by hopfog 1360 days ago
I run a free browser game where you can start playing immediately, no registration required. The game has a big sandbox element where you can build and paint on the world map.

Naturally I've attracted trolls doing everything in their power to grief and ruin it for other players. This has led me to reluctantly implement moderation tools such as IP bans and proxy detection.

I'm currently using a couple of services where I can supply an IP and get a risk score back but I'm worried about false positives. I'm afraid this initiative, while great for privacy, will make my defense measures futile.

What should I do? I just want to run a game with as few intrusive barriers as possible. I have no interest in collecting any private data from users whatsoever.

3 comments

You have to have intrusive barriers. This is true in real life and it is true online.

The world is not a graffiti free-for-all because there are barriers: the government (police) is able to apprehend individuals, link that physical individual to an identity (which it issued at birth), and effectively implement consequences to that identity/individual.

If you want your site to not be a graffiti free-for-all, you will need a durable way to identify actual people. Twitter, for example, essentially requires a phone number to use their site. Phone numbers are fairly difficult to get anonymously. Therefore, Twitter has a useful link between their users and a physical individual. Other services use other things.

The government should implement cryptographic certificate based identities to citizens. Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).

Facebook, Google, etc. are effectively filling this function right now but they leave much to be desired.

> Ideally there would be a way to "sign" something that says you are a real citizen without revealing which citizen you are, but is durably unique (subsequent signings identify you as the same citizen).

This is a truly interesting and groundbreaking idea that would solve all my problems. Do you know if there are any initiatives like that or is it science-fiction?

Actually issued by a government? Not sure.

How to implement? Also not sure. I am not an expert in this field. "Anonymous credentials" seems like the closest thing maybe. Basically you need to somehow prove you have a valid signed certificate without disclosing the public key.

https://crypto.stackexchange.com/questions/83412/how-to-achi... https://crypto.stackexchange.com/questions/52189/zero-knowle...

Since you seem open to putting up barriers... in the process of looking into this I discovered Idena and checked it out a little. You could require verified Idena something or other, just as an example. I'm sure there are scores of these types of things being built, most or all of which will fail to gain traction.

I don't know if a government would use it, but 4chan has tripcodes that can uniquely identify an anonymous user across multiple posts without the user ever needing to create a permanent identity.

You will just have a bunch of random false positives that get blocked and never come back. Even before VPNs, a lot of ISPs gave you a dynamic IP that changed anywhere from every few weeks to daily, to each reconnect. Same with any public access point.

Same with carrier-grade NAT. IP stopped being a good way to block things a long time ago. About the only use is "this IP is DoSing me now, block it for a few hours".

There are a few other methods, all of them intrusive on privacy. Generating a fingerprint of the browser and blocking based on that might work for the clueless users, but dedicated ones will go around it. Making use of one of the popular SSO logins is one option (at least banning-wise), but that's a lot of work.

Redesign the rules so that trolling is not rewarding. Yes, I know, it's hard.

Yeah, I thought I could pull that off but in the end I was naive thinking I could solve it with mechanics. The idea was that I would never need to ban anyone, ever. However, even with thousands of players playing the game as intended, just one troll can wreak havoc by creating hundreds of accounts through proxies.

I have implemented measures where you can't chat until you've finished the tutorial, 5 minutes decay on stuff built/painted outside plots and upkeep on claimed plots but it's not enough. The trolls are extremely dedicated and devote their life to ruining my game.
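
The short-lived block one commenter describes above ("this IP is DoSing me now, block it for few hours"), as an added Python example that is not part of the thread. The class name, thresholds and sample addresses are assumptions chosen for illustration; every block expires, so a later holder of a dynamic or CGNAT-shared address is not shut out for good.

```python
import time
from collections import defaultdict, deque


class TempIPBlocklist:
    """Blocks an address only while it is misbehaving; every block expires."""

    def __init__(self, max_hits=20, window_s=10.0, block_s=3 * 3600,
                 clock=time.monotonic):
        self.max_hits = max_hits          # hits allowed per window (assumed value)
        self.window_s = window_s          # sliding window length in seconds
        self.block_s = block_s            # block duration: hours, never permanent
        self.clock = clock                # injectable so the demo can control time
        self._hits = defaultdict(deque)   # ip -> timestamps of recent hits
        self._blocked_until = {}          # ip -> expiry time of the current block

    def allow(self, ip):
        """Record one request from ip; return False while ip is blocked."""
        now = self.clock()
        expiry = self._blocked_until.get(ip)
        if expiry is not None:
            if now < expiry:
                return False
            del self._blocked_until[ip]   # block lapsed: the address starts clean
        hits = self._hits[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window_s:
            hits.popleft()                # forget hits older than the window
        if len(hits) > self.max_hits:
            self._blocked_until[ip] = now + self.block_s
            del self._hits[ip]
            return False
        return True


def demo():
    """Constructed scenario: a burst from one address, then its return after expiry."""
    t = [0.0]                             # fake clock, advanced by hand
    bl = TempIPBlocklist(max_hits=5, window_s=10, block_s=3600, clock=lambda: t[0])
    burst = []
    for _ in range(7):                    # 7 requests in under a second
        burst.append(bl.allow("203.0.113.7"))
        t[0] += 0.1
    other = bl.allow("198.51.100.2")      # unrelated address is unaffected
    t[0] += 1800
    mid = bl.allow("203.0.113.7")         # still inside the one-hour block
    t[0] += 1800
    after = bl.allow("203.0.113.7")       # block has expired
    return burst, other, mid, after
```
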