Ryan Freebern (rfreebern) wrote in memedev,
Ryan Freebern

  • Mood:
  • Music:

LJ Account Verification

So while brainstorming a new meme, I ran up against an issue that has been dealt with before, but that doesn't have a satisfactory solution yet: how do you verify that a person actually owns the LJ account they claim to?

The method used in the past goes as follows:
  1. Provide your LJ username.
  2. Go edit your userinfo (or make a public post) and add a certain keyword or number.
  3. Click "verify" so that the script can retrieve your userinfo (or latest public post) and check for the keyword or number.
  4. If keyword or number is there, accept. If not, reject.
  5. Go edit your userinfo (or the post) and remove the extraneous keyword or number because it's annoying to have it there.
This is cumbersome and deters casual users who don't want to invest that much time in a "stupid meme." Here's what would be ideal:
  1. Provide your LJ username.
  2. Click "verify" so that the script can somehow magically check if you're telling the truth.
Obviously this has flaws such as that it relies on magically determining veracity.

A second option is to ask the user to provide their LJ username and password, and use the LJ protocol behind the scenes to log into LJ as them. This, however, requires that the user trust you with their LJ info, which is both a bad idea and an even bigger deterrent, even if we swear up and down that we won't cache that info or use it for anything other than verification.

Here's my proposal: we could set up a centralized "MemePass" system so that people only have to verify their LJ account once, and we can all use a central username/password database in the future to determine if they've been verified. Anyone think this is useful enough to commit time and energy to? I'd be willing to design, write, and host the system over the next few weeks if you all think it would get used.
  • Post a new comment


    default userpic

    Your IP address will be recorded 

I've seen this solved before.

The meme gets you to paste a unique code into your Journal. You do so and hit submit. The meme then checks it can read that unique code off your Journal - if it can you've clearly got posting access to the Journal and that's good enough.

Users who dislike having a weird code slapped on their LJ can delete the post once the meme db knows they're who they say they are.
Yes, I know. This is the first method, described above.
Yup. Just repeating in my own words what you've said. That's our in-house way of proving you've understood. Plus I've seen it work and people were happy enough with the two stage bit.
I think the first is too much of a pain in the ass. Definitely a great solution to this problem, though.

I love the idea of centralized single sign-on, too. I'd be willing to hack up a perl module to interface with whatever system you come up with.
Perl and PHP I can handle, but thanks for the offer. I need someone to do Python, though. Got any skills in that area?

I'll post more here as I work out the details, but I think it'll be a pretty simple system. Minimising bandwidth usage will definitely be a priority.
I think that's a good idea. The first method, as you pointed out, works, but is a total pain in the ass.

with a "central username/password database" my concern is that, since some meme developers will be more skilled than others, you'll have bad coders compromising this system.
I don't think bad coders will necessarily compromise the system, but malicious ones could collect visitors' MemePass usernames and passwords and wreak havoc. At least this way, the havoc they can wreak is relatively minor, and potentially traceable. I haven't come up with a good way to avoid it entirely, unfortunately.

but under what circumstances would it MATTER whether or not the person owned the journal they were claiming to own?
Anything where trust is an issue, basically. Think of the (evil, unethical) LJ Secret Crush Meme. It was expected that when you gave your LJ username, you were really who you said you were. That way, people couldn't wreak social havoc among someone else's friends by listing crushes where they didn't really exist. Using a verification scheme, which the Crush Meme did, ensured that when you claimed you were LJ user joebob25, you could actually prove it.
I am not familiar with the Secret Crush Meme, but I assume that it is a bayesian filter of sorts that peruses one's public diaries. that being the case, I don't see what sort of trust issues could possibly exist.

It seems sort of arrogant on the part of a programmer to think that people who are capable of writing bayesian filters can be trusted with them and people who are not so capable can not be.

Personally, when I post something with the "public" flag set, I really mean that it is PUBLIC and I would hope that other people have the same intent. If someone ran a filter on my entries and claimed that I was in love with rfreebern or was a neo-nazi or whatever, I would laugh it off and say: "oh, that wacky weak AI, what fallacious assumptions will it make next?"

I guess I just can't see any situations where user verification would be necesarry or even desirable unless the meme wanted access to private/f-o entries. and that... well that would be a truly evil meme.
Unfortunately, your assumptions are incorrect, and so the premises you draw from them are fallacious. The Crush Meme allowed you to select people on your friends list who you had a crush on, and alerted you when both you and someone else had listed each other as a crush. If there was no verification, I could pretend to be you, and select any of your friends as crushes, and potentially cause embarassing situations among your social circle. It's not terrible, but a lot of people took the Crush meme very seriously, and it could have caused problems had the verification system not been in place.

The verification system explicitly doesn't give the meme any further access to one's LJ account or private/f-o entries. All it does is verify that when I claim to be the owner of a specific journal, I can prove it.

As I stated above: the verification system is useful in terms of trust. When I take part in a meme and am told that a friend of mine, for instance, has a crush on me, it would be nice to know that there is some level of verification involved so I can know that it's probably true and not someone else masquerading as that friend.