The first Internet Identity Provider for Social Networks?
I received this newswire story about a new company called safeTspace that claims to provide the kind of identity and age verification service that I blogged about a few weeks ago. Aimed at social-networking sites like MySpace, it combines an in-person registration process with biometric authentication to offer an unprecedented level of security for users. The mission statement looked promising:
The company’s proprietary technology keeps unwanted adults out of social-networking sites by verifying each user’s identity with fingerprint technology backed by in-person registration. In addition to identity and age verification, the safeTspace process obtains parental consent for users under 18 years old. The technology protects the child – and not the computer – allowing them to log on and be protected at any computer.
Intrigued, I headed over to their website to find out more. In their initial rollout, safeTspace is only dealing with social-networking sites for children, so it essentially is trying to ensure that you know who is an adult and who is a child (and not an adult posing as a child), thereby restricting access to child-only services and chat rooms. The verification process essentially involves an adult parent going online, creating an account with all their personal information (name, DOB, gender, address, …) and providing the information of their children that they want to register. They will receive an invitation letter that the child takes to school along with one form of identification. The child’s identity is verified and they have their fingerprint taken by a safeTspace representative (usually a safeTspace certified teacher), and their account is activated. From that point on, they can access child-friendly social-networking sites by first logging into safeTspace using their account id, password and fingerprint. The site then sends them to the unlocked member site. The safeTspace website optimistically says:
The only hardware required is a low-cost fingerprint ID reader. Registered children simply login to safeTspace by entering their ID, password and fingerprint. Once there, they can access a wide variety of child-only content and chat, IM and explore with complete freedom.
This is obviously one of the first attempts to create a sort of internet identity provider, even if it seems to operate on the Web SSO principle more than the identity-as-a-service principle.
It incorporates one of the key elements to making identity verification possible. It uses an in-person process, which is the only way to truly verify someone’s identity (never ask a computer to do a human’s job). It also brings in a ubiquitous institution – schools – into the process (in my post on identity verification I had singled out banks as the institution of choice).
The biggest hole seems to be its reliance on biometric authentication. While this ensures that an adult will not log in with a child’s account (actually, I think determined people will find a way around that, but it’s better than nothing), it imposes a burden that I don’t think the user community is ready for. Social-networking sites today have tens of millions of users, know no global boundaries, are accessed on all manner of devices (cellphones, communicators, public internet terminals) and are free. None of this jibes with fingerprint-based authentication. It would therefore be interesting to see how this technology would interact with risk-based authentication and account takeover (ATO) protection measures.
First off, I don’t see schools in developing countries (some of which have the most active children communities) being able to get online with this program soon.
Those same children may not be able to afford the fingerprint reader this scheme needs. The site FAQ states: the cost will depend on the content provider providing the technology, but the general price is around $30 per year – less than the cost of one cup of premium coffee a month. Yeah, here in the US maybe, but in China, India or Thailand?
Also, the story leaves a gaping hole: how is this supposed to work when kids are increasingly using cellphones to blog, photoblog, chat, IM and twitter on social-networking sites?
The FAQ does state that the technology works with mobile devices, but offers no specifics.
It’s an interesting challenge. Technologies like CardSpace and OpenID promise user-centric identity selectors, but impose no requirements on authentication to get access to the Identity Cards. Security is only as strong as the weakest link, and the reliance on a PIN to access an Identity Card seems to be the weak link. I for one will be interested in seeing how safeTspace does in the market. What do you think?