From: "L. Detweiler" <ld231782@longs.lance.colostate.edu>
Date: Sun, 17 Oct 93 23:07:08 PDT
To: cypherpunks@toad.com
Subject: on anonymity, identity, reputation, and spoofing
In-Reply-To: <9310171819.AA21961@soda.berkeley.edu>
Message-ID: <9310180605.AA13346@longs.lance.colostate.edu>
MIME-Version: 1.0
Content-Type: text/plain


H.  Finney <hfinney@shell.portal.com>
>After going to enormous efforts to create a network of anonymous remailers,
>we are hoist by our own petard, as our list receives strange, irrelevant,
>and argumentative posts through our own anonymous remailers.  (Not all
>anonymous posts are like this, but there have been quite a few in the last
>few weeks which fall into these categories.)

I've been thinking about this a lot lately. I think a large part of the
problem as you indicate is associated with reputation. How does one
build up a reputation and identity in cyberspace in general? Part of
the problem IMHO is that this list software & the internet in general
is extremely vulnerable to a lot of different kinds of spoofing.

People are very sensitive to the perception of a `consensus' -- they
are deeply influenced by what they perceive to be the `majority
opinion'. What if that `opinion' was not an accurate representation of
reality? what if a few people were creating the illusion that some
different kind of consensus existed? what if that `agenda' were
actually something inherently wicked like lawlessness or anarchy? what
if a conspiracy created the impression that some project or progress
was underway when it really wasn't? or that some person was loudly
favored or condemned by the `group'? this could be especially
problematic if any kind of intimidation were happening `behind the
scenes' in email. who would ever know? unless the dissatisfaction
reached the list, how would we find out? another problem is that, at
the same time being strongly influenced by a lot of flames, people just
delete them out of sheer distaste and they may not be around later for inspection.

what really is our assurance that all these email addresses actually
exist and represent *unique* people? there really is very little currently. 

I think newsgroups are far less vulnerable to this kind of spoofing,
but unfortunately mailing lists are *extremely* vulnerable. (Keep in
mind, there are a whole set of other benefits and detriments in *other*
categories which I'm not talking about here.) In the former we have
thousands of subscribers all checking on each other's honesty. If a
suspicious address or opinion pops up, there is some probability
someone will notice, and cases of spoofing would probably be noise
drowned out in the representative opinion. Also, distribution is
centralized, so that `message blocking' is not very feasible.

In the latter case, i.e. mailing lists such as this one, there is a
much closer knit community that is geographically isolated. Individuals
on the list are far more susceptible to spoofing. People are more
likely to see *every* message including the `spoofed' ones. There are
far fewer people to `check up' and those that are there may not have
the technical expertise. What's worse, the list is not `distributed' in
a certain sense. If someone wants to get out the message that
`something wrong is going on' it could be censored because of the
centralization of the distribution. This wouldn't work with Usenet
because the distribution of the messages (e.g. NNTP servers) is
generally cleaved from the people with strong self-interests in the
traffic (e.g. people who post to group [x]).

This cyberspace stuff can be a *very* powerful influence on many. It is
an electronic community, and peer pressure is *extremely* powerful.
Many people do not have an extremely strong internal `moral compass'
and could be influenced by this kind of corrupt magnetism associated
with a `conspiracy of spoofing'. Note that reputations are crucial in
not only persuading us to listen attentively to those we respect, but
to `tune out' the lunatics and criminals.

* * *
Spoofing

Regarding the what also gets my vote as `strangest posting of the year'
by `S. Boxx',  Philippe D. Nave, Jr. <pdn@dwroll.dw.att.com> (based on
my email, a loyal cypherpunk and fellow Denverite!) wrote:

>[...] it seems that the point of the message is that there is a lot
>of smoke coming from people who use aliases or anonymous remailer
>services to post to the cypherpunks list. Does this posting contribute
>to that problem, or have I missed something?
[...]
>What the hell ?!? I've either missed something significant (and would
>appreciate enlightenment) or this is a candidate for 'strangest post
>of the year'. If 'S. Boxx' really exists and is the author of this
>posting, I apologize- if not, then come out from behind your damn
>remailer and quit contributing to the problem. As for monitoring the
>list for traitors, go ahead- I post under my own name, and I don't
>give a shit what you do with the text. If I was concerned about lurkers
>building 'traitor files', I'd encrypt my messages and happily watch you
>choke on them.

I think I speak for many here in saying that I weigh anonymous postings
very little, but don't consider the capability a serious problem. They
have very significant purposes in e.g. `whistleblowing' `within the
system' that I've always been attracted to.

On the other hand, I think there is an implicit assumption by virtually
everyone here that addresses on public posts and private email that are
not specifically anonymous represent *unique* people. That is, if some
people were taking advantage of the loose, free, and open atmosphere
here to influence opinion or perception of reputations by posting
messages under different presumably `real' identities (defined as
anything that is not obviously tagged as anonymous), I and probably
everyone else would feel very `upset' in the least and `violated' at
the most. It would seem like a very serious breach of community trust,
and might even have the effect of derailing positive contributions to
the `cypherpunk cause' (whether algorithmic or political, the two chief
schools of thought). I recall discussions of this related to the
Extropians list, which specifically bars this practice.

* * *
List suggestions

The fact that this `uniqueness of real identities' has always been
something of an implicit assumption here bothers me. I think anything
this delicate and important should be made formal and explicit. We
should not simply assume that `everone is honest and no one would be
depraved enough to do this.' I think the following guidelines are very
reasonable, and might be part of a list charter agreed to by new members:

1) list members are allowed *one* anonymous identity if any. They are
required to associate some name with all anonymous posts via that identity.
2) *no one* is allowed multiple `real' identities and in fact any
violation of this is considered an extremely serious breach of netiquette & honesty.
3) completely anonymous posts from `outside' the list are allowed; if
no pseudoidentity is given they are assumed to come from `outside'.

and if anyone has been posting under multiple `real' identies, I think
they owe it to everyone here to `come clean'. I don't see why anyone
would go to the trouble but if someone was just unstable or obsessive
enough to equate reputation with posting traffic, s/he might go off the
deep end. The practice amounts to `spoofing' and any patriotic
cypherpunk with some integrity ought to recognize that immediately and
condemn it, technical capabilities regardless. I would equate this
practice with `lying to one's colleagues'. spoofing is probably the #1
crime against cypherpunk ideology.

* * *
Reputations

As for reputations, what can we do about this? I think that there are a
lot of solutions to be experimented with in software. One of the best
is just to have archives that are searchable by ID. But archives are
very disk-consuming. I have some various other ideas that wouldn't
require much beyond the current database maintenance of email
addresses. Suppose that along with everyone's name, the following
statistics were presented:

1) how long they have been on the list in days, 0 if none at all
2) how many postings they have posted here
3) maybe a posting/age ratio -- some people seem to be very sensitive
or tune out people with a high one.
4) another idea: tracking the number of responses a given poster has,
average, per original post, measured by `re: [x]' subject tracking.

now, look what we get with all these. They are all simple to implement.
They all can tremendously help us weigh the various opinions that are
out there. They can set up a positive feedback system whereby `good'
posters potentially really are quantitatively identified.  Regarding
(4), one way to `punish' a poster for irrelevant postings is to simply
not respond, and they will not get any `credit' in this statistic. The
problem with this is that from my experience, sometimes my most
authoritative and finely-crafted postings generate the least response.
But note the point of all these things: they don't necessarily require
any digital signatures to implement. Authentication of postings
`allowed' to the group really seems like a separate problem to me.

Another simple idea is to have a voting system in response to postings.
People's `credit' associated with their postings could be listed in
headers too. This of course is far more ambitious, and the generally
complex problem of authentication rears its ugly head.

In addition to all this, I would like to see protocols that guarantee
honesty on the part of the list maintainer. When databases like this
are maintained, a little unilateral tweaking here and there can be
extremely deleterious to community integrity, honesty, and reputations.