Twitter CEO Jack Dorsey Says Biometrics May Defeat Bots (duo.com) 60
Trailrunner7 shares a report from Duo Security: From the beginning, Twitter's creators made the decision not to require real names on the service. It's a policy that's descended from older chat services, message boards and Usenet newsgroups and was designed to allow users to express themselves freely. Free expression is certainly one of the things that happens on Twitter, but that policy has had a number of unintended consequences, too. The service is flooded with bots, automated accounts that are deployed by a number of different types of users, some legitimate, others not so much. Many companies and organizations use automation in their Twitter accounts, especially for customer service. But a wide variety of malicious actors use bots, too, for a lot of different purposes. Governments have used bots to spread disinformation for influence campaigns, cybercrime groups employ bots as part of the command-and-control infrastructure for botnets, and bots are an integral part of the cryptocurrency scam ecosystem. This has been a problem for years on Twitter, but only became a national and international issue after the 2016 presidential election.
Twitter CEO Jack Dorsey said this week that he sees potential in biometric authentication as a way to help combat manipulation and increase trust on the platform. "If we can utilize technologies like Face ID or Touch ID or some of the biometric things that we find on our devices today to verify that this is a real person, then we can start labeling that and give people more context for what they're interacting with and ideally that adds some more credibility to the equation. It is something we need to fix. We haven't had strong technology solutions in the past, but that's definitely changing with these supercomputers we have in our pockets now," Dorsey said. Jordan Wright, an R&D engineer at Duo Labs writes: "I think it's a step in the right direction in terms of making general authentication usable, depending on how it's implemented. But I'm not sure how much it will help the bot/automation issue. There will almost certainly need to be a fallback authentication method for users without an iOS device. Bot owners who want to do standard authentication will use whichever method is easiest for them, so if a password-based flow is still offered, they'd likely default to that."
"The fallback is the tricky bit. If one exists, then Touch ID/Face ID might be helpful in identifying that there is a human behind an account, but not necessarily the reverse -- that a given account is not human because it doesn't use Touch ID," Wright adds.
Use the Force, Twitter (Score:1)
By "Force" I mean the Shadow Ban engine.
If you are not a blue check, or not authenticating via touch/face, maybe you get some lower views on your tweets, maybe they only show for 10% of your followers.. something like that. Explain that and it doesn't matter how "easy" the other paths are.
I still feel like bots will figure out some way around those systems though... also not sure how that works in a world where Twitter themselves have driven people to use the web more by killing off as many native clients
Re: (Score:2)
It's not like Twitter (or anyone else) gets any face data with FaceID though... all they know is the system has used biometric authentication successfully with the user.
Re: (Score:2)
Think of the sale of data correlated to users that goes _past_ anonymity efforts, that is tied to the same recognizable face even for different user accounts. Think of the sale of such data to foreign governments or criminal organizations, or even to domestic surveillance. Think of the poor security of such data against privileged technical or managerial staff at the companies where the data is gathered.
Re: (Score:3)
The reality of twitter. It only gains attention when it leaves twitter, whilst on twitter no matter the appearance of interaction, just one bird screaming to see how many other birds are listening and every twit lost in the din, as millions upon millions of birds, 'er', idiots scream for attention, most not listening to each other. Hey get one to leave twitter it has some traction but whilst on there just another empty scream. Which shows you the real value of twitter, basically zero, it is meaningless unt
Re: (Score:2)
Biometrics are generally a bad idea anyway... but for Twitter? Hell, no.
Uhm, no (Score:3)
Being an old school fart, the vast majority of my Twitter usage comes while I'm sitting at my computer, not on my phone.
- Necron69
Re: (Score:1)
Being an old fart, nobody will miss you if you can't post any more.
Re: (Score:2)
Being an old fart, nobody will miss you if you can't post any more.
Well let's be fair. If you have a blue check mark, you're probably pining out to be added to a disability list anyway. At least that old fart, has useful skills they can pass down to another generation.
Re: (Score:2)
Javascript watches the pattern of your keystrokes to see if they are human-like or bot-like. Google Recaptcha does something similar with mouse movements.
Re: (Score:1)
Yeah, same. Not to mention I have a tendency to *not* want my face and fingerprints associated with a service claiming to provide you an anonymous voice.
Which part of Privacy does he not GET? (Score:2)
Also, biometrics are very very easy to defeat.
Re: (Score:2)
Also, biometrics are very very easy to defeat.
Says who?
Re: (Score:1)
Says research on the subject... do you have any other dumb questions?
Biometrics are widely deployed. How many in-the-wild exploits have there been?
Despite the research, in practice biometrics have proven to be more secure than PINs or passwords. About 5% of debit card holders write their PIN on the card. Biometrics work well even for stupid and careless people.
Re: Which part of Privacy does he not GET? (Score:5, Insightful)
Biometrics are widely deployed.
So was snake oil.
Re: (Score:1)
Biometrics are widely deployed.
That says nothing. Windows is a bad idea done badly, and it's the widest deployed desktop emulation software around.
The popularity of biometrics is basically due to hollywood, blanket endorsements via vendors (and vendor-"knowledge"-certification), idiot politicians, lobbying, and all the rest of the zoo promoting bad ideas. There's money to be made selling the gadgetry. And it looks spiffy, with blinky lights and the memories of those dressed-up props in hollywood movies. Zoom-zoom your hand is scanned jus
Re: (Score:2)
Biometrics are widely deployed. How many in-the-wild exploits have there been?
So long as you are willing to count "incorrectly implemented" as an exploit, then there have been countless exploits.
This sounds like one of those times.
Think about it, he wants to take an actual biometric - something humans have but bots don't - and interpret that biometric through an electronic reader device (be it fingerprint sensor or camera or whatever) to convert it into a series of bits to transfer over a network - something bots can do perfectly well.
Biometrics work OK as a form of identification wh
lol what the fuck (Score:2)
i honestly feel like jack dorsey is just flailing at this point looking for a way to not pay people to just sit down and get rid of the creeps
biometrics won't solve anything. nobody has or wants the devices. i'll leave twitter before i start giving them my biodata, and i almost guarantee everyone else will
this just comes down to twitter can't accept that their absurd extremist free speech stance leads to constant abuse and a dramatically limited platform
Re: (Score:1)
Well if they just blocked all traffic from outside police jurisdiction, and blocked all traffic from known/obvious anonymous relay services like proxies and vpns, etc., whatever else slipped through would be within reach of either hiring staff to moderate by hand.
But then, advertising revenue would plummet too...
Censorship and an internet ID (Score:2)
People are sharing their own links and self publishing their own ideas.
The content on social media is user created.
Let the users create, share and link as they want.
Should a social media site want to be a news publisher they can do that and have no comments.
What happens when someone publishes a comment found to be blasphemy? A user who wants to publish about the 1989 Tiananmen Square protests?
To share a funny meme
Great (Score:2)
That's incredibly stupid. (Score:3)
The biometric widget is just used by the local device as a mechanism for controlling whether or not to unlock the actual authentication material (whether it's just a tepid shared secret in the case of a password manager or one of the fancier FIDO/etc. cryptographic things).
Now, the part of this plan that might work would be coupling it with a platform that (in a feature technically unrelated to biometrics but probably implemented in the same securi-SoC) doesn't use something generic like a password; but includes an element that's hard to spoof without access to a slightly expensive device. Like, not terribly hypothetically, a private key or device certificate signed by the platform vendor. This has nothing to do with biometrics whatsoever; but it could make it much harder to just spam new accounts without also finding a source for extremely cheap TPMs or iPhone secure enclaves or the like to pop up as a new device.
Re: That's incredibly stupid. (Score:4, Insightful)
You seem to be the only commenter that understands the technology. The problem with current authentication APIs is that all they can do is store and compare provided tokens. It's up to the app to report back to servers what the result was, and there's no way for the server to verify that any of it actually happened.
What would be needed is a new API where the app makes a call and receives back a unique token (perhaps a random per-app ID signed with an Apple private key). The server could then make a call to Apple servers to verify the token is authentic.
This way Twitter receives no user-specific information but can verify that a biometric capture took place.
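The token flow the two comments above sketch (a device-held key provisioned by the platform vendor, a random per-app ID, and a vendor-side check the site calls) is worked through here as an added Python example; it is not code from the original thread, nor from Apple or Twitter. All class and function names are hypothetical. A keyed MAC with a vendor-held key stands in for the vendor signature the comment proposes, and the one-time challenge that binds each token to a single request is an assumption about how such a scheme would have to be built to resist replay.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Three hypothetical parties: the platform vendor's verification service
# (stand-in for "Apple servers"), the device's secure hardware (releases a
# token only after a local biometric check), and the relying party (stand-in
# for the social-network server). The relying party sees only a random
# per-app ID, a challenge it issued itself, and a MAC it cannot forge.


def _mac(key: bytes, per_app_id: str, challenge: bytes) -> bytes:
    """Bind the per-install key to this install and this one challenge."""
    return hmac.new(key, per_app_id.encode() + b"|" + challenge, hashlib.sha256).digest()


class VendorVerifier:
    """Provisions per-install keys and answers 'is this token genuine?'."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)          # vendor-held secret
        self._registry: dict[str, bytes] = {}           # per_app_id -> install key

    def register_install(self, per_app_id: str) -> bytes:
        key = hmac.new(self._master, per_app_id.encode(), hashlib.sha256).digest()
        self._registry[per_app_id] = key
        return key

    def verify(self, token: dict) -> bool:
        key = self._registry.get(token.get("per_app_id", ""))
        if key is None:
            return False  # never provisioned: a forged install
        try:
            challenge = bytes.fromhex(token["challenge"])
            mac = bytes.fromhex(token["mac"])
        except (KeyError, ValueError):
            return False
        return hmac.compare_digest(_mac(key, token["per_app_id"], challenge), mac)


class DeviceAuthenticator:
    """Holds per-install keys; only a successful biometric check unlocks them."""

    def __init__(self, vendor: VendorVerifier) -> None:
        self._vendor = vendor
        self._installs: dict[str, tuple[str, bytes]] = {}

    def install_app(self, app_name: str) -> str:
        per_app_id = secrets.token_hex(16)  # random, unrelated to user or device
        self._installs[app_name] = (per_app_id, self._vendor.register_install(per_app_id))
        return per_app_id

    def attest(self, app_name: str, challenge: bytes, biometric_ok: bool) -> Optional[dict]:
        if not biometric_ok:
            return None  # no local unlock, no token to report
        per_app_id, key = self._installs[app_name]
        return {"per_app_id": per_app_id, "challenge": challenge.hex(),
                "mac": _mac(key, per_app_id, challenge).hex()}


class RelyingParty:
    """Issues one-time challenges, forwards tokens to the vendor, labels accounts."""

    def __init__(self, vendor: VendorVerifier) -> None:
        self._vendor = vendor
        self._pending: set[bytes] = set()
        self.labels: dict[str, str] = {}

    def new_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self._pending.add(challenge)
        return challenge

    def submit(self, account: str, token: Optional[dict]) -> bool:
        if token is None:
            return False
        try:
            challenge = bytes.fromhex(token["challenge"])
        except (KeyError, ValueError):
            return False
        if challenge not in self._pending:
            return False  # unknown or already consumed: replays stop here
        self._pending.discard(challenge)
        if not self._vendor.verify(token):
            return False
        self.labels[account] = "biometric-verified"
        return True


def run_demo() -> dict[str, bool]:
    """Exercise the happy path and the failure modes; every entry should be True."""
    vendor = VendorVerifier()
    device = DeviceAuthenticator(vendor)
    site = RelyingParty(vendor)
    device.install_app("bird-app")
    results = {}
    token = device.attest("bird-app", site.new_challenge(), biometric_ok=True)
    results["token_carries_no_user_data"] = set(token) == {"per_app_id", "challenge", "mac"}
    results["fresh_token_accepted"] = site.submit("alice", token)
    results["replay_rejected"] = not site.submit("alice", token)
    results["no_biometric_no_token"] = device.attest("bird-app", site.new_challenge(), False) is None
    tampered = dict(device.attest("bird-app", site.new_challenge(), True))
    tampered["mac"] = "00" * 32
    results["tampered_mac_rejected"] = not site.submit("bob", tampered)
    forged = {"per_app_id": secrets.token_hex(16), "challenge": site.new_challenge().hex(), "mac": "11" * 32}
    results["unregistered_install_rejected"] = not site.submit("mallory", forged)
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'pass' if ok else 'FAIL'}")
```

The relying party never sees a face or fingerprint; it learns a per-app ID that is random at install time, so two installs on one phone are not linkable by the site. The scheme proves only that a registered install performed an unlock for this request, which is exactly the limit the later reply raises: a room full of provisioned devices still passes.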
Re: That's incredibly stupid. (Score:2)
All good points, thanks. Food for thought.
I still think there could be benefits to the biometric option. If it was only a matter of creating an account on approved hardware I could imagine a truckload of iPhone 5Ss and a room full of cheap labour being an effective account generation scheme. If it was per-post but based on a per-install token that would solve that problem but would make using multiple devices difficult, especially while maintaining anonymity. And that's already possible.
A per-post biom
Sausage-auth (Score:1)
https://www.youtube.com/watch?... [youtube.com]
As if the bots weren't bad enough (Score:2)
Now they want me to hand over biometric data to read bad bot posts?
Nah. Reading some bullshit from Twitter twats ain't important enough for this. Anyone know an alternative that doesn't suck?
It doesn't have to be all or nothing (Score:1)
I mean, please add all the methods possible to discriminate between bots and humans. For instance, if someone replies to a tweet in less than 5 seconds with a 200+ character response, mark it as a potential bot post. Other sorts of controls could be added too that mark potential tweets as sent by bots or automated accounts. With all the tools at Twitter's disposal, it seems that they are explicitly NOT looking for ways to discriminate between bots and humans. This is likely for commercial reasons.
Twitter ca
Re: (Score:2)
>detecting the bots and marking their tweets as such could be a great way to help level the playing field and would help humans understand how the information is really flowing through the site.
I thought that's what the blue checkmark was for.
Break them up (Score:1)
Twitter
Google
Facebook
Apple
ALL must be broken up into several companies.
It's not biometrics, it's having an Apple device (Score:2)
Creating computer generated realistic bio-metrics is not that hard. See link below filled with very real looking computer generated faces.
https://youtu.be/kSLJriaOumA [youtu.be]
What Dorsey is saying is that they want to move to authentication based on whether you own a recent Apple device. Still not that hard to beat by a bot, but sure, will filter out low cost bots (and 80% of the smartphone market with it).
User information is more valuable with ID (Score:2)
A company wants verifiable identities on the people who use their site, which will increase the value of the data that company sells to their customers.
Convincing the users (product) to go along is just marketing.
Biometrics implies ePassport identities (Score:3)
That is, until someone dumps a public torrent full of scans of a whole country of real people, along with the CA private key, and hilarity ensues. Reminder that privacy preserving biometric schemes (PIR) exists to avoid catastrophic failures like this, but so far no government has been competent enough to be bothered. Why prevent identity theft, when you can just outlaw it?
Oh Jack (Score:2)
Try first with simple, easy biometric steps, no orange people allowed.
logic (Score:2)
you can use a fake name to allow free expression, but you must use real biometrics.