Web 2.0 Blog – Discovering Innovation Opportunities using Social Media

Posts Tagged ‘authentication’

Postscript: Another example of government spoofing was a prank cell phone call from India to the Pakistani Defense Ministry the day after the Mumbai terrorist attack. The caller claimed to be an Indian Defense Ministry official and said that India was going to retaliate. Planes went up in the air on both sides and the US had to intervene to prevent further escalation. The call was taken seriously because normal authentication procedures were not followed or did not exist.

Hot off the press: Another spoofing incident, which alleges civil damages, involving Twitter and the St. Louis Cardinals’ manager Tony La Russa.

While in general I don’t think western democracies have a lot to learn from the North Korean Government, I think in the case of Gov 2.0 spoofing there might be an exception. The North Korean Central News Agency was recently impersonated on Twitter in a way which might have fooled a lot of people. The Twitter feed was made to look realistic because it used actual articles released by the Central News Agency. The prank was pulled off by a parody website called Stupidedia, and they didn’t seem to intend to create any harm with it.

But this points out how easy it is to pretend you are an official government agency on Twitter. Recently I advocated for a simple reciprocal link authentication policy which would place a link on any official government web 2.0 account (Twitter, Facebook fan page, etc.) to a .gov or .mil page, which would then give a link or list of links to the official social media accounts for that agency. Then anyone could, with 2 clicks, verify that a social media account is authentically coming from an official government source. As government presence becomes more common on social media, we will likely see more attempts to grab attention through this type of impersonation. While it doesn’t seem like much could come of this, all it takes is one person believing one source is the voice of a government and acting on it to cause at the least embarrassment and at the worst some harm.

The future of the internet will involve more authentication than it does today, but here is a potential interim solution to provide some level of authentication for Gov 2.0 presence on online social networks such as Facebook and Twitter. A standard policy of having a reciprocal link back to a Facebook fan page or Twitter account on a .Gov/.Mil website which the social network page points to could be a simple interim solution. I call it Reciprocal Link Authentication.

Government 2.0 includes a government presence on non-government websites such as online social networks (OSNs) (think Facebook fan pages and Twitter accounts) so that citizens can encounter government guidance and assistance where they ‘live’ in cyberspace. But how can citizens be certain that the government account/representative is authentic? If you run into someone in the street and they say they are working for the government, how do you know for certain? They provide you with a badge or ID right at the beginning of the conversation.

If we encounter government workers as official government representatives in non-government cyberspace, should we also be able to see some sort of identification? Since a cyberidentity is in many cases more easily assumed than an alias in real life (especially on social networks), shouldn’t there be a way to verify the authenticity of someone claiming to represent a government? Oftentimes government officials on OSNs, such as agency fan pages on Facebook or informational Twitter accounts, will have an official seal or emblem. The problem with this is that it is trivial and relatively low-risk to copy or create an image of a seal or official-looking emblem and put it on an anonymous OSN account, compared to duplicating a paper credential which someone might show you in person.

The commercial solution for authentication won’t work on social network pages. Here’s why.

Commercial websites sometimes provide SSL encrypted links to independent authentication websites (Verisign, GoDaddy, among others) to prove their authenticity. The problem with the government using this method is that it would add paperwork and costs to implement SSL badges or require changes in existing online social network profile options. Also, I don’t think there are products yet which work with OSNs and the authenticators to verify anyone on social networks. Perhaps more importantly, the government would then be depending on a commercial company to prove its authenticity. Basically it’s a non-starter if you want to actually achieve a Government 2.0 presence online in the near future, for several reasons ranging from practicality to policy to politics to costs.

But wait, there may be a much easier and better way. .Gov and .Mil web sites already are monitored and checked for authenticity unlike .com and .org sites.   So you don’t need an independent cyber authenticator such as Verisign because any .Gov or .Mil site can serve as that authenticator.

Reciprocal Link Authentication.

Why not have a simple policy that any online social network account or non-.Gov/.Mil online presence have a link to a .Gov/.Mil webpage which then links back to that same OSN account? So if someone wanted to verify a government Twitter account, they could simply click on the URL provided and easily find a linkback to that same Twitter account on the .Gov/.Mil webpage they landed on. If the account is hijacked, then a notice of the problem could be put up until the account identity is secured again. If this is done on all federal OSN accounts, the cybercommunity will quickly become accustomed to the authentication method, and if a hijacker removed the authentication link, visitors will know to dismiss the account. And if they see something which sounds a bit off, they can instantly verify it by following the link back to the OSN account. It would not mean much work, since online government representatives at non-.Gov/.Mil sites almost always have some .Gov/.Mil landscape under their control.
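The two-click check described above, automated as an added example (not code from the original post). The account names, the `agency.example.gov` host and the page contents are constructed, and treating account paths as case-insensitive is an assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Links(HTMLParser):
    """Collect href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def links(html):
    parser = _Links()
    parser.feed(html)
    return parser.hrefs

def is_gov_host(url):
    """True only if the hostname itself ends in .gov or .mil (not the path or a subdomain label)."""
    u = urlsplit(url)
    host = (u.hostname or "").rstrip(".")
    return u.scheme in ("http", "https") and host.endswith((".gov", ".mil"))

def account_key(url):
    """Canonical (host, path) of an OSN account URL; case-insensitive paths are an assumption."""
    u = urlsplit(url)
    host = u.hostname or ""
    host = host[4:] if host.startswith("www.") else host
    return host, u.path.rstrip("/").lower()

def verify(account_url, profile_html, fetch):
    """Return the .gov/.mil URL that links back to account_url, or None if no page does."""
    want = account_key(account_url)
    for href in links(profile_html):
        if not is_gov_host(href):
            continue  # click 1 must land on a .gov/.mil host, otherwise ignore the link
        page = fetch(href)
        if page and any(account_key(h) == want for h in links(page)):
            return href  # click 2: the government page lists this exact account
    return None

# Constructed sample data standing in for live pages.
GOV_PAGES = {"https://www.agency.example.gov/social":
             '<ul><li><a href="http://twitter.com/ExampleAgency/">Twitter</a></li></ul>'}
PROFILE = '<a href="https://www.agency.example.gov/social">Official site</a>'
LOOKALIKE = '<a href="https://agency.example.gov.evil.example/social">Official site</a>'
```

An impostor can copy the outbound link into their own profile, which is why the result depends on the linkback from the .Gov/.Mil page and not on the profile's link alone.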

Reciprocal Link Authentication seems easy and low cost, and instantly provides a universal method to authenticate any online government representation without much effort. Sure, it’s not perfect from a cybersecurity point of view, but it goes a long way to addressing several important concerns about government representation on non-government websites.