Abuse resistant anonymous publishing

George Danezis George.Danezis at cl.cam.ac.uk
Thu Sep 29 13:56:57 UTC 2005


Hi or-talk (and Ben),

I am sorry to be jumping in the middle of the wikipedia-Tor debate, but Steven 
Murdoch just made me aware of it. A while back I had a short discussion with 
Roger about a possible way of mitigating abuse through anonymity systems like 
Tor on open publishing systems like wikipedia (and with additional precautions 
Indymedia). I have further discussed this with Ben Laurie at PET 2005.

The basic idea is quite simple: anonymity allows users to avoid being 
associated with a persistent identifier that could be used to filter out abuse 
cheaply. It is in fact a Sybil attack, ie. one user can pretend to be multiple 
users. Note that this can also happen if one controls many nodes (through a 
bot net for example). The aim of our protocol is to be able to associate 
persistent identifiers, with posts that are controversial (through a process 
that is defined), to be used to filter abuse (note that these do not have to 
be an identity, but only be useful to filter abuse). We should also try to 
maintain the user's anonymity, and at least plausible deniability.

My favorite approach in solving these problems is using and assuming the 
existence of social networks. In the case of Indymedia, I know they exist 
(people get teargassed together in the streets quite routinely -- this creates 
solid bonds), in the case of wikipedia it might be the case that they will 
have to be cultivated (through better flagging up who is the responsible 
editors for sections, who has been contributing so far to an article, and 
on-line chat forums where people can discuss).

Thus I will assume that getting introduced in to someone that is involved in 
wikipedia is not hard, but getting introduced to all/many people as having 
different identities is hard! (gmail and orkut has proved that it is posible 
to have an invite only system with a small seed ending up being quite 
inclusive). As a result we can have a graph that describes who has been 
introduced by whom (lets call it the wikipedia introduction graph, or just 
intro graph). Furthermore this graph has a couple of 'roots' ie the people who 
are 'in-charge' of wikipedia, or multiple roots (by section for example -- if 
we chose the people that magame sections of the site).

Example path from Root to User Charlie to be used in examples...:

Root -> Alice -> Bob -> Charlie

The protocol has three phases:

1) Introduction -- someone that is already in the intro graph 'introduces' a 
new user into the graph. They do this because they know the user or have 
chatted to him... From a technical point of view this provides the new user 
with the necessary (anonymous?) credentials to post to/modify the site.

2) Each action of the user is 'authenticated' using the credentials, and a 
'signature' is generated. This signature provides any third parties with the 
Root that the user is attached.

3) Responsibility allocation: If the action is deemed abusive by the Root (or 
a collective mechanism like voting / veto / ...), then the Responsibility 
allocation mechanism is started by the Root. This means that step by step the 
path lining the user Charlie to the Root is walked (starting at the Root, then 
Alice, then Bob then Charlie) until someone 'takes responsibility for the 
post. This process can depend on Alice and Bob (ie it must not be possible to 
trace without their consent) but if they do not collaborate in the tracing 
they accept to take responsibility. The article is tagged with the full traced 
path from the Root to the principal that has taken responsibility.

Mini-FAQ:

Why is this helping at all against abuse?

Assuming that it is hard to get multiple connections to the intro graph, 
persistent offenders can be identified, either by their own username or the 
username of the person who consistently introduces them. This is incentives 
compatible: you do not want to introduce people that may abuse the system 
otherwise abusive messages will be tagged with (and possible filtered on the 
bases of) your name! The chain from the Root to the user assuming 
responsibility for the article can them be used (very much like IPs or user 
names today) to implement filtering policies. Furthermore these policies can 
be specified by the users and do not need to be centralized and applied by the 
server.

What about anonymity?

No real IDs ever need to be traced! The design does not require step 1 to 
provide a real name at all, and in any case the design can ensure (through the 
use of crypto-fu?) that authentication only reveals the first hop (ie Alice). 
Others need to collaborate to ask further down the chain for someone to take 
responsibility. In any case the final user is no certain as we will see...

Wait a sec, a bad user can connect other abusive users easily!?

Yes as soon as an abuse user connects to the intro graph they can introduce as 
many of their friends as they like! This is the reason why filtering policies 
need to make use of the full path from the Root to the user that ultimately 
takes responsibility: a user that consistently introduces many other abusers 
will always be on the path, and can be used to filter stuff out! As a side 
effect of this one cannot (and should not) trust that the user that finally 
took responsibility is indeed the initiator of the abusive action. They could 
be a Sybil or another person up the chain that disagrees with the fact that 
this action constitutes abuse!

Why are you calling it 'taking responsibility' instead of tracing?

The point of the protocol is for someone to say 'I stand by this action' -- 
his path to the root can then be used for filtering such action out, by users 
that do consider it as abuse. Note that there is always contention in online 
communities about what constitutes abuse and this mechanism allows for 
differing opinions. Then there can be different policies filtering out 
different users in the chain. Possibly anyone (not just people on the Path 
between Root and Charlie) should be able to take responsibility and have the 
item tagged with their path.

What about abusing the anti-abuse system?

There is a risk that trolls will abuse the action of requesting tracing/taking 
responsibility for all actions, trying to get as much information as 
possible/wasting time/undermining confidence in the system. The conditions 
under which this mechanism is initiated is really not clear, (Root decides, 
voting, veto, ...). In any case it is a good idea for someone to take 
responsibility of the initiation of this process by tagging the request with 
their path to the Root. This way Root, Alice and Bob can filter out persistent 
abusers of the anti-abuse system :-). There is no contradiction there: 
anonymous political speech is a right (hence this complex system), but 
moderation (censorship?) has to be done transparently, and those doing it must 
come forward by tagging their action with their path to Root.

It seems that Root has a lot of power in all this (== your system embodies 
fascist values!)?

Yes, this is a problem. At the same time there is nothing stopping (aside from 
efficiency and the appropriate crypto-fu) full decentralization. Each person 
can be their own Root, and apply custom filtering according to the paths 
relative to them. Note that taking responsibility cannot be abused any more 
than before (since either you connect directly to the abuser, at which point 
you should know better, or you are still connected through nodes that will not 
consider your action abusive and will take responsibility for it!).

Ok, so how do we do all this magic?

It is clear that a trusted third party can do all this efficiently. Can we 
find a variant of certificate systems that allow delegation in an anonymous 
way to decentralize all this, and make sure that no one party can screw any 
other? Open research problem -- I am working on it!

Any feedback is welcome!

George



More information about the tor-talk mailing list