Twitter CEO Jack Dorsey Says Biometrics May Defeat Bots (duo.com)
Trailrunner7 shares a report from Duo Security: From the beginning, Twitter's creators made the decision not to require real names on the service. It's a policy that's descended from older chat services, message boards and Usenet newsgroups and was designed to allow users to express themselves freely. Free expression is certainly one of the things that happens on Twitter, but that policy has had a number of unintended consequences, too. The service is flooded with bots, automated accounts that are deployed by a number of different types of users, some legitimate, others not so much. Many companies and organizations use automation in their Twitter accounts, especially for customer service. But a wide variety of malicious actors use bots, too, for a lot of different purposes. Governments have used bots to spread disinformation for influence campaigns, cybercrime groups employ bots as part of the command-and-control infrastructure for botnets, and bots are an integral part of the cryptocurrency scam ecosystem. This has been a problem for years on Twitter, but only became a national and international issue after the 2016 presidential election.
Twitter CEO Jack Dorsey said this week that he sees potential in biometric authentication as a way to help combat manipulation and increase trust on the platform. "If we can utilize technologies like Face ID or Touch ID or some of the biometric things that we find on our devices today to verify that this is a real person, then we can start labeling that and give people more context for what they're interacting with and ideally that adds some more credibility to the equation. It is something we need to fix. We haven't had strong technology solutions in the past, but that's definitely changing with these supercomputers we have in our pockets now," Dorsey said. Jordan Wright, an R&D engineer at Duo Labs, writes: "I think it's a step in the right direction in terms of making general authentication usable, depending on how it's implemented. But I'm not sure how much it will help the bot/automation issue. There will almost certainly need to be a fallback authentication method for users without an iOS device. Bot owners who want to do standard authentication will use whichever method is easiest for them, so if a password-based flow is still offered, they'd likely default to that."
"The fallback is the tricky bit. If one exists, then Touch ID/Face ID might be helpful in identifying that there is a human behind an account, but not necessarily the reverse -- that a given account is not human because it doesn't use Touch ID," Wright adds.
Being an old school fart, the vast majority of my Twitter usage comes while I'm sitting at my computer, not on my phone.
- Necron69
Also, biometrics are very very easy to defeat.
-- Tigger warning: This post may contain tiggers! --
i honestly feel like jack dorsey is just flailing at this point looking for a way to not pay people to just sit down and get rid of the creeps
biometrics won't solve anything. nobody has or wants the devices. i'll leave twitter before i start giving them my biodata, and i almost guarantee everyone else will
this just comes down to twitter can't accept that their absurd extremist free speech stance leads to constant abuse and a dramatically limited platform
StoneCypher is Full of BS
Why all the need by social media to control what people read and think in free nations?
People are sharing their own links and self publishing their own ideas.
The content on social media is user created.
Let the users create, share and link as they want.
Should a social media site want to be a news publisher they can do that and have no comments.
What happens when someone publishes a comment found to be blasphemy? A user who wants to publish about the 1989 Tiananmen Square protests?
To share a funny meme about a politician who gave a short speech?
Now that needs an ID approved by social media? An ad company gets to look after a person's ID?
How about going back to freedom of speech, freedom after speech and the freedom to publish on social media.
Domestic spying is now "Benign Information Gathering"
Think of the fun the ads will have with an account linked to a face :)
Domestic spying is now "Benign Information Gathering"
Good news for any moron who has a Twitter account and a phone with FaceID or a goddamn fingerprint reader, I guess?
It's not like Twitter (or anyone else) gets any face data with FaceID though... all they know is the system has used biometric authentication successfully with the user.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
But they know it's one user and a very unique user :)
Domestic spying is now "Benign Information Gathering"
Does Dorsey not understand how 'biometrics' are used in this context? You don't send a picture of your fingerprints/retina/whatever to the remote host (indeed, doing the processing on-module so that the main OS never gets a crack at the data is a feature you typically brag about on your spec sheet if you've avoided cheaping out enough to support that).
The biometric widget is just used by the local device as a mechanism for controlling whether or not to unlock the actual authentication material (whether it's just a tepid shared secret in the case of a password manager or one of the fancier FIDO/etc. cryptographic things).
Now, the part of this plan that might work would be coupling it with a platform that (in a feature technically unrelated to biometrics but probably implemented in the same securi-SoC) doesn't use something generic like a password; but includes an element that's hard to spoof without access to a slightly expensive device. Like, not terribly hypothetically, a private key or device certificate signed by the platform vendor. This has nothing to do with biometrics whatsoever; but it could make it much harder to just spam new accounts without also finding a source for extremely cheap TPMs or iPhone secure enclaves or the like to pop up as a new device.
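The mechanism described in the comment above, as an added example that is not part of the original comment or any vendor's real API: the biometric match stays on the device and only gates a signing key, while the server checks whether that key was signed by the platform vendor. The names `vendorCA`, `makeDevice` and `verifyAssertion` are hypothetical, and a bare Ed25519 signature stands in for a real attestation certificate chain.

```javascript
// Added illustration; vendorCA, makeDevice and verifyAssertion are hypothetical names.
const crypto = require('node:crypto');

// Stand-in for the platform vendor's attestation CA key.
const vendorCA = crypto.generateKeyPairSync('ed25519');

// A device holds a private key; the vendor signs its public key at manufacture.
// attested=false models a software-only key that no vendor vouches for.
function makeDevice(attested = true) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const pubDer = publicKey.export({ type: 'spki', format: 'der' });
  const issuer = attested ? vendorCA : crypto.generateKeyPairSync('ed25519');
  const cert = crypto.sign(null, pubDer, issuer.privateKey);
  return {
    // The biometric match is local; only a one-bit flag, covered by the
    // signature, ever leaves the device. No fingerprint or face data is sent.
    sign(challenge, biometricOk) {
      const flags = Buffer.from([biometricOk ? 1 : 0]);
      const sig = crypto.sign(null, Buffer.concat([flags, challenge]), privateKey);
      return { pubDer, cert, userVerified: biometricOk, sig };
    },
  };
}

// Server side: what the service can actually learn from a login.
function verifyAssertion(challenge, a) {
  const flags = Buffer.from([a.userVerified ? 1 : 0]);
  const devicePub = crypto.createPublicKey({ key: a.pubDer, format: 'der', type: 'spki' });
  if (!crypto.verify(null, Buffer.concat([flags, challenge]), devicePub, a.sig)) {
    return 'rejected'; // wrong challenge, or the flag was altered in transit
  }
  if (!crypto.verify(null, a.pubDer, vendorCA.publicKey, a.cert)) {
    return 'unattested-key'; // valid signature, but the key costs nothing to mint
  }
  return a.userVerified ? 'attested-device+user-verified' : 'attested-device';
}

const challenge = crypto.randomBytes(32); // constructed sample server nonce
const phone = makeDevice(true);
console.log(verifyAssertion(challenge, phone.sign(challenge, true)));
console.log(verifyAssertion(challenge, makeDevice(false).sign(challenge, true)));
```

The `unattested-key` result is the case that matters for account spam: the biometric flag is present and correctly signed, but nothing ties the key to scarce hardware.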
Think of the sale of data correlated to users that goes _past_ anonymity efforts, that is tied to the same recognizable face even for different user accounts. Think of the sale of such data to foreign governments or criminal organizations, or even to domestic surveillance. Think of the poor security of such data against privileged technical or managerial staff at the companies where the data is gathered.
https://www.youtube.com/watch?...
Requiem for the American Dream
Now they want me to hand over biometric data to read bad bot posts?
Nah. Reading some bullshit from Twitter twats ain't important enough for this. Anyone know an alternative that doesn't suck?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I mean, please add all the methods possible to discriminate between bots and humans. For instance, if someone replies to a tweet in less than 5 seconds with a 200+ character response, mark it as a potential bot post. Other sorts of controls could be added too that mark potential tweets as sent by bots or automated accounts. With all the tools at Twitter's disposal, it seems that they are explicitly NOT looking for ways to discriminate between bots and humans. This is likely for commercial reasons.
Twitter can be a playground for both bots and humans, but detecting the bots and marking their tweets as such could be a great way to help level the playing field and would help humans understand how the information is really flowing through the site. It doesn't have to be all blue checks and biometrics, but those are good as well.
Twitter
Google
Facebook
Apple
ALL must be broken up into several companies.
Corporatism != Free Market
Creating computer generated realistic bio-metrics is not that hard. See link below filled with very real looking computer generated faces.
https://youtu.be/kSLJriaOumA
What Dorsey is saying is that they want to move to authentication based on whether you own a recent Apple device. Still not that hard to beat by a bot, but sure, will filter out low cost bots (and 80% of the smartphone market with it).
A company wants verifiable identities on the people who use their site, which will increase the value of the data that company sells to their customers.
Convincing the users (product) to go along is just marketing.
The reality of twitter. It only gains attention when it leaves twitter, whilst on twitter no matter the appearance of interaction, just one bird screaming to see how many other birds are listening and every twit lost in the din, as millions upon millions of birds, 'er', idiots scream for attention, most not listening to each other. Hey get one to leave twitter it has some traction but whilst on there just another empty scream. Which shows you the real value of twitter, basically zero, it is meaningless until it leaves twitter and get broadcast beyond one empty worthless platform.
Most of the bullshit coming out of Dorsey's mouth is just marketing crap to try to inflate the worth of twitter, to create the illusion of meaning in those idiot tweets, it wake makes the lame arse rich.
You still use twitter then you are a twat. Grow up, it is the internet for screaming kiddies, it has zero worth or social meaning, an advertising platform, whose content is largely ignored, until it is shifted off the platform and they pay people to do that, marketing.
Chaos - everything, everywhere, everywhen
The day Twitter requires biometrics in order to post is the day Twitter dies.
Biometrics are generally a bad idea anyway... but for Twitter? Hell, no.
The thing on your phone will happily say gummy bear or a sausage is "human". New identities there those can be also trivially conjured by the simplest of generative models, with no tissue or hardware to scan it. See, real, bot-proof biometrics means government authenticated biometrics. A fingerprint scan digitally signed on your ePassport is a pretty decent proof that you're alive somewhere, and probably paying taxes. And our social network overlords are itching to get hands on that data.
That is, until someone dumps a public torrent full of scans of a whole country of real people, along with the CA private key, and hilarity ensues. Reminder that privacy preserving biometric schemes (PIR) exist to avoid catastrophic failures like this, but so far no government has been competent enough to be bothered. Why prevent identity theft, when you can just outlaw it?
Try first with simple, easy biometric steps, no orange people allowed.
you can use a fake name to allow free expression, but you must use real biometrics.
On a long enough timeline, the survival rate for everyone drops to zero.