Mar 25th, 2013 by JoeC
This post proposes the notion of a Collateralized Identity which ties a value asset balance and its history to a globally unique identifier. Such a CID thus becomes a means to verify the identity’s age and balance history and can eliminate the problem of disposable sockpuppet identities. Further, it proposes to use bitcoin addresses as the implementation. Bitcoin provides both a means to attach value to a GUID, and to make the balance history of the GUID publicly available and easy to verify.
“A sockpuppet is an online identity used for purposes of deception.” (Wikipedia) Sockpuppets are disposable, use-once identities created in multitudes by hacker “bots” attempting to perpetrate theft, fraud and other illegal activities. They’re also employed by so-called “trolls” or “haters” on social media and forum sites to bully, abuse and generally cause trouble for other members or to perpetrate reputation fraud by creating the appearance of greater numbers of followers or detractors.
Sockpuppets exist and work because most membership sites want as many members as possible and so endeavor to make it as easy as possible to join. This allows those intent on fraud to create large numbers of these empty identities, which if suspended or restricted, are simply abandoned for a new one.
Currently, sites attempt to combat this abuse with various methods to try to detect sockpuppetry during registration or use. For instance, “Captcha” tests attempt to ensure that a human rather than a “bot” program is creating the identity or attempting to use it. Such strategies tend to be only partially effective and are not terribly difficult to circumvent given enough cheap labor or computer horsepower.
The most effective means of combatting sockpuppets is to charge a subscription or membership fee or require some kind of deposit or collateral for joining. While being very effective, these strategies tend to discourage potential users from signing up because of the expense of joining multiple sites or lack of trust in sites to refund deposits.
This post proposes a solution to this problem – termed Collateralized Identity (or CID) – which leverages properties of the digital currency bitcoin to create a cryptographically strong identity that carries an associated time-value weight. This time-value weight is inextricably linked to the identity and can be used as a measure of the history or permanence of the identity. This is accomplished without reliance on any trusted 3rd party.
The word collateralize has multiple meanings, but for purposes of this proposal, it has the meaning “To pledge (property, for example) as collateral.” (The Free Dictionary) This post proposes the notion that an internet or digital identity:
- Be globally unique in and of itself. That is, not subordinate to a certain domain’s namespace, like an email user name is subordinate to its host’s domain name (i.e., ‘jcasciojr’ is only unique within the domain ‘gmail.com’, but ‘email@example.com’ is globally unique because ‘gmail.com’ is globally unique).
- Have a publicly determinable amount of value asset uniquely associated with it for a publicly determinable period of time.
Sites at which the identity is used can easily determine what its value asset balance history is, and decide if the identity is acceptable. It’s somewhat like a credit history score used by creditors to determine if an applicant is a good risk.
This provides a disincentive for bad behavior since if such an identity is banned or suspended it is costly in time, money or both to establish a new one. It also provides a strong incentive to secure the identity against compromise.
Sites accepting CIDs can apply whatever criteria they choose to the CID’s history to authorize functions particular to that site. For instance, a social media site may require that a new registrant’s CID must have at least 30 days of a continuous balance of the bitcoin equivalent of $50. Moreover, other members of the site can apply whatever criteria they want to, for instance, allow another member to comment on their posts or “follow” or “friend” them or whatever that particular site offers.
Since each CID is globally unique, members of sites can easily spot people they know across sites, assuming that person uses the same CID at different sites. The question of using the same or different CIDs at different sites is entirely up to each user’s preference and how much money they’re willing to tie up. Also owing to its global uniqueness, it’s possible for other users with CIDs or sites to vouch for your behavior. Admittedly, this is a two-edged sword because an unscrupulous or hacked site could impeach your reputation, but by the same token, such a site would quickly become notorious itself and be discounted as a reputation reference.
Bitcoin neatly combines all of the necessary properties needed to implement this notion.
A bitcoin address is the public key of a public/private key pair. The private key is held in the owner’s so-called “wallet” file. Bitcoin addresses are, for all intents, random numbers that are very large and hence act as globally unique identifiers (GUIDs). This public key becomes its owner’s membership identifier, her “username”, as it’s typically known, when she registers or logs in at a site. This fulfills the first requirement of a CID implementation.
Incidentally, sites accepting CIDs as usernames authenticate a registration or login not with a traditional password, which must be known by both parties, but by giving the user a nonce to sign using the private key that goes with the public key. Using the CID public key, the site can verify that the signed message was generated by the holder of the private key. This is a particularly interesting corollary property that could eliminate issues with sites being hacked and their users’ passwords or hashed passwords being stolen. Only the identity’s owner has the private key. The site has only the public key.
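The nonce login described above, sketched in Go as an added example (not code from the original post). It assumes a hypothetical `Site` type, uses P-256 from Go's standard library in place of Bitcoin's secp256k1 and a plain ECDSA signature rather than Bitcoin's signed-message format, and goes slightly beyond the text by making each nonce single-use, time-limited and bound to the site's name.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"time"
)

type Nonce [32]byte // random challenge issued by the site
// Site is a hypothetical login server; it stores no user secret, only nonces.
type Site struct {
	Name    string
	pending map[Nonce]time.Time // outstanding nonce -> expiry
}

// digest binds a nonce to one site, so a signature made for another site fails.
func digest(site string, n Nonce) []byte {
	h := sha256.Sum256(append([]byte("cid-login|"+site+"|"), n[:]...))
	return h[:]
}

// Challenge issues a fresh random nonce that is valid for ttl.
func (s *Site) Challenge(ttl time.Duration) (n Nonce, err error) {
	if _, err = rand.Read(n[:]); err == nil {
		s.pending[n] = time.Now().Add(ttl)
	}
	return n, err
}

// Verify consumes the nonce (single use) and rejects unknown or expired ones.
func (s *Site) Verify(pub *ecdsa.PublicKey, n Nonce, sig []byte) bool {
	exp, ok := s.pending[n]
	delete(s.pending, n)
	return ok && time.Now().Before(exp) && ecdsa.VerifyASN1(pub, digest(s.Name, n), sig)
}

// NewKey and Sign are the user's side; P-256 stands in for Bitcoin's secp256k1.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func Sign(k *ecdsa.PrivateKey, site string, n Nonce) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, k, digest(site, n)) }

func main() {
	s := &Site{"forum.example", map[Nonce]time.Time{}}
	k, _ := NewKey()
	n, _ := s.Challenge(time.Minute)
	sig, _ := Sign(k, s.Name, n)
	fmt.Println(s.Verify(&k.PublicKey, n, sig), s.Verify(&k.PublicKey, n, sig)) // true false
}
```

The second `Verify` call fails because the nonce was consumed by the first, which is what stops a captured signature from being replayed.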
The entire transaction history of a bitcoin address is publicly available in the bitcoin blockchain. Thus, its current balance and balance history are easily determined. See http://blockexplorer.com/q/addressbalance. This fulfills the second requirement of a CID implementation.
Using a bitcoin address as a Collateralized ID
To use a bitcoin address as a CID, the user merely deposits an amount of bitcoin into an address of her choice and leaves it there. This is the collateral that is pledged to the identity. She can then use this address as her CID “username” when registering at a site that accepts them. The site accepting the CID can now use the address to query the blockchain to determine the balance history of the address.
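One way a site could apply a rule like the 30-day continuous-balance criterion mentioned earlier, as an added Go example (not part of the original post). The `Tx` type, the threshold in satoshis and the sample history are constructed for illustration; fetching the address history from the blockchain and converting a dollar amount to satoshis are assumed to happen elsewhere.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Tx is one confirmed balance change for an address, as a site would read it
// from the blockchain or a block explorer. Delta is in satoshis.
type Tx struct {
	At    time.Time
	Delta int64
}

// HeldSince returns the start of the current unbroken run during which the
// balance stayed >= floor, and false if the balance is below floor right now.
func HeldSince(history []Tx, floor int64) (time.Time, bool) {
	txs := append([]Tx(nil), history...) // copy, so the caller's slice is not reordered
	sort.SliceStable(txs, func(i, j int) bool { return txs[i].At.Before(txs[j].At) })
	var bal int64
	var since time.Time
	ok := false
	for _, tx := range txs {
		bal += tx.Delta
		switch {
		case bal >= floor && !ok:
			since, ok = tx.At, true // a new run starts here
		case bal < floor:
			ok = false // run broken; a later top-up restarts the clock
		}
	}
	return since, ok
}

// Meets applies a policy of the form "floor satoshis held continuously for the last d".
func Meets(history []Tx, floor int64, d time.Duration, now time.Time) bool {
	since, ok := HeldSince(history, floor)
	return ok && !since.After(now.Add(-d))
}

func main() {
	now := time.Date(2013, 3, 25, 0, 0, 0, 0, time.UTC) // constructed sample data
	day := 24 * time.Hour
	h := []Tx{{now.Add(-90 * day), 100000000}, {now.Add(-10 * day), -80000000}, {now.Add(-9 * day), 80000000}}
	fmt.Println(Meets(h, 50000000, 30*day, now)) // false: the dip restarted the clock
}
```

Checking only the current balance would accept the sample history above; walking the full history shows the collateral was withdrawn and replaced nine days ago.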
Implementation Note: There should probably be a separate wallet file for CIDs to avoid the problem of the user inadvertently “spending” her CID collateral because the bitcoin client happens to choose that address to draw from.
An important point to note here is that the money pledged as collateral never leaves the user’s possession. She doesn’t have to worry that a site she’s pledged it to will lose or abscond with it, and she doesn’t have to trust any third party, like an escrow service, to hold it or report truthfully about it. It’s as though she locked some amount of cash in a glass jar in front of the town hall. Only she has the key to get it out, but it’s there for anyone to see and verify.
If she decides that she really needs the money pledged to that particular CID, it is her decision and her decision only whether or not to give up the value-time reputation she’s built up in it by spending the bitcoin. In reality, sites accepting CIDs as membership IDs would have their own way of accumulating a “trust balance” for an ID. If a person owning a CID behaves responsibly for a certain amount of time, or otherwise contributes to the site’s community, the site may cease to check the bitcoin balance and rely on its own history with her.
One of the well-known issues of public-key crypto-systems is the problem of compromised private keys. This proposal offers no new remedies or strategies for dealing with compromised keys. However, using CIDs as identifiers for site memberships does eliminate the possibility of one’s identity being compromised by an attack on the site where it was used as a username. This is because the site does not share any password or other secret information that can be revealed to an attacker.
However, as bitcoin becomes popular, there will be a strong incentive for users to take great care to protect their private keys since they are the equivalent of money. CIDs can piggyback on the security measures developed for bitcoin, since they are nothing more than dedicated use bitcoin addresses.
This work by Joseph Cascio, Jr. is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.