Pseudonyms and Reputations
New members of the list may not be aware of the background of some of the technologies we discuss here, such as the remailers. The purpose of these systems is not really to help people mailbomb newsgroups or send harassing letters to their fantasy girlfriends without fear of repercussions. One goal of remailer-type technology (which present systems don't meet very well) is to allow people to use pseudonyms for their electronic activities. By using a "nym" a person is able to engage in communications of various types without fear that some aspect of what they say or do will impact them negatively in "real life". There are a lot of potential forms of harm which could arise now and in the future from databases recording the various interactions a person has had in cyberspace. By preventing the linkage between his online activities and his real identity he can protect himself and his privacy. At the same time, nyms allow for continuity of identity to be maintained over a period of time. A person posting under a nym can develop an image and a reputation just like any other online personality. Most people we interact with online are just a name and an email address, plus whatever impression we have formed of them by what they say. The same thing can be true of nyms. Cryptography plays an important part in making effective use of nyms possible. The first thing it can do is to allow users to send and receive messages under the name of their nyms without anyone discovering the True Name (capitalization from Vinge's short story "True Names") behind the nym. Cryptographer David Chaum has proposed two technologies for this; the network of "Mixes", on which our own remailers are modeled; and the so-called "Dining Cryptographers' Network" (DC-Net), which allows a cooperating group to send messages in such a way that it is not possible to tell which member of the group originated each message. Cryptography can also help maintain the continuity of the nym, by allowing the user to digitally sign messages under the name of the nym. The digital signature cannot be forged, nor can it be linked to the True Name of the user. But it makes sure that nobody can send a message pretending to be another person's nym. These techniques are already in use or under development, in some form or another. But there is much more that could be done to provide privacy protection and flexibility in the use of nyms. One possibility is a digital reputation system. Presently people and nyms develop informal reputations in the minds of their readers. This could be formalized by allowing readers to create endorsements of various types for those who have worthwhile things to say. An endorsement could take the form of a digital signature by the endorser. In the simplest form, the endorser would digitally sign a message which said, in encoded form, "In my opinion, person (or nym) XXX produces high-quality messages". This endorsement would be kept by the person it was given to and shown when he enters a new cyberspatial forum to help establish an initial reputation. People who are able to bring a variety of endorsements from respected individuals or organizations will be able to have their words carry weight from the beginning. Without these, a new poster may find that not many people can even be bothered to read his messages amongst the flood of others. The endorsements can break through the barriers, the filters which people use to decide what information to receive. They represent a digital reputation which can be carried to distant regions of cyberspace. One could imagine more elaborate forms of endorsements, as well. Chaum describes a technique by which a numerical rating could be given, say on a scale from 1 to 100. Because of the mathematical structure of Chaum's approach, a person who carries such an endorsement can optionally downgrade it when he shows it. Suppose some paragon of wisdom has dozens of "100" endorsements from respected individuals. Entering a new group, he may not want to intimidate people, so he displays his endorsements as a respectable "70+". This lets him be heard without overwhelming other participants. Pseudonyms can prevent messages from being linked to True Names, but there is still a privacy problem as information accumulates about the nym itself. As more and more activities take place online, if one uses the same nym all the time, the buildup of information about that nym, his preferences, his favorite places to go in cyberspace, his political views, etc., may become burdensome. All that baggage accumulates and is easily available to others. It may become as much of a barrier to a nym's online activities as it would have been to the True Name's real-life activities. One solution is to use a nym for some purposes and the True Name for others. Then the information about the two is separate and nobody can link them up. This helps, but after a while again there is an accumulation of information about both names, which is what we wanted to avoid. A better solution is to use multiple nyms, perhaps with different nyms in different online fora. Even the True Name could be used occasionally where warranted (such as in an online relationship where physical contact occurs as well). Nyms could be changed periodically as well, preventing the buildup of information about any given nym. One problem is that the simple reputation system above does not work with multiple nyms. If you get a digital endorsement of one nym in the form described before, you will not be able to use that endorsement on your other nyms without giving away the connection between them. And when you retire that nym and replace it with a new one, the endorsement is lost. This is the problem which Chaum solves in his paper, "Showing Credentials without Identification; Transferring Signatures between Unconditionally Unlinkable Pseudonyms," from AusCrypt 90. (A newer version of this paper may be available from Chaum.) He provides a method by which various forms of "credentials", which would include the endorsements described here, can be transferred among the nyms used by an individual, without giving away information about which nyms are related. Chaum's system is complicated and requires a centralized agency which gives out all endorsement certificates, as well as an agency which validates pseudonyms. His system does allow for optional restrictions on nyms which, for example, would allow only one nym to be used in any given online forum. A user would not be able to control two different nyms in that place, although he could have different nyms in other parts of cyberspace. There might be some situations in which this duplication could be harmful (such as certain kinds of online voting systems) and Chaum's method does allow this restriction. A simpler system, though, can be created with technology very similar to the "Magic Money" digital cash system created by the nym "Pr0duct Cypher." This system does not require any centralized control and allows individuals to make endorsements without help. It is somewhat less efficient than Chaum's approach but could be put into place more easily. The basic idea uses what Chaum calls a "blind signature". Above, the endorsement certificate was described as a digital signature on a coded message which named the nym or person being endorsed, as well as some information about the type of endorsement. With a blind signature, the signer does not see the message he is signing. It is supplied to him in a "blinded" form, he signs it, and then the person who supplied the message unblinds it. What is left is a signed message whose contents are not known by the person who signed it. This technology can be used directly to create blind endorsements. Suppose nym 123, who sometimes also uses the nym 456, gets an offer to receive a "good writing" endorsement from user U. He can supply U with a blinded message which says, in effect, "nym 456 has good writing". U does not see the contents of the message when he signs it, so he does not know that nym 456 is another name for nym 123. But when 123 gets the message back from U, he unblinds it to create an endorsement from U on nym 456. In order to control the type of endorsement ("good writing", etc.), that information is not put in the text of the message, but is determined by the exponent used in the digital signature. Each user would need to publish a table mapping exponents to types of endorsements (or perhaps such a table would be standardized over all users). And since nym 123 may actually have many pseudonyms in use, he would actually need to collect a large number of blind endorsements from U. In practice he would supply U with a large block of blinded endorsements, U would sign them knowing that they were all different pseudonyms of 123's, and 123 would keep them for use as needed. 123 could even include his True Name to receive a blind endorsement, as well as other pseudonyms he hadn't used yet. All of these would be capable of being shown with U's endorsement. Even when the original nym 123 was retired, other nyms which had received that endorsement could be put into use and they would carry the same stamp of approval. This system would allow very flexible use of pseudonyms while allowing the user to show endorsements and other forms of credentials without compromising his privacy. And the technology to do this is very close to systems already in use today, at least in its cryptographic aspects. The social problems of determining when writers should receive endorsements, how much credence to give to endorsements from unknown endorsers, how to appropriately display endorsements, and how to easily validate and verify endorsements proffered by others, are harder to solve. Despite these issues, a modification to Magic Money to support this application would allow for some initial experiments with the concept, which might help show where the significant problems lie. Hal Finney hfinney@shell.portal.com
hal finney:
Chaum's system is complicated and requires a centralized agency which gives out all endorsement certificates, as well as an agency which validates pseudonyms. His system does allow for optional restrictions on nyms which, for example, would allow only one nym to be used in any given online forum. A user would not be able to control two different nyms in that place, although he could have different nyms in other parts of cyberspace. There might be some situations in which this duplication could be harmful (such as certain kinds of online voting systems) and Chaum's method does allow this restriction.
these identification systems ultimately fall back on `real world' identification systems such as birth certificates, social security numbers etc. which all can be readily subverted by a determined adversary. i wonder if in general, you `cpunks' feel that e.g. voting systems that restict pseudonymity (i.e., multiple votes by a single person) are `fair' or `judicious'.
The social problems of determining when writers should receive endorsements, how much credence to give to endorsements from unknown endorsers, how to appropriately display endorsements, and how to easily validate and verify endorsements proffered by others, are harder to solve.
what, specifically, is problematic about these? does chaum just ignore them? does he describe them in greater detail? as for `endorsements for unknown endorsers', it seems to me the reputation system you refer to is a sort of `reputation web' not unlike the pgp `web of trust' model. a pseudonymous credential has as much weight as the pseudonym originating the certification. i.e., if `a' signs `b's pseudonym, that `edge' in the `reputation graph' has as much weight as `a' has reputation. that is, it should not be possible to create a whole bunch of new pseudonyms, have them all sign each other, and then increase your reputation. this brings up an interesting idea. future cyberspatial citizens may develop an elaborate netiquette that describes how to maximize one's advantage through the use of pseudonyms. all kinds of strategies will ensue. is it better to have a few good pseudonyms, without diluting reputation, or a whole bunch of pseudonyms but a bit more diluted reputation? one of the problems with a positive reputation system is that it would workd for `d-type people' <g> whose reputation is primarily negative. a whole lot of people would like to put a negative credential on `d' so that they would limit his influence in all forums he visits, similar to the way that one could globally encourage someone else through `accreditation'. `d' would simply not propagate any negative signatures to his pseudonyms. could such a negative signature system be constructed? it seems possible with a centralized `trusted' server, but this is not an ideal solution; ideally one would like the system to be possible from the independent interactions of people who trust only themselves. this of course is the ideal cryptographic model, and the very best and finest algorithms (e.g. rsa) conform to it. the problem is similar to preventing double spending in a cash system. how do you enforce that a person `spends' a certain amount of information? there are no `laws of the conservation of information' as their are of e.g. mass as with a paper currency. in fact maybe the double-spending preventative techniques for cash systems could be translated to get a negative reputation and prevent people from not displaying credentials, even negative ones, they have accrued (just in the way people are forced to reveal if they are `printing money', i.e. spending spent money) personally i like chaum's emphasis (or recognition) that forums exist such that restricting pseudonymity in them is natural, fair, and rational, i.e. a desirable design goal. it seems to me that even beyond this, people should be able to construct forums where they demand (or comply, or agree, or whatever) that identity be known, or that it be totally ignored. given all this inquisitional witchhunting of my `true identity' (whatever the !@#$%^&* that is), obviously this forum is in the former category <g> what do you think, cpunks, should you have the right to ignore people regardless of the pseudonyms they use? again, i ask if it is possible to construct a system that protects anonymity but at the same time allows someone to filter all pseudonyms associated with another person. it seems that we have reached an impasse -- these are two very useful design criteria but they appear to be contradictory. on one hand we would like to censor all the `d-type' pseudonyms, but on the other hand we would want a `clean slate' for all of our own. it seems to me that is the purpose of developing a moral code or etiquette in cyberspace-- almost by definition that these codes apply to people who agree that an individual is ultimately responsible for their own actions, regardless of presence or lack of punishment, and agrees to a set of guidelines because s/he believes it constitutes civil behavior, not because `if i don't, i will get caught'. ideally we can develop moral codes where our algorithms fail us. or maybe not <g> pseudonymously yours, --tmp
Hal Finney writes:
One possibility is a digital reputation system. Presently people and nyms develop informal reputations in the minds of their readers. This could be formalized by allowing readers to create endorsements of various types for those who have worthwhile things to say. ... People who are able to bring a variety of endorsements from respected individuals or organizations will be able to have their words carry weight from the beginning. ...
The social problems of determining when writers should receive endorsements, how much credence to give to endorsements from unknown endorsers, how to appropriately display endorsements, and how to easily validate and verify endorsements proffered by others, are harder to solve. Despite these issues, a modification to Magic Money to support this application would allow for some initial experiments with the concept, which might help show where the significant problems lie.
Years ago, I worked on "hypertext publishing", a vision of electronic publishing that often included the image of readers choosing what to read based on automated personal filters, filters which merged evaluations from previous readers, and which weighted those readers according to explicit "reputations", which were to be some sort of merging of evaluations of that reader. I eventually came to believe that the social aspects of this vision were the least well thought out, and needed the most attention. But the Xanadu software techies I worked preferred to focus on concrete software problems, though they acknowledged the importance of social issues. As I thought more about social issues, I drifted from the Xanadu group and toward thinking about other problems, which eventually led to my new career as a designer of social institutions. Anyway, the point of my story is to agree with Hal that there are big issues yet to be dealt with regarding decentralized reader filtering based on explicit author endorsements. And I want to remind folks that these issues are pretty much independent of cryptography; they have been around for a while, waiting for someone with the relevant social expertize to give them serious attention. So, yes, experiments would be useful, though they needn't be tied to a cryptographic system. But some just plain careful thinking would be perhaps more useful. I fear, however, that these issues may remain largely undealt with for some time to come, since the techies most interested in them may again prefer to focus on familiar software and math problems, rather than invest the time needed to develop expertize on social issues. I hope you prove me wrong though. :-) Robin Hanson
participants (3)
-
hanson@hss.caltech.edu -
hfinney@shell.portal.com -
tmp@netcom.com