Table of Contents
What if you had to show ID to use the internet?
That is the premise behind a new paper by AI researchers from well-known institutions such as OpenAI, Harvard University and Microsoft who are advocating for personality references, or a new method to prove our humanity online.
The researchers argue that increasingly capable AI – which can simulate people in video calls, express human experiences and take human actions, including figuring out how to bypass security measures such as CAPTCHAs – is allowing malicious actors to orchestrate more effective and sinister schemes.
“The biggest concern of this paper is that we don’t have great solutions right now, frankly, for bots that can masquerade as humans on the internet,” said Tom Zick, a project fellow at Harvard’s Berkman Klein Center for Internet and Society and one of the paper’s authors. “The solutions we have may not hold up to more sophisticated AI systems.”
There were more than 3,200 data leaks in the U.S. in 2023, a massive 72% increase from 2021, according to the nonprofit Identity Theft Resource Center. The majority were cyberattacks. As cybersecurity incidents become more common, researchers say there’s a risk that AI-powered activity could take over the internet. And they argue that the best tool to address this challenge while balancing anonymity and trustworthiness for those involved is to give us an entirely new human reference.
If you’re wondering what these qualifications mean and how they could affect you, here’s what you need to know.
What is a personality certificate?
A personhood credential would be proof that you are a human and not a bot. You could then use these credentials to access online platforms and digital services.
“There are two things that AIs can’t do right now,” said Wayne Chang, CEO of digital credential startup SpruceID and another author. “One is to show up in person. The second is that they can’t crack cryptography, as far as we know.”
Personal data can come in many forms, but they all generate cryptographic evidence to authenticate you. (Cryptographic evidence uses cryptography — a method of secure communication using algorithms and secret keys that can encrypt and then decrypt data — to verify the authenticity of data.)
It could be a certificate in your web browser.
It can be linked to your biometric data, such as your fingerprint, iris, face or voice.
Or it could be a blockchain-based token, such as a non-fungible token, or NFT. (Blockchain is a secure database that maintains records, called blocks, that can be used to make data immutable, or unchangeable. NFTs are digital assets stored on a blockchain.)
Why do we need personality references?
The argument for the existence of personhood stems from the need to be able to determine whether online content was created by a person or a bot.
Bots have degraded the internet by the spreading of misinformation, commit fraud And causing services to crashAccording to the article, there is a significant risk that deceptive AI activities will eventually overwhelm the internet, as AI makes these activities more convincing with human-like content, avatars, and actions.
If we can distinguish a person from a bot, we can reduce misleading activities such as fake accounts on social media and dating platforms. We can also reduce the chance of abuse on online marketplaces where bots buy up products such as tickets and sneakers and resell them at higher prices.
“This identity data ensures that only real people create accounts, increasing the integrity of the communities they belong to,” said Jason Alan Snyder, Global Chief Technology Officer at advertising agency Momentum Worldwide.
There is also a training data corner.
AI and machine learning models rely on human-generated data.
“When bots are contributing to that data, it degrades the quality of the models and leads to the models making really crappy decisions,” Snyder said. “Personal references can filter out all that bot-generated data and improve the accuracy, ethics and fairness of AI.”
How would we get them?
The references may come from multiple sources.
One of these is a government agency like the DMV or the post office. They can verify your identity using government-issued documents and then issue a digital ID or passport.
Another option is your bank, university or workplace, or even theoretically a retailer like Costco, if you’re a member, Snyder said.
Technology companies like Apple and Google could also release identity data tied to their existing identity systems, such as your Apple ID or your Google account.
“Most of the authors of the paper agree that we do not want to say that [one source like] “The Post Office is going to emphasize the humanity of everyone,” Chang said.
Do we need one or more personality certificates?
That is still unclear.
According to Zick, having one personhood credential that works for everyone would be easier than managing multiple credentials. But no one has figured this part out yet.
What about privacy and security?
The paper’s authors want a credential that can be private, so you don’t share anything about yourself that you don’t want to. But they didn’t find an existing option that walks the line between preserving privacy and verifying personality, Zick said.
That’s still a detail that needs to be worked out.
“We’d like to see that maybe you can just use the fact that you bought eggs and that creates this breadcrumb trail that you can use and that can protect your privacy,” Chang added. “You can say, ‘I was a human in a grocery store. I’m not going to tell you which one, but I was there,’ and that’s enough to get a comment out there on the internet.”
Would this be unique to the US or worldwide?
Bots can come from any country.
According to software company Netacea, the UK, US, Russia, China and Vietnam are the countries that create and implement most bot attacks. Furthermore, IT company Thales Group discovered that bad bots now account for nearly a third of all Internet traffic.
To distinguish humans from bots in a global context, global acceptance of personhood credentials would be best, Snyder said. But that’s a tall order that requires some kind of universal standard, not to mention trust between nations.
“If every country adopted a personhood credential, it would be much harder for bots to operate across borders because they wouldn’t have the credentials to interact with systems and platforms,” he added. “It provides all kinds of inclusivity and fair access, and it gives you a global platform for social media networking and e-commerce and all those other things.”
What are the legal and ethical considerations?
The implementation also requires new rules to ensure that the identity of individuals is safeguarded while respecting privacy, security and human rights.
Snyder admitted that this is a utopia, but said, “It would be really great if we could achieve something even close to this. It would eliminate a lot of the nonsense and make AI a lot safer for the world.”
How far is this?
Chang and Zick say most of the technology for verifying people’s identities already exists, but they estimate it will be two to 10 years before we see it in the real world.
According to Chang, the devil lies in the details of the execution.
“I think it will mostly happen if there is actual demand for it,” he added. “We haven’t seen the internet become overrun by AI yet, so I think like a lot of things, it could be a reactive thing.”
Snyder predicts that in the next one to three years, we’ll see early adoption in industries where secure identity verification is critical, such as finance, healthcare, and government. In about 10 years, it will become a standard similar to what two-factor authentication is today.
“It’s not something that’s happening right away, but we do think it’s an immediate problem,” Zick added.
What do critics say?
Not everyone agrees with this.
Jacob Hoffman-Andrews, senior technology officer at the nonprofit Electronic Frontier Foundation, called the personality credentials “hugely dystopian,” with the government potentially determining who can speak online.
“The idea is presented that there are multiple potential issuers of personhood, but in the context of the paper, governments seem to be the main target, while governments have historically been very bad at granting personhood to everyone,” he said.
He advocated for a better solution to the problem of AI disinformation.
“To some extent, it’s all in the name,” Hoffman-Andrews said. “No one person should be the proof of their personhood. Your personhood is an innate characteristic of your being. It can’t be bestowed upon you by someone else.”
