Martin Zwilling (@startuppro) wrote about opportunities to tackle Internet privacy and I posed a question to him – “how do you authenticate an online something with an offline entity?” The reason being that I’ve been thinking about privacy on the Internet as well, but from a slightly different perspective. I’m not so concerned with things like the seemingly infinite lifetime of something said/posted to websites, or identity theft, or the resale of customer information that lots of shady companies and websites are engaged in. Well, I am personally concerned about my own information of course, but not in the sense of the business problem. I’m more interested in authenticating actions, statements, uploads and everything else an “offline entity” could do online. By “offline entity” of course I mean everything from a teenager whose friends post as him or her when they forget to lock their computer and ruin their reputation – to a public figure or celebrity being impersonated – to a corporate entity like CNN purchasing @CNNbrk (which some people thought was run by CNN in the first place).
Several things have prompted this line of thought for me. First, a friend of mine asked me how to mitigate negative press about a design brand he runs. He was asking if it was possible to get things off the first page of a Google search about this brand. Of course, that’s not something that can be solved, but an authenticated coherent statement from this brand regarding bad publicity might actually help mitigate the situation. There have been several incidents of this type, for instance the Domino’s video prank incident and its effect on the value of the brand.
Second, for a recent project I’ve been thinking about how to authenticate somebody that comes to complete and manage an online listing for an offline company. In this scenario, listings are created for companies, and the initial information is populated from an existing public records database. These companies have a vested interest in expanding their listing and participating on the website. However, how do you invite them to participate – who do you email or send a postcard to, and once they come to the site, how can you be sure that somebody appropriate at the company got that postcard and that it’s not a mail clerk from their building that’s signing up to destroy their reputation on this listing site?
I guess what I’m getting at is this – how do you know that something done by me online is really done by me? Do we take PGP signing to the next level and set up a company that can authenticate a signed post online based on the assumption that only the real me has my private PGP key? Do we set up a company that allows mailing of secret information to physical addresses that then authenticate an invitation to a website via this shared secret “token”? I’m sure there are opportunities to start a company that would do something interesting in this space. Perhaps even tackling the problem Martin is talking about in the process – what if we could submit our private data to websites in an encrypted packet that can only be decrypted by entities that we give permission to? Something that tracks how many times something’s been decrypted and used for instance, perhaps an intermediary or an escrow sort of service for information?
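The mailed shared-secret “token” idea above, sketched as an added example (not code from this post or from any existing service): a code is printed on the postcard, only its hash is stored, and it is bound to one listing, expires, and can be redeemed once. The class name `PostcardInvites`, the listing ids, the 30-day validity window and the five-attempt limit are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 30 * 24 * 3600  # assumed validity window for a mailed postcard
MAX_ATTEMPTS = 5                    # assumed limit on wrong guesses per listing

# Alphabet without look-alike characters (no 0/O, 1/I/L), easier to type from paper.
ALPHABET = "23456789ABCDEFGHJKMNPQRSTUVWXYZ"


def _digest(listing_id, token):
    # Hash the token bound to its listing so a code cannot be replayed elsewhere.
    return hashlib.sha256(f"{listing_id}:{token}".encode()).digest()


def normalize(token):
    # Accept lower case, spaces, and dashes as typed from the postcard.
    return "".join(ch for ch in token.upper() if ch in ALPHABET)


class PostcardInvites:
    def __init__(self):
        self._records = {}  # listing_id -> {"digest", "expires", "attempts"}

    def issue(self, listing_id, now=None):
        """Create the code to print on the postcard; only its hash is kept."""
        now = time.time() if now is None else now
        token = "".join(secrets.choice(ALPHABET) for _ in range(12))
        self._records[listing_id] = {
            "digest": _digest(listing_id, token),
            "expires": now + TOKEN_TTL_SECONDS,
            "attempts": 0,
        }
        return "-".join(token[i:i + 4] for i in range(0, 12, 4))

    def redeem(self, listing_id, typed, now=None):
        """Return True once for the right code; wrong, late, or reused codes fail."""
        now = time.time() if now is None else now
        rec = self._records.get(listing_id)
        if rec is None or now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
            return False
        if not hmac.compare_digest(rec["digest"], _digest(listing_id, normalize(typed))):
            rec["attempts"] += 1
            return False
        del self._records[listing_id]  # single use
        return True
```

A successful `redeem` only shows that whoever signed up had the postcard in hand; it does not settle the mail clerk question raised earlier, which needs a second check on the company side.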
Any ideas? It’s hard to resist signing this blog post with my PGP key, but perhaps a WordPress plugin to authenticate posts that way isn’t that hard to make and maybe that’s a small step I’ll take in this direction sometime soon.