Identity, Trust, and Reputation 2.0
by Brian Pontarelli
REAL-WORLD IDENTITY, TRUST, AND REPUTATION
Identity, trust, and reputation are core concepts that structure a society and the interactions between the members of that society. In the real world, identity ranges from physical appearance to governmental identification such as driver's licenses and Social Security numbers. Identity is used every day in the form of names, business cards, résumés, and photographs. These identities are untrusted, because there is no proof of their validity.
In most instances in which the word "trust" is used in the English language, it is usually synonymous with reputation. "I trust that person" usually implies a trust based on appearance, experience, or word of mouth. The word as it is used online is normally synonymous with security. Trust given to an online identity is based on that identification being secure from hacking or cracking. Thus, I'll refer to online trust as either trust or trusted identity in this article. Real-world trust is backed and ensured by governing bodies and the penalties they enforce for abuse. This assurance is then built into that governing body's identity system via large quantities of information about how trustworthy each identity is. With a trusted identity that carries penalties for abuse, merchants can feel safe selling alcohol, accepting credit cards, allowing test drives, selling cars, and so on.
Real-world reputation is an abstract concept that is not regulated but is used inherently. Reputation is built from appearance, word of mouth, the press, references, and instinct. When you meet someone, you consider his clothes, outward appearance, and body language in quickly formulating a mental picture of his reputation. This snap assessment might be either confirmed or called into question by things that your friends say about this person. We use this notional information every day to make decisions about whom to do business with or whether or not a person is reliable.
Like real-world identity, online identity has many different levels and forms, ranging from the lowest-level systems of the Internet all the way to Web applications. A computer's IP address is constantly being transmitted with each message that it sends, which is logged by Web servers, e-mail servers, and routers. Most online applications require a user to log in prior to completing a transaction or at least to identify herself in some manner. These forms of identification are designed specifically for the system with which they are used.
Trust has existed online for quite some time. This online trust has traditionally been an extension of real-world trust. I might grant access to a friend or a company employee based on varieties of real-world trust. More modern versions of online trust are built more on information than on real-world trust. For example, SSL certificates for Web sites are issued after a series of verifications have been performed, without the SSL authority ever meeting or knowing the person requesting the certificate. Trust is as vital online as it is offline for the same reasons, but to date no clear standard has emerged to fill this need.
Online reputation is not a new concept. Systems that fill a specific need have existed for a while; for example, rating systems built into applications provide information about the users of the application to interested parties. Both new companies and a few existing companies are attempting to provide a more global view of reputation, although the usefulness and validity of global online reputation have yet to be determined.
IDENTITY
Currently, most online identity is application-specific. A server maintains a file of user identity information for remote access, and a Web application maintains a database of user identity information that allows users to log in. More global concepts for identity exist, such as single sign-on (SSO), but these normally exist within LAN boundaries.
Nonetheless, there are a number of existing and new technologies that are designed as global identification systems. In the short term, these will exist mainly on the Web, but their long-term goal is to provide identification to any application. Some of these systems have been around for many years without widespread success (e.g., Microsoft's Passport Network), while others have recently sprung into existence (OpenID, Sxip, LID, etc.). These systems are attempting to create standard repositories for identification that can communicate with other repositories via a standard API. Applications can leverage these APIs to identify an individual using credentials stored elsewhere.
Many pitfalls to global identification systems still exist, including security weaknesses that would allow third parties to steal passwords from less technically savvy users. As with e-mail, these types of systems are often open to phishing attacks, in which a sham Web site is constructed to simulate a trusted Web site in order to steal usernames and passwords. Phishing of this kind is difficult to prevent, because the container -- in this case the browser -- is not aware of the issues, as a modern e-mail application might be. In order for a global identity system to be secured, it must be built into the browser, and thus it becomes the responsibility of the browser to ensure that phishing is not allowed. Nothing of this kind has yet been produced as an open standard.
In order to build trust systems on top of these global identification systems, they must first be secured. The reason trust must be built on top of the global identification systems is that, by itself, identity is nothing more than a name and a profile, which are simple to falsify. As an illustration, I set up an OpenID for Bill Gates at one of the major OpenID Web sites, with no problems at all. The e-mail address isn't Bill's e-mail address, but everything else makes it appear as though I am Bill Gates. My hoax would be fairly easy to detect, as Bill has a rather well-known e-mail address, but the majority of the online population do not.
Unfortunately, adding trust to online identity is no simple task and has no complete solution as of yet. First and foremost, global identification systems are an absolutely necessary foundation in order to build trust online. It is not feasible for an application to identify and then trust a user if there is no authoritative source for this identity and trust, or worse, if the application must interact with thousands of proprietary systems. Likewise, at some point the choices for trust and identity must be collapsed into only a few in order to make it cost-effective for companies to leverage them.
TRUST
Before I get into the substance of trust, there are a few concepts that I should cover first: trust levels, privacy, and authoritative sources for trust.
TRUST LEVELS
Trust can be broken down into many different levels using examples from the real world. If you buy something using cash, you are using visual identity, wherein the store worker has seen your physical appearance but nothing more. This is usually considered an anonymous transaction lacking a trusted identification. Say the person sitting next to you at a restaurant offers you his business card. This is also considered an untrusted identity. In contrast, suppose you buy a new briefcase with a credit card. You have revealed your name, credit card number, and signature. The credit card is a trusted identity source. Finally, you purchase a bottle of wine and are asked for an ID card issued by the government. This is also a trusted source of identity.
PRIVACY
Privacy is a large topic that many are currently debating with respect to trust and identity online. Privacy refers to a person's ability to use a Web application or information source without revealing her trusted identity. Many correlate this to an individual's right to walk down a street without having his ID pinned to his shirt. Privacy is only an issue when a trusted identity exists. Without it, as I've mentioned, identity is already anonymous.
AUTHORITATIVE SOURCE
Trust is built into many real-world systems, including driver's licenses and credit cards. Both provide assurance that someone is who her identification says she is. These identifications are issued and backed by an authority. Normally these authorities keep detailed records of all transactions the person has been involved with. The government maintains criminal, traffic, tax, property, and other records that can all be associated to the person's driver's license or Social Security number. The credit card company maintains purchasing and payment history. These authoritative sources are often consulted when there is a need for maximum trust, such as for large loans or firearm purchases. The assurance of these systems is reinforced by the fact that abuse is a punishable crime in many countries and is enforced by the government.
THE CIRCLE OF TRUST
But the fact is, Greg, with the knowledge you've been given, you are now on the inside of what I like to call ... "the Byrnes family circle of trust." I keep nothing from you, you keep nothing from me ... and round and round we go.
-- Robert DeNiro as Jack Byrnes, in Meet the Parents
Now let's take a look at how a real-world trusted identity is created and how someone goes about requesting and receiving that trusted identity. "The circle of trust" is a term that was made famous by Robert DeNiro in the comedy Meet the Parents. This term is ideal for describing how trusted identities are attained. The circle is formed like this:
1. Someone who wants a driver's license in the US must present some proof of identity to a trust provider; in this case, the government of the state in which he lives.
2. The trust provider employee takes the proof of identity, be it a birth certificate or Social Security card, and looks up the person in a database to ensure that he is still alive, has no outstanding warrants, and is old enough to drive. By this means, the trust provider verifies identity via external sources.
3. Oftentimes, an external source contains an old photograph, which can be compared with the person standing there.
4. The trust provider employee might acquire the requester's picture, fingerprints, and other forms of physical documentation to record the event.
This process of trusted identity acquisition is diagrammed in Figure 1.
Figure 1 -- Real-world circle of trust.
This trusted identity acquisition forms a circle going from the requester to the trust provider, to any number of external sources, and back to the requester. (These steps are shown as solid arrows in Figure 1.) These are direct connections, as outlined in steps 1-4 in the example above. The connection from the external source back to the requester (step 3) is vital because it reduces the potential for fraud. If the external source contains old photographs and/or fingerprints, the employee at the trust provider can compare that picture -- and perhaps, in the future, the fingerprints -- with the person standing there, which places more trust into the identification. These connections complete the circle of trust.
In addition to these direct connections, there is a connection between the trust provider and the requester (shown as a dashed arrow in Figure 1). This connection is implied because the trust provider has seen the person, taken photographs, and collected other records. Forcing the person who is requesting the identification to physically appear at the trust provider reduces the likelihood that the person will commit fraud.
The last component, which builds enough trust into an identification to make it valuable, is that there are consequences for abuse. In the real world, identity theft or forgery are punishable by fines, entries in a permanent record, and/or jail time. These penalties are usually enough to prevent most fraud.
TRUST ONLINE
There are two main forms of trust that currently exist online. First is the category of trust services, such as Trufina, IDology, and Opinity. The top providers in this category use background checks, a valid credit card, and questions of a personal nature to ensure that a person is who she claims to be. These providers then issue a trust identity in the form of a URL, an online badge, or partnerships with other services in which Web services connect the two; the identity mechanism is seamless to the user. The second category is the certificate authorities, such as Verisign and Thawte. Purchasing a certificate allows a person to attain a trusted identification in the form of an encryption certificate. Certificate authorities usually work with businesses, but personal certificates can also be acquired. These providers perform checks similar to those of the trust providers in the first category, but they issue a certificate at the end of the process.[1] These certificates can be used to access Web applications, send e-mail, and otherwise provide online identity. When a certificate is presented to an application, the application can consult the certificate authority to check validity and the level of trust.
Neither of these types of trust presents the same picture as real-world trust. As shown in Figure 2, online trust lacks the final connection back to the requester. This lack of connection is where the insecurity of online trusted identity becomes apparent.
Figure 2 -- Online circle of trust.
In online trust, the connection between the external source and the requester has been severed. In addition, the implied connection between the trust provider and the requester has also been severed, except for possibly an IP address, which is not always a reliable identity system.
A real-world example using this online trusted identification process would look something like this. The requester fills out a trusted identity form with a Social Security number or credit card number and mails it to the trust provider. That provider mails it back to the requester along with a number of questions from public records and other available sources. The requester answers all the questions and mails it back. Finally, the trust provider mails the requester his driver's license (without a picture of course).
This process is identical to the current online trusted identity systems because a physical appearance in an office is never required. The person's photograph or fingerprints are never taken, so the only record online is their IP address, which is roughly equivalent to a postmark from the post office.
Let's look at this situation in terms of identity theft. The requester goes garbage diving and finds a credit card statement, or she works at a store and just memorizes the number, date, and security number on the back. Next, she pokes around in the phone book and finds the person's address. She runs a background check and pays the county clerk for all documents on the person, including home sale and other public information. She might be daring enough to do a little social engineering and call the victim's bank for some more information. Next, she mails in the form, gets the list of questions, and sees if she can answer them all from the information she has gathered. If she can, she sends the form back in, and now she has a driver's license in the victim's name.
ONLINE TRUST OF TOMORROW
Above I laid out the foundation of trusted identities online and showed what is lacking in current online trust systems. Now I'll discuss what is needed to address these weaknesses. I see three things:
1. Closing the circle of trust
2. Open standards for people, not applications
3. Consequences
Closing the circle ensures that verification of a real person has been done. This might entail a visit to a notary or another trust provider office. This in-person verification can then be recorded, physical documentation of the requester can be attained, and, more importantly, an already trusted identification can be verified. All of these measures would make it much more difficult for someone to fake an identity. They also change trusted online identity from something that is established strictly online to something that makes a connection back to the real world.
Open standards are required to ensure that any issued trusted identification will be applicable to and usable with all online applications. Therefore, a platform is required. Without a platform that is open and secure, competing trusted identification systems will cause users to reject the system because too much is asked of them. This standard needs to encompass all aspects of online identity from encryption and signatures to logins, verification, and revocation. Ideally the standard would be simple, such as an API through which any online application could check the validity of a user's identity and check his level of trust.
Finally, consequences are needed in the same manner that they are in the real world. Closing the circle would greatly reduce fraud because it is difficult to create fake IDs -- but, as many a teenager has shown, it is not impossible. So while closing the circle is vital, consequences are still needed to further reduce fraud. The main issue surrounding consequences is that consequences have traditionally been handled by some regional level of government, and unfortunately there isn't a single government for the Internet. The Internet spans political boundaries, making enforcement a daunting task.
Going forward, there might be technical solutions that so nearly eliminate the possibility of fraud that they would close the circle of trust and reduce the need for consequences. Such solutions would secure identity in a manner that removes the possibility of password theft. Biometrics and similar technologies, once perfected, would go a long way toward achieving this goal.
REPUTATION
Reputation is difficult to measure and quantify because it is an abstract concept that is different for each person and is cumulative based on a series of interactions. In the real world, we glean bits of information about a business or a person -- both before and after we interact with them -- from a variety of sources (friends, the press, online reviews, instinct, etc.). This helps us to determine if we want to do business with a company or trust a person enough to, say, hold our firstborn. This makes reputation an extension of trust that is personal.
The notion of online reputation has been around for a while. eBay uses a reputation system to help users decide which stores to use or auctions to bid on. Other services such as iKarma have built a somewhat global reputation system that allows users to review each other. These systems are good ways for people to provide feedback about companies and others. Both are based on text-based reviews along with star/number ratings, which any user can typically view.
The main downfall of all of these systems is abuse. iKarma and eBay both suffer from two distinct types of abuse: unwarranted negative reviews and positive review circles. Unwarranted negative reviews are the simplest form of abuse, because fake accounts can easily be created and reviews quickly posted. eBay reduces this abuse by only allowing reviews from those who have been involved with a purchase; however, it is still possible. A reviewer can quickly affect the overall rating of the business or person with a few well-spaced negative reviews.
Positive review circles are a ploy some online businesses use to boost their overall scores -- regardless of their true reputation -- in order to attract more customers. These circles can be constructed by a few people who sign up for hundreds of accounts and then use those accounts to provide positive feedback on their own business. Often they even fake purchases in order to leave the positive feedback, because all they lose is the percentage of the sale that eBay takes as a fee. This is usually a small enough amount that even hundreds of sales will not incur great cost to the business but will boost its ranking enormously.
The question arises as to whether or not it is possible to have a reliable gauge of online reputation given the numerous ways to abuse systems and work around rules. I believe the answer is yes, but it brings us back to the issue of trust. Let's hypothesize that a trusted identity system exists and that reviews can only be made using this trusted identity. In this scenario, reviews seem more valid because they are tied to the actual reviewer. Abuse can now be easily addressed based on the trusted identity. A reputation system built on top of trusted identities would be one that individuals would be hesitant to abuse. If someone is caught abusing the system and that infraction goes on record with her trusted identification, we can now look at that person's trustworthiness and reputation more candidly. The information will be more transparent, giving online reputation a more dependable foundation.
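The hypothesis above, as an added sketch that is not code from the article or from any real reputation service: a rating that counts only reviews from valid trusted identities, compared with a plain average over every account. It also models the validity and trust-level lookup described under open standards; `TrustProvider`, `TrustLevel`, the rule that an infraction revokes the identity, and all sample accounts and ratings are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from statistics import mean


class TrustLevel(IntEnum):
    ANONYMOUS = 0  # no identity presented, like paying cash
    UNTRUSTED = 1  # self-asserted name and profile, like a business card
    TRUSTED = 2    # issued by a provider that verified the person


@dataclass
class Identity:
    handle: str
    level: TrustLevel
    revoked: bool = False
    infractions: list = field(default_factory=list)


class TrustProvider:
    """Hypothetical authoritative source that applications can query."""

    def __init__(self):
        self._ids = {}

    def register(self, handle, level):
        self._ids[handle] = Identity(handle, level)

    def check(self, handle):
        """Return (valid, trust_level); unknown or revoked handles are invalid."""
        ident = self._ids.get(handle)
        if ident is None or ident.revoked:
            return False, TrustLevel.ANONYMOUS
        return True, ident.level

    def record_infraction(self, handle, reason):
        """Put abuse on record against the identity (assumption: also revoke it)."""
        ident = self._ids[handle]
        ident.infractions.append(reason)
        ident.revoked = True


@dataclass(frozen=True)
class Review:
    reviewer: str
    subject: str
    stars: int


def naive_score(reviews, subject):
    """Plain average over every review, whoever wrote it."""
    stars = [r.stars for r in reviews if r.subject == subject]
    return mean(stars) if stars else None


def trusted_score(reviews, subject, provider):
    """Average over valid TRUSTED reviewers only, one vote per identity."""
    latest = {}
    for r in reviews:
        if r.subject != subject or r.reviewer == subject:
            continue  # other subjects and self-reviews never count
        valid, level = provider.check(r.reviewer)
        if valid and level >= TrustLevel.TRUSTED:
            latest[r.reviewer] = r.stars  # a later review replaces an earlier one
    return mean(list(latest.values())) if latest else None


def build_sample():
    """Constructed data: 3 verified buyers plus a 20-account review circle."""
    provider, reviews = TrustProvider(), []
    for name, stars in [("alice", 2), ("bob", 1), ("carol", 2)]:
        provider.register(name, TrustLevel.TRUSTED)
        reviews.append(Review(name, "shop", stars))
    for i in range(20):
        provider.register(f"sock-{i}", TrustLevel.UNTRUSTED)
        reviews.append(Review(f"sock-{i}", "shop", 5))
    return provider, reviews


if __name__ == "__main__":
    provider, reviews = build_sample()
    print("naive:", naive_score(reviews, "shop"))
    print("trusted:", trusted_score(reviews, "shop", provider))
```

The review circle dominates the plain average but contributes nothing to the trusted score, and a reviewer whose identity carries a recorded infraction drops out of later calculations.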
CONCLUSION
Online reputation depends on trust. In order to provide trust online, the entire online community must find a way to ensure that identities are reliable and to build global methods of enforcement. Neither trusted identity nor reputation reduces the amount of privacy or anonymity one has in the real world, and both can be easily and closely modeled to real-world environments. A trusted identity need only be revealed at times when security is required, such as in banking, purchasing, logging into servers, managing Web sites, and other such activities. At other times, this information can remain safe. Likewise, reputation is a public attribute of any person. If you never do business or reveal your name online, your reputation will remain a blank slate. However, if you interact online and reveal yourself to others -- thereby "filling in" your reputation -- you may be subject to criticism, just as you might be in real life.
The Internet implementation of trust and reputation is long overdue. Businesses fight fraud and people fall prey to bad business decisions on a constant basis. No longer is it sufficient to fight fraud and maintain reputation only in the real world. Accountability is more relaxed online than it is offline, and yet people continue to do business and produce and consume information online. Companies spend millions of dollars combating fraud and people lose thousands of dollars with purchases from bad merchants or individuals. The solutions are achievable and the technology exists. The next step is to forge a new Internet that is governed such that fraud and bad business do not go unpunished.
NOTES
1 Many certificate authorities have built proprietary systems of trust on top of personal certificates that sometimes involve visiting notaries to be validated. These systems are not being considered in this article because they are not open standards, and the notaries are not bound by regulations that completely prevent fraud. Furthermore, few applications use certificates, which makes them less useful.
ABOUT THE AUTHOR
Brian Pontarelli is the Director of Technology at the Chicago-based startup Naymz, founder of the Boulder-based software company Inversoft, founder of numerous open source software projects, and a board member of the Boulder Java Users Group. In the past, he was the President of the Chicago Java Users Group and an Enterprise Architect for Orbitz. Mr. Pontarelli has been programming and writing for many years. He has published various articles in both print and online magazines about Java, J2EE security, JavaServer Faces, and Java NIO. Mr. Pontarelli can be reached at brian@pontarelli.com.


