What if I need to show my ID to use the Internet?
That’s the premise of a new paper by AI researchers from prominent institutions including OpenAI, Harvard University, and Microsoft, advocating a new way to prove humanity online: proof-of-humanity.
Researchers argue that increasingly capable AI that can take on human-like behaviors, including simulating people in video chats, expressing human-like experiences, and figuring out how to bypass security measures like CAPTCHAs, could allow bad actors to orchestrate more effective and nefarious schemes.
“The biggest concern with this paper is that, frankly, there’s no magic solution right now, because bots can impersonate people on the internet,” said Tom Zick, a project fellow at Harvard’s Berkman Klein Center for Internet and Society and one of the paper’s authors. “The solutions we have may not work for more advanced AI systems.”
According to the nonprofit Identity Theft Resource Center, there were more than 3,200 data breaches in the United States in 2023, a whopping 72% increase from 2021. Most of them were cyberattacks. As cybersecurity incidents become more common, researchers say the internet is at risk of being taken over by AI-based activity. And they argue that the best tool to tackle this challenge, while balancing anonymity with the trustworthiness of participants, is to provide entirely new human credentials.
If you’re wondering what these certifications are and how they can affect you, here’s what you need to know.
What is a personality certificate?
The identity certificate will be proof that you are a human and not a bot. You can then use this certificate to access online platforms and digital services.
“There are two things that AI can’t do right now,” said Wayne Chang, CEO of digital identity startup SpruceID and another of the authors. “One is showing up in person. The second is that it can’t break encryption as we know it.”
Personal credentials can come in many forms, but they all verify you by generating a cryptographic proof. (A cryptographic proof uses cryptography, a method of secure communication in which algorithms and secret keys encrypt data so that it can later be decrypted, to verify the authenticity of data.)
It could be a certificate from your web browser.
It can be linked to biometric data such as fingerprints, irises, face, or voice.
Or it could be a blockchain-based token, such as a non-fungible token (NFT). (A blockchain is a secure database that maintains records called blocks, which can be used to make data immutable or unchangeable. An NFT is a digital asset stored on a blockchain.)
Why do I need a personality certificate?
The argument for proof of identity stems from the need to determine who created online content, or whether it is a bot.
Bots have disrupted the internet by spreading misinformation, committing fraud, and disrupting services. According to the paper, there is a significant risk that fraudulent AI activities will eventually overwhelm the internet, as AI helps make these activities more convincing with human-like content, avatars, and behavior.
Being able to distinguish between people and bots would reduce fraud, such as fake accounts on social media or dating platforms, as well as online marketplaces where bots buy products like tickets or sneakers and resell them at higher prices.
“These identity credentials help ensure that only real people can create accounts, which increases the integrity of the community,” said Jason Allen Snyder, global chief technology officer at ad agency Momentum Worldwide.
There is also a training data angle.
AI and machine learning models rely on human-generated data.
“If bots are contributing to that data, the quality of the model is going to suffer, and the model is going to make really poor decisions,” Snyder said. “Personal credentials can filter out all that bot-generated data and improve the accuracy, ethics, and fairness of AI.”
So how can we get them?
Credentials can come from multiple sources.
One is a government agency, such as the DMV or post office, which can verify your identity with a government-issued document and then issue you a digital ID or passport.
Other options include banks, colleges or workplaces, and theoretically even retailers like Costco if you have a Costco membership, Snyder said.
Tech companies like Apple and Google can also issue personal credentials that are tied to existing identity systems, such as your Apple ID or Google account.
“Most authors of the paper would agree that we don’t want to talk about it. [one source like] The Post Office will stand for humanity for all,” Chang said.
Do I need just one identity card or multiple ones?
It’s still unclear.
According to Zick, a single, universally applicable personality credential would be easier to administer than multiple credentials, but no one has fully figured this out yet.
What about privacy and security?
The paper’s authors want credentials that can be kept private, so that people don’t have to share anything about themselves they don’t want to, but Zick said he hasn’t found an existing option that walks the line between privacy and identity verification.
This is another detail that still needs to be worked out.
“I would be happy to just use the fact that I bought eggs and made breadcrumbs, and still have my privacy,” Chang added. “I would be able to say, ‘I was a human in a grocery store. I can’t tell you which grocery store it was, but I was there,’ and that would be enough to post a comment online.”
Is this phenomenon unique to the United States or is it a global phenomenon?
Bots can be launched from any country.
According to software company Netacea, the UK, the US, Russia, China and Vietnam are the countries that create and distribute the most bot attacks. In addition, IT company Thales Group found that malicious bots now account for about a third of all internet traffic.
Snyder said the best way to distinguish humans from bots in a global context would be to adopt a universal identity credential. But that would be a difficult task that would require some kind of universal standard, not to mention trust between nations.
“If every country adopted identity credentials, it would be much harder for bots to cross borders because they would lack the credentials needed to interact with systems and platforms,” he added. “It would provide all kinds of inclusivity and fair access, and it would provide a global platform for social media networks and e-commerce and everything else.”
What are the legal and ethical considerations?
Adoption will also require new regulations to ensure that personal credentials respect privacy, security, and human rights.
Snyder admitted it was a pipe dream, but said, “It would be really cool if we could create something like that, because it would cut down on a lot of this nonsense and make AI a lot safer for the world.”
How far is this?
Most of the technology needed for identity verification already exists, he says, but he estimates it will be two to 10 years before we see it in the real world.
Chang said the problem lies in the details of implementation.
“I think a lot of it will happen when there’s actually a demand for it,” he added. “We haven’t seen the internet flooded with AI yet, so I think it’s going to be a reactive thing, like a lot of things.”
Snyder predicts early adoption in sectors where secure identity verification is critical, such as finance, healthcare, and government, within the next one to three years. In closer to a decade, it will be a standard on par with today’s two-factor authentication.
“It’s not an immediate problem, but we think it’s an immediate problem,” Zick added.
What do critics say?
Not everyone is on board with this.
Jacob Hoffman-Andrews, a senior technologist at the nonprofit Electronic Frontier Foundation, called the identity verification system “completely dystopian,” saying it would potentially allow the government to dictate who can speak online.
“The paper suggests that there are multiple potential parties to whom person rights could be granted, but in the context of the paper, it seems like the primary target is the government, and historically, governments have been very poor at granting person rights to everyone,” he said.
He called for better solutions to the problem of misinformation about AI.
“To some extent, everything is in the name,” Hoffman-Andrews said. “No one should be a certificate of their own personality. Your personality is an innate characteristic of your being. No one else can give you that.”