by realpeopleio 2993 days ago
I agree that having a few walled gardens is a problem, but having more smaller walled gardens probably won't change much. Bad actors can still sign up, post, spam, harass, etc. on several small walled gardens. What we need is a way to better identify and handle bad actors.

The internet in the 90s seemed more fun and more open. Perhaps it's because the only people really participating were not interested in abusing sites or people. It was mostly nerds sharing nerdy things. Once money got involved, and free everything was available, it turned into this soup of bots, trolls, AI, fake this and that, big money, swaying public opinion, and gross content.

Smaller sites and discussion boards have been at a disadvantage recently trying to fend off spam, bots, and sock accounts and very often lose out to the big sites. Effectively controlling abuse and doing it in a cost-effective way can be very hard.

RealPerson.io (https://realperson.io) was created as a way for websites to verify that a user is a real person, but without disclosing personal details about the user. Each person can create a single account on RealPerson.io and then can create separate, randomly-generated codes for each site they use. Websites register on RealPerson.io and then for each user signup on their website they simply ask the user for their RealPerson code for their website. A backend REST call to RealPerson.io with the user code for the site returns "yes" or "no." Sites don't share codes so you can't track across websites. No shared logins or authentication code. Bots would have to pay for a code for each account which would be cost prohibitive to run a bot farm.

The first implementation of this approach was done with RealPeople.io (https://realpeople.io) which uses RealPerson.io to verify that the user is real.

4 comments

> The internet in the 90s seemed more fun and more open. Perhaps it's because the only people really participating were not interested in abusing sites or people. It was mostly nerds sharing nerdy things.

I distinctly remember people giving purposefully bad advice on innocent-sounding IRC channels. By bad advice I mean hiding "rm -rf" somewhere in the command that is given out as advice. If the person complained about losing work, more fun to them. This was something I witnessed the first time I started randomly poking around IRC (I was not the target). I also remember how there was a whole philosophy around it, how newbies who come are vampires for daring to ask questions.

I remember there being a lot of "nerds" bragging about how funny it was to cause harm to that or this person - including putting their personal enemies' phones into fake sex ads. Plenty were everything except nice innocent people sharing nerdy things.

There were plenty of nice thoughtful people and plenty of normal people who just care about board topic. They were not the only ones out there.

> Each person can create a single account on RealPerson.io

That web page doesn't explain how they guarantee uniqueness of users or pay for the required ID checking?

It doesn't really guarantee uniqueness. It also doesn't verify identity (that this is really "John Smith"). It essentially verifies that the user has paid for an account on RealPerson.io, which is currently $9/year. This was to strike a balance between having to divulge too much personal info to RealPerson.io (like an identity verification service), but at the same time making it highly unlikely that the user is a bot. RealPerson.io doesn't try to drive the percentage to 0 that the user is a bot, but rather make it cost prohibitive for bots, while at the same time making it cost effective for real people, and still protect privacy.

Also, a user only gets one RealPerson code per website, so a user can't create multiple codes for a website and hence create multiple accounts on that website. And if that website bans the user, that user would need to get a new code for that website, which would mean creating a second account on RealPerson and paying again and face the scrutiny of RealPerson detecting that the user has two accounts on RealPerson.

> how they guarantee uniqueness of users

I was curious too so I clicked on the sign-up button to see how it worked. It immediately takes you to a page to pay $9.00 by credit-card.

I guess it guarantees you're a "real person" because bots† don't pay with credit-cards.

†(At the large scale required for profitable fraud)

Right. Bots aren't going to pay. But a user might pay $9/year for all websites. Websites don't have to pay for the service either. The more websites that use the service, the more cost effective it is for users (since they pay once for all sites), and for websites (since the likelihood that the user signing up already has a RealPerson account and doesn't need to pay anymore).

This is the primary way to prevent bots, but there still are secondary means like IP address, credit card, behavior pattern that can be used to detect bots. But with estimated millions of bots operating on Twitter and Facebook and elsewhere, the bot operators are not going to spend millions of dollars on RealPerson accounts.

> But a user might pay $9/year for all websites

Nope. Not going to happen. A HN user might, but regular user? No way in hell. Honestly I'd be surprised if you managed to win them over with $1/year or whatever the card minimum TX cost is. Even I was blindsided by it with a "wooah, what's this about" and I'm happy paying up for apps etc just to test them once. I thought I'd accidentally signed up to the website side of it

It's hard enough for Netflix to get customers to pay (account sharing) never mind a site that - from the user's point of view - does nothing

On the thought of the website side - Why would I as a website owner have my users pay your service when I could set up my own paywall and also enjoy the monetary rewards? I really feel like I've missed something here

Side note, there's also no way to delete my account

At first maybe for most people they won't want to pay the cost. What (hopefully) will happen is that smaller sites who have problems keeping bots and fake accounts at bay will decide it's worth it to them to require all their users to use RealPerson. And then (hopefully) over time users face no additional cost using RealPerson on other sites because they already have an account.

Incidentally, this is how RealPeople.io (https://realpeople.io) is able to have no ads because the revenue from RealPerson.io subsidizes it since they're owned by the same company.

The way you're addressing this site is confusing, you're talking as if your username isn't "realpeopleio" - are you affiliated with the site or just registered under a confusing username?

I apologise for asking this rather than any actual followup questions but it's got me proper distracted

> Bots aren't going to pay.

If your site ever gains traction then it would quickly become rife with stolen credit card details as the amount is small enough that most banks wouldn't question it (at first at least - but it's small amounts like these that attackers use to verify the card details are still valid) and those attackers would get the added bonus of growing their database of fake user accounts, thus rendering the point behind your site irrelevant.

Worse still, you'd then need to find some way to differentiate between stolen details and legitimate accounts (you will legally need to do this otherwise you'd quickly get shut down) - which means you're back into the arms race against the bad actors. This is going to cost you money (hopefully not more than you're making but that really depends on how heavily you get targeted) and will mean you'll likely end up adding counter measures that add further hurdles for legitimate customers.

And thus we're all back to square one.

I do wish you luck with your endeavor; but I don't agree with you that this solves any of the problems you're hoping to address (or at least described in this thread - if your problem was merely to earn some extra cash on the side then this might work beautifully for you).

I think that the only reliable way to verify that a user is a real person would be to coordinate this work with government. Kazakhstan allows for each citizen to get a signed digital certificate to use it for government websites, but it's possible to use it everywhere, it's a plain X.509 RSA certificate signed by a special certificate authority. I'm aware that there are many countries doing exactly the same thing. So many people already have certificates to verify their identity and they have an incentive to keep those certificates secure. It should be possible to build an analog of "realpeople.io" using those certificates (or directly use certificates for authentication).

And let government track your every step... I trust Google more

This was a motivating factor for us. If a market solution doesn't appear and remedy the problem, then we'll get government regulation.

> The internet in the 90s seemed more fun and more open. Perhaps it's because the only people really participating were not interested in abusing sites or people. It was mostly nerds sharing nerdy things. Once money got involved, and free everything was available, it turned into this soup of bots, trolls, AI, fake this and that, big money, swaying public opinion, and gross content.

The 90s had fair share of the above as well:

* bots: I used to write bots to troll 90s HTML chatrooms (I was young and an idiot). IRC bots have been around since forever as well.

* trolls: trolling is older than the web. Platforms like IRC and newsgroups used to be rife with trolls if you wandered into the wrong place or said something stupid to the wrong people.

* AI: this isn't really a web problem but more just a natural advancement of technology. I mean we had bots in the 90s so you can bet if AI was as far along then as it is now then we'd have seen AI then as well.

* fake this and that: this has always been a problem. Let's not forget that Snopes.com was launched in 1994.

* big money: The web definitely attracts big money now, but even in the 90s some businesses were sinking huge quantities of money in the bet that it would pay off big. Probably the most famous example being Amazon, who were founded in 1994.

* swaying public opinion: I agree here. This more recent trend of using user identifiable information to target persuasive pieces (eg what Cambridge Analytica were doing) is very worrying too.

* gross content: shock sites are nearly as old as the web itself. Goatse, for example, is so old it's now part of the mainstream consciousness.

* spam: Spam on forums is less of a problem now than it's ever been thanks to new techniques in user verification (captcha and similar, developers more aware to validate users with an activation email, etc). And spam email is an order of magnitude better now than it's been in years.

* sock accounts: To be honest I think this is another area where they were more common then than they are now. This time I think it is due to the current trend of using real world identities. In the late 90s it was particularly easy to create sock accounts due to how easy it became to create a multitude of free email accounts (eg Yahoo Mail).

* very often lose out to the big sites: this is where I think the biggest shift has happened. People seem less interested to stumble on new content than they did in the 90s. Of course this might just be age bias on my part; I was in college in the 90s so had both the time and the social crowd to stumble upon random stuff online. Whereas these days I'm older and look for different requirements from the web so for me I look to it more as a tool than a toy.

I'm not saying things are better now nor then (actually I do kind of miss the 90s web) but there was definitely still a darker undercurrent present even in the 90s.

There were some bad actors in the 90s, but the scale is different now. And the effect is now raised to the level of concern that elections are affected. Some people are even talking about how it is threatening democracy. We don't think an arms race of technology with the bots and bad actors is going to work long-term. We need to change the economics so that bad actors go broke trying to act bad, while real people have to pay very little and not have to give up privacy. Government regulation might solve some problems, but it might also just put Big Social Media in bed with politicians and then little guys will be prevented from playing, and/or the control over online speech will just flip back and forth between opposing ideologies every election.

> There were some bad actors in the 90s, but the scale is different now.

It depends on what you're measuring. Take trolls for example; is the proportion actually any bigger? Sure there are more trolls but there's also more users on the whole so you'd expect the number of trolls to also grow while the percentage might remain the same.

> And the effect is now raised to the level of concern that elections are affected. Some people are even talking about how it is threatening democracy.

That's not really the same point you were making in your first post. I agreed with you about how worrying those specific cases are but you were originally complaining about a more general problem of rot and giving examples of stuff that also existed in the 90s. But yes, I too am concerned about targeted "marketing" being abused in a way that is new to anything we had seen in the decades previous.

> We need to change the economics so that bad actors go broke trying to act bad, while real people have to pay very little and not have to give up privacy.

I don't disagree with you on principle but it's a lot easier said than done. I mean just look at how hard it has been getting a handle on spam email and as a result it's now harder than ever to host your own mail server.

Ultimately I don't think it is possible to have privacy / anonymity and to prevent spam. I also don't think it's possible to prevent bad actors from automation while allowing the good actors to do the same things on the cheap. The problem is the same controls that are used to make it difficult for bad actors will also make it difficult for the good ones. And equally the same controls that give us privacy also make it easy for malicious sock accounts to be created. It's a double-edged sword like that of free speech allowing opinions we don't want to hear amongst those that we do need to hear.

I think the best approach is education. There was a time when we were taught not to trust what we read online. Not to trust other people online. But things have since flipped and perhaps it's time to re-educate everyone to be cautious of anything presented online?

> I also don't think it's possible to prevent bad actors from automation while allowing the good actors to do the same things on the cheap. The problem is the same controls that are used to make it difficult for bad actors will also make it difficult for the good ones,

That's how RealPerson.io is different. It's pay to play so it doesn't try to out-tech the bad actors, and so it doesn't make it harder for the good actors.

I can think of a few ways it makes it harder for the good actors just from an initial scan of the site:

* It's an additional service that people need to discover / learn and sign up for

* It's not free. While the cost might seem cheap for people like ourselves in well paid jobs, not everyone has a disposable income. Anyone in poorly paid jobs / unemployed, expensive bills or family etc wouldn't want to or even might not be able to afford such a service

* It requires people pay with a bank card, which excludes anyone who doesn't have a bank account / credit card (only a small group of people but they do exist). It also excludes anyone who doesn't feel comfortable with entering payment details online (I personally only use PayPal these days on all bar a very small handful of sites)

* I also don't trust handing "identity token" over to that site any more than I trust Facebook. What happens if/when they get hacked? Will they then have my bank card details? Will they be able to use my identity token to access other sites? These points matter to me because I know nothing about the company and they are gearing themselves up for being an obvious target for attackers.

So in summary there is no such thing as a perfect solution. By making it harder for bad actors you're going to make it harder for at least some good actors as well. That is an inescapable truth.

> I also don't trust handing "identity token" over to that site any more than I trust Facebook. What happens if/when they get hacked? Will they then have my bank card details? Will they be able to use my identity token to access other sites? These points matter to me because I know nothing about the company and they are gearing themselves up for being an obvious target for attackers.

A RealPerson code is not an access token. It's a unique code generated for a particular website. It's more like a coupon code and RealPerson.io will tell a website if it's valid. The website still handles creating the account and authentication etc., like it has before and does it however it wants, using whatever authentication it wants. But now the website can make a backend call and ask RealPerson.io if the code given is valid, meaning someone (who knows who) generated a code for this site. That's it. Then the website can validate that no other user has used that code when signing up on their website. The website doesn't know what account on RealPerson.io has the code. The website doesn't know what other websites the user uses (the codes are unique to each website). So RealPerson.io just knows codes and websites, and websites just know if the codes are valid. Nothing else is shared.

Stripe processes the payment and credit card details are not stored in RealPerson.io. There are no identity tokens to steal. You have codes but you generate those on demand when you are signing up on websites. Once they are used, then there's nothing more you can do with them.

RealPerson.io doesn't have any personal details on you besides the payment token from Stripe. No bank details. No usernames or passwords for other sites. No usage on other sites.
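
A sketch of the website side of the flow described in the comment above, added here as an example; it is not part of the thread and not RealPerson.io's code. The verifier function, the site id and the codes are constructed stand-ins for the backend call, whose real endpoint the thread does not give. It shows the single-use rule enforced by a database constraint and a ban that leaves the code burned.

```python
"""Site-side signup gate for a per-site, single-use "real person" code."""
import hashlib
import sqlite3

SITE_ID = "example-forum"  # constructed site identifier

# Constructed set of issued codes. It stands in for the backend REST call,
# whose endpoint and request format are not given in the thread.
ISSUED = {("example-forum", "K7Q2-XM4P"), ("example-forum", "Z9TT-0HLD"),
          ("other-site", "B3RR-77QA")}


def service_says_valid(site_id, code):
    """Hypothetical verifier: answers yes/no for (site, code), nothing else."""
    return (site_id, code) in ISSUED


def open_db():
    db = sqlite3.connect(":memory:")
    # code_hash is the primary key, so "no other user has used this code" is
    # enforced atomically by the database rather than by a racy SELECT.
    db.execute("CREATE TABLE accounts (code_hash TEXT PRIMARY KEY,"
               " username TEXT UNIQUE NOT NULL,"
               " banned INTEGER NOT NULL DEFAULT 0)")
    return db


def code_fingerprint(code):
    # Keep only a hash: the site never needs the raw code again.
    return hashlib.sha256(f"{SITE_ID}:{code.strip()}".encode()).hexdigest()


def signup(db, username, code, verify=service_says_valid):
    if not verify(SITE_ID, code.strip()):
        return "rejected: code not valid for this site"
    try:
        with db:  # commits on success, rolls back on error
            db.execute("INSERT INTO accounts (code_hash, username)"
                       " VALUES (?, ?)", (code_fingerprint(code), username))
    except sqlite3.IntegrityError:
        return "rejected: code or username already used"
    return "created"


def ban(db, username):
    # Flag the row instead of deleting it, so the banned user's code stays
    # consumed and cannot be presented again for a fresh account.
    with db:
        db.execute("UPDATE accounts SET banned = 1 WHERE username = ?",
                   (username,))
```
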

Yeah, a lot of things that are seen as modern social media problems have been issues online (especially on community websites) for a while now.

Of course, part of the reason they seem worse now is because sites like Facebook, Twitter and Reddit have completely ignored all community management advice found online and done nothing to discourage bad actors or keep the quality control up.