What Did You Call Me? (2F)

Session Topic: Pseudonymity, Reputation, and Real Names (T2F)

Convener: Dave Sanford, Kevin Marks

Notes-taker(s): Joe Boyle

Tags for the session - technology discussed/ideas considered: 

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Google+ "real" names controversy - "WASP names policy" (must "look like a name")

Kevin was involved with Portable Contacts - oops, it only had one name field. Flawed assumption because we started with address books - less true for profiles,

People want to be found => multiple names for searching connected to one identity

People want not to be found => multiple personas not publicly connected

Dave: Legal name is just one attribute - not needed for most stuff. But people need to develop reputation and therefore a persistent persona / identity, even when want it separate from legal identity.

High or low assurance - high more likely to use "real" credentials

Q: Why not one "real" identity and various pseuds linked by crypto. A: For a technical solution like that, questions like where does the linking take place, how hard is it to crack, etc. C: If linked at all then is vulnerable to govt e.g. subpoena.

@tariktech (CTO personal.com): We put a flag in the sand on some of these issues. We believe in user control and transparency to the user. Would pass a warrant on to the user.

Kevin: 3 or 4 layers of legal in US. Different in UK.

Rick Campbell: Identity can be just a public key, names just attributes attached to those via self-signing, cert authority, etc.

Kevin: Credit databases are designed to correlate info with people who don't want to be correlated. They make DBs we create look robust.

Jay Unger: Pairwise pseudonymous IDs (PPIDs) Comment: But they haven't been adopted widely.

Bob Morgan: SPKI (Simple Public Key Infrastructure) 10 years ago, still complicated and not widely adopted.

Kevin: Currently widely adopted example is OAuth tokens, now bigger than any of the other crypto examples.

Dave: "Reputation demands linked pseudonyms"

Darius: (missed)

Phil Windley: Everyone's activity tends to link pseudonyms, making them useless

Comment: Face to face adds a degree of verification

Kaliya: People need pseuds for private life. Need something between pseudonymity and "real" identity: idea of Limited Liability Persona, that can have verifiability or reputation.

Jay Unger: A few attributes like first name, SSN, something else (place?) can identify 95% of Americans. Correlation is easy. Users have to trust system to do anything, currently don't understand system and give up privacy. Idea: Display some kind of metric on how identifying a query would be, so user can judge how privacy revealing. Change the exch mech between RP and IDP to enable this.

Kevin: When forced to fill out info, users give false info, so harvested data is often mostly garbage anyway

Sara Singlett: Even independent from need for privacy or strong pseudonymity, people have multiple reputations, reputations in different fields are fairly separate. Want persistent reputation per facet.

Dave: I am long time fan of open reputation framework linking sites in a given subject area.

Phil Windley: Glad to share Bibtech file of literature on reputation systems

?: Even when current RPs good on pseudonym portability they are not good on attribute portability

Phil Windley: "Bad reputations don't stick to cheap pseudonyms" because they're disposable. E.g. eBay doesn't want to make accounts hard to create to not drive away business => there are no active accounts with bad reputations

Jay: I wouldn't buy from 100$ rep but month old. Rick: Wouldn't buy from 10y old but 3 transactions either

Kaliya: G+ is not allowing use of long-established (expensive) pseudonyms

Bob Morgan: Cites a system linking faculty members to all their publications etc. allowing easy evaluation by potential collaborators etc.

?: Cheap pseuds problem is only for mistrust. Flip focus to trust. Long-est pseuds Kaliya cited develop via natural usage not artificial tests.

Dave: for a federated reputation system, the member cites need reputations to be evaluated by too!

Kevin: Empirical answer used recently is binding to a name, statement, photo allowing other users to evaluate trust. Up to host to make sure those attributes non forgeable. Similar to real life evaluating people on face to face behavior. Purely machine system would be much more difficult / less good at evaluating.

Jay: RP convenience seems to outweigh user privacy. "I have very little sympathy for programmers"

Kaliya: Normal people give correlateable identifiers like phone numbers all the time. How can we ask services to not resell or correlate them and have some trust in that? Don't want norm to be selling everything.

Tarik: Purpose binding. Rick: Seems like an impossible problem.

Dave: Auditing doesn't scale.

Jay Unger: Can audit at different levels - per transaction, per code version.

Sammo: Need to make auditing actual behavior scale.

Jay: Disagree.

Kevin: Default is trust.

Rich Goodwin: Also limit time data is retained.

Tarik: Hard to insure over multiple systems designed for data retention, many don't use SSL.

Rick: Difficult to prove you've deleted something.

Rich Goodwin: Cites policies that service will delete your data on service termination.

Tarik: 1/3 of Personal's codebase for is ensuring this stuff.