There has got to be a better way to do online identity as a society! The most promising ideas I've heard about are WebAuthn and Estonia's digital identity system. How long is it going to take to get out of the dark ages and get this right?
One thing I'm sure of, uploading a scan of my passport to every website is not an appealing thought. Besides the inconvenience, do I really want my passport spread around on dozens/hundreds of different high-value servers run by who-knows-who?
Suppose WebAuthn was the standard authentication scheme everywhere. People used a series of tokens (Yubikeys, phone apps, etc.) with private keys which they use to authenticate to services. The government runs a department where you present them proof of your identity and the public keys from your Yubikeys/whatever, and they would publish a cryptographically signed electronic message which read the equivalent of "the owner of the private keys associated with public keys a, b, and c is a real person". Then, when you signed up for an account at Twitter, or wherever, they could quickly check that published list and know that you were a real person.
Advantages: you own your own private keys and completely manage your online identity. The government doesn't have any control over where you log in, or who you sign up for accounts with. Also, you can remain anonymous to the site you sign up to. They can check that you're a real person and only signed up once, without actually knowing your real name or other details.
This still doesn't allow for the case where you have multiple accounts for valid reasons like keeping personal and professional accounts but neither does a phone number so this is still an improvement.
I think the main thing blocking this is it's a huge pain to go through this system when the average person doesn't care that Facebook and Twitter have their phone number.
I have 700+ accounts recorded in my password manager. Organizing, managing, occasionally changing passwords on important ones, etc. etc. takes a non-trivial amount of time and dedication!
And it's way, way harder for many people who never got a system down, something I'm reminded of every time I visit my grandparents... :-) Their main email account used to be an old ISP one that they'd paid for for years, and for whatever reason (I couldn't figure out why) it stopped working with some sites. Without that email account they lost access to a bank account, several credit card accounts, and some other stuff, and I ended up walking them through setting up a gmail account and calling in to change the email associated with all those accounts. Well, I used their landline phone to help set up the gmail account, and this year they moved, no longer have that phone number, and lost access to that account. I tried to help recover it, but wasn't successful. Guess what... they had to repeat the process for the bank and all those credit cards.
NOTE: in the following when I talk about "digital cash" systems I am not talking about blockchains!
It might be possible to do something based on one of the centralized "digital cash" systems that cryptographers have developed. A typical system allows some central entity (e.g., a bank) to issue a "digital dollar".
The digital dollar can be transferred to a merchant in such a way that the merchant can turn it back in to the bank, and the bank (1) can recognize that it corresponds to one they issued, (2) can tell that it has not previously been turned in, and (3) gets no information whatsoever about who they originally issued it to.
So suppose some entity that people trusted revealing their identity to provided a service where you prove your identity to them, and they use a digital cash system to issue you a token. You can redeem that token at Twitter, which verifies it with the issuer, and if it is valid and not previously redeemed, lets you create an account with no further need for identification.
The token issuing entity does end up with a list of real identities of Twitter users, but has no way to match those to Twitter accounts. (Or rather, they have the identities of people who asked for Twitter account creation tokens... they have no way of knowing if a given person ever actually went ahead and created an account.)
If your Twitter account gets banned and you want another one, you'll have to try to go through the token issuer again, and they can see that a token was already issued using your real identity and refuse. Or you'll have to do something like get other people who don't have Twitter accounts to use their real identities to get tokens, and then give those to you.
That was just an off-the-cuff idea, to suggest some possibilities, and based on the capabilities of the earliest digital cash systems. I bet you could design a more sophisticated system where the token issuing entity works with multiple sites, and can't tell which site you are getting a token for, but can still limit you to one account per site.
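As an added example (not code from anyone in the thread), the following toy Python models both schemes under discussion: the signed attestation over public-key fingerprints from the WebAuthn post above, and the blind-signature sign-up token from this post, including the issuer's three checks (issued by us, not previously turned in, no link back to the person). The RSA key sizes, the statement format and every function name are constructed for illustration; production code would use a real library with proper padding and key sizes.

```python
# Constructed example, not from the thread: toy RSA (small keys, no padding) used two ways.
import hashlib, random, secrets
from math import gcd

def is_probable_prime(n, rounds=32):              # Miller-Rabin primality test
    if n < 4: return n in (2, 3)
    if n % 2 == 0: return False
    d, r = n - 1, 0
    while d % 2 == 0: d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else: return False
    return True
def gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c): return c
def keygen(bits=256):                              # returns (n, e, d); toy sizes only
    while True:
        p, q, e = gen_prime(bits), gen_prime(bits), 65537
        if p != q and gcd(e, (p - 1) * (q - 1)) == 1:
            return p * q, e, pow(e, -1, (p - 1) * (q - 1))
def H(msg, n): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n
def sign(msg, n, d): return pow(H(msg, n), d, n)
def verify(msg, sig, n, e): return pow(sig, e, n) == H(msg, n)

# (1) Authority signs "these key fingerprints are one real person"; the site verifies it
# and dedups on the statement, learning no name. (The WebAuthn proof of key possession is omitted.)
def attest(fingerprints, auth_n, auth_d):
    stmt = b"one real person:" + b",".join(sorted(fingerprints))
    return stmt, sign(stmt, auth_n, auth_d)
def site_check_attestation(stmt, sig, auth_n, auth_e, seen):
    if not verify(stmt, sig, auth_n, auth_e): return "bad attestation"
    if stmt in seen: return "already registered"   # one account per attestation
    seen.add(stmt); return "account created"

# (2) Blind token: issuer signs H(token)*r^e and never sees token, so the identity it
# checked cannot be linked to the account even if issuer and site later collude.
def blind(token, iss_n, iss_e):
    r = next(x for x in iter(lambda: secrets.randbelow(iss_n), None) if gcd(x, iss_n) == 1)
    return H(token, iss_n) * pow(r, iss_e, iss_n) % iss_n, r
def unblind(blinded_sig, r, iss_n): return blinded_sig * pow(r, -1, iss_n) % iss_n
def site_redeem(token, sig, iss_n, iss_e, redeemed):
    if not verify(token, sig, iss_n, iss_e): return "invalid token"
    if token in redeemed: return "already redeemed"  # the "not previously turned in" check
    redeemed.add(token); return "account created"
```

The issuer only ever applies `pow(blinded, d, n)` to the blinded value, so the dedup it can do is on the real identity at issuance time, while the site can only dedup on the token it receives.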
You don't even need the token issuer to have government identities, you just need some way of rationing tokens.
Using identities for that is actually somewhat problematic because identity theft is generally pretty easy. The attacker compromises many devices, or a database containing the information of millions of people necessary to impersonate any of them to the token issuer. Then not only does the attacker get a large number of tokens, a large number of people also lose the ability to sign up for the service themselves. It also opens you up to deanonymization attacks if the token issuer and the site collude, or anyone else can compromise or coerce both of them at once.
But there are plenty of other alternatives.
You could ration them based on some other scarce thing, e.g. issue only X number of tokens per public IPv4 address or IPv6 /64 block per year.
You could exchange tokens for a security deposit. A few dollars for a token that can be used for over a decade is a minimal cost to a real user, but a few dollars for a token that lasts 90 seconds before getting banned is a real cost to the spammer.
And you can combine them. One free token per public IPv4 address per month, and if you need more then provide a security deposit.
There is proof of stake. You stake some moderate amount ($25), refundable at any time but forfeit if you spam. For a non-spammer it effectively costs nothing but the spammer loses their stake for every spam someone reports, and every spam posted against the same stake can be disabled at once.
The requirement obviously being the ability to make small anonymous payments.
I think it would be great for Twitter if they could get away from the advertising model. If holding a Twitter account required holding a share of Twitter stock, I wonder if users could end up owning the platform?