Abuse resistant anonymous publishing

George Danezis George.Danezis at cl.cam.ac.uk
Thu Sep 29 06:56:57 PDT 2005


Hi or-talk (and Ben),

I am sorry to be jumping in the middle of the wikipedia-Tor debate, but Steven
Murdoch just made me aware of it. A while back I had a short discussion with
Roger about a possible way of mitigating abuse through anonymity systems like
Tor on open publishing systems like wikipedia (and with additional precautions
Indymedia). I have further discussed this with Ben Laurie at PET 2005.

The basic idea is quite simple: anonymity allows users to avoid being
associated with a persistent identifier that could be used to filter out abuse
cheaply. It is in fact a Sybil attack, i.e. one user can pretend to be multiple
users. Note that this can also happen if one controls many nodes (through a
bot net for example). The aim of our protocol is to be able to associate
persistent identifiers with posts that are controversial (through a process
that is defined), to be used to filter abuse (note that these do not have to
be an identity, but only be useful to filter abuse). We should also try to
maintain the user's anonymity, and at least plausible deniability.

My favorite approach in solving these problems is using and assuming the
existence of social networks. In the case of Indymedia, I know they exist
(people get teargassed together in the streets quite routinely -- this creates
solid bonds), in the case of wikipedia it might be the case that they will
have to be cultivated (through better flagging up who is the responsible
editors for sections, who has been contributing so far to an article, and
on-line chat forums where people can discuss).

Thus I will assume that getting introduced to someone that is involved in
wikipedia is not hard, but getting introduced to all/many people as having
different identities is hard! (gmail and orkut have proved that it is possible
to have an invite-only system with a small seed ending up being quite
inclusive). As a result we can have a graph that describes who has been
introduced by whom (let's call it the wikipedia introduction graph, or just
intro graph). Furthermore this graph has a couple of 'roots', i.e. the people who
are 'in charge' of wikipedia, or multiple roots (by section for example -- if
we choose the people that manage sections of the site).

Example path from Root to user Charlie, used in the examples below:

Root -> Alice -> Bob -> Charlie

The protocol has three phases:

1) Introduction -- someone that is already in the intro graph 'introduces' a
new user into the graph. They do this because they know the user or have
chatted to him... From a technical point of view this provides the new user
with the necessary (anonymous?) credentials to post to/modify the site.

2) Each action of the user is 'authenticated' using the credentials, and a
'signature' is generated. This signature provides any third parties with the
Root that the user is attached to.

3) Responsibility allocation: If the action is deemed abusive by the Root (or
a collective mechanism like voting / veto / ...), then the Responsibility
allocation mechanism is started by the Root. This means that step by step the
path linking the user Charlie to the Root is walked (starting at the Root, then
Alice, then Bob, then Charlie) until someone 'takes responsibility' for the
post. This process can depend on Alice and Bob (i.e. it must not be possible to
trace without their consent) but if they do not collaborate in the tracing
they agree to take responsibility. The article is tagged with the full traced
path from the Root to the principal that has taken responsibility.

Mini-FAQ:

Why is this helping at all against abuse?

Assuming that it is hard to get multiple connections to the intro graph,
persistent offenders can be identified, either by their own username or the
username of the person who consistently introduces them. This is incentive
compatible: you do not want to introduce people that may abuse the system,
otherwise abusive messages will be tagged with (and possibly filtered on the
basis of) your name! The chain from the Root to the user assuming
responsibility for the article can then be used (very much like IPs or user
names today) to implement filtering policies. Furthermore these policies can
be specified by the users and do not need to be centralized and applied by the
server.

What about anonymity?

No real IDs ever need to be traced! The design does not require step 1 to
provide a real name at all, and in any case the design can ensure (through the
use of crypto-fu?) that authentication only reveals the first hop (i.e. Alice).
Others need to collaborate to ask further down the chain for someone to take
responsibility. In any case the final user is not certain, as we will see...

Wait a sec, a bad user can connect other abusive users easily!?

Yes, as soon as an abusive user connects to the intro graph they can introduce as
many of their friends as they like! This is the reason why filtering policies
need to make use of the full path from the Root to the user that ultimately
takes responsibility: a user that consistently introduces many other abusers
will always be on the path, and can be used to filter stuff out! As a side
effect of this one cannot (and should not) trust that the user that finally
took responsibility is indeed the initiator of the abusive action. They could
be a Sybil or another person up the chain that disagrees with the fact that
this action constitutes abuse!

Why are you calling it 'taking responsibility' instead of tracing?

The point of the protocol is for someone to say 'I stand by this action' --
his path to the root can then be used for filtering such action out, by users
that do consider it as abuse. Note that there is always contention in online
communities about what constitutes abuse and this mechanism allows for
differing opinions. Then there can be different policies filtering out
different users in the chain. Possibly anyone (not just people on the Path
between Root and Charlie) should be able to take responsibility and have the
item tagged with their path.

What about abusing the anti-abuse system?

There is a risk that trolls will abuse the action of requesting tracing/taking
responsibility for all actions, trying to get as much information as
possible/wasting time/undermining confidence in the system. The conditions
under which this mechanism is initiated are really not clear (Root decides,
voting, veto, ...). In any case it is a good idea for someone to take
responsibility for the initiation of this process by tagging the request with
their path to the Root. This way Root, Alice and Bob can filter out persistent
abusers of the anti-abuse system :-). There is no contradiction there:
anonymous political speech is a right (hence this complex system), but
moderation (censorship?) has to be done transparently, and those doing it must
come forward by tagging their action with their path to Root.

It seems that Root has a lot of power in all this (== your system embodies
fascist values!)?

Yes, this is a problem. At the same time there is nothing stopping (aside from
efficiency and the appropriate crypto-fu) full decentralization. Each person
can be their own Root, and apply custom filtering according to the paths
relative to them. Note that taking responsibility cannot be abused any more
than before (since either you connect directly to the abuser, at which point
you should know better, or you are still connected through nodes that will not
consider your action abusive and will take responsibility for it!).

Ok, so how do we do all this magic?

It is clear that a trusted third party can do all this efficiently. Can we
find a variant of certificate systems that allows delegation in an anonymous
way to decentralize all this, and make sure that no one party can screw any
other? Open research problem -- I am working on it!

Any feedback is welcome!

George
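As an added illustration (not George's own code or design, and not from the list), here is a constructed Python model of the three phases above: introduction into the intro graph, a signature that reveals only the Root, and the responsibility walk in which an intermediate who will not reveal the next hop takes responsibility instead. The credential crypto is replaced by a private lookup held by the graph object (an assumption standing in for the open research problem), and the filtering policy at the end is one reader's blocklist over the tagged path; all names are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class IntroGraph:
    """Toy 'intro graph': every member has exactly one introducer, Roots have none."""
    introducer: dict = field(default_factory=dict)   # member -> introducer (None for a Root)
    _signer: dict = field(default_factory=dict)      # action id -> member (stand-in for crypto)

    def add_root(self, root):
        self.introducer[root] = None

    def introduce(self, sponsor, newcomer):
        # Phase 1: only an existing member may introduce, and a newcomer gets one sponsor.
        if sponsor not in self.introducer or newcomer in self.introducer:
            raise ValueError("introducer unknown or newcomer already a member")
        self.introducer[newcomer] = sponsor

    def path(self, member):
        # Root -> ... -> member, e.g. ['Root', 'Alice', 'Bob', 'Charlie'].
        chain = []
        while member is not None:
            chain.append(member)
            member = self.introducer[member]
        return chain[::-1]

    def sign(self, member, action_id):
        # Phase 2: the public tag a third party sees names only the Root the member
        # hangs off; who actually acted is recoverable only through the walk below.
        self._signer[action_id] = member
        return {"action": action_id, "root": self.path(member)[0]}

    def allocate_responsibility(self, action_id, cooperates):
        # Phase 3: the Root walks the path hop by hop. Each intermediate either reveals
        # the next hop (cooperates[name] is True) or, by refusing, takes responsibility.
        # The last hop has nobody further to point at. Returns the path to tag the action with.
        chain = self.path(self._signer[action_id])
        for i in range(1, len(chain)):
            if i == len(chain) - 1 or not cooperates.get(chain[i], False):
                return chain[: i + 1]
        return chain   # the Root itself acted


def filtered(tagged_path, blocklist):
    # One reader's own policy: drop anything whose tagged path crosses a blocked principal,
    # so a member who keeps introducing abusers is caught wherever they sit on the path.
    return any(p in blocklist for p in tagged_path)
```

Running the Root -> Alice -> Bob -> Charlie chain through `allocate_responsibility` with Bob refusing to cooperate tags the action with `['Root', 'Alice', 'Bob']`, and a blocklist containing Bob then also catches any further account Bob introduces.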

----- End forwarded message -----