Don’t Verify Your Twitter Account
When looking at the requirements to verify your Twitter account, one of the first things we see is all the Personally Identifiable Information (PII) they require from you, which, from a risk perspective, you shouldn’t want to share with anyone unless it’s absolutely necessary.

Before you can start applying for one of those fancy blue check marks, they require your phone number, email address (probably already linked to your account, since it’s needed for password resets anyway), birthday, website, and that your tweets are set as public in Tweet privacy settings (verified private accounts don’t seem to exist). They also require you to have a bio, profile photo, and a header photo, but those don’t necessarily contain personal information, so I’m going to leave that there.
According to Twitter, a ‘verified account’ “lets people know that an account of public interest is authentic.” We could now argue over what “public interest” or “authentic” means, but I’ll briefly summarize it as: “Ensuring that the name on the Twitter account relates to a person with that same name, and other characteristics (profile photo, URL, statements made in tweets, etc.)”.
After you have supplied all of that, they ask you to make a copy of one of your legal documents (passport or driver’s license) and send it to them, to prove that you are you. There are a few issues with this approach.
First of all, the primary security feature of any analog legal identity document is an anti-copying mark. This way, any copy is always rendered useless. Both legally and technically, a copy can never be verified, since we’ll never know whether it’s a Photoshop job or the real thing.
Second, a digital copy of an analog document still contains a lot of personal information, and it must now be sent over a communications channel. The problem here is that communications can be intercepted.
Third, even if it isn’t compromised along the way (and compromise is rather likely), once it arrives, the data will be stored in a database. When such a database is compromised, all the information it contains could be exposed to an adversary. This is also something we shouldn’t want.
From start to finish, what could possibly go wrong? And why go through this process if the first step doesn’t make sense anyway?
What finally inspired me to write this article was the following tweet:
So, yeah. This case also makes it kinda iffy, but @jack might disagree.
Apart from that, I have already heard from several people that they have received their fancy blue mark (authentic!) without ever having asked for it. But you’re going to have to take my word for that (I’m not naming them), because the Twitter police can just as easily take it away from you. Ask Milo, he can attest to this.
Last but not least, so far, I haven’t seen an identity expert, guru, or swami, with a verified Twitter account. Maybe it has to do with my limited visibility on the world, but when I look at well-respected and well-credentialed folks within the ‘identity space’, neither Dave Birch (known as “validated @dgwbirch” at the time of writing — heh), Steve Wilson, nor Douwe Lycklama, have verified their accounts. We can only speculate on why not, and I can’t speak for them, but maybe Dave is trying to prove a point?
So, don’t verify your Twitter account. Or do. Whatever tickles your itch. I’m not going to, and I don’t want to. Perhaps, one day, when they’ve implemented a more sound alternative …