I’m fascinated by stories about what is “real” and what is “fake” and because of my obsession with digital identity, I’m especially fascinated by stories about fake credentials (such as academic qualifications). What’s more, being English, I have a particular obsession with stories about fake dentist credentials. For example, the story of Omid Amidi-Mazaheri, an asylum seeker who told British immigration officers that he had a dental practice in Iran and repeatedly left patients in agony after he drilled without a local anaesthetic and did expensive fillings that crumbled within days. But how were his patients supposed to know whether he was a real dentist with a false identity or a real identity with false credentials?
What Are You Faking?
You would imagine that some training is necessary to be a dentist. Hence the need to check the credentials of dentists (although while writing this it occurs to me that I have never checked the credentials of mine) but there are other jobs — perhaps many other jobs — where the credentials are window dressing. I am reminded here of the case of a builder who faked a resume and went on to rise to a very senior level in the British National Health Service (NHS), leading one to inevitably question why that particular employer asked for the qualifications in the first place, since they were evidently irrelevant.
Lots of positions demand experience, rather than credentials. For example, there is the position of Chief Financial Technology Officer at the Office of the Comptroller of the Currency. Until recently this position was held by Prashant Kumar Bhardwaj, a chap with an impressive resume including top jobs in the worlds of management consulting and banking. He was the chief information officer at Fifth Third Bank (except that a spokesman says that they never employed him), he was IT director at Citi (which was impressive considering he was 13 years old at the time), he was CIO at Huntington Bank (except that the position was held by other people during the time of claimed employment and one of the actual officer holders had never heard of him) and he was MD Financial Services technology at Accenture (except Accenture only has a record of employing someone with his name in a senior manager role).
Low level jobs such a C-suite at a Federal agency to one side, here’s another recent case where credentials and experience appear to be irrelevant. In Kenya, a lawyer named Brian Mwenda was arrested after winning all 26 of his cases because he had no legal training and had stolen the identity of an actual lawyer called Brian Mwenda Ntwiga. Fake Brian had allegedly accessed the Law Society of Kenya’s portal and tampered with the account details of real Brian by uploading his own picture. The credentials were true, if any client had taken the time to look them up, but the identity was false.
If it is difficult to know whether you are dealing with a real lawyer in the universe, imagine what it is going to be like in the Metaverse. There are already lawyers there, of course, just as there are lawyers everywhere else. Zannes Law, a Toronto-based law firm has a seven-level office in a metaverse and principal lawyer Madaline Zannes conducts private consultations with clients there as well as meeting people who turn up with legal questions. Interestingly, she says that there are “bad actors” who attempt to offer legal services in virtual spaces without any sort of certification. Some go as far as to keep their identity hidden from clients, as if you can imagine such malfeasance.
(To tackle the problem she has created the international Metaverse Bar Association, which aims to provide a registry of verified licensed lawyers.)
There are two different kinds of deception affecting the lawyers, dentists and managers noted above. Honest avatars going about their daily business need to be protected from both kinds: faking the identity of someone with credentials (identity fraud) and faking the credentials of someone with identity (reputation fraud). So how can we make this work? When you meet your lawyer in a metaverse, you want to know three things: you want to know that the credential (the licence or whatever) is valid, you want to know that it belongs to the mundane master of the avatar and you want to know that the mundane master is present. But how?
Here’s one suggestion. China’s state-owned telecoms operator China Mobile, put forward proposals for a “Digital Identity System” for all users of the Metaverse at the second meeting of the International Telecommunications Union (ITU) Metaverse Focus Group in Shanghai in July 2023.
(The ITU is a United Nations agency and plays influential role in defining the ground rules for global telecommunications).
The Chinese operator said that the digital ID should work with “natural characteristics” and “social characteristics” that include a range of personal data points like people’s occupation, “identifiable signs” and other attributes. They also suggested this information be “permanently” stored and shared with law enforcement “to keep the order and safety of the virtual world.”
(The proposals even provides the example of a noxious user called Tom who “spreads rumours and makes chaos in the metaverse”; the digital identity system would allow the police to promptly identify and punish him.)
The Third Way
I’m not sure that either a web2 registry or a web3 centralised control approach are best though, so instead I think we should look to the world of web3 and digital identity to attack the problem. When I meet my lawyer in the metaverse, I want to see her license to practice and proof of her employment history as Verifiable Credentials (VCs) not as PDFs or barcodes on the virtual wall of her virtual office.
Under the hood, so to speak, it will be cryptography that does the checking. My machine will generate a challenge using the public key in the relevant credential, and since that challenge can only be answered by someone with control over the corresponding private key, it will know that my counterparty is the person with that credential, but as a consumer I will never see any of this.
Given the ease with which these standard cryptographic techniques can be implemented, it seems to me that it should be safer to employ someone in the metaverse than in the universe so surely it is only a matter of time before HR moves into the metaverse. I dream of the day when this will extend to a visit to the dentist as well.