Further thoughts on Reputation Capital systems and implementation

[Sunder]

There are plenty of systems of reputation capital already in existance out
there. (RepCap to shorten it.)  In this post, I will use several fictional
examples, though the names may or may not resemble actual Nyms, within the
context of this post, they are fictional and any such resemblance is
purely coincidental (or halucinational in your case), and "you" refers to
another Nym, not necessarily the reader, as "I" does not refer to the
author, but yet another Nym.  Ditto for actual named Nym's.


In the finance world funds always have disclaimers stating that past
performance is not a predictor of future growth, but in practice past
performance is always used or at least taken into consideration.

Reputations are built based on interactions of individuals with others who
communicate references about their experiences.

For the longest time your credit record has sufficed.  Previous to that,
your riches or your actions, (or breeding - a poor solution) or the esteem
that others have for you that the viewer is acquainted with show (or at
least hint) your reputation to those who are unfamiliar with you.

New examples include things such as slashdot's karma points for insightful
postings, and ebay's feedback profiles that allow a buyer to rate a seller
numerically once per transaction with positive, neutral, or negative, and
a comment.  The seller can also rate the buyer and warn other sellers that
this guy pays on time or was a hassle, or a dead beat.

Anyone can view a nym's repcap and see all the comments along with the
items that were sold, etc.

Sellers can prevent those with negative or low rep-caps from posting bids,
or can state that those with less than a certain amount must pay by
certified check or credit card since they aren't trusted - or that their
personal checks must first clear, etc.

I actually like this model, but it can be expanded.  Reputation capital
can however be abused.

In a Cypherpunk reputation capital environment, Mallet can set up two nyms
and use them to defraud others.  Here I will present a way around this.
Mallet creates Alice and Bob, and has them perform some transaction over
and over again, on each transaction posting postive repcap to each other.

As Adam Shostack and Wei Dai's comments have pointed out, there are
possible abuses to such a system:

For the ebay model: Alice can sell Bob a used piece of toilet paper for
$0.01, and on completion both Alice and Bob post positive repcap's for
each other.  Of course both Alice and Bob are Mallet's Nym's, so Mallet
runs this process repeatedly until both Alice and Bob have high
repcap's.  This attack can be extended by Mallet over several hundreds of
Nym's to make this less obvious, and can be randomized somewhat, etc...

If a high rep-cap Nym is sold, the old owner can reursup the Nym if the
buyer doesn't revoke the old public key and issue a new one.  The old
owner can even have a predated revocation certificate causing
confusion.  But in this case, fraud has been commited, so the buyer must
have some recourse.

Perhaps the buyer can then disclose their identity (or rather their
original nym) and the signed messages between themselves and the
fraud.  Money may be perhaps reclaimed, or not depending on how the Nym
was sold.

RepCap's should certainly not just have a single dimension stating
positive or negative, but rather a set of vectors.  Certainly repcap
metadata about a sale is different than that of an essay posting, or that
of a social interaction.  (Choate might for example have the best bbq's in
the entire country and he might have huge successful parties, but perhaps
his posts leave something to desire.)

Perhaps XyzzY is a genius when it comes to her knowledge of perl scripts,
but she's notoriously in debt, so I might not want to accept business from
her, though when I read the perl mailing lists, I would happily see her
messages.



In a posting model such as Cypherpunks I believe I have an idea for a
decent system.  I'm not suggesting we implement this as there would be too
much resistance to a fully working restrictive repcap based mailing list
here, but, rather this can serve as a theoretical example.

We swipe a bit of the Slashdot system, a bit of the ebay system, and add
digital signatures.  Let's start with a post.

Say Tim posts a very brillian post about something.  The readers of the
post can if they chose to sign a hash of that message along with their
vote for postive, neutral, or negative and a small comment (not a reply to
the message, but a comment about the character of the post.)

This message does not make its way onto the list as a message, but rather
as metadata.  That is your special mail client won't display them to you,
so you won't see a flood of metadata emails, but your client will process
them after authenticating their signatures.  RepCap archive servers will
collect and cache these for anyone to see.  Individual clients can do the
same.  (You don't want a central server or a set of central servers as
these can be destroyed, etc. and then the system fails.)

Suppose that in my client, I hold Declan and Sandy in high reputation.  
That is my cache of their repcap is high and positive in relation to
others.  Now suppose that Tim posts a message and suppose they both vote
that Tim's post was brilliant - thus give it a positive vote.  Instead of
adding just "2" points to my cache of Tim's rep, since I trust Sandy and
Declan as non-nutcases, their votes are weighed against their own repcap's
in my cache.

Say Tim has a repcap of 600, say Declan has 500, and Sandy has 400.  Then
I add +1 * 500/X from Declan's repcap and +1 *400/X to Tim's repcap, so
now my cache of Tim's repcap might jump to 620.

Now this is not Tim's true reputation capital which came from individual
votes, and can be downloaded from any archive by any new user at any time,
it's rather my view of it. 

For example, say Jim doesn't like Tim, Jim can change the weight of Tim's
repcap, or even the actual repcap in his own cache to something low, and
then Declan and Sandy's vote won't make any difference.

Further, if I or anyone else choses to, we can ignore posts by those with
repcap under a certain threshhold.  Doing so would also stop spammers from
getting their message displayed (but not necessarily the bandwidth
hogging.)

Any time I chose to, I can change my own cache of someone's repcap, thus
overriding public opinion.  Perhaps this personal setting for each Nym I
see would be locked either for a specific duration (so further votes can
change it later on -- see below example of Aimee and Faustine), or
forever.  These should only override the tallied up ones from the servers,
not replace them.  

Perhaps I can also share my views of a certain Nym, stating that "Vulis is
a nutcase" or "Eric Hugh's is cool" and some sets of values, if I chose
to.  These can be the same as the weights I privately use to filter out
things, or they can be a different set - should I chose to be two faced.

But what about a new user who doesn't know Tim from Jim?  Simple.  They
can talk to the archive servers and get either a count of positives and
negatives or download the last six months worth of votes and optionally
comments, or even download all that the archives have for a particular
nym, including their public key, and any signatures on that key (pgp web
of trust, etc.)

Alternatively (or additionaly) the new user might want a query of what
Declan and Sandy think of this guy and perhaps average them to build the
cache.

How does a new Nym build repcap?  Lurkers who only read will be invisible,
so they won't have a reputation.  As soon as they post others can vote one
way or another, and based on the weight of the repcap of the voter, a
quick rep cap can be built.  As each person can decide to change their own
weights for that new Nym, this can be settled quickly.

For example both Faustine and Aimee had initially interesting posts, but
over time cracks appeared, lowering their repcap, etc...  Their repcaps
would have initially jumped up and then dropped.

Of course those that choose to opt out, should be able to do so by simply
not opting in the first place, though they might find it hard to do
business with those that do...

Note that everyone should be able to read all postings, and repcap
metamessages at any time without participating.


Flaws of course are that trust is not transitive (however, a system of
personal weights can ameliorate this), and that past behavior is not a
guarantee of future behavior (Nym's can go insane, or be cured of
insanity, can relapse, can sell/buy Nyms.)

Any other flaws?



Again, this is a ficticious example of a reasonable system.  It will
likely never work here on this mailing list, though another mailing list
like system can be created, though it would require both clients and
reputation servers.  The examples of people I used are entirely ficticious
any resemblance to real humans is coincidental, parental discretion
advised.  This message will burp itself in ten seconds, though you will
have to change its diapers all by yourself.




----------------------Kaos-Keraunos-Kybernetos---------------------------
 + ^ + :Surveillance cameras|Passwords are like underwear. You don't /|\
  \|/  :aren't security.  A |share them, you don't hang them on your/\|/\
<--*-->:camera won't stop a |monitor, or under your keyboard, you   \/|\/
  /|\  :masked killer, but  |don't email them, or put them on a web  \|/
 + v + :will violate privacy|site, and you must change them very often.
--------_sunder_ at _sunder_._net_------- http://www.sunder.net ------------