[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Negative reputations
A generally important problem seems to be that of tagging a negative
behavior source for future recognition. The tag might be used for
negative information shared publically (eg, credit ratings) or
kept private (eg, kill files). The behavior source might be
non-human (eg, recognizing virus patterns for the purposes of virus
scanning). Where the behavior source is adaptable and self-interested,
it has an incentive to spoof the tagging: a debtor to change names to
avoid paying his debt, a virus to scramble its pattern to avoid scanning,
and so on. If the tag carries a greater positive reputation (where
zero is the reputation of a newcomer) this incentive is lost
and the negative side of the reputation must be borne.
Suggested digital credentialling mechanisms that I am aware of seem
to fail to facilitate such negative reputation handling.
Service-specific nym reputation may not be able to accomplish such
tracking of negative reputation. If a nym accumulates more negative
than positive credentials, it can simply be replaced by a newcomer
nym for this service, without harming the positive reputation capital of
the other behavior source nyms. Hostile sources can continuously spoof
innocent newcomers. Counterparties lose the ability to determine a
history of previous hostile behavhior -- kill files, virus scanning,
credit ratings, etc. fail.
Chaumian credentials also give the credential holder control over
the transfer of credentials between his pseudonyms (hereafter "nyms"),
creating an incentive to show positive credentials and hide
negative ones.
Tags that bundle the results of a wide variety of transactions --
universal IDs or "True Names" -- seem to provide the most incentive
for parties to carry their negative credentials. Most people have
accumulated enough positive reputation is some areas that it is
well-nigh impossible for them to start over their entire lives as newcomers.
A big problem arises from negative credentials when they are used,
not merely to avoid engaging in a particular activity with a party,
but for retribution against that party. Retribution may take some
nonviolent online form, such as slander, denial of service attack,
and so on, but the most worrisome form of retribution is a violent
physical attack. Could we have digital tags that, while
tracking negative behavior sources through the digital world, remain
strictly unlinked to any kind of physical location data? Alas,
we have several important systems, such as cellular phones,
shipping addresses, etc. that provide such linkage.
Another problem for negative reputations is that "negative" is subjective.
What is perfectly reasonable in one culture may bring a death sentence
in another. Hower, there are some important, well-defined transactions
where there is a widely agreed use of historical information. For
example, for those who extend credit (and keep in mind, credit is implicit
in most contracts), borrowers who have not paid their bills in the past
are universally a negative. Being on the receiving end
of a computer virus is practically always a negative. And so on.
The question may become one of deciding which of these three dimensions
are most important, and how they can be traded off:
* The gains to be had from tracking and thereby avoiding negative
behavior sources
* The gains to be had from a nonviolent digital world (ie, a virtual
realm within which any digital action can have no physically violent
consequences).
* The inconvenience (and perhaps impracticality) of partitioning
the physical and digital worlds into different ID systems (more
realistically, some "pure" subset of the digital world completely
partitioned from location devices, physical shipping information, etc.)
Keep in mind too, that in practice these are evaluated primarily
by a market evolving from its current state, rather than by abstract
ethical philosophies.
True Name keys, which have many drawbacks in terms of privity,
may be the best way to track negative reputation, but they
are no panacea. Carl Ellison on the SPKI (Simple Public Key
Infrastructure) list raised an important conundrum in an ID-based key
system: the conflict between the ability to get a new key when the
old one is or could be abused by another (key revocation), and the
ability of another to be sure they are dealing with the same
person again. This may also provide an opportunity for parties to
selectively reveal positive credentials and hide negative ones. For
example, a person with a bad credit rating could revoke the key under which
that rating is distributed and create a new one, while
selectively updating their positive credentials to the
new key (eg, have their alma mater create a new diploma).
Key revocation authorities might combine forces with credit
rating agencies to avoid such erasure of negative history,
but this gives them even more centralized control -- not
merely over IDs but over important elements of reputation
associated with those IDs. This further violates the
principles of separation of powers and segregation of duties,
providing added opportunities for undetected, fraudulent issue or
revocation of IDs along with fraudulent communication of reputation
information.
The current universal (non-cryptographic) key in the U.S., the SSN,
is very difficult to revoke. Much easier to change your name. This
policy is probably no accident, since the biggest economic win of True
Name identification is the tracking of negative reputations, which
revocation can defeat. As long as the SSN is a shared database
key, not used for the purpose of securely identifying a faceless
transaction, there is little need for revocation beyond the undesired
erasure of negative history. Combining into one key a secret
authentication key, which must be revocable, with a public universal
ID is problematic.
Nick Szabo
szabo@netcom.com
http://www.best.com/~szabo/
Follow-Ups: