Slashdot Mirror


Twitter CEO Jack Dorsey Says Biometrics May Defeat Bots (duo.com)

Trailrunner7 shares a report from Duo Security: From the beginning, Twitter's creators made the decision not to require real names on the service. It's a policy that's descended from older chat services, message boards and Usenet newsgroups and was designed to allow users to express themselves freely. Free expression is certainly one of the things that happens on Twitter, but that policy has had a number of unintended consequences, too. The service is flooded with bots, automated accounts that are deployed by a number of different types of users, some legitimate, others not so much. Many companies and organizations use automation in their Twitter accounts, especially for customer service. But a wide variety of malicious actors use bots, too, for a lot of different purposes. Governments have used bots to spread disinformation for influence campaigns, cybercrime groups employ bots as part of the command-and-control infrastructure for botnets, and bots are an integral part of the cryptocurrency scam ecosystem. This has been a problem for years on Twitter, but only became a national and international issue after the 2016 presidential election.

Twitter CEO Jack Dorsey said this week that he sees potential in biometric authentication as a way to help combat manipulation and increase trust on the platform. "If we can utilize technologies like Face ID or Touch ID or some of the biometric things that we find on our devices today to verify that this is a real person, then we can start labeling that and give people more context for what they're interacting with and ideally that adds some more credibility to the equation. It is something we need to fix. We haven't had strong technology solutions in the past, but that's definitely changing with these supercomputers we have in our pockets now," Dorsey said.
Jordan Wright, an R&D engineer at Duo Labs, writes: "I think it's a step in the right direction in terms of making general authentication usable, depending on how it's implemented. But I'm not sure how much it will help the bot/automation issue. There will almost certainly need to be a fallback authentication method for users without an iOS device. Bot owners who want to do standard authentication will use whichever method is easiest for them, so if a password-based flow is still offered, they'd likely default to that."

"The fallback is the tricky bit. If one exists, then Touch ID/Face ID might be helpful in identifying that there is a human behind an account, but not necessarily the reverse -- that a given account is not human because it doesn't use Touch ID," Wright adds.


  1. Uhm, no by Necron69 · · Score: 2

    Being an old school fart, the vast majority of my Twitter usage comes while I'm sitting at my computer, not on my phone.

    - Necron69

  2. That's incredibly stupid. by fuzzyfuzzyfungus · · Score: 2

    Does Dorsey not understand how 'biometrics' are used in this context? You don't send a picture of your fingerprints/retina/whatever to the remote host (indeed, doing the processing on-module so that the main OS never gets a crack at the data is a feature you typically brag about on your spec sheet if you've avoided cheaping out enough to support that).

    The biometric widget is just used by the local device as a mechanism for controlling whether or not to unlock the actual authentication material (whether it's just a tepid shared secret in the case of a password manager or one of the fancier FIDO/etc. cryptographic things).

    Now, the part of this plan that might work would be coupling it with a platform that (in a feature technically unrelated to biometrics but probably implemented in the same securi-SoC) doesn't use something generic like a password; but includes an element that's hard to spoof without access to a slightly expensive device. Like, not terribly hypothetically, a private key or device certificate signed by the platform vendor. This has nothing to do with biometrics whatsoever; but it could make it much harder to just spam new accounts without also finding a source for extremely cheap TPMs or iPhone secure enclaves or the like to pop up as a new device.

    1. Re: That's incredibly stupid. by GrahamJ · · Score: 3, Insightful

      You seem to be the only commenter that understands the technology. The problem with current authentication APIs is that all they can do is store and compare provided tokens. It's up to the app to report back to servers what the result was, and there's no way for the server to verify that any of it actually happened.

      What would be needed is a new API where the app makes a call and receives back a unique token (perhaps a random per-app ID signed with an Apple private key). The server could then make a call to Apple servers to verify the token is authentic.

      This way Twitter receives no user-specific information but can verify that a biometric capture took place.
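
    The flow sketched by the two comments above (a device key certified by the platform vendor, the app signing a server-issued challenge after the local biometric unlock, and the server checking the vendor's signature rather than ever receiving biometric data), as an added Go example. It is not code from the article, from Duo, or from either commenter: the vendor root key, the device certificate layout, the app ID and the account names are all constructed here, and real vendor attestation formats are more involved than this toy one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// DeviceCert is a constructed stand-in for a vendor-issued device certificate:
// the vendor's root key vouches that DevicePub lives in one device's secure hardware.
type DeviceCert struct {
	DeviceID  string
	DevicePub ed25519.PublicKey
	VendorSig []byte // vendor signature over DeviceID || DevicePub
}

func certPayload(id string, pub ed25519.PublicKey) []byte {
	return append([]byte(id+"|"), pub...)
}

// IssueDeviceCert models enrollment at the (hypothetical) vendor: the vendor root
// key signs the device's public key once, at manufacture or activation.
func IssueDeviceCert(vendorPriv ed25519.PrivateKey, id string, pub ed25519.PublicKey) DeviceCert {
	return DeviceCert{DeviceID: id, DevicePub: pub, VendorSig: ed25519.Sign(vendorPriv, certPayload(id, pub))}
}

// Assertion is what the app sends after the local biometric check released the
// device key. The server sees a signature over its own nonce, never a fingerprint.
type Assertion struct {
	Cert  DeviceCert
	Nonce string
	AppID string
	Sig   []byte
}

func assertionPayload(nonce, appID string) []byte { return []byte(nonce + "|" + appID) }

// SignAssertion runs on the device; in practice the private key never leaves the
// secure hardware and the biometric gate happens before this call.
func SignAssertion(devPriv ed25519.PrivateKey, cert DeviceCert, nonce, appID string) Assertion {
	return Assertion{Cert: cert, Nonce: nonce, AppID: appID, Sig: ed25519.Sign(devPriv, assertionPayload(nonce, appID))}
}

// Verifier is the relying party (the social network's server).
type Verifier struct {
	VendorRoot        ed25519.PublicKey
	AppID             string
	pendingNonces     map[string]bool            // issued, not yet consumed
	accountsPerDevice map[string]map[string]bool // device ID -> set of accounts
}

func NewVerifier(root ed25519.PublicKey, appID string) *Verifier {
	return &Verifier{VendorRoot: root, AppID: appID,
		pendingNonces: map[string]bool{}, accountsPerDevice: map[string]map[string]bool{}}
}

// Challenge issues a fresh single-use nonce so a captured assertion cannot be replayed.
func (v *Verifier) Challenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	n := hex.EncodeToString(b)
	v.pendingNonces[n] = true
	return n
}

// Verify checks the chain: our nonce, vendor-signed device cert, device-signed assertion.
func (v *Verifier) Verify(account string, a Assertion) error {
	if a.AppID != v.AppID {
		return errors.New("assertion was issued for a different app")
	}
	if !v.pendingNonces[a.Nonce] {
		return errors.New("unknown or already-consumed nonce (replay or tampering)")
	}
	if !ed25519.Verify(v.VendorRoot, certPayload(a.Cert.DeviceID, a.Cert.DevicePub), a.Cert.VendorSig) {
		return errors.New("device certificate is not signed by the vendor root")
	}
	if !ed25519.Verify(a.Cert.DevicePub, assertionPayload(a.Nonce, a.AppID), a.Sig) {
		return errors.New("assertion is not signed by the certified device key")
	}
	delete(v.pendingNonces, a.Nonce) // consume: each nonce is good for one sign-in
	if v.accountsPerDevice[a.Cert.DeviceID] == nil {
		v.accountsPerDevice[a.Cert.DeviceID] = map[string]bool{}
	}
	v.accountsPerDevice[a.Cert.DeviceID][account] = true
	return nil
}

// AccountsOnDevice is the defender's signal: bulk registration now costs certified
// devices, and many accounts behind one device ID is the pattern worth reviewing.
func (v *Verifier) AccountsOnDevice(id string) int { return len(v.accountsPerDevice[id]) }

func main() {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor root
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)   // constructed device key
	cert := IssueDeviceCert(rootPriv, "device-A", devPub)
	v := NewVerifier(rootPub, "com.example.social")
	a := SignAssertion(devPriv, cert, v.Challenge(), "com.example.social")
	fmt.Println("genuine:", v.Verify("alice", a))
	fmt.Println("replay:", v.Verify("bob", a))
}
```

    The design point is that the server holds only the vendor's public root and its own nonces: it learns that a vendor-certified device key signed its challenge, not what the biometric looked like or whether one was used at all. The account-per-device count is the only anti-spam signal this buys, and it is only as strong as the vendor root key and the price of certified hardware.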

  3. Re:Use the Force, Twitter by rtb61 · · Score: 2

    The reality of twitter. It only gains attention when it leaves twitter, whilst on twitter no matter the appearance of interaction, just one bird screaming to see how many other birds are listening and every twit lost in the din, as millions upon millions of birds, 'er', idiots scream for attention, most not listening to each other. Hey get one to leave twitter it has some traction but whilst on there just another empty scream. Which shows you the real value of twitter, basically zero, it is meaningless until it leaves twitter and gets broadcast beyond one empty worthless platform.

    Most of the bullshit coming out of Dorsey's mouth is just marketing crap to try to inflate the worth of twitter, to create the illusion of meaning in those idiot tweets, it makes the lame arse rich.

    If you still use twitter then you are a twat. Grow up, it is the internet for screaming kiddies, it has zero worth or social meaning, an advertising platform, whose content is largely ignored, until it is shifted off the platform and they pay people to do that, marketing.

    --
    Chaos - everything, everywhere, everywhen

  4. Re:Which part of Privacy does he not GET? by Rockoon · · Score: 4, Insightful

    Biometrics are widely deployed.

    So was snake oil.

    --
    "His name was James Damore."

  5. Biometrics implies ePassport identities by ezdiy · · Score: 2

    The thing on your phone will happily say a gummy bear or a sausage is "human". New identities there can also be trivially conjured by the simplest of generative models, with no tissue or hardware to scan. See, real, bot-proof biometrics means government authenticated biometrics. A fingerprint scan digitally signed on your ePassport is a pretty decent proof that you're alive somewhere, and probably paying taxes. And our social network overlords are itching to get their hands on that data.

    That is, until someone dumps a public torrent full of scans of a whole country of real people, along with the CA private key, and hilarity ensues. Reminder that privacy preserving biometric schemes (PIR) exist to avoid catastrophic failures like this, but so far no government has been competent enough to be bothered. Why prevent identity theft, when you can just outlaw it?