From The Hollow Men:
Our dried voices, when
We whisper together
Are quiet and meaningless
As wind in dry grass
Or rats’ feet over broken glass
In our dry cellar …
This is the way the world ends, not with a bang but a whimper.”
– T.S. Eliot
Assume, for a moment, that the world we want to live in can’t exist without freedoms and democratic institutions that in turn depend on informed citizens.
If you agree this is an essential precondition for a desirable society then you also have to agree we all need trustworthy sources of information.
Not just sources we trust. That comes later. First they have to be trustworthy.
I first wrote about the need for trusted information providers and how the Internet exacerbates the challenge of recognizing them more than two decades ago in InfoWorld (read “Trusted Information Providers,” 3/17/1997, although I didn’t draw the proper distinction between trusted and trustworthy.)
There isn’t yet a Trusted Information Provider seal, but we’ve reached the point where we need one desperately — not only as citizens but in our roles as IT and business managers and professionals. As evidence, I offer “Hoax attempts against Miami Herald augur brewing war over fake, real news,” (Tim Johnson, McClatchy DC Bureau, 2/24/2018).
Briefly, an Internet imposter posed as Alex Harris, a Miami Herald reporter. The imposter issued offensive tweets spoofed so Mr. Harris appeared to be their source. Another imposter, or possibly the same one, created a phony and equally offensive Miami Herald story by Mr. Harris, using screen shots indistinguishable from legitimate Miami Herald articles, and distributed them through Twitter and Snapchat.
I can think of only three reasons someone might do this. (1) They might be taking advantage of our increasing tribalism to discredit those on the other side of the issue being reported on. (2) They might be trying to discredit the mainstream media by making it appear to be disgusting. Or, (3) they might be going a step further, fostering distrust of any information we read because we can never trust that the source is who or what it claims to be.
Their motivations don’t really matter, though. The inevitable outcome is to further increase our tribalism and to contribute to the increasing distrust of the sources of information we’re accustomed to relying on.
When I first wrote about the need for a Trusted Information Provider certification body I was thinking in terms of whether a given information provider adhered to trustworthy information gathering and vetting practices.
The stakes are higher now. We need some means for validating that the information we encounter does come from its purported source.
For general news I can offer a short-term solution: Stop getting any of it from the Internet. It’s easy to fake up a page that looks like the source is CNN, Fox, or any major online newspaper. It’s much harder, not to mention more expensive, to print a fake newspaper and distribute it to hundreds of thousands of doorsteps.
Which in turn isn’t as hard as hijacking a cable channel to send out truly fake news.
But that doesn’t solve the problem. In your professional life you also rely on information providers. Only there’s a very good chance you have no print publications available to you. No matter your field … IT, marketing, finance and accounting, human resources, or what have you, printed magazines are as it were, pretty much yesterday’s news.
And it isn’t just general-purpose trade publications that are at risk. Think about information publishers like Gartner and Forrester. If you receive information from them you receive it electronically.
And if you receive it electronically it can be counterfeited.
We need something that reverses the usual order of things. If you subscribe to, for example, the Washington Post, you occasionally have to log in — to authenticate yourself so as to have access to the information it publishes.
What we need is a reliable mechanism for Trusted Information Providers to authenticate themselves to us.
I once helped a client become PCI compliant. The company was owned and managed by members of a tightly knit community. So when the time came to institute background checks, the CEO was incensed. “Background? I know my employees’ parents and grandparents! I was there when a lot of them were born! I’m a guest at their weddings! Why do I need background checks?”
When we were all truly tribal, proving you were who you said you were took no more effort than showing your face.
Not anymore.
Now, proof of identity just might be the central challenge of our age.
If only we had some sort of “currency” that could be predicated on actions, like publishing a story, that would prove the publisher’s identity and track all their actions cryptographically…. Feel free to block this post if what I’m saying will be part of next weeks post.
Bob:
Excellent – as usual!
I like your use of the word “tribal” – quite correct …
Best regards,
Marc Linville
The difficulty of faking the identity of an online news site like CNN or Fox is definitely less than publishing fake newspapers or hijacking a cable station, but it is one way that sites can “authenticate” themselves.
The problem, as always, is us.
So educating users about how to identify that there site they are looking at is authenticated, the dangers of going to one that’s not, and the importance of not going to web sites (malware providers) you don’t know are legit would go some distance toward this goal without requiring infrastructure change.
On a separate approach, a couple places I do business with (including my workplace) always show some customized information that I have chosen after I tell them my username but before I provide my password. I wish more places would start doing at least that much.
We already have a well-known (among those in the business who know) technology solution; public-key encryption. That technology provides both the ability to hide information from unauthorized viewers and, more importantly in this context, the ability to sign a document (any digital file) so that its provenance can be completely validated. An example of the technology is the open software OpenPGP, which is standardized by the Internet community as RFC 4880.
It will require that every author begin digitally signing everything they produce (if you miss some you compromise the credibility expectation: “this source signs some stuff but sometimes doesn’t”. It also requires that readers verify the signature on everything they read. which takes effort.
Is the integrity of our information infrastructure worth this effort? If we care enough we have a solution.
This was the first thing I’d thought of, but I’m not entirely sure the logistics of handling a few million information consumers works out.
I’m not sure it doesn’t, either, by the way. I am pretty sure that no matter what the technical solution there will be non-technical complexities accompanying it.
I think the public key encryption does present an interesting, potential solution. Perhaps we can use some sort of MD5 or similar solution for blog articles and news posts. Just thinking out loud here…
1) Bob writes a blog post “News Fakers!”
2) Before Bob posts his blog, he takes the whole article and packages it up like a piece of software.
3) Bob has this blog package certified by a Certificate Authority. The CA generates a hash for Bob’s article and keeps it in the CA’s signed-article database.
4) Bob goes ahead and posts his blog article on his website or distributes it to other media companies.
5) I, as a reader, come to Bob’s blog and spot this article.
6) Before reading the article, I want to make sure Bob actually wrote this and the content has not been tampered with. Fortunately, I have a plug-in on my browser that would read Bob’s article and validate the authenticity and integrity with the CA. The plug-in generates a signature from Bob’s article and compares it with the signature in CA’s signed-article database.
7) The plug-in lets me know whether the article was indeed submitted to the CA by Bob and whether the content has been modified since the signing of the article.
With this type of implementation, it would mean a blog post of a news article can no longer be just a string of text. It probably will need to contain some sort of meta-data about the post/article, so it can be signed prior to posting and verified after the posting.
What this probably also means we may need some changes in the way we publish stuff and with our publishing platforms, like WordPress.
I think this would work technically, but would prove cumbersome to scale.
What I’m thinking: We already think in terms of two factor and multifactor authentication. What I’m getting at is the need for Reciprocal Authentication. With reciprocal authentication, very simple steps result in me being sure you’re a subscriber or legitimate, non-‘bot, non-spammer comment poster and you’re equally confident what you’re reading and replying to really is Keep the Joint Running.
Exactly what hose simple steps are … that’s where it gets interesting. Whatever you have in mind, think about scale and convenience as keys to success.
Probably need two separate webs: anonymous and non-anonymous, the latter being voluntary opt-in, the former being “the wild”–i.e. what we have today. This guy’s company (which failed) was probably too far ahead of its time, but it seemed to have a good strategy to deal with identity in the wild:
https://www.youtube.com/watch?v=RrpajcAgR1E
The issue reminds me of a statement that Neal Boortz (retired radio talk show host) used to make. “Always assume that anything you hear me say isn’t the truth unless you know it to be true for a fact or have thoroughly and personally checked it. He was a lawyer as was I. My statement was also to “follow the money trail.” People are swayed by their biases even if they don’t think so. Subconsciously, you’re usually loyal to what feeds you.
Very good article.
It seems to me that when “tribalism” is taken to its logical conclusion, you come to believe that you can only trust those things that are exactly like you. Except that doesn’t work either, because there are many predators that succeed by looking exactly like you or something or someone you think is like you (see Bill Cosby, etc.), even though they are completely untrustworthy. This kind of predation has worked in religion, politics, and businesses. The diversity of each of us belonging to many groups is a strength, but when group becomes the only trusted source of what is true, whenever that group gains power, abominations will follow.
Perhaps it’s time for a new information model where the only companies or non-profits with the technical resources to discern ‘bots and other fake news mechanisms have fact-only portals (FOP). To get your news published on the FOP, your fact checking protocols have to be reviewed and approved by the FOP.
Verified facts only. Reporting of opinions, spoken or written, are facts, though the FOP, at its discretion, may require the inclusion of clarifying context information.
I never expected that Apple or Google should ever become trusted sources of news, but they may be some of the handful of organizations with the resources to independently fight state sponsored subversion of our freedom to know, so we can make responsible decisions.