Twitter showcases the need for Verifiable Corporate Digital Identities
With the Twitter acquisition by Elon Musk, we have seen a whirlwind of changes to the website. The most controversial change was the new Twitter Blue subscription program allowing anyone to gain the previously trusted “Blue Checkmark” next to their Twitter account that used to indicate they were a verified account. This promptly led to many new Twitter accounts, parodying important people or brands. The jokes were often liked and retweeted so often that the reach of these new accounts became as significant as the real accounts. It was no longer possible for users to distinguish real from fake accounts by checking for either blue check marks or the number of followers, likes, and retweets.
The fake accounts ended up being taken seriously and it didn’t take long before companies got severely affected. Several companies have seen their stocks plummet as fake accounts tweet out information that provides false information that would be bad for their image/brand or business model. Eli Lilly and Company, an American pharmaceutical company, lost Billions in market cap due to a fake account tweeting that insulin will from now on be free, which is normally a major source of revenue for the company.
The situation is only one of many examples of damage created by the impersonation of companies. It joins the long list of phishing emails, phone scams, fake customer service websites, and impersonated invoices. This highlights the need for a verifiable digital identity for any organization to combat these scams and protect both the brand and the customers that are frequently the victims. Any interaction with the company should be preceded by an identification mechanism that provides certainty for the user that they are indeed interacting with the correct entity.
Decentralized Identities
The recently approved Decentralized Identifiers (DID) and Verifiable Credential standards by the World Wide Web Consortium (W3C) offer a potential solution to this problem. These standards are most often applied to help people create their own digital identity and give them the ability to provide verifiable proof about different aspects of their identity. But these same standards may even work better for a verifiable digital identity for corporations.
A digital identity for organizations allows them to create a profile that is published on a Distributed Ledger Technology (DLT), such as Bitcoin, Ethereum, or IOTA. Through a simple cryptographic operation, only the owner of the profile can prove they control it. But owning a random identity and being able to prove that you control it doesn’t on its own create any trust. The trust is grown as the identity starts to gather and present evidence about who they are and what they are linked to.
Building a Trusted Corporate Identity
For a corporate identity, this can start with a link to their website. The company can simply list its website in its digital profile while adding a place on its website which list the identifier of this digital profile. Through a very basic process, any program can quickly validate that both the digital profile points to a domain and that the domain links to the same digital profile, creating a bi-directional link that can only be achieved if the same entity controls both the identity and the website.
A similar process can be done to link the corporate identity to a series of social media accounts, such as Twitter, LinkedIn, and Facebook. Now if anybody wants to verify the corporate digital identity, they can see a verifiable link to a domain name and various social media accounts with a (hopefully for them) significant amount of followers. Due to the compounding effect of the evidence that is provided, fake accounts will have a significantly harder time impersonating a company. They’ll need to set up and control a domain name that looks real enough to the company website, they’ll need to create several social media accounts with real-looking names, and acquire a significant following on all of them.
But this only scratches the surface of what can be validated. Companies could be validated by their government company registries such as the Company House, they could acquire and present ISO certifications they have acquired, and they can be validated by their B2B customers or partner organizations. Anything that could be used as evidence can be presented in this format.
Providing Evidence of your Identity
Now, let's compare how an impersonated account might look compared to the real account in a simple example. While both accounts have a real-looking Twitter tag and the same amount of followers, the real account is able to provide much stronger evidence, while the impersonated account can easily be identified as fake by a quick glance.
One Identity used in many scenarios
These identity verification services can naturally also be offered by Twitter. But this system isn’t just for Twitter. Why not show the same evidence when you receive an e-mail? Why show a phone number when you are called and not a company name and the evidence? By utilizing the W3C standards, the information isn’t just shown to you as a user but rather presented. The difference is that a program can verify the cryptographic evidence and scrape additional information such as follower numbers on the user’s side. It allows us to create software with the simple yet effective principle of “Don’t Trust, but Verify” which can be implemented in many platforms, protocols, and products.
While it doesn’t become impossible to impersonate a corporate identity, it does make it much more difficult. And as the technology gets adopted, more sources of evidence can be utilized and shown making it even more difficult to impersonate. This creates a new problem of overwhelming people with evidence and data that they simply can’t or even want to see and read, luckily by applying a bit of clever design and by creating smart validation software, the evidence can be combined into something as simple as a trust rating in the future.
Digital identity is quickly becoming an important topic for many businesses. Recent developments include the approval of the DID standard, the development of new ISO standards, the progress of the EU eIDAS 2.0 regulation, and the maturing of Self-Sovereign Identity frameworks such as IOTA Identity. Learn more about these technologies, standards, and regulations and how they can be applied to your business by contacting Impierce Technologies or visiting impierce.com
