Verification on the open social web

What’s verification on the open social web for? Together with @emily.space and @sherifea.com I’ve put together a draft statement and roadmap for democratic account verification. For everyone, without government IDs.

We’d love to get your input on the draft statement; please contribute and comment. Open until 31 May.

2 big problems we see with verification today:

  1. It’s treated as a privilege for a small number of “notable” people. Most users have no path to ever becoming verified.
  2. The assumed solution is ID upload. However, we do not think that social platforms should be in the business of asking for IDs.

We set out 6 principles and a high-level roadmap for making it real. And we’re clear we’re not building a central identity authority, an ID pipeline, or a reputation score. We see verification as a public, scoped attestation by a known party about a specific claim.

We’re looking for more folks building and involved in the open social web to join us and co-sign the final version of the statement. The plan is to present it to European policy-makers as a credible and better alternative to building trust on social media.

We think this can be helpful both for app builders and for people creating upcoming legislation around online ID verification (specifically in the EU in our case, but hopefully relevant elsewhere as well).

6 Likes

Oh one thing I wanted to add: yes this is partly a principled stand. We’re not naïve about the reality here… some apps need official ID verification (KYC, age gating, regulated sectors), and depending on jurisdiction the available providers are mostly US-based, data-hungry, or otherwise out of sync with the privacy posture an open social web should hold itself to.

But that doesn’t justify every app just rolling its own ID flow, or wiring up whatever cheap KYC service pops up first on Google… If anything, it’s an argument for the ecosystem to coordinate on something better, which is part of why we’re writing this and what we hope comes out of this.

3 Likes

Outstanding initiative. I don’t think I have much to contribute except for a few random thoughts for now:

  1. I registered for Bluesky verification when it was first announced. Given how it’s going, I’ve lost all hope… So a way to self-verify would be awesome.
  2. If I understand correctly, you’re saying that since my ATProto activity is publicly accessible, every single action could be used as proof that “this is the account that did that.” Genius side-effect of the open web—I didn’t realize this before.
  3. What if I’m verified by, say, sifa.id and by my employer (“example.com”) but not by Bluesky—what is the recommended behavior when people view my profile on sifa.id versus on Bluesky? Should all ATmosphere apps display a UI mark that can be interacted with to reveal exactly who verifies me? Or is it left to the appview provider’s discretion?
  4. The ill-designed EU approach to online ID verification came from a good intention: protecting minors. How is this approach a better solution to that problem? This is probably the one argument that, if well made, could really move the ball forward.
2 Likes

re 2: yes, and that is also something I think that can help us in the “battle” against AI content. On an individual content level it’s already near impossible to tell if content is created by AI or human, that battle seems lost.

But, if we take that detection to an account level… It’s going to be much more expensive for bot networks to set up and maintain believable long-lived accounts that show cross-app behaviors. Not saying it’s impossible, but if it’s more expensive than it’s worth… then this could help.

re 3: for Sifa specifically, I have no plans to verify accounts. What I plan to verify is claims in the account. Like the claim that you finished a course. The claim that you published a scientific paper. The claim that you work somewhere.

And even within these, there might be several ways or levels of doing this: your work could be verified by yourself through work e-mail/domain/SSO, by colleagues, by the employer themselves etc etc.

That you are who you say you are is ok, but there are many scenarios where that is not relevant. Say I’m looking to add contributors to my open source project. If your account has done a lot of great open source contributions (and this is verified), that is much more valuable and telling about you than if your name is exactly the name in your passport. I couldn’t care less 🤷. But for someone else in other scenarios, your open source contributions might be totally irrelevant. Context matters, a single verification icon won’t solve you being verified in a single context or giving you a single score (what Klout once did/tried).

Well we can’t dictate what appviews do, but that is our proposal yes. It’s point 3, “Issuer always named.”

re 4: I don’t know if this will protect minors, that’s not the goal (but if that’s the positive by-effect I’ll take it). I also don’t believe ID verification is the answer to “how do we protect minors online”: It’s not going to help much, and it has a lot of other negative consequences (see for example Why age verification misses the mark and puts everyone at risk - European Digital Rights (EDRi)).

2 Likes

Many thanks for this and every thread you’ve introduced, @gui.do.

I’m limiting my answer here to your original question.

What’s verification on the open social web for?

My answer is in the context of the theme for this year’s Publicspaces conference. Technology for Democracy.

I won’t attempt to understand what you might consider “the open social” web to be. That’s a long drinking session (hopefully, one day). But I can understand you are making the distinction between Online Identity and Digital Identity.

If we are working towards reforming access to the old public (broadcast) institutions (they are ALL broadcasters) and combining them with more social (interactive) media then, as democrats, we must conflate our two identities as a starting point, and ask the questions.

Who verifies the verifiers? And *how may this be enabled most conveniently for/by a citizen, so they can retain their privacy and security? (*Inside, and outside, a public institution’s network)

N.B. “Assumed solutions” are always a distraction when inventing the future. (I see the fabulous Ian is speaking at the conference. No doubt he’ll be flashing his Buckminster Fuller quote.)

Another note. “Social media” startups these days seem to be storming the barricades. e.g. “As global platforms tighten their grip on content, data and distribution, collaboration is no longer optional – it is essential for survival”.

From what I have seen - while observing the bifurcation of public, and commercial, media since the web was invented - the only real barricades remain unbuilt by National public (Broadcast) institutions, which are so preoccupied with their own existence they haven’t had time to collaborate on building (Interactive) alternatives to International private media companies’ offerings.

Now they have woken up, due to all the talk about Digital Sovereignty, they reach out to “develop lasting relationships with big tech platforms to address the needs of future audiences”. Oy vey!

Today, we find ourselves in the position where we have private companies verifying citizens’ access to “their” social media networks, and increasingly, “our” public ones. Could we, at this conference, consider how to turn this around?

Technology for Democracy? I prefer the Swiss version. A bit/lot more direct.

1 Like