Exactly. The SSID proves precisely nothing. It is sad to see them to claim it "keeps people honest."
This "Karma FirstName" scheme is going to alienate some potential customers. Also, I suspect the added advertising boost from letting your users be clever would offset losses. But that is a simple empirical question. It wouldn't be hard at all. How many new signups per hotspot do you get from hotspots with custom SSIDs versus stock SSIDs?
Looking forward to seeing what security measures they do have in place to prevent someone from spoofing. At an abstract level, the device is going to need to contain some public-key (or something similar) that it sends somewhere on the Internet which is then verified with a private key. Then it's got to tell the user whether or not it's a real Karma hotspot or there's trouble.
There will always be a risk. But it could at least be managed to the point where it is one of the lesser Internet risks.
Remember this isn't really a new security hole for users of public wifi. Just setting up your own Starbuck's access point (dlink) and loading it with malware and snooping would do the same thing.
I don't really know how SSL works over a compromised access point. So maybe there are safeguards. But I tend to assume if the access point is compromised, all my base are belong to them. Or at least the data I send.