USS Clueless -- Trust but Verify

Trust but Verify

There has developed a sub-culture on the Web of "web loggers", of which yours truly is a recent addition. My own web log ("blog") happens to be rather sterile, mostly consisting of my opinions about things. But many of them amount to public diaries. As such, most are pedestrian because most people don't really live interesting lives. Still, many are very good, especially if the person is living through a crisis. Inevitably networks of these things have developed which cross-link to each other. They also comment on their own blogs about what others have said; you have to read both simultaneously to see the conversation.

The people doing this also sometimes develop quite close relationships with each other, and will exchange email and even gifts. There have been marriages. But there have also been several high profile cases where this kind of thing has ultimately been exposed as an elaborate hoax. The public persona was revealed to be synthesized, not based on reality. In some cases the persona was a different gender than the actual author.

Just recently, as this is written, something like this was exposed on the messaging system associated with AnandTech. AnandTech is a very respected semi-pro hardware review site for people interested in computer hardware. AnandTech also runs a messaging system, mostly for discussion about hardware issues but in practice also as an online social meeting place. About a year and a half ago, one male participant decided to see what it would be like to be a woman.

So even as he continued to participate in his own person, he created a separate female identity. He learned (as have many women) that there are a lot of desperate single guys out there, because they started hitting on "her". To defuse this, he decided to start a relationship between his normal identity and "her". But this only made it worse, because others on the board started nagging for details on how the romance was going. So in January of 2000 he "killed" her, announcing that she and her (also mythical) child had been hit by a car. And the other people involved actually created a memorial site about "her", which was online for more than a year, complete with tearful testimonials from "her" friends.

Recently he came clean. It's obvious that he never understood what he was getting into, and that his attempts to manage the situation simply dug him in deeper. Upon learning of the hoax, the moderators of the board banned him, and the other participants responded with anger and recriminations. The memorial site was changed to denounce him and to announce the hoax. (As I write this, it doesn't seem to be accessible any longer.)

There is at least one case like this involving a web log ostensibly run by a woman but actually run by a man. (Of course, there's nothing that requires that a hoax like this be cross-dressing, but it happens to be in the two cases I've cited to this point.) He, too, confessed but the original web site remains up, though it hasn't been updated in a long time. This "woman" was actually quite active in other ways, establishing a web ring, for instance, which still shows the fake identity as a contact.

As I write this, there is considerable controversy developing over the possibility that it may have happened again. Unlike the two previous examples, no-one has come forward and confessed, and the evidence is ambiguous (to say the least). (Update: yes, it is definitely a hoax and there has been a confession.) But it led me to consider the generic question: how do we know who we communicate with electronically is genuine?

I think we don't. I think there isn't any way to do it. It is possible to prove consistency but not identity. By that I mean that it's possible to prove that a given communication came from the same person that created previous communications in a series, but it is not possible to prove who the entire series came from.

I have posted a scan of my driver's license (with certain critical information blanked out) but you don't actually know that the driver's license in question is really me. I might actually be a 70 year old woman stuck in a nursing home.

The problem is that computers make it too damned easy to fake this kind of thing. Indeed, the photo in my driver's license might have been inserted (though with the overlay pattern of a driver's license, that would be pretty difficult). But it's not impossible. Or the picture could be genuine -- and stolen.

Or I could post a public key (e.g. a PGP fingerprint) on my web site, and someone receiving mail from me might have to use that public key to decrypt it. That proves that it was sent by the person owning the web site. But it doesn't prove who that person actually is.

Each entry on the web site could be provided in both clear and encrypted forms, requiring use of the public key to decrypt. This would prove that the same person created each log entry. But it doesn't prove in the slightest whether the content of those log entries is trustworthy -- the entire thing might be a pack of lies.
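
The consistency-without-identity point above, as an added example that is not part of the original essay: a series of signed log entries checked against a fingerprint posted on the site. It uses hash-based Lamport one-time signatures as a stand-in for PGP so that it runs on the Python standard library alone; the function names and sample entries are constructed for illustration.

```python
import hashlib
import secrets
# Assumption: Lamport one-time signatures stand in for PGP signatures here.
def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 2 x 256 random secrets and their hashes."""
    sk = [[secrets.token_bytes(32) for _ in range(256)] for _ in range(2)]
    pk = [[H(s) for s in row] for row in sk]
    return sk, pk

def fingerprint(pk) -> bytes:
    return H(b"".join(h for row in pk for h in row))

def _bits(msg: bytes):
    d = H(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    return [sk[b][i] for i, b in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(s) == pk[b][i] for i, (b, s) in enumerate(zip(_bits(msg), sig)))

def publish(sk, pk, next_pk, text: str) -> dict:
    """Sign the entry text together with the fingerprint of the next key."""
    nxt = fingerprint(next_pk)
    return {"text": text, "pk": pk, "next": nxt,
            "sig": sign(sk, text.encode() + nxt)}

def same_author(posted_fp: bytes, entries) -> bool:
    """True if every entry chains back to the fingerprint posted on the site."""
    expected = posted_fp
    for e in entries:
        if fingerprint(e["pk"]) != expected:
            return False
        if not verify(e["pk"], e["text"].encode() + e["next"], e["sig"]):
            return False
        expected = e["next"]  # each key signs exactly one entry
    return True

def demo_log(texts):
    """Constructed sample: one author publishes `texts` as a signed series."""
    keys = [keygen() for _ in range(len(texts) + 1)]
    entries = [publish(*keys[i], keys[i + 1][1], t) for i, t in enumerate(texts)]
    return fingerprint(keys[0][1]), entries
```

`same_author` passes for a series whose first entry makes an unverifiable claim about who is writing: the signatures establish that one key holder wrote every entry, and nothing about who that key holder is.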

I just finished reading Crypto, and Whit Diffie wrestled with the problem nearly 20 years ago. He thought he had found an answer, but it's an unsatisfactory one. It turned out to be an electronic equivalent of a "circle of friends", the old six degrees business. If I trust Allan, and Allan trusts Bob, then he can vouch for Bob to me as follows: I have Allan's public key because I got it from him personally. Allan has Bob's public key the same way, but I've never met Bob. Allan takes Bob's public key and encrypts it using Allan's private key. I decipher it using Allan's public key which I got from him personally; this then shows that only Allan could have sent me Bob's public key. (Allan would send my public key to Bob the same way.) That then means I trust Bob and vice versa because both of us trust Allan.

The problem with this is that it assumes no-one makes a mistake or gets fooled. Any misplaced trust cascades through the system, and it may create pockets of unreliability which can't easily be eradicated. Allan might be wrong about Bob, and as a result each person Bob introduces to me might turn out to be a lying bastard. And I might in turn introduce Eric and Julian and Groucho to other friends of mine, vouching for them in turn because I trust Bob (but shouldn't have) when he introduced them all to me. By the time Allan realizes that Bob is untrustworthy and tells me, it may be too late to correct the damage. Groucho's validation might have passed through five or ten more links by then, and the "cancel" message might not find all of those introductions. (Look how hard it is to stomp out the "sick boy wants postcards" chain letter.)

Each additional link away from me in the trust chain has to be treated as less trustworthy because there's a certain chance of each link in the chain being faulty, and the reliability of the whole chain is the product of the trust levels of each link. (Assuming a 95% reliability for each link, by the time you're 6 links out the reliability is 73%, and it keeps decaying from there.) But that's a probabilistic thing; it doesn't mean that all 20 of my friends are reliable -- rather that there's a good chance that one of them is a cad. It's not 95% trust of all 20, but 100% trust of 19 and 0% trust of one.
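
The chain arithmetic and the revocation problem described above, as an added example that is not part of the original essay. The introduction graph reuses the essay's names; Harpo, the second voucher for Julian, and all function names are constructed for illustration.

```python
from collections import deque

LINK_TRUST = 0.95  # per-link reliability figure used in the essay

# Constructed introduction graph: introducer -> people they vouched for.
# Julian is also vouched for by Allan directly (an assumption added here)
# to show that a second chain survives when Bob is revoked.
INTRODUCTIONS = {
    "me": ["Allan"],
    "Allan": ["Bob", "Julian"],
    "Bob": ["Eric", "Julian", "Groucho"],
    "Groucho": ["Harpo"],
}

def chain_trust(links: int, per_link: float = LINK_TRUST) -> float:
    """Reliability of a chain is the product of its links' reliabilities."""
    return per_link ** links

def reachable(graph, root="me", revoked=frozenset()):
    """Breadth-first walk: name -> links on the shortest chain from root."""
    depth = {root: 0}
    queue = deque([root])
    while queue:
        who = queue.popleft()
        for intro in graph.get(who, []):
            if intro in revoked or intro in depth:
                continue
            depth[intro] = depth[who] + 1
            queue.append(intro)
    return depth

def orphaned_by(graph, bad, root="me"):
    """Everyone whose only chain back to root runs through `bad`."""
    before = reachable(graph, root)
    after = reachable(graph, root, revoked={bad})
    return sorted(set(before) - set(after) - {bad})

def trust_report(graph, root="me"):
    """Best-case trust per person, using the shortest chain from root."""
    return {name: round(chain_trust(d), 3)
            for name, d in reachable(graph, root).items() if d}
```

Revoking Bob requires finding every name `orphaned_by` returns, including people introduced by the people Bob introduced, which is the set a "cancel" message has to reach.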

This system didn't really take hold, anyway. Then there was a commercial attempt at this, with a trusted company who validates people or companies for a fee. Anyone needing validation goes to the company and pays a fee and presents evidence of identity, and the company grants them a digital certificate. The technical details of how this works are unimportant, but you as a user can interactively validate the certificate by directly contacting the trusted company.

Only they're not as trustworthy as all that. A really good background check like this could be prohibitively expensive, and as a result to keep prices down they've been cutting corners -- and making mistakes. Recently they granted two certificates to someone who claimed to work for Microsoft but actually didn't. Things signed with those certificates announced that they had been verified as coming from Microsoft. This wasn't discovered for more than two months, and there's not really any way of knowing how many undiscovered screwups there are in their database now. The fact is that reliable trust is too expensive using this approach -- and even the approach they're using is too expensive for individuals to use.

So people are relying on the same tools they do in everyday life, which are themselves not totally reliable. First, there's verisimilitude: if you have a long correspondence with someone and don't notice any false notes, then your trust in them increases. There's also networking effects; meeting people through friends but without encryption to at least prove the confirmation, and a number of other approaches none of which guarantee reliability. In the face of a determined and patient hoaxster, you can be taken just as you can in real life. We've never solved the problem in real life and I don't think we will online.

We have to assume that sometimes we're going to get taken in. Sometimes we'll be fooled. Sometimes we'll discover that the eager young 24 year old college student in Miami we've been communicating with all this time is actually a sour old retiree in Duluth.

It's a gamble, like everything else in life. The only real rule is: never gamble anything you can't afford to lose.

This page has been viewed 1846 times since 20010726.

Captured by MemoWeb from http://denbeste.nu/essays/trust.shtml on 9/16/2004