Work notes from discussion with Jörg into Sybil draft.

jaseg 2020-09-16 11:50:58 +02:00 committed by jaseg
parent 9fc934f9d2
commit 01a54b7156
2 changed files with 79 additions and 43 deletions


@ -208,7 +208,7 @@ the board, but are still invisible for some reason. You have to save the board f
become visible. Also KiCAD crashes whenever the plugin tries to remove a trace, so currently my workflow involves always
making a copy of the board file first and treating mesh generation as a non-reversible finishing step.
`Check out the code on my cgit <https://git.jaseg.de/bigdata/pub/kicad_mesh_plugin.git/tree/plugin/mesh_dialog.py>`_.
`Check out the code on my cgit <https://git.jaseg.de/kimesh.git/tree/plugin/mesh_dialog.py>`_.
.. ::
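Review bot: this hunk swaps the repository link in the KiCAD mesh plugin post, which has nothing to do with the Sybil draft named in the commit message; splitting it into its own commit keeps the history searchable. Since the removed URL `https://git.jaseg.de/bigdata/pub/kicad_mesh_plugin.git/tree/plugin/mesh_dialog.py` is already published, make sure it redirects to the new `kimesh.git` location or keep the old link next to the new one, otherwise bookmarks and external references to the post silently break.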


@ -19,14 +19,14 @@ individual computers. For decades, computer scientists to some success have been
individual computers that make up such a distributed system need to be programmed for the resulting amalgamation to
behave in a predictable, maybe even a desirable way. Though seemingly simple on its surface, this problem has a
surprising depth to it that has yielded research questions for a whole field for several decades now. One particular
as-of-yet unsolved problem is resistance against *theia attacks* (or "sybil" attacks in older terminology)*.
as-of-yet unsolved problem is resistance against *theia attacks* (or "sybil" attacks in older terminology).
Named after the 1973 book by Flora Rheta Schreiber on dissociative identity disorder, a sybil attack is an
attack where one computer in a distributed system pretends to be multiple computers to gain an advantage. From my
standpoint, naming a type of computer security attack after a medical condition was an unfortunate choice. For this
reason this post uses the term *Theia attack* to refer to the same concept. This is named after a greek godess of
light and glitter and alludes to the attacker performs something alike an optical illusion, causing the attacked to
perceive multiple distinct images that in the end are all only reflections of the same attacker.
attack where one computer in a distributed system pretends to be multiple computers to gain an advantage. From your
author's standpoint, naming a type of computer security attack after a medical condition was an unfortunate choice.
For this reason this post uses the term *Theia attack* to refer to the same concept. Theia is a greek godess of light
and glitter and the name alludes to the attacker performing something alike an optical illusion, causing the attacked
to perceive multiple distinct images that in the end are all only reflections of the same attacker.
The core insight of computer science research on theia attacks is that there cannot be any technological way of
preventing such an attack, and any practical countermeasure must be grounded in some authority or ground truth that is
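Review bot: the rewritten paragraph carries two spelling errors over from the removed text: `godess` should be `goddess`, and `greek` should be capitalized as `Greek`. `performing something alike an optical illusion` is not idiomatic; `performing something akin to an optical illusion` reads better. One wording point on the corrected sentence: describing "sybil" as `older terminology` is misleading when it is this post that introduces `Theia attack`; `the usual terminology` is more accurate and helps readers who look the concept up under its established name.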
@ -115,24 +115,32 @@ else to fool the system.
Identity between Cyberspace and Meatspace
=========================================
A common thread in all of these solutions, be it the Facebook'esque Stasi_ methods or the crypto-anarchist
challenge-response utopias, is that they all approach digital identity as a question of Objective Truth™ that can
unanimously be decided at a system level—or that can be externalized to the next larger system such as the state. Alas,
the important question remains unasked:
A common thread in these solutions, from the Facebook'esque Stasi_ methods to the crypto-anarchist challenge-response
utopias, is that they all approach digital identity as a question of Objective Truth™ that can unanimously be decided at
a system level—or that can be externalized to the next larger system such as the state. Alas, the important question
remains unasked:
What *is* identity?
Departing from all the systems outlined above, I want to make a suggestion on how we can approach this topic in a more
practical, less discriminatory [#discriminatory]_ manner. I think both using people's social connections and proxying
the decisions of external authorities such as the state are bad systems to decide who is a person and who is not. I will
now illustrate this point a bit. Let us think about how many digital identities a human beign might have. First,
consider the case of n=0, someone who simply wants no business with the system at all. For simplicity, let us assume
that we have solved this issue of consent, i.e. every person who is identified by the system consents to this practice.
For n=1, the approaches outlined above all provide some approximate solution. States may not grant every human
sufficient ID (e.g. children, the mentally disabled or prisoners might be left out), and the social systems might fail
to catch people who simply do not have any friends, but otherwise their approximations hold. Maybe. But what about n=2,
n=3, ...? None of these systems adequately consider cases where a human being might legitimately wish to hold multiple
identities, non-maliciously.
The answer to this question certainly depends on the system being examined. For example, an important reason the
capitalist corporations mentioned above require knowledge about their users' identity is to generate plausible
statistics for the advertisers that form their customer base, similar to how a farmer will keep statics on yield and
quality for the buyers of his crop. With this background, a full decoupling of platform accounts from a notion of legal
identity seems at odds with the platform's business model—and we will have to adjust our expectations for reform
accordingly.
A common thread among all systems mentioned above is that they all have a social component to them. For this common use
case of social systems, I want to make a suggestion on how we can approach digital identity in a more practical, less
discriminatory [#discriminatory]_ manner than any of the methods we discussed above. I think both using people's social
connections and proxying the decisions of external authorities such as the state are bad systems to decide who is a
person and who is not. I will now illustrate this point a bit. Let us think about how many digital identities a human
beign might have. First, consider the case of n=0, someone who simply wants no business with the system at all. For
simplicity, let us assume that we have solved this issue of consent, i.e. every person who is identified by the system
consents to this practice. For n=1, the approaches outlined above all provide some approximate solution. States may not
grant every human sufficient ID (e.g. children, the mentally disabled or prisoners might be left out), and the social
systems might fail to catch people who simply do not have any friends, but otherwise their approximations hold. Maybe.
But what about n=2, n=3, ...? None of these systems adequately consider cases where a human being might legitimately
wish to hold multiple digital identities, non-maliciously.
Consider a hypothetical lesbian, conservative politician. An active social media presence is a core component of a
modern politician's carreer. At the same time, "conservative homophobe" is still well within the realm of tautology and
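Review bot: two typos survive the rewrite: `statics on yield and quality` in the new business-model paragraph should be `statistics`, and `human beign` should be `human being` (also `carreer` in the unchanged context should be `career`). The new paragraph opener `A common thread among all systems mentioned above is that they all have a social component` repeats the section's first sentence `A common thread in these solutions` almost verbatim a few lines apart; suggest something like `All of the systems above also share a social component` to avoid the echo.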
@ -150,38 +158,63 @@ identities, and we do not have a technical or political answer to it. All hope i
undo this gordian knot by acknowledging an unspoken assumption that underlies any social relationships between real
people, past the procrustean bed of computer systems or organizational structures these relationships are cast into.
Identity is subjective. Identity arises from a relationship between people, and the same person might legitimately
have multiple identities to different people.
As a function of social interaction, digital identities conform to roles_ in sociological terminology, and are not
at all the same as personhood_. Roles are subjective and arise from a relationship between people, and a single
person might legitimately perform different roles depending on context.
Thinking beyond the straw man politician above, this is evident in more subtle ways in almost all our everyday
relationships: Some people may know me by my legal name, some by my online nickname. To some I may be a computer
scientist, to some a flatmate. None of my friends and acquaintances have ever wanted to see my passport, or asked to
take my DNA to ascertain that I am a distinct human being from the other humans they know. Also, it would simply be
exceedingly weird for someone I know to snoop around the other people I know, trying to build a map of where these
people know me from and whether they think the same about me. Yet, this concept of a single, consistent, global, true
identity is exactly what up to now all technological solutions to the identity problem are trying to achieve.
When computer scientists or programmers are creating new systems, there always is an (often implicit) modelling stage.
Formally, during this stage a domain expert and a modeller with a computer science background come together, each
contributing their knowledge to form a model that is both appropriate for real-world use and practical from an
engineering point of view. In practice, these two roles are often necessarily fulfilled by the same person, who is often
also the programmer of the thing. This leads to many computer systems using poor models. A typical example of this issue
are systems requiring a person's name that use three input fields labelled "First Name", "Middle Initial" and "Last
Name". These systems are often created by US-American programmers, who are used to this naming schema from their lived
experience. Unfortunately, this schema breaks down for those few billion people who use their last name first, who have
more than one middle name, or who have multiple given names and do not normally use the first one of those.
Once a system creator's implicit assumptions have been encoded into the system like this, it is often very hard to get
out of that situation. A pattern to use during careful modelling is to keep the model flexible to account for unforeseen
corner cases. For example, when modelling a system requiring a person's name, one would have to ask what the name is
used for. It may be the most sensible decision to simply ask the user for their name twice: Once in first name/last name
format for e.g. tax purposes, and once with a free-form text field for e.g. displaying on their account page.
While for names, many systems already use some form of flexible model by e.g. having a *handle* or *nickname* separate
from the *display name*, "social" systems still often are stuck with an identity model based around a concept of a
single, rigid identity. In practice, people perform different roles_ in different circumstances. When asking for a
person's identity, one would get wildly different answers from different people. A person's identity as perceived by
others is coupled to their relationship more than to some underlying, biological or administrative truth. Thinking back
to the straw man politician above, this is evident in subtle ways in almost all our everyday relationships: Some people
may know me by my legal name, some by my online nickname. To some I may be a computer scientist, to some a flatmate.
None of my friends and acquaintances have ever wanted to see my passport, or asked to take my DNA to ascertain that I am
a distinct human being from the other humans they know. Likewise, identifying me by my social connections is impractical
as it would require an exceedingly weird amount of what can only be described as snooping. Yet, this concept of a
single, consistent, global, true identity is exactly what up to now all technological solutions to the identity problem
are trying to achieve.
Building Bridges
================
I think I can offer you one main take-aways from the discussion above.
Focus on relationships, not identity.
During modelling social systems, focus on relationships—not identity.
Rephrased into more actionable points, as someone designing a digital system, do the following:
Rephrased into more actionable points, as someone designing a social digital system, do the following:
1. Allow people to chose their own identifier. Don't require them to use their real names, they may not wish to
disclose those or they may not be in a format that is useful to you (they may be too long, too short, too
ubiquituous, in foreign characters etc.). A free-form text field with a reasonable length limit is a good
0. Early in the design stages, take the time to consider fundamental modelling issues like this one. If you don't, you
will likely get stuck with a sub-optimal model that will be hard to get rid of.
1. Where possible, be flexible. Allow people to chose their own identifier. Don't require them to use their real names,
they may not wish to disclose those or they may not be in a format that is useful to you (they may be too long, too
short, too ubiquituous, in foreign characters etc.). A free-form text field with a reasonable length limit is a good
approach here.
2. Do not use credit cards or phone numbers to identify people. There are many people who do not have either, and
scammers can simply buy this data in bulk on the darknet.
3. Allow people to create multiple accounts [#accountswitchopsec]_, and acknowledge the role of social relationships in
3. Allow people to create multiple identites [#accountswitchopsec]_, and acknowledge the role of social relationships in
your interaction features. People have very legitimate reasons to separate areas of their lifes, and it is not for
you or your computer to decide who is who to whom. If your thing requires a global search function, re-consider the
data protection aspects of your system. If you want to encourage social functions in the face of bots and trolls,
make it easy for people to share their identities out-of-band, such as through a QR code or a copy-and-pasteable
short link.
short link. If you require someone's legal name or address for billing purposes, unify these identities behind the
scenes if at all and allow them to act as if fully independent in public.
While change of perspective comes with its share of user experience challenges, but also with a promise for a more
human, more dignified online experience. Perhaps we can find a way to adapt cyberspace to humans, instead of continuing
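Review bot: the new billing sentence `unify these identities behind the scenes if at all and allow them to act as if fully independent in public` needs its data-protection consequence spelled out: a server-side link between a person's public identities is exactly the linkage the straw man politician must keep secret, and it is exposed by a breach, a legal request or an insider. Suggest adding that the link is stored only where billing needs it, is access-restricted, and is never surfaced through search, recommendations or account-suggestion features, which ties the point back to the `re-consider the data protection aspects of your system` advice in the same list item. `if at all` also reads awkwardly; `only if you must` says it better. Spelling in the new list items: `chose` should be `choose` and `ubiquituous` should be `ubiquitous`; in the unchanged context, `one main take-aways` should be `one main take-away`, `areas of their lifes` should be `areas of their lives`, and `While change of perspective comes with its share of user experience challenges, but also with a promise` mixes `While` with `but`; `This change of perspective comes with its share of user experience challenges, but also with the promise` fixes it. Finally, starting the enumerated list at `0.` renders in docutils but triggers an info-level "start value not ordinal-1" message; renumbering the four items 1 to 4 avoids it.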
@ -190,12 +223,13 @@ trying it the other way around.
.. _astroturfing: https://en.wikipedia.org/wiki/Astroturfing
.. _Stasi: https://en.wikipedia.org/wiki/Stasi
.. [#cryptocurrency] Pseudo-currencies in that while they provide some aspects of a regular currency such as ownership and
transactions, they lack most others. Traditional currencies are backed by states, regulated by central banks
tasked with maintaining their stability and ultimately provide accountability through law enforcement, courts and
political elections.
.. [#cryptocurrency] Pseudo-currencies in that, while they provide some aspects of a regular currency such as ownership
and transactions, they lack most others. Traditional currencies are backed by states, regulated by central banks
tasked with maintaining their stability and ultimately provide accountability through law enforcement, courts
and political elections.
.. [#discriminatory] Discriminatory as in discriminating against minorities, but also as in deciding what is and what is not.
.. [#discriminatory] Discriminatory as in discriminating against minorities, but also as in deciding what is and what is
not.
.. [#accountswitchopsec] This does mean that you should not actively prevent people from creating multiple accounts. It
does not necessarily entail building a proper user interface around this practice. If you do the latter, e.g. by
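Review bot: this hunk only re-wraps the two footnotes to the line width; the single wording change is the added comma after `Pseudo-currencies in that`. Reflow-only edits like this are easier to review in a separate commit from the content changes above, since the rewrapped lines otherwise look like rewrites.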
@ -206,3 +240,5 @@ trying it the other way around.
.. [#meatspacefn] Meatspace_ is where people physically are, as opposed to cyberspace
.. _Meatspace: https://dictionary.cambridge.org/dictionary/english/meatspace
.. _roles: https://en.wikipedia.org/wiki/Role
.. _personhood: https://en.wikipedia.org/wiki/Personhood
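Review bot: the new link targets `roles` and `personhood` are both referenced in the body hunk (`roles_` in the rewritten relationships paragraph and again in the modelling section, `personhood_` once), so they resolve and docutils will not complain about unknown targets; keeping them grouped with the existing `Meatspace_` target as done here is the right place for them.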