Diffstat (limited to 'content/posts/sybil-resistance-identity/index.rst')
-rw-r--r-- | content/posts/sybil-resistance-identity/index.rst | 122 |
1 files changed, 79 insertions, 43 deletions
diff --git a/content/posts/sybil-resistance-identity/index.rst b/content/posts/sybil-resistance-identity/index.rst index 1a18d78..6f1bee3 100644 --- a/content/posts/sybil-resistance-identity/index.rst +++ b/content/posts/sybil-resistance-identity/index.rst 
@@ -19,14 +19,14 @@ individual computers. For decades, computer scientists to some success have been individual computers that make up such a distributed system need to be programmed for the resulting amalgamation to behave in a predictable, maybe even a desirable way. Though seemingly simple on its surface, this problem has a surprising depth to it that has yielded research questions for a whole field for several decades now. One particular -as-of-yet unsolved problem is resistance against *theia attacks* (or "sybil" attacks in older terminology)*. +as-of-yet unsolved problem is resistance against *theia attacks* (or "sybil" attacks in older terminology). Named after the 1973 book by Flora Rheta Schreiber on dissociative identity disorder, a sybil attack is an - attack where one computer in a distributed system pretends to be multiple computers to gain an advantage. From my - standpoint, naming a type of computer security attack after a medical condition was an unfortunate choice. For this - reason this post uses the term *Theia attack* to refer to the same concept. This is named after a greek godess of - light and glitter and alludes to the attacker performs something alike an optical illusion, causing the attacked to - perceive multiple distinct images that in the end are all only reflections of the same attacker. + attack where one computer in a distributed system pretends to be multiple computers to gain an advantage. From your + author's standpoint, naming a type of computer security attack after a medical condition was an unfortunate choice. + For this reason this post uses the term *Theia attack* to refer to the same concept. Theia is a greek godess of light + and glitter and the name alludes to the attacker performing something alike an optical illusion, causing the attacked + to perceive multiple distinct images that in the end are all only reflections of the same attacker. 
The core insight of computer science research on theia attacks is that there cannot be any technological way of preventing such an attack, and any practical countermeasure must be grounded in some authority or ground truth that is 
@@ -115,24 +115,32 @@ else to fool the system. Identity between Cyberspace and Meatspace ========================================= -A common thread in all of these solutions, be it the Facebook'esque Stasi_ methods or the crypto-anarchist -challenge-response utopias, is that they all approach digital identity as a question of Objective Truth™ that can -unanimously be decided at a system level—or that can be externalized to the next larger system such as the state. Alas, -the important question remains unasked: +A common thread in these solutions, from the Facebook'esque Stasi_ methods to the crypto-anarchist challenge-response +utopias, is that they all approach digital identity as a question of Objective Truth™ that can unanimously be decided at +a system level—or that can be externalized to the next larger system such as the state. Alas, the important question +remains unasked: What *is* identity? -Departing from all the systems outlined above, I want to make a suggestion on how we can approach this topic in a more -practical, less discriminatory [#discriminatory]_ manner. I think both using people's social connections and proxying -the decisions of external authorities such as the state are bad systems to decide who is a person and who is not. I will -now illustrate this point a bit. Let us think about how many digital identities a human beign might have. First, -consider the case of n=0, someone who simply wants no business with the system at all. For simplicity, let us assume -that we have solved this issue of consent, i.e. every person who is identified by the system consents to this practice. -For n=1, the approaches outlined above all provide some approximate solution. States may not grant every human -sufficient ID (e.g. children, the mentally disabled or prisoners might be left out), and the social systems might fail -to catch people who simply do not have any friends, but otherwise their approximations hold. Maybe. But what about n=2, -n=3, ...? 
None of these systems adequately consider cases where a human being might legitimately wish to hold multiple -identities, non-maliciously. +The answer to this question certainly depends on the system being examined. For example, an important reason the +capitalist corporations mentioned above require knowledge about their users' identity is to generate plausible +statistics for the advertisers that form their customer base, similar to how a farmer will keep statics on yield and +quality for the buyers of his crop. With this background, a full decoupling of platform accounts from a notion of legal +identity seems at odds with the platform's business model—and we will have to adjust our expectations for reform +accordingly. + +A common thread among all systems mentioned above is that they all have a social component to them. For this common use +case of social systems, I want to make a suggestion on how we can approach digital identity in a more practical, less +discriminatory [#discriminatory]_ manner than any of the methods we discussed above. I think both using people's social +connections and proxying the decisions of external authorities such as the state are bad systems to decide who is a +person and who is not. I will now illustrate this point a bit. Let us think about how many digital identities a human +beign might have. First, consider the case of n=0, someone who simply wants no business with the system at all. For +simplicity, let us assume that we have solved this issue of consent, i.e. every person who is identified by the system +consents to this practice. For n=1, the approaches outlined above all provide some approximate solution. States may not +grant every human sufficient ID (e.g. children, the mentally disabled or prisoners might be left out), and the social +systems might fail to catch people who simply do not have any friends, but otherwise their approximations hold. Maybe. +But what about n=2, n=3, ...? 
None of these systems adequately consider cases where a human being might legitimately +wish to hold multiple digital identities, non-maliciously. Consider a hypothetical lesbian, conservative politician. An active social media presence is a core component of a modern politician's carreer. At the same time, "conservative homophobe" is still well within the realm of tautology and 
@@ -150,38 +158,63 @@ identities, and we do not have a technical or political answer to it. All hope i undo this gordian knot by acknowledging an unspoken assumption that underlies any social relationships between real people, past the procrustean bed of computer systems or organizational structures these relationships are cast into. - Identity is subjective. Identity arises from a relationship between people, and the same person might legitimately - have multiple identities to different people. - -Thinking beyond the straw man politician above, this is evident in more subtle ways in almost all our everyday -relationships: Some people may know me by my legal name, some by my online nickname. To some I may be a computer -scientist, to some a flatmate. None of my friends and acquaintances have ever wanted to see my passport, or asked to -take my DNA to ascertain that I am a distinct human being from the other humans they know. Also, it would simply be -exceedingly weird for someone I know to snoop around the other people I know, trying to build a map of where these -people know me from and whether they think the same about me. Yet, this concept of a single, consistent, global, true -identity is exactly what up to now all technological solutions to the identity problem are trying to achieve. + As a function of social interaction, digital identities conform to roles_ in sociological terminology, and are not + at all the same as personhood_. Roles are subjective and arise from a relationship between people, and a single + person might legitimately perform different roles depending on context. + +When computer scientists or programmers are creating new systems, there always is an (often implicit) modelling stage. +Formally, during this stage a domain expert and a modeller with a computer science background come together, each +contributing their knowledge to form a model that is both appropriate for real-world use and practical from an +engineering point of view. 
In practice, these two roles are often necessarily fulfilled by the same person, who is often +also the programmer of the thing. This leads to many computer systems using poor models. A typical example of this issue +are systems requiring a person's name that use three input fields labelled "First Name", "Middle Initial" and "Last +Name". These systems are often created by US-American programmers, who are used to this naming schema from their lived +experience. Unfortunately, this schema breaks down for those few billion people who use their last name first, who have +more than one middle name, or who have multiple given names and do not normally use the first one of those. + +Once a system creator's implicit assumptions have been encoded into the system like this, it is often very hard to get +out of that situation. A pattern to use during careful modelling is to keep the model flexible to account for unforeseen +corner cases. For example, when modelling a system requiring a person's name, one would have to ask what the name is +used for. It may be the most sensible decision to simply ask the user for their name twice: Once in first name/last name +format for e.g. tax purposes, and once with a free-form text field for e.g. displaying on their account page. + +While for names, many systems already use some form of flexible model by e.g. having a *handle* or *nickname* separate +from the *display name*, "social" systems still often are stuck with an identity model based around a concept of a +single, rigid identity. In practice, people perform different roles_ in different circumstances. When asking for a +person's identity, one would get wildly different answers from different people. A person's identity as perceived by +others is coupled to their relationship more than to some underlying, biological or administrative truth. 
Thinking back +to the straw man politician above, this is evident in subtle ways in almost all our everyday relationships: Some people +may know me by my legal name, some by my online nickname. To some I may be a computer scientist, to some a flatmate. +None of my friends and acquaintances have ever wanted to see my passport, or asked to take my DNA to ascertain that I am +a distinct human being from the other humans they know. Likewise, identifying me by my social connections is impractical +as it would require an exceedingly weird amount of what can only be described as snooping. Yet, this concept of a +single, consistent, global, true identity is exactly what up to now all technological solutions to the identity problem +are trying to achieve. Building Bridges ================ I think I can offer you one main take-aways from the discussion above. - Focus on relationships, not identity. + During modelling social systems, focus on relationships—not identity. -Rephrased into more actionable points, as someone designing a digital system, do the following: +Rephrased into more actionable points, as someone designing a social digital system, do the following: -1. Allow people to chose their own identifier. Don't require them to use their real names, they may not wish to - disclose those or they may not be in a format that is useful to you (they may be too long, too short, too - ubiquituous, in foreign characters etc.). A free-form text field with a reasonable length limit is a good +0. Early in the design stages, take the time to consider fundamental modelling issues like this one. If you don't, you + will likely get stuck with a sub-optimal model that will be hard to get rid of. +1. Where possible, be flexible. Allow people to chose their own identifier. Don't require them to use their real names, + they may not wish to disclose those or they may not be in a format that is useful to you (they may be too long, too + short, too ubiquituous, in foreign characters etc.). 
A free-form text field with a reasonable length limit is a good approach here. 2. Do not use credit cards or phone numbers to identify people. There are many people who do not have either, and scammers can simply buy this data in bulk on the darknet. -3. Allow people to create multiple accounts [#accountswitchopsec]_, and acknowledge the role of social relationships in +3. Allow people to create multiple identites [#accountswitchopsec]_, and acknowledge the role of social relationships in your interaction features. People have very legitimate reasons to separate areas of their lifes, and it is not for you or your computer to decide who is who to whom. If your thing requires a global search function, re-consider the data protection aspects of your system. If you want to encourage social functions in the face of bots and trolls, make it easy for people to share their identities out-of-band, such as through a QR code or a copy-and-pasteable - short link. + short link. If you require someone's legal name or address for billing purposes, unify these identities behind the + scenes if at all and allow them to act as if fully independent in public. While change of perspective comes with its share of user experience challenges, but also with a promise for a more human, more dignified online experience. Perhaps we can find a way to adapt cyberspace to humans, instead of continuing 
@@ -190,12 +223,13 @@ trying it the other way around. .. _astroturfing: https://en.wikipedia.org/wiki/Astroturfing .. _Stasi: https://en.wikipedia.org/wiki/Stasi -.. [#cryptocurrency] Pseudo-currencies in that while they provide some aspects of a regular currency such as ownership and - transactions, they lack most others. Traditional currencies are backed by states, regulated by central banks - tasked with maintaining their stability and ultimately provide accountability through law enforcement, courts and - political elections. +.. [#cryptocurrency] Pseudo-currencies in that, while they provide some aspects of a regular currency such as ownership + and transactions, they lack most others. Traditional currencies are backed by states, regulated by central banks + tasked with maintaining their stability and ultimately provide accountability through law enforcement, courts + and political elections. -.. [#discriminatory] Discriminatory as in discriminating against minorities, but also as in deciding what is and what is not. +.. [#discriminatory] Discriminatory as in discriminating against minorities, but also as in deciding what is and what is + not. .. [#accountswitchopsec] This does mean that you should not actively prevent people from creating multiple accounts. It does not necessarily entail building a proper user interface around this practice. If you do the latter, e.g. by @@ -206,3 +240,5 @@ trying it the other way around. .. [#meatspacefn] Meatspace_ is where people physically are, as opposed to cyberspace .. _Meatspace: https://dictionary.cambridge.org/dictionary/english/meatspace +.. _roles: https://en.wikipedia.org/wiki/Role +.. _personhood: https://en.wikipedia.org/wiki/Personhood |
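Review bot: In the @@ -19,14 +19,14 @@ hunk, the rewritten line "Theia is a greek godess of light" keeps two spelling errors from the line it replaces; it should read "Greek goddess". The following added line, "the attacker performing something alike an optical illusion", would read better as "something akin to an optical illusion". Since these lines are rewritten in this commit anyway, fix both here.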
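Review bot: In the @@ -115,24 +115,32 @@ hunk, the new advertiser paragraph has "a farmer will keep statics on yield and quality", which should be "statistics", and the re-wrapped text still carries "human beign" over from the removed lines. The added paragraph after it opens with "A common thread among all systems mentioned above", repeating the "A common thread in these solutions" opener a few lines earlier in the same hunk; rewording the second opener would avoid the echo.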
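Review bot: In the @@ -150,38 +158,63 @@ hunk, the sentence added at the end of item 3, "unify these identities behind the scenes if at all and allow them to act as if fully independent in public", does not say that the behind-the-scenes link is itself the sensitive record. Suggest stating that the link is kept only as far as billing needs it and never feeds public features such as the global search function the same item warns about. Smaller points in the same hunk: item 3 now says "multiple identites" (typo for "identities") while the [#accountswitchopsec] footnote it cites still speaks of "multiple accounts", so the two should use one term; the list now starts at "0.", so check that the rendered enumeration comes out as intended; and "During modelling social systems" reads better as "When modelling social systems".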