII) that these sites collect. Once again, Facebook unfortunately took the lead here in allowing data to be used in malicious ways demonstrating how dangerous companies controlling PII can be. Since then, there have been many voices, including governmental, calling for significant privacy constraints and for users to “own” their data and identities.

These types of controls are easier said than done. However, it demonstrates that people are not comfortable with big tech (and others for that matter) having this information and, either through malicious or incompetent behavior, may misuse it. This, unfortunately, is in direct conflict with the desire to have more transparency and identity on social media to attempt to limit harmful/fake content so as to better police it. What to do?

My proposal is for a multi-layered system which addresses both issue:

1. Any internet property which allows users to post content (e.g. social networks and UGC sites) must verify their identity using a system like REAL ID.
2. The company may only verify the identification documents but may not store any PII information associated with them. They must keep their own internal ID for each users which has no way of being reverse engineered into PII.
3. Each company must ask (and give access to change at any time) users what information about them that they’re allowed to store. This includes what public persona/name/nickname the user wants displayed along with their content.
4. The government will establish a system for REAL ID based on the issuing entity. When an ID verification request is sent to the government API, valid requests will have a unique set of characters returned to the requesting company (we’ll call this encrypted ID) which they MUST store with the company’s internal unique ID for that user. The government entity must keep storage of all encrypted IDs and their association with REAL IDs. Each requesting company must get a different encrypted ID but a consistent one for the same user on subsequent requests.
5. If there is suspicion of a crime, a law enforcement entity with a subpoena can request the encrypted ID associated with any account. That can then be used to reveal the REAL ID already stored in the government database.
6. Each REAL ID API call by companies will incur a small fee so as to pay for scalable and secure data systems that the government must maintain.

This system isn’t perfect but will a) curb bad behavior online with the knowledge that if you cross a line, you could get a visit from law enforcement b) greatly restrict bots and malicious actors from gaining accounts c) support a government program to protect IDs but associate them with real identities they already issue and protect d) do not allow companies to hold PII which could be used maliciously or hacked.

Are there people who would lose their important anonymity under this plan? You don’t have to keep any PII with the company, only the government (and you do this today)?

What about authoritarian governments and how they could abuse this? Yes, that’s a concern but is also a larger issue. In any case, this does not address private messaging apps and other types of sites, only public content ones.

Thoughts?