by Animats 1423 days ago
As I said 48 days ago when this last came up on YC, the classic "Why your idea for stopping spam sucks" list applies.[1] Go re-read that and you'll see the same identity problems and proposed solutions.

If people can create and abandon identities cheaply, they will use those identities for annoyance or fraud. Hence spam, robocalls, etc. This is also why the "federated" social networks are not too useful.

On the other hand, publicly visible identities that are very strongly tied to a person or physical place lead to strong tracking and the abuses associated with that.

So, explain how "Web5" avoids those problems.

[1] https://craphound.com/spamsolutions.txt


Bullshit on at least a couple fronts.

First, even when people strongly have their real identity tied to their digital or other activities, it amazingly often does nearly nothing at all to stop them from all kinds of spammy abuse, fraud, lying, trolling and all sorts of bad behavior. This happens across the board, world-wide in any non-personal social or digital setting.

Secondly, I'd argue that the ability to "decentralize" ID and anonymize oneself is more than worth having as at least a moderate bulwark against the pervasive parasitic, predatory modern corporate/government surveillance world that we increasingly live in. It's nice to talk about keeping people "respectful" with a strongly tied down identity but how ideal is this when these people live in a world of giant institutions that respect next to nothing whenever it's convenient for their interests?

Yeah, in no small part that "identity" is transferable. It can be stolen, resold to other parties for a profit, or rented out.
Decentralization is about decentralizing services, not identity. You have one identity, decentralization allows you to control how it’s used.

  even when people strongly have their real identity tied to 
  their digital or other activities, it amazingly often does 
  nearly nothing [...]
Is that based on any particular example? Off the top of my head, I can think of several mechanisms by which tying a pseudonym to a real identity could deter or address malicious behavior: lawsuit, jail time, loss of collateral, permanent ban of a human being from a service, etc.

   the ability to "decentralize" ID and anonymize oneself is more than worth [...]
Well, the downside is unstoppable crime, harassment, dis/misinformation... but let's entirely ignore all that, and just daydream about the valiant freedom fighters it will save from oppressive government /s
Connecting your digital identity opens you up to stalking, data mining, identity fraud and a host of other things not government related.
Sure, but a pseudonymous digital identity can provide decent protection for those problems. If government wants the user's personal details, that's different, since, even if the information were never stored on computer, one could obtain it via court order – but the ability to do that is partly the point.
Personally, I think the state being able to deanonymize users is an antifeature. A bug that needs fixing.
>>but let's entirely ignore all that, and just daydream about the valiant freedom fighters it will save from oppressive government /s

The threat from governments and other entities that obtain a monopoly on violence is one that is not naturally self-limiting. There is no right governments cannot deprive people of, making most of the methods people use to defend themselves from a threat (e.g. being discriminating when choosing who to associate with, hiring private security, etc.) ineffective when dealing with threats posed by governments. Therefore, I think mitigating the dangers posed by the state should be the highest priority.

One way we know that achieves this is eliminating, via disintermediation of centralized platforms, the bottlenecks that magnify the power of the state, and reduce the political cost for those who control the state to enforce mass-surveillance or censorship edicts.

I can think of many (admittedly anecdotal but I think valid enough) examples. Just off the top of my head, Facebook is full of people who plainly use their real name and operate their account within the context of their real, in-person or professional circles of friends. Despite this, many of these people regularly place comments or posts that are blatantly rude, racist, spammy, fraudulent and so forth. It's a very common phenomenon and with little repercussions in most contexts. Social media and many other digital media forums are also loaded with people who regularly defraud others in ambiguous ways with little to no legal consequences. Imagine, if you go to a typical city police station in, say, nearly any North American city and report a non-violent property crime, the police will often straight up tell you that aside from filing a report, they'll do next to nothing else. Now imagine how much less they usually care in the case of legally grey cases of digital fraud below a certain genuinely large or frequently repeated amount. Even if you have a person's completely real name to point to, many criminal investigators just won't care, it won't be worth their time unless it's part of a massive pattern, involves lots of money, or affected someone with major political or social clout. A lack of anonymity means nothing in these contexts. At the same time, a lack of anonymity does indeed expose many other people to all kinds of unfair abuse that they have little recourse against.

As for your second point: The topic of dis/misinformation is a whole separate can of worms that I won't go into in detail right now, aside from saying that it's loaded with assumptions and shifty, politically charged definitions of what really is disinformation. This is aside from the fact that I sincerely believe people have a right to share even stupidly mistaken opinions of X or Y, regardless of what certain self-proclaimed intellectual betters think should be allowed. With regard to your other points about crime and harassment, I refer you to my point above: firmly verified IDs barely dent these things. However, they definitively do open people up to surveillance, censorship and the illegal leaking of vast troves of sensitive personal data from hacks of "secure" ID verification systems run by governments and corporations. To me, the trade-off is clearly in favor of giving people a basic right to hiding their real identity in all but absolutely necessary situations.

> The process of binding a DID to something in the physical world, such as a person or an organization — for example, by using verifiable credentials with the same subject as that DID — is contemplated by this specification and further defined in the Verifiable Credentials Data Model [VC-DATA-MODEL].

https://www.w3.org/TR/did-core/#proving-control-and-binding

Here is the diagram:

https://www.w3.org/TR/vc-data-model/#lifecycle-details

The idea there is that identity providers and other authorities (governments, credit agencies, etc) issue credentials after the person authenticates with them.

This isn't much different than how it works today with, for example, a cookie on the Experian website, but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.
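The three-party flow described above (issuer, holder, verifier), as an added example that is not part of the original thread and not the W3C's or any project's code: a stand-in "credit agency" issuer signs a claim about a subject DID with Ed25519, the holder carries it, and a verifier that has never talked to the issuer checks it against a DID-to-public-key registry. The `Credential` field names, the `did:example:` identifiers and the registry map are this example's own constructions, not the VC data model's, and it also exercises the failure cases a verifier has to care about: a tampered claim, an expired credential, an unknown issuer, and someone presenting a credential that is about a different subject.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is a deliberately minimal stand-in for a verifiable credential:
// a claim an issuer makes about a subject. Field names are this example's own.
type Credential struct {
	Issuer  string            `json:"issuer"`  // DID of the issuer (constructed value)
	Subject string            `json:"subject"` // DID of the holder the claim is about
	Claims  map[string]string `json:"claims"`
	Expires time.Time         `json:"expires"`
}

// Signed bundles a credential with the issuer's Ed25519 signature over its bytes.
type Signed struct {
	Credential Credential
	Signature  []byte
}

// canonical gives the exact bytes that are signed and verified. encoding/json
// writes struct fields in declaration order and map keys sorted, so it is stable.
func canonical(c Credential) []byte {
	b, _ := json.Marshal(c)
	return b
}

// Issue is the issuer's side: sign the claim after authenticating the subject
// (the authentication step itself is out of scope here).
func Issue(key ed25519.PrivateKey, c Credential) Signed {
	return Signed{Credential: c, Signature: ed25519.Sign(key, canonical(c))}
}

// Verify is the third party's side. It knows issuers only through a DID -> public
// key registry (a stand-in for resolving DID documents) and never contacts them.
func Verify(registry map[string]ed25519.PublicKey, s Signed, presenter string, now time.Time) error {
	pub, ok := registry[s.Credential.Issuer]
	if !ok {
		return errors.New("unknown issuer")
	}
	if !ed25519.Verify(pub, canonical(s.Credential), s.Signature) {
		return errors.New("bad signature") // any edit to the claim lands here
	}
	if !now.Before(s.Credential.Expires) {
		return errors.New("credential expired")
	}
	if s.Credential.Subject != presenter {
		return errors.New("credential is about a different subject")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // the issuer's key pair
	registry := map[string]ed25519.PublicKey{"did:example:issuer": pub}
	now := time.Now()
	cred := Credential{Issuer: "did:example:issuer", Subject: "did:example:alice",
		Claims: map[string]string{"over18": "true"}, Expires: now.Add(24 * time.Hour)}
	signed := Issue(priv, cred)
	fmt.Println("alice presents it:", Verify(registry, signed, "did:example:alice", now))
	fmt.Println("bob presents it:  ", Verify(registry, signed, "did:example:bob", now))
	tampered := signed
	tampered.Credential.Claims = map[string]string{"over18": "true", "credit": "excellent"}
	fmt.Println("tampered claims:  ", Verify(registry, tampered, "did:example:alice", now))
}
```

The point the thread is circling is visible in `Verify`: the verifier needs nothing from the issuer at presentation time except its public key, which is exactly what makes the credential portable in a way a session cookie is not, and also why the registry (how a DID resolves to a key) becomes the part you have to trust.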

Wow now it sounds awful for other reasons.

Still pie-in-the-sky, but I still think we've been low ambition & not had good decentralized-identity-preconditions to begin exploring web-of-trust models. Past behavior is a huge indicator, one we can judge, & which many others will have judged. Trying to filter those other judges, decide what trust anchors we have & what biases to give, is a place where humanity would have a lot of freedom to tweak & explore, if we had these modest adequate technical underpinnings to begin to explore from.

But we just lost a decade to blockchain mania & consensus computing, rather than exploring anything actually genuinely distributed & decentralized & non-consensus. Also worth admitting AI just got good enough to convincingly fake being an online person fairly well, which can potentially massively outperform any attempt at moderation & seeking truth/genuineness that humans might ever make; said explicitly, bad/business-motivated actors' ability to fuck up anything but an ultra-conservative/paranoid web-of-trust has gone up orders of magnitude in the past couple years.

> web-of-trust models

Been there, done that, seen it abused for SEO.

Hi John. Where has it been done distributedly ever and at any decent size of adoption?

To me, the premise that we start with some self-sovereign moderation opens the door to endless creative refinements & betterments we can collaboratively explore? Afaik Earth has never had that privilege, has never really tried this to any degree. We've had some keysigning parties but actual reputation & moderation... no.

I'm not sure what evidence we have to stick a fork in this one & call it done. Doesn't feel to me like we hardly ever began.

Google's original backlink-based rating system was a web of trust model. A whole industry developed around gaming it.
> but the idea is that I can now take this cookie, show it to a third party and the third party can verify the credential's validity.

Or you know, like oauth.

Or if you want to really play up the credential angle, how tls client certificates work, if anyone would ever use them.

Perhaps TLS client certificates are unpopular because pretty much everyone uses some sort of anti-ddos or caching server in front of their services (cloud load balancers, fastly, akamai, cloudflare) so any TLS client certificate authentication and validation has to be baked into the service[0] (another possibility could be the service encoding the client's information and shipping it to the origin server via headers).

Another option for companies is only signing request bodies and validating a request signature in the header like discord does[1].

0: https://developers.cloudflare.com/api-shield/security/mtls/c...

1: https://discord.com/developers/docs/interactions/receiving-a...
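The "sign the request body, validate the signature from a header" pattern mentioned above, as an added example that is not from the original comment and not Discord's code. It follows Discord's documented layout for interaction webhooks (an `X-Signature-Ed25519` header carrying a hex Ed25519 signature, an `X-Signature-Timestamp` header, and the signed message being timestamp followed by body); the five-minute replay window (`maxSkew`), the sample body and the key pair are this example's own assumptions. `signRequest` stands in for the platform so the whole exchange runs offline; a receiver only ever needs `verifyRequest` and the platform's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"time"
)

const (
	sigHeader = "X-Signature-Ed25519"
	tsHeader  = "X-Signature-Timestamp"
	maxSkew   = 5 * time.Minute // replay window: an added policy, not part of the platform's scheme
)

// signRequest is the sender's side. The signature covers timestamp || body,
// so neither can be swapped for another without invalidating it.
func signRequest(key ed25519.PrivateKey, ts string, body []byte) map[string]string {
	sig := ed25519.Sign(key, append([]byte(ts), body...))
	return map[string]string{sigHeader: hex.EncodeToString(sig), tsHeader: ts}
}

// verifyRequest is the receiver's side. It runs before the body is parsed:
// an unauthenticated body should never reach application code.
func verifyRequest(pub ed25519.PublicKey, headers map[string]string, body []byte, now time.Time) error {
	ts, sigHex := headers[tsHeader], headers[sigHeader]
	if ts == "" || sigHex == "" {
		return errors.New("missing signature headers")
	}
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return errors.New("malformed signature")
	}
	if !ed25519.Verify(pub, append([]byte(ts), body...), sig) {
		return errors.New("bad signature")
	}
	unix, err := strconv.ParseInt(ts, 10, 64)
	if err != nil {
		return errors.New("malformed timestamp")
	}
	// A valid signature on an old timestamp is still a replay; bound the window.
	if d := now.Sub(time.Unix(unix, 0)); d > maxSkew || d < -maxSkew {
		return errors.New("stale request")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the platform's key pair
	now := time.Now()
	body := []byte(`{"type":1}`) // constructed sample body
	headers := signRequest(priv, strconv.FormatInt(now.Unix(), 10), body)
	fmt.Println("genuine:       ", verifyRequest(pub, headers, body, now))
	fmt.Println("tampered body: ", verifyRequest(pub, headers, []byte(`{"type":2}`), now))
	fmt.Println("replayed later:", verifyRequest(pub, headers, body, now.Add(time.Hour)))
}
```

Because the timestamp is inside the signed message, an attacker who captured one genuine request cannot refresh its timestamp to slip past the window; that is why the scheme signs timestamp plus body rather than the body alone.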

TLS client certs were unpopular way before external TLS termination became popular.

Besides, it would be fairly easy to implement at a cdn layer. Just give it a list of valid CAs, and have it set some header.

The real reason is that UI challenges for client certs are really hard. You can see it in the fact that people actually do use client certs in server to server communication (e.g. like between cache and backend).

Having worked with TLS client certificates before, I like them, but I wouldn't inflict them on anyone else.
Would having all data produced by a DID being verifiable mean that I could stop any nugget of information coming out of that producer from reaching me just by a simple computation?
Urbit solves it by making the ID scarce with a cheap, but non-zero cost that makes spam prohibitively expensive.

It also makes blocking and moderation easy and the pseudonyms accrue reputation.

Yeah...wonder why it wasn't mentioned...