Ask HN: Should we develop a biometric-based alternative to HTTPS?

2 points by blindprogrammer 1 year ago | 5 comments

While this would undoubtedly invade our privacy more than current advertising companies like Google and Facebook, it could potentially eliminate or significantly reduce the wholesale theft of AI scrapers.

Obviously, there's a risk of your biometric information being stolen or spoofed. However, if combined with a government-issued ID, this could make it nearly impossible for AI to acquire and resell your intellectual property.

PaulHoule 1 year ago |

I don’t get it. Https is about privacy and integrity. Biometrics is about verifying who you are. I can see them working together but one doesn’t substitute for the other.

slwvx 1 year ago | |

I agree.

If someone wants to do something interesting with protocols, how about making a zero-knowledge [1] protocol wherein the person sending a packet can't see who requested it, nodes which forward it can't see the sender or receiver, and perhaps even the person who requested the packet doesn't know who sent it. Zcash [2] does something like this for tokens; I'd like something that is much more efficient (lower overhead) than Zcash's blockchain-based technique.

[1] https://en.wikipedia.org/wiki/Zero-knowledge_proof

[2] https://en.wikipedia.org/wiki/Zcash

LinuxBender 1 year ago |

Today that is somewhat addressed using client certificates. That is how one at very least validates the identity of the machine a request is coming from. I've used them in a large company but scaling that out to the entire internet would be quite a challenge. Then to meet your requirement there would have to be a daemon that uses fingerprint readers to tie that hardware certificate to a person or set of persons. How would you incentivize people to participate in such a thing? Who performs the attestation that proves a fingerprint really belongs to a particular person? The lazy way would be using debit/credit cards but that is easy to spoof. Would a public notary show up to my home or would I use a notary at a bank? Do we store all this in the very hackable TPM's? How do we back this up? If a dependancy is built on this and a persons machine croaks, how do they access the services that now depend on this? Go back to the bank or post office in person? Do we integrate with the DMV and what risks does that bring? DMV queues can be quite large in some cities even without this. Does this get stored on your state or federal ID? Are there backup keys and can each one be individually revoked? Or does your ID have a primary key and then institutions issue sub-keys mapped to your primary key and fingerprints? Could criminals weaponize this? I am going to stop thinking about this. Every idea creates dozens of more questions.

I should add that something like this sortof existed for businesses. They could buy Extended Validation certificates. Initially this required a public notary but that did not scale well at all. Eventually all the friction was removed and the only difference was you needed a Dun & Bradstreet number and to pay more for the cert. It sounds like you want something similar but on the client side which would be even harder to scale in my opinion.

giantg2 1 year ago |

I fail to see how this is even possible. Anyone wanting to run or train AI could just run it under their biometric identity. Pretty much any biometric could be relicated so they could automate the process. You would end up just concentrating AI training and power to the people who are willing/able to do this.

al_borland 1 year ago |

If it’s all in the name of avoiding AI, I think I’d prefer a return to in-person and analog.