Home - Topics - Papers - Theses - Blog - CV - Photos - Funny |
Today's online ecosphere continually suffers from its inability to tell who is a genuine, unique human and who isn't. Because open-access messaging systems cannot isolate or authenticate the human source of messages for the purpose of suppressing abuses, spam has already relegated USENET to historical obscurity [Templeton01], threatens the usability of E-mail [Wouters05], and is even advancing on Skype. The automated "Turing tests" many web sites employ lock out visually impaired users [Chong03, May05] and are vulnerable to attack using artificial intelligence [Chellapilla05] or social engineering [Doctorow04]. Wikipedia progressively tightens its editing rules to combat the rising tide of anonymous vandalism [Knight05, Hafner06, Thompson06]. Voting-based participatory systems such as Slashdot operate reliably only to the extent that nobody cares about the results of votes enough to bother opening many accounts and stuffing the ballot boxes. Banning detected abusers by IP address frequently prevents access by other legitimate users on the same ISP [Kalsey04], and many attacks come from compromized zombie machines not under the control of their owners [Evers05].
More serious proposed solutions to these abuses typically revolve around authenticating a user's identity in some way before granting (full) access. Most E-commerce sites already require users to identify themselves by entering personal information and a credit card or even a bank account number, although a few support emerging anonymous payment services such as paysafecard, Xrost, or Ukash. Single sign-on initiatives such as Microsoft Passport, the Liberty Alliance, and OpenID try to centralize a user's personal information at a single "identity provider", which various online services contact to authenticate the user. Identification is often more than we want or need, however: anonymous communication and social participation is widely viewed as a crucial tool to safeguard basic democratic values such as privacy and freedom of speech [Teich99], and the rights of minorites [Stein03].
Often what we need is not to determine who an online user is, but merely to ensure that each human participant in a given online service or community can have only one account or persona at once. If online services could reliably enforce a one person, one persona rule when appropriate without having to obtain and verify personal information, then online personas would no longer be disposable and thus would provide a degree of accountability. Online services could temporarily revoke the access rights of abusers, such as E-mail spammers or Wikipedia vandals, without affecting innocent users or permitting the same abuser to reappear immediately under a different name. Voting-based systems for peer review or online democratic deliberation could protect voting anonymity while preventing ballot box stuffing.
The abuse of an online system by creating many illegitimate virtual personas is known as a sybil attack, after a famous case of multiple personality disorder [Schreiber75], and there is probably no purely technical way to defend against such attacks [Douceur02]. While distinguishing one human from another may be difficult for computers, however, humans manage this task all the time when we meet in person. A relatively informal and inexpensive bit of organizational infrastructure in the offline world might provide exactly the foundation we need for anonymous but accountable online participation, allowing users to create multiple privacy-preserving online personas while protecting online services against sybil attacks.
Suppose that on some particular day of every year - let's call it Sybil Day for the moment - groups of people interested in having private but accountable online personas gather somewhere in their nearby physical neighborhood to throw a party. Any group of people may organize a such sybil party, provided the group follows certain procedures standardized by some broader distributed network of sybil party organizers and opens itself to oversight by organizers of other parties to ensure that the required procedures are followed correctly. Outside of this standardized framework, each sybil party's organizers are free to run their party as they see fit - e.g., as a festive social occasion in which participants are invited to bring food and drinks to share (hence the term "party"), as a conference or workshop in which to discuss online social issues and the like, or as a purely functional affair minimizing cost and volunteer effort.
Regardless of form, at the heart of each sybil party is a procedure in which each participant receives login information granting access to one, and only one, anonymous sybil account on a designated web site run by the party's organizers or an affiliated organization. Sybil accounts store no personal information, and no one needs to show identification or meet any requirements regarding age, citizenship, home location, or other personal characteristics, in order to obtain an account. A New Yorker visiting Paris on Sybil Day can just show up at any sybil party in Paris to get his yearly account, and shouldn't even need to know French. The only requirement is to be alive and able to show up and follow the required procedure. As with elections in poor countries that have no formal voter registration, each participant is marked with indelible ink in an obvious place on their body as they are given their sybil account, preventing them from obtaining several accounts on the same day (e.g., at different parties in the same area).
A sybil account is not affiliated with any particular online service, but acts as a front-end through which users create or renew accounts on participating online services. A user might login to his sybil account and enter wikipedia.org, for example, to create a personal Wikipedia account for himself and automatically log him into it. The sybil account server is responsible for enforcing the one person, one persona rule: if the user enters wikipedia.org again in his sybil account, he simply finds himself in his existing Wikipedia account. Since each person can obtain one new sybil account per year, online services may expire accounts created this way after a year to prevent users from gradually accumulating many accounts, and may offer users a way to transition smoothly from one year's account to the next, but such policies are specific to the online service.
A sybil account holder may create one personal account on each of any number of distinct online services in this way. To protect the user's privacy, the sybil account server ensures that online service providers cannot tell which two accounts on different services correspond to the same sybil account, and hence the same user, unless the user explicitly gives them personal information establishing such a link. If user uses his sybil account to create both a professional profile for himself on LinkedIn and a steamy personal profile on AdultFriendFinder, for example, no one can tell that the two profiles represent the same person even if the two web sites collude or are hacked - unless, of course, the user gives away the connection, by posting the same photo in both profiles for example. Even then, the user could deny the connection, claiming that someone had simply downloaded his photo from LinkedIn and used it to fabricate an embarrassing profile on AdultFriendFinder, and there would be no way to prove the connection existed short of compromising the sybil account server. In effect, the sybil account server expressly defends the user's right to exhibit a controlled form of "multiple personality disorder" across different services in order to protect his privacy.
Sybil accounts need not replace existing account creation and login mechanisms, but could serve as a "premium" mechanism offering rewards to users who make the effort to help organize or at least show up at a sybil party once a year. E-mail authenticated via a sybil account might be exempted from heuristic spam filters, for example, preventing the loss of legitimate E-mail due to false positives. Wikipedia might still allow users to create traditional accounts, but could exempt sybil account users from IP address bans or from waiting periods imposed between account creation and editing. (An abusive E-mail or Wikipedia user logged in via a sybil account can still be banned by his sybil account's pseudonymous identity, of course, and will be unable to create a fresh sybil account until the next Sybil Day.) Online services that support peer review by voting might require a sybil account in order to cast votes, while allowing less sensitive forms of access via a traditional account or no account.
Unlike identity-based single sign-on schemes, users need not trust their sybil account provider with their personal information, because they never had to provide any personal information to obtain the account. Users may need to trust the sybil party organizers to protect their privacy in the account assignment process: e.g., not to try to identify and keep tabs on who was assigned which account. Users also must trust the party's designated account server to protect the relationship between different online service accounts the user obtains via the same sybil account. Each sybil party's organizers may run their own server or work with a support organization they consider trustworthy; each user in turn has a free choice of which sybil party in their area to attend, and thus which group of organizers to trust.
Online service providers must similarly trust sybil party organizers and their designated account servers to enforce the one person, one persona principle. Each service's administrators ultimately choose which sybil account servers to trust, but the network of sybil party organizers may also need to establish a system of mutual oversight and operational peer review to monitor each party's health and trustworthiness. Initially, each sybil party might simply stake its claim to legitimacy on the public, online or offline reputations of its organizers.
Topics: Security Privacy Anonymity Identity Personhood Democracy | Bryan Ford |