Hi or-talk (and Ben), I am sorry to be jumping in the middle of the wikipedia-Tor debate, but Steven Murdoch just made me aware of it. A while back I had a short discussion with Roger about a possible way of mitigating abuse through anonymity systems like Tor on open publishing systems like wikipedia (and with additional precautions Indymedia). I have further discussed this with Ben Laurie at PET 2005. The basic idea is quite simple: anonymity allows users to avoid being associated with a persistent identifier that could be used to filter out abuse cheaply. It is in fact a Sybil attack, ie. one user can pretend to be multiple users. Note that this can also happen if one controls many nodes (through a bot net for example). The aim of our protocol is to be able to associate persistent identifiers, with posts that are controversial (through a process that is defined), to be used to filter abuse (note that these do not have to be an identity, but only be useful to filter abuse). We should also try to maintain the user's anonymity, and at least plausible deniability. My favorite approach in solving these problems is using and assuming the existence of social networks. In the case of Indymedia, I know they exist (people get teargassed together in the streets quite routinely -- this creates solid bonds), in the case of wikipedia it might be the case that they will have to be cultivated (through better flagging up who is the responsible editors for sections, who has been contributing so far to an article, and on-line chat forums where people can discuss). Thus I will assume that getting introduced in to someone that is involved in wikipedia is not hard, but getting introduced to all/many people as having different identities is hard! (gmail and orkut has proved that it is posible to have an invite only system with a small seed ending up being quite inclusive). As a result we can have a graph that describes who has been introduced by whom (lets call it the wikipedia introduction graph, or just intro graph). Furthermore this graph has a couple of 'roots' ie the people who are 'in-charge' of wikipedia, or multiple roots (by section for example -- if we chose the people that magame sections of the site). Example path from Root to User Charlie to be used in examples...: Root -> Alice -> Bob -> Charlie The protocol has three phases: 1) Introduction -- someone that is already in the intro graph 'introduces' a new user into the graph. They do this because they know the user or have chatted to him... From a technical point of view this provides the new user with the necessary (anonymous?) credentials to post to/modify the site. 2) Each action of the user is 'authenticated' using the credentials, and a 'signature' is generated. This signature provides any third parties with the Root that the user is attached. 3) Responsibility allocation: If the action is deemed abusive by the Root (or a collective mechanism like voting / veto / ...), then the Responsibility allocation mechanism is started by the Root. This means that step by step the path lining the user Charlie to the Root is walked (starting at the Root, then Alice, then Bob then Charlie) until someone 'takes responsibility for the post. This process can depend on Alice and Bob (ie it must not be possible to trace without their consent) but if they do not collaborate in the tracing they accept to take responsibility. The article is tagged with the full traced path from the Root to the principal that has taken responsibility. Mini-FAQ: Why is this helping at all against abuse? Assuming that it is hard to get multiple connections to the intro graph, persistent offenders can be identified, either by their own username or the username of the person who consistently introduces them. This is incentives compatible: you do not want to introduce people that may abuse the system otherwise abusive messages will be tagged with (and possible filtered on the bases of) your name! The chain from the Root to the user assuming responsibility for the article can them be used (very much like IPs or user names today) to implement filtering policies. Furthermore these policies can be specified by the users and do not need to be centralized and applied by the server. What about anonymity? No real IDs ever need to be traced! The design does not require step 1 to provide a real name at all, and in any case the design can ensure (through the use of crypto-fu?) that authentication only reveals the first hop (ie Alice). Others need to collaborate to ask further down the chain for someone to take responsibility. In any case the final user is no certain as we will see... Wait a sec, a bad user can connect other abusive users easily!? Yes as soon as an abuse user connects to the intro graph they can introduce as many of their friends as they like! This is the reason why filtering policies need to make use of the full path from the Root to the user that ultimately takes responsibility: a user that consistently introduces many other abusers will always be on the path, and can be used to filter stuff out! As a side effect of this one cannot (and should not) trust that the user that finally took responsibility is indeed the initiator of the abusive action. They could be a Sybil or another person up the chain that disagrees with the fact that this action constitutes abuse! Why are you calling it 'taking responsibility' instead of tracing? The point of the protocol is for someone to say 'I stand by this action' -- his path to the root can then be used for filtering such action out, by users that do consider it as abuse. Note that there is always contention in online communities about what constitutes abuse and this mechanism allows for differing opinions. Then there can be different policies filtering out different users in the chain. Possibly anyone (not just people on the Path between Root and Charlie) should be able to take responsibility and have the item tagged with their path. What about abusing the anti-abuse system? There is a risk that trolls will abuse the action of requesting tracing/taking responsibility for all actions, trying to get as much information as possible/wasting time/undermining confidence in the system. The conditions under which this mechanism is initiated is really not clear, (Root decides, voting, veto, ...). In any case it is a good idea for someone to take responsibility of the initiation of this process by tagging the request with their path to the Root. This way Root, Alice and Bob can filter out persistent abusers of the anti-abuse system :-). There is no contradiction there: anonymous political speech is a right (hence this complex system), but moderation (censorship?) has to be done transparently, and those doing it must come forward by tagging their action with their path to Root. It seems that Root has a lot of power in all this (== your system embodies fascist values!)? Yes, this is a problem. At the same time there is nothing stopping (aside from efficiency and the appropriate crypto-fu) full decentralization. Each person can be their own Root, and apply custom filtering according to the paths relative to them. Note that taking responsibility cannot be abused any more than before (since either you connect directly to the abuser, at which point you should know better, or you are still connected through nodes that will not consider your action abusive and will take responsibility for it!). Ok, so how do we do all this magic? It is clear that a trusted third party can do all this efficiently. Can we find a variant of certificate systems that allow delegation in an anonymous way to decentralize all this, and make sure that no one party can screw any other? Open research problem -- I am working on it! Any feedback is welcome! George ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.leitl.org 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]