Kevin Burton
OpenPrivacy.org is building an Internet platform to take us into the next age - the age of secure personalized information. Basic to this goal is a platform that will provide people with complete control over their personal information and aid them in protecting their privacy while simultaneously enabling more efficient data mining by marketers and the access to highly desirable market segments by advertisers.
OpenPrivacy creates a secure marketplace for anonymous demographic and profile information, and a distributed, attack-resistant, reputation-based rating system that can be used for everything from item selection and ordering to search result filtering. Further, this system is completely open, allowing multiple communication mechanisms, languages and ontological meanings to coexist. This platform thrives on diversity.
To accomplish our goals, we introduce three new concepts: Opinions, Bias and Reputations. These are all first class, signed objects that are created at will under a multitude of pseudonymous entities maintained by the user. A fourth concept, that of a personal profile, is created virtually from a collection of the first three objects in such a way that only the owner of the information can validate the connections between them. However, if granted access, others (marketers, advertisers, online community builders and the like) may mine the profile for potentially profitable or otherwise valuable correlations while the owner of the profile maintains her anonymity.
While we provide a system that securely protects one's privacy, we are focusing our efforts on creating an open system. By "open" we mean much more than merely being Open Source[open] with open, published APIs. We are creating a mechanism for communication and interaction that provides free and open access to all.
In order to be able to freely search for and collect, read, write, publish and distribute information in a highly networked society without fear of reprisal, there must be a mechanism that can dissociate a user from her actions. It is our intention and firm belief that pseudonymous entities, combined with our concepts of reputation and their intrinsic value, will form the cornerstone of a powerful and unlimited communications mechanism that allows us to make better informed, useful and profitable decisions.
What you do tells a lot about who you are. For example, where you live, for whom you work (and how much money you make), where you went to school, when and what your grades were, what kind of car you drive, where you eat and what movies and plays you see, the magazines to which you subscribe and the organizations to which you belong, where you go on vacation and how much (and on what) you spend -- all of this data is collected by government agencies, corporations and direct marketers for the express purpose of providing you with enhanced services and the improved lifestyle that comes with them.
Of course, the problem herein lies in the fact that you have little control over who collects this information and far less control over how it is used, to whom it is sold, etc. While strong laws (such as those that exist in the European Union) can attempt to stem the abuse and misuse of personal information, in actuality it comes down to the fact that the consumer simply has to trust those who hold the power to do the right thing.
Systems like the Anonymizer[anon] and Freedom[zero] provide the essential anonymity needed to protect oneself from being watched while online, but they lack a way to create and profit from a long-lived pseudonymous identity. In today's online world, people want enhanced services such as personalized home pages, recommended reading lists, targeted advertising and respect within their communities. Many systems have been created to address these desires, such as my.Yahoo.com, Amazon.com's book recommendations and Slashdot.org, but these have problems, too. A very basic issue here is that a person who develops a good reputation on one site cannot carry that reputation with them to another. A deeper issue is that all of your information is known by the creators of these sites and can be used by them at will.
OpenPrivacy provides a framework for building intercommunicating systems that supports the concept of reputation through opinion accumulation. Opinions, which can be attached to any object such as pseudonyms, purchase histories, physical objects (using an expanded URI namespace), reputation servers, and even opinions and reputations themselves, are pervasive and directly affect every aspect of OpenPrivacy-enabled systems. One example of how this framework can be used is as a customizable privacy-enhanced personal portal with reputation-assisted search and publishing features [rept]. We are also creating reputation calculation engines that will provide work-alike similarity for the communities created by the likes of Slashdot and Advogato. Once systems such as these are built on the OpenPrivacy platform, not only will their users enjoy enhanced privacy and security from spoof attacks, but they will also be able to publish selected portions of their profiles for access by the members of these and other communities. Likewise, advertisers can avail themselves of targeted, high-quality profile information with the full cooperation and confidence of a pseudonymous user; conversely, the user can benefit from the targeted ads and promotions that will result.
We introduce a set of Reputation Services that form the cornerstone of the OpenPrivacy framework. These services provide a standard opinion and reputation framework that can be used by any community, supporting an unlimited number of mechanisms to create, use and calculate results from accumulated opinions, bias and reputations. The implementor of these services can nest or reuse an existing Reputation Calculation Engine (RCE) or roll their own. They gain the ability to query remote RCEs, to perform ontological forwarding, and share all or part of their users' profile database with other communities without violating user privacy.
A reputation management system, which implements the reputation services, acts as a peer in a distributed network supplying the capability to create, store and forward opinions (either autonomously or under user control), manage bias structures (including creation and validation) and calculate reputations. More specifically, a reputation management system implements the following interfaces:
OpenPrivacy uses a nym service to create and manage a set of pseudonymous virtual users - generally represented by public-key pairs - that inhabit OpenPrivacy space. A primary, or "parent," nym can be created by the nym service; the parent can then use the service to beget any number of child nyms, which can in turn recursively employ a nym service to beget grandchildren. This creates a hierarchical nym-space in which child nyms cannot be linked by a third party as originating from the same parent, but a parent can execute a validation mechanism to create an anonymous certificate proving that a set of child nyms were created from the same parent. (And of course, the parent can do so non-anonymously if it so chooses.)
This is a key facility (pun intended) of the OpenPrivacy platform, as anonymity can too easily be pierced by what is known as "data triangulation." For example, knowing only the age and zip code of a heretofore anonymous person, plus the make and model of their car, can narrow the population quite a bit, often to one person. However, if each of these data points were stored under a different nym, then the same data exists but cannot be connected to a single person, nor even to each other. Others can make opinions as to what data is connected - and gain or lose reputation according to the value and usefulness of their opinions - but only the owner can prove it. Mechanisms exist that allow for such proof to be tied to a single receiving party, such that further dissemination of the proof without permission would directly - and adversely - affect the reputation of the receiver.
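The parent/child nym structure described above, as an added illustration that is not OpenPrivacy or Sierra code: every nym is an independent key pair (so nothing links siblings), and the parent issues a signed validation certificate over a set of child public keys that anyone can check against the parent's public key alone. The 128-bit toy Schnorr group and the `Nym`, `issue_validation` and `check_validation` names are assumptions of this example.

```python
"""Hierarchical nym-space with parent-issued validation certificates.
Added illustration, not Sierra/OpenPrivacy code. A Schnorr signature over a
small (hence insecure) safe-prime group is built from the standard library so
the block runs stand-alone; a deployment would use a real signature scheme."""
import hashlib
import random
import secrets


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits: int, seed: int = 0):
    """Return (p, q, g) with p = 2q + 1 prime and g generating the order-q subgroup.
    Group parameters are public, so a seeded generator is fine here."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4  # 4 is a quadratic residue, hence of order q


P, Q, G = safe_prime_group(128)  # toy size: discrete logs here are easy


def _challenge(r: int, msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(r.to_bytes(32, "big") + msg).digest(), "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1  # private key, never published
    return x, pow(G, x, P)            # (private, public); the public key is the nym


def sign(x: int, msg: bytes):
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k - e * x) % Q


def verify(y: int, msg: bytes, sig) -> bool:
    e, s = sig
    return e == _challenge(pow(G, s, P) * pow(y, e, P) % P, msg)


class Nym:
    """A pseudonym is a key pair; only the parent remembers which nyms it begot."""

    def __init__(self, label: str):
        self.label = label
        self._x, self.public = keygen()
        self.children = []

    def beget(self, label: str) -> "Nym":
        # A child is a fresh, independent key pair: nothing in its public key is
        # derived from the parent's, so a third party cannot link siblings.
        child = Nym(label)
        self.children.append(child)
        return child

    def sign(self, msg: bytes):
        return sign(self._x, msg)


def _validation_message(children: list) -> bytes:
    return b"openprivacy-validation:" + b",".join(sorted(str(y).encode() for y in children))


def issue_validation(parent: Nym, children: list) -> dict:
    """Anonymous certificate: the parent proves these child nyms share one parent,
    revealing nothing about itself beyond its own public key."""
    pubs = [c.public for c in children]
    return {"parent": parent.public, "children": pubs, "sig": parent.sign(_validation_message(pubs))}


def check_validation(cert: dict) -> bool:
    return verify(cert["parent"], _validation_message(cert["children"]), cert["sig"])
```

Adding a stranger's public key to the certificate, or swapping in a different parent, makes `check_validation` fail, which is exactly the property the validation mechanism needs.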
OpenPrivacy's reputation management system can assemble a set of related opinions into a bias. Bias is maintained via additional RCEs (possibly object clones) with different opinion sets. When a nym J_i creates new Opinions and adds these to an RCE, a smart implementation may choose to append these to J_i's bias for later use by getReputation requests so that results are better tailored for the nym.
Often, a bias may consist of Opinions from multiple nyms, particularly since a parent nym may use multiple child nyms to make successive requests. Further, a nym may want to use the bias from someone else altogether, for it may want to benefit from the bias of someone it holds in high regard. Finally, an RCE itself may be created with and/or develop a bias through its standard activities. For example, it may use sophisticated collaborative filtering techniques to develop its own opinions and associated bias.
Reputation Calculation Engine (RCE)
The reputation calculation engine is the brains of OpenPrivacy's reputation service, as it determines opinions on the information it has available. In its simplest incarnation, an RCE might do little more than mechanical collaborative filtering to create its opinions. But a sophisticated RCE has additional information at its disposal, such as the reputations of the various local opinions (and their, recursive, reputations), access to the opinions of other, remote RCEs, the calculated or gifted bias of the requester, and even hand-tweaking by its human maintainer. Ultimately, what form its opinions take, their quality and other factors are judged by its peers who may then assign it a reputation, and seek its advice -- or not.
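A toy RCE in the sense of the two preceding sections, added here and not taken from Sierra: opinions carry a hash-derived identifier so no two stored opinions collide, a requester's bias is built from its own opinions about other nyms, and getReputation weights each opinion by that bias, falling back to the opinion maker's own recursively computed reputation. The sample opinions, the numeric -1..+1 opinion values and the class names are constructed for this example.

```python
"""A minimal reputation calculation engine (RCE) with requester bias.
Added illustration, not Sierra code: real opinions are signed objects; here
they are plain records given a hash-derived identifier."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Opinion:
    author: str     # nym of the principal voicing the opinion
    reference: str  # what it is about: another nym, an article URI, ...
    value: float    # -1.0 (worthless) .. +1.0 (excellent)

    @property
    def oid(self) -> str:
        """Identifier derived from a hash so no two stored opinions are identical."""
        raw = f"{self.author}|{self.reference}|{self.value}".encode()
        return hashlib.sha256(raw).hexdigest()


class OpinionStore:
    """The persistent store behind putReputation()/getReputation(); in-memory here."""

    def __init__(self):
        self._ops: Dict[str, Opinion] = {}

    def put(self, op: Opinion) -> None:
        self._ops[op.oid] = op  # an identical opinion (same oid) is stored once

    def about(self, reference: str) -> List[Opinion]:
        return [o for o in self._ops.values() if o.reference == reference]

    def by(self, author: str) -> List[Opinion]:
        return [o for o in self._ops.values() if o.author == author]


class RCE:
    def __init__(self, store: OpinionStore, default_weight: float = 1.0, depth: int = 2):
        self.store = store
        self.default_weight = default_weight  # weight for opinion makers nobody has rated
        self.depth = depth                    # how far to recurse into makers' reputations

    def bias_of(self, nym: str) -> Dict[str, float]:
        """Bias: the accumulated opinions of one principal, used here as trust
        weights for the nyms it has rated (negative trust counts as zero weight)."""
        return {o.reference: max(0.0, o.value) for o in self.store.by(nym)}

    def get_reputation(self, reference: str, bias: Dict[str, float],
                       depth: Optional[int] = None) -> Optional[float]:
        """Weighted mean of the opinions about `reference`. Each opinion is weighted
        by the requester's bias toward its author; absent that, by the author's own
        (recursively computed) reputation; absent that, by default_weight."""
        depth = self.depth if depth is None else depth
        num = den = 0.0
        for op in self.store.about(reference):
            if op.author in bias:
                w = bias[op.author]
            elif depth > 0:
                rep = self.get_reputation(op.author, bias, depth - 1)
                w = self.default_weight if rep is None else max(0.0, rep)
            else:
                w = self.default_weight
            num += w * op.value
            den += w
        return None if den == 0 else num / den


def demo_store() -> OpinionStore:
    """Constructed sample opinions (not real data)."""
    store = OpinionStore()
    for author, ref, value in [
        ("bob", "article:42", 1.0),
        ("carol", "article:42", -0.5),
        ("alice", "bob", 0.8),    # alice trusts bob strongly ...
        ("alice", "carol", 0.2),  # ... and carol only a little
        ("dave", "carol", 1.0),   # dave trusts carol fully ...
        ("dave", "bob", 0.0),     # ... and bob not at all
    ]:
        store.put(Opinion(author, ref, value))
    return store


if __name__ == "__main__":
    rce = RCE(demo_store())
    for who in ("alice", "dave"):  # same reference, different bias, different answer
        print(who, rce.get_reputation("article:42", rce.bias_of(who)))
    print("unbiased", rce.get_reputation("article:42", {}))
```

With the constructed opinions, alice's bias yields 0.7 for the article and dave's yields -0.5, while a requester with no bias gets about 0.1 because bob's and carol's own reputations (0.4 and 0.6) become the weights.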
The reputation server's opinion store supports the putReputation() and getReputation() methods which access some form of persistent data store. The store may be anything from simple in-memory hash tables to a full-blown Oracle database. We include the mention of the interface here only for completeness.
OpenPrivacy implements a coarse-grained capability-based framework in which each nexus of reputation services - generally located one to a hardware machine - is considered to be a secure computation environment (or "vat" [dist]) with respect to itself. Communications between vats are signed and encrypted, but also asynchronous and may be unreliable. Secure streams can be built, analogous to the way in which SSL is implemented on top of TCP, which is in turn implemented on top of UDP, but are not required for operation. Note that communication channels, as well as the objects they transport and reference, can themselves gain or lose reputation capital according to their security, reliability and speed. While we leave the specifics of the communications implementation as outside the scope of the OpenPrivacy framework per se, we believe that a secure, anonymous and uncensorable mechanism such as those that Freenet, Free Haven or Publius [free] provide would be well suited to most users' desires for robust, distributed and private communications.
Sierra - The Reference Reputation Management System
Sierra is the reference implementation of our Reputation Management System. It is based on the Talon component framework and defines our RCE plug-in mechanism.
Sierra incorporates various subsystems which should be used by most RCE implementations. It defines our Nym management system, Store interface, Query interface and the Reputation objects which we use as Payload holders. Developers that wish to build RCEs or incorporate a Reputation Management System with their application should evaluate Sierra.
Talon - Reputation based Component Management System
Talon is a flexible component system which we expect will become the cornerstone of all OpenPrivacy applications. Talon is simple yet powerful, sharing many of the characteristics of XPCOM and Microsoft COM [comp]. However, Talon solves a number of problems with these existing systems and also incorporates Reputations (Sierra) as part of its Component factory mechanism. Since Talon uses RCEs to determine what components to return, natural selection can take hold and a Talon-based system can "evolve" over time to become more efficient and powerful. This mechanism is similar to advanced profiler technologies [prof] but works with distributed systems.
Reptile - A Privacy and Reputation-enhanced Internet Portal
Reptile is a reputation-enhanced portal built using Mozilla technologies. Decentralized and peer-to-peer, Reptile can be used as a personal portal or within a corporate intranet, and features enhanced security as well as the ability to keep a user's profile anonymous. Further, it allows for the attachment of Opinions to news stories (and to Opinion makers), which enables using reputation mechanisms to more accurately find and filter information.
Reptile taps XML (RSS) channels that are published via the Open Content Syndication (OCS) mechanism. Reptile also supports the pseudonymous publishing of preferences as well as the creation of nym-based RSS channels that may be subscribed to (and earn reputation from) other peers on the network.
OpenPrivacy-enabled Communities, viz. Slashdot Moderation for Advogato and Trust Metrics for Slashdot
An RCE can be created to emulate the reputation mechanisms and trust metrics of any community and bring it the added benefits of secure - and portable - reputation management. To illustrate the power of this technology, we will create work-alike replacements for two well-known and very different communities (currently we are targeting Slashdot and Advogato [comm] as their open source code base will simplify the effort). We will then show how reputations for one community can be migrated to the other, and further, that they will be able to commingle with the reputations of the Reptile users described above.
This process will highlight the management process of reputations at several levels:
- the sysadmin has the power to define the extent to which sharing is permitted
- the profile owner specifies what parts of her profile she wishes to share
- the reputation calculation engine, working on behalf of the community or a particular user, can independently apply weightings to pseudonymous profile segments
Within any society, anonymity has decided usefulness. Freedom from observation and monitoring of one's physical location, purchases, reading and movie viewing preferences and history are, by and large, no one else's business. There is a reasonable expectation of privacy through confidentiality contracts made between a person and their school, employer, financial institutions and health providers. As well, in a less common but no less important role, the cloak of anonymity can be used by the oppressed to bring the sins of their oppressors to light without fear of retribution.
That said, law enforcement has traditionally been concerned about people being able to act anonymously, as they perceive a need to be able to track the actions of an unknowing public via electronic wiretaps, online data collection and physical surveillance. The aggregated information is often linked to ostensibly confidential databases gathered by employers, retailers and health care providers. If law abiding citizens have their privacy violated in the process, we are told not to worry, for we can "trust the government."
Within the business world, the concept of profile data being anonymous - that is, not connected to a person's name, address and other identifying means - strikes fear into the hearts of marketers, for while they could mine the data for concordances of interest, their present belief is that they would not be able to contact the market segments so identified.
The OpenPrivacy platform enables a user to wear a cloak of anonymity while divulging information useful to others - and by extension to oneself - without losing their anonymity. She can participate in communities, browse personalized retail catalogs, and be marketed to more accurately and safely by advertisers.
Anonymity has very real limitations, both in the social and business worlds. We find trust is built on the security of knowing and building relationships with our acquaintances and places of business over time. On the flip side, companies want to be able to provide personalized services that enhance their customer's experience and further, to understand their wants and capabilities so that they can be marketed to effectively.
Trust is a key point, and when many people trust some entity it gains a positive reputation. (Note: negative reputations are possible, too.) Trust is in fact the bridge between anonymity and useful pseudonymity. The OpenPrivacy platform - through long-lived pseudonymous entities and the reputations they accrue - enables various trust metrics to be employed that support this bridge.
Pseudonymity and Reputations
The OpenPrivacy security model is based on the user's ability to have control over their profile, and optionally publish chunks of said profile, under a multitude of apparently unrelated pseudonyms. This precludes the "data triangulation" methods used by numerous agencies and corporations to accurately identify a person from their activities, even when their name is not known. Further, users can create Bias objects - useful for the personalization of e.g. search results - that contain references to a collection of Opinions that may or may not all belong to them. In fact, each Bias can be formed under yet another pseudonym. Finally, the Reputation Management System transparently handles nym management and can additionally support the ability to flag any potential data leaks believed to be dangerous to one's privacy prior to the publication process.
Despite all these easily manufactured pseudonyms, the OpenPrivacy system encourages the use of long-lived pseudonyms for purposes of reputation creation and accrual, a key factor in any functional community. Pseudonyms that have accrued valuable reputation capital can provide a solid basis for accurate, privacy-protected data mining. These pseudonyms can bestow their reputation upon a new pseudonym to allow for direct marketing, and later destroy that pseudonym to securely opt out of future unwanted campaigns. This yields a three-way win: consumers are happy because they maintain their privacy, control their information, and receive on-point advertising and promotions; advertisers are happy because they can reach highly accurate market segments with greater ease and at a lower cost; and a new breed of infomediaries can reap great benefits by freely data mining pseudonymous information, representing profile and demographic segments to advertisers and providing consumers with enhanced personalized services.
The Value of Information [Quality]
Information has been called the currency of the new economy, but what is information really worth? Here's a quote from Bruce Sterling talking about this way back in 1992:

"What's information really about? It seems to me there's something direly wrong with the "Information Economy". It's not about data, it's about attention. In a few years you may be able to carry the Library of Congress around in your hip pocket. So? You're never gonna read the Library of Congress. You'll die long before you access one tenth of one percent of it. What's important -- increasingly important -- is the process by which you figure out what to look at. This is the beginning of the real and true economics of information. Not who owns the books, who prints the books, who has the holdings. The crux here is access, not holdings. And not even access itself, but the signposts that tell you what to access -- what to pay attention to. In the Information Economy everything is plentiful -- except attention." [ster]
The OpenPrivacy framework creates value by enabling the attachment of opinions to information. Reputation calculation mechanisms - using bias metrics - then use these opinions to formulate subjective judgments as to the quality of that information. Further, OpenPrivacy enables a new service-based economy of information hunters, gatherers and filters, all adding value to their specific domains by attaching their opinions and simultaneously gaining reputation capital as they do so.
An Agoric, Reputation-based Marketplace [Capitalism]
As OpenPrivacy opinion stores and reputation calculation engines populate the online world, a natural economy is created, built upon the enhanced access to services enabled by the associated reputation mechanisms. Advertising will be much more focused, personalization will be more accurate and an agoric, service-based economy providing these services will thrive. There is no need for digital cash mechanisms to exist to bootstrap this process; the trade in information services might resemble barter. However, when used in conjunction with large, legacy databases such as those used by retail, credit or financial institutions, the power of reputations to help direct producers and consumers first to the appropriate marketplace and then to the specific goods and services desired grows exponentially.
Validation and Verifiability
OpenPrivacy supports the ability to validate groups of pseudonyms as being part of a collection. This is particularly useful when a nym wants to prove that several heretofore disparate profile fragments all derive from the same person. Further, when associated with a retail company, bank or credit institution, variants of the blind signature mechanism can be used to verify the credit-worthiness or purchase history of a person's pseudonym without divulging the identity of the owner.
There are countless applications for these capabilities when combined with marketing interests and community accountability. These will be discussed in detail in a future paper.
Efficiency Via Chaos and Bias
Chaos is an essential element for systems to evolve, for without it the unexpected changes and mutations that lead to new, often revolutionary processes will not have a chance to occur. The very fact that people are all different - not only from each other, but even from oneself from moment to moment - has a valuable ramification: we all have different opinions and bias. This points to a major failing of search engines: each person who enters the same search X probably has a slightly different mindset about what they would like to see as results.
OpenPrivacy thrives in this multitude of opinion, this diversity of thought, for though we are all different, there are certain areas in which two very different people may see eye to eye. For example, suppose person A reads the New York Times every day and finds an average of four articles that A considers tops - well worth the cost of the paper and her time to find them. Now consider that there probably exists a person B who finds the same four articles to be indispensable. The safe, secure, pseudonymous publishing environment of OpenPrivacy, along with the agoric marketplace of a million infomediaries looking for valuable concordances, make it possible for these two people to virtually meet. Further, A may strike a deal with B to provide her with the editorial filtering process, saving A time and aiding B at least in reputation if not also financially.
Security and Attack Resistance
OpenPrivacy does not attempt to defeat traffic analysis mechanisms nor locality of reference or storage attacks. Rather, our communications are transport agnostic, and we expect that many users and implementors will avail themselves of a growing number of anonymous and censorship-resistant publishing mechanisms such as Freenet and Free Haven.
A rigorous treatment of attack resistance that takes into account attacks such as denial of service (DoS), spoofing, replay, flooding, shills/slander and false claims is still being refined. However, our secure design strategy and capability-based implementation prevent these types of attacks from wreaking the havoc they can inflict upon other, less secure communications mechanisms.
- Reference: A pointer to an entity (generally a URI, often a URL). Examples include a physical or virtual object, place, person, pseudonym, web page or site, opinion, reputation, bias, profile, and reputation calculation engine.
- Nym: Short for "pseudonym," a nym is a fictitious name that can refer to an entity without using any of its directly identifiable characteristics, such as name, location, etc. OpenPrivacy uses public-key pairs to represent a nym, with the owner having sole access to the private part and the public part being published to at least one external party. A long-lived nym is useful in that it allows for trust (or "reputation") to accumulate over time and usage. Often, we refer to the public key as the "nym," as it is how the entity is known in the outside world.
- Principal: An identifiable, pseudonymous, or anonymous entity. A principal can be uniquely referenced by its public key. Any static entity that can be referenced can in theory be a principal, the only requirement being that it can store a private key and perform signature operations.
- Opinion: A unique description of something (pointed to by a reference). Uniqueness is satisfied by attaching a hash, generally created from the principal's signature, to the opinion such that no two opinions are exactly the same. An opinion may be clearly subjective (as in "openssl is a good cryptography package") or appear as a statement (as in "I live in San Francisco," where the reference is "San Francisco" and the description is "where I live").
- Reputation: A value that represents the collective opinion of some reference. A reputation is really just another name for an Opinion, as it is the calculated opinion of a Reference by the issuing Reputation Calculation Engine. Reputations are ephemeral, and the weight applied to an Opinion representing the reputation of some Reference is subjectively applied by the end user (person or program) that requests it. As Principals add their Opinion to a Reference, it accrues (positive or negative) reputation capital [tmay].
- Bias: While reputations generally reflect the sum of many opinions of a single reference, a bias is an accumulation of opinions that represent the views of a single principal. Biases may be divided by area or type of reference (such as groups of political or demographically descriptive opinions). An RCE uses one or more Bias collections in the course of its calculations.
- Offer Template: A set of seemingly disparate opinions can be grouped together (in a bias-like structure) for the purpose of finding best matches in a universe of unconnected data. A reputation service that receives an offer template may advertise prizes for parent nyms that can validate ownership of a subset of the template.
- Profile: A collection of pseudonymous opinions (also in a bias-like structure) that an entity claims that it can prove belong to a single (parent) entity. (The proof itself is called validation.) Finally, as a profile may be a singular object indistinguishable from a Reputation, the terms can be used interchangeably - the difference is often a matter of semantics.
- [anon] The Anonymizer <http://www.anonymizer.com>
- [comm] Communities; see e.g.:
  - Advogato <www.advogato.org>
  - Slashdot <www.slashdot.org>
- [comp] Component systems; see e.g.:
  - XPCOM <http://www.mozilla.org/projects/xpcom/>
  - Microsoft COM <http://www.microsoft.com/com/>
- [dist] OpenPrivacy uses capability-based security; see e.g.:
  - Distributed Computing in E <http://www.skyhunter.com/marcs/ewalnut.html#SEC36>
- [free] Distributed, censorship-resistant publishing; see e.g.:
  - Freenet <http://freenet.sourceforge.net>
  - Free Haven <http://www.freehaven.net/>
  - Publius <http://www.cs.nyu.edu/~waldman/publius/publius.html>
- [rept] Reptile <http://reptile.openprivacy.org/>
- [open] Open Source and Free Software.
  - OpenPrivacy is not only Open Source but also Free Software: we not only have the source available for inspection, but we also support the freedom to use the software as outlined by the GNU Public License (GPL). Specifically, we dual license our software under the GPL and the BSD license. This allows OpenPrivacy packages to be used within projects from the Free Software Foundation and the Apache Software Foundation, as well as many others. Commercial projects may also use OpenPrivacy software, as the BSD license is very flexible in this respect.
- [prof] Advanced profiler technologies; see e.g.:
  - Java HotSpot Technology <http://java.sun.com/products/hotspot>
- [ster] Bruce Sterling, author.
  - From a speech to the Library Information Technology Association, June 1992, San Francisco CA (the prescience of this comment is phenomenal).
- [tmay] Tim May used the term "reputation capital" in a 1994 cypherpunk paper:
  - Crypto Anarchy and Virtual Communities <http://www.idiom.com/~arkuat/consent/Anarchy.html>
- [zero] Freedom (by Zeroknowledge) <http://www.freedom.net>
Copyright © 2001 Fen Labalme and OpenPrivacy.org. http://www.openprivacy.org/papers/200103-white.html