Scan your fingerprint. Enter your mother’s maiden name. Provide your phone number. Internet security is a pain in the ass, and after every credit card breach or celebrity selfie hack it gets more annoying and invasive. How many times can Gmail ask for your phone number before it’s robo-sexual harassment?
We know security is important. We know we should care. But improving it is the corporations’ job, right? And besides, each new security measure just makes our apps less convenient. As far as social advocacy goes, Internet security isn’t about to get its own ice bucket challenge.
But that’s because we’re not seeing what’s really possible with a trustworthy Internet: more intimate apps, more convenient services, and billions of dollars in commerce. That the only obstacle to all this money and awesomeness is our own indifference.
“In a world where everyone has a public key, you can trust documents, sign things, authenticate yourself, transfer money safely, keep conversations private, even let someone in your front door–all without sharing a password or trusting cloud services,” says OkCupid founder Chris Coyne.
He’s picturing a world without passwords, security questions, codes, or pins to memorize. “It could be amazing,” he says. It could be. That is, if we all knew what a “public key” was.
“There are all kinds of amazing things that can be built if you take as a premise that everyone has a public key,” he says. “But almost no one has one, for a variety of reasons.” Reason number one on his list: “They’re confusing.”
You see, for a public key to work–saving our private data and unlocking billions in e-commerce–we all have to participate. Getting a public key is like creating any other Internet password: Nobody can do it for you. But since this key is your last line of defense, verifying you are actually the person you claim to be requires more than just a confirmation email, which puts it outside the reach of most casual Internet users.
Traditionally, cryptographers used a byzantine and technical verification process to validate public keys, but Coyne and his OkCupid cofounder Max Krohn think they have a better solution to the “identity problem” that might work for the masses. It’s an experimental project called Keybase, and it makes generating a public key as simple as hooking up all your social accounts. If you can figure out About.Me or IFTTT, you can figure out Keybase.
“Everyone from my wife to Obama has a Twitter handle, a personal website, a Facebook name, et cetera,” says Coyne, “so we’re building software that lets you provably connect a public key to the sum of all your known identities.” As long as someone doesn’t hack into every single account you own, your identity can’t be stolen from you.
Even if someone does hack into one (or more) of your social accounts, it’s a public hack, so you’ll notice right away. Here’s the tweet that was auto-generated from my Twitter account when I verified my Keybase identity via Twitter.
If someone ever hacked my Keybase identity, I’d see another verification tweet like this in my own tweet stream, issued by the interloper trying to re-assign my account to him or herself. So as long as I’m paying attention to my own feeds, I have a chance to jump into my other accounts and change the passwords. The most pernicious thing about most hacks is that the victim is unaware they’ve been hacked, allowing careful exploits to go on for month after damaging month.
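As an added illustration (not part of the original article, and not Keybase’s own code or proof format), here is the check a reader or a monitoring script could run over the public posts described above: accept an account only if its post is signed by the key you expect and names that same account, and flag everything else. The Ed25519 keys, the JSON statement layout, the account names and the `makeProof` and `auditProofs` helpers are all assumptions made for the example.

```javascript
const crypto = require('node:crypto');

// Assumed convention: a key's fingerprint is the SHA-256 of its DER encoding.
function fingerprint(publicKey) {
  const der = publicKey.export({ type: 'spki', format: 'der' });
  return crypto.createHash('sha256').update(der).digest('hex');
}

// Owner side: sign a statement binding one account to the key (hypothetical format).
function makeProof(service, username, keyPair) {
  const statement = JSON.stringify({ service, username, key: fingerprint(keyPair.publicKey) });
  const signature = crypto.sign(null, Buffer.from(statement), keyPair.privateKey);
  return { statement, signature: signature.toString('base64') };
}

// Reader side: a post counts only if it is signed by the expected key AND
// names the very account it was posted from (so a copied proof is rejected).
function auditProofs(expectedKey, posts) {
  const expectedFp = fingerprint(expectedKey);
  const report = { verified: [], suspicious: [] };
  for (const post of posts) {
    const { statement, signature } = post.proof;
    let claim = null;
    try { claim = JSON.parse(statement); } catch { /* malformed statement */ }
    const signed = crypto.verify(null, Buffer.from(statement), expectedKey,
      Buffer.from(signature, 'base64'));
    const ok = signed && claim !== null && claim.key === expectedFp &&
      claim.service === post.service && claim.username === post.username;
    (ok ? report.verified : report.suspicious).push(`${post.service}:${post.username}`);
  }
  return report;
}

// Constructed sample data: two genuine proofs, one post signed by a different
// key, and one genuine proof copied onto an account it does not name.
const owner = crypto.generateKeyPairSync('ed25519');
const intruder = crypto.generateKeyPairSync('ed25519');
const SAMPLE_POSTS = [
  { service: 'twitter', username: 'alice', proof: makeProof('twitter', 'alice', owner) },
  { service: 'github', username: 'alice', proof: makeProof('github', 'alice', owner) },
  { service: 'website', username: 'alice.example', proof: makeProof('website', 'alice.example', intruder) },
  { service: 'reddit', username: 'alice', proof: makeProof('twitter', 'alice', owner) },
];

console.log(auditProofs(owner.publicKey, SAMPLE_POSTS));
```

The two flagged entries are the cases the paragraph above is about: a verification post that does not trace back to the owner’s key is visible to anyone who looks, including the owner.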
The core technology of Keybase is already built and working–you can join the public beta here–even though Coyne and Krohn haven’t even raised money or hired employees yet.
The larger challenge here is storytelling, not technology (although Coyne admits they haven’t worked out how the code will work on mobile devices yet).
Explaining Keybase is hard not just because people are uninterested, but because we think we already know how the tale ends. Safer selfies, right–that’s what we’re talking about here?
For a project like this to succeed, its creators will have to find a way to show what’s actually at stake: a new and supercharged economic engine for the Internet that could enrich all of us, socially and otherwise. They need to show people why they should care. And that their solution is the best. And that they themselves are trustworthy.
In the programming world, few engineers need convincing. But outside of the technology world, noise, misinformation, and special interests make it hard for consumers to know who to believe. In a recent editorial, The Washington Post confusingly advocated a “golden key” solution for cryptography, which Coyne says would be tantamount to a government and corporate backdoor. In a top-ranking blog post on Hacker News this month, Coyne shot back with his own vision of a backdoor future:
You’d pick your own password for when you needed your data, but the companies would also get one, of their choosing. With it, they could open any of your docs: your photos, your messages, your diary, whatever. The Post assumes that a “secure key” means hackers, foreign governments, and curious employees could never break into this system. They also assume it would be immune to bugs. They envision a magic tool that only the righteous may wield. Does this sound familiar?
As familiar as every other utopian dream, yes. Now the onus is on Coyne and Krohn to prove Keybase isn’t just that.
But it’s our responsibility too. The next time you’re entering a password, see that text box for what it really is–a bit of UI friction, an impediment to your free-flowing money and information. Fixing Internet security is about removing tolls from the thing we used to call the “information superhighway.” It’s about sharing more. Buying more. Working faster. Measuring everything. It is not simply about your naked selfies.