| ▲ | vohk 4 hours ago |
| I think it's going to effectively kill public chat communities without either proof of identity or attestation through a web of trust. Or rather turn them into little better than comment sections on news sites; thriving but worthless. I'm active in a number of online communities that are doing just fine but the difference is those all involve ongoing relationships, built over time and with engagement across multiple platforms. I've no doubt this clock is ticking too but it's still harder to fake a user across a mix of text chat, voice and video calls, playing an online game, etc and when much of the web of relationships extends back into real life activity. But I agree the golden age of easy anonymous connections online has ended. |
|
| ▲ | folderquestion 8 minutes ago | parent | next [-] |
| The web could become a way to indicate identity if public institutions publish for example www.university-country/professors/John. And that implies that John is a professor. I designed a 6000 lines protocol, but anyone could construct that web using hmac(salt+ url). |
|
| ▲ | tardedmeme 2 hours ago | parent | prev | next [-] |
| Note that "attestation through a web of trust" means something like needing an invite from an existing user. It doesn't have to mean mass surveillance. |
| |
| ▲ | g3f32r 2 hours ago | parent | next [-] | | Private torrent trackers have been doing this for a while. If some number of your downstreams act like shitheads - you get nipped and so do your other downstreams. | | |
| ▲ | 2ndorderthought 2 hours ago | parent | next [-] | | This seems like the best way to handle it. Also, smaller communities. It's cool to do the global thing, but once you have 10k active users you can't moderate it with a team of 5 volunteers. I think the attestation approach works best if there are different reasons for the punishment. Eg someone inviting a turd doesn't ban the person who invited them. Someone going full ai spam should. | | | |
| ▲ | irishcoffee 2 hours ago | parent | prev [-] | | Was it demonoid? That was like this way back in the day? Needed an invite and if you leeched you were cut. | | |
| ▲ | platevoltage an hour ago | parent [-] | | Demonoid was semi private, but yes, most private trackers require you to keep up some kind of seeding ratio to remain a member. |
|
| |
| ▲ | michaelt 2 hours ago | parent | prev | next [-] | | PGP’s web of trust was kinda bad privacy-wise in some regards, as it basically revealed your IRL social network. If my PGP public key has 6 signatures and they’re all members of the East Manitoba Arch Linux User Group, you can probably work out pretty easily which Michael T I am. Are there successful newer designs, which avoid this problem? | | |
| ▲ | pjc50 an hour ago | parent [-] | | The IRL social network is actually the important part of the trust structure. The only one of these I've seen that really worked was the Debian developer version: you had to meet another Debian developer IRL, prove your identity, and only then could you get the key signed and join the club. | | |
| |
| ▲ | nicbou 19 minutes ago | parent | prev | next [-] | | Then how can you have a community that is welcoming to people who are not part of the ingroup? I want to create a community for immigrants. How would I make it welcoming to recent immigrants for whom no one can vouch? A web of trust is a wonderful tool, but it's exclusive by design. This is a problem for some communities, even though it makes others much better. | |
| ▲ | AnthonyMouse 23 minutes ago | parent | prev | next [-] | | > Note that "attestation through a web of trust" means something like needing an invite from an existing user. It's probably better to call this something like vouching and leave "attestation" as the contemptible power grab by megacorps delenda est. The advantage in using the same word for a useful thing as a completely unrelated vile thing only goes to the villain. | |
| ▲ | ghaff 2 hours ago | parent | prev [-] | | Which is, funnily (?) enough, how a lot of IRL organizations used to be. And basically don't be of the wrong ethnicity or religion. It still happens more informally today, of course, but it used to be a pretty (if un-spoken) part of how a lot of WASPy organizations operated to a greater or lesser degree. | | |
| ▲ | Exoristos an hour ago | parent [-] | | This was cogent in 1910. | | |
| ▲ | ghaff an hour ago | parent [-] | | A lot more recently than that--and even today but more under the table. A lot of clubs still excluded members within the past few decades. | | |
|
|
|
|
| ▲ | fidotron 3 hours ago | parent | prev | next [-] |
| > I think it's going to effectively kill public chat communities without either proof of identity or attestation through a web of trust. This seems self evident to me too. It's another factor in why I think the tech community needs to get ahead of governments on the whole "prove your ID on the Internet" thing by having some sort of standard way to do it that doesn't necessarily involve madness in the loop. |
| |
| ▲ | baxuz 8 minutes ago | parent | next [-] | | EU's ZKP implementation provides complete anonymity and untrackability: https://eudi.dev/2.8.0/discussion-topics/g-zero-knowledge-pr... | |
| ▲ | bluefirebrand 3 hours ago | parent | prev [-] | | I'd be interested in working on a problem like that. I have a strong preference for remaining anonymous or at least making it a reasonably high bar to tying my online identity to my personal identity I would love to be involved in helping to design a sort of "human verified" badge that doesn't necessarily make it possible or at least not easy for everyone to find your real identity I've been thinking about it a bunch and it seems like a really interesting problem. Difficult though. I suspect there is too much political and corporate will that wants to force everyone online to use their real identity in the open, though | | |
| ▲ | tracker1 2 hours ago | parent | next [-] | | I'm not sure that it would be too hard technically... basically, auth+social-network. Basically Facebook auth without the rest of facebook, adding attestation. IE: you use this network as your auth provider, you get the user's real name, handle, network id as well as the id's (only id's not extra info) of first-third level connections. The user is incentivized to connect (only) people that they know in person, and this forms a layer of trust. Downstream reports can break a branch or have network effect upstream. By connecting an account to another account, you attest that "this is a real person, that I have met in real life." Using a bot for anything associate with the account is forbidden, with exception to explicit API access to downstream services defined by those services. I think it could work, but you'd have to charge a modest, but not overbearing fee to use the auth provider... say $100/site/year for an app to use this for user authentication. | | |
| ▲ | bluefirebrand 37 minutes ago | parent [-] | | I don't think the main challenge is building this system, the main challenge is getting enough people using it to make it worthwhile. Personally I think it should be a government provided service, not something with a sign up fee. There's actually no point at all in building this if people have to pay to use it, because they won't |
| |
| ▲ | Morromist 2 hours ago | parent | prev | next [-] | | I agree its a very, very interesting problem. Maybe one of the biggest problems of the coming decade. I suspect it will be a long process: first there will be goverments that force people to use ID, but that will be abused, hacked and considerably restrict freedom of speech, so after that phase people will start to create better ids. The problem is really pretty simple: You need an authoratitive source to say "This person is real" - and a way for that source to actually verify you're a person - but that source can be corrupted and hacked. Some people will say "Crypto!" but money != people, so I don't see how that works. Perhaps the creation of some neutral non-goverment-non-profit entity is the way, but I can see lots of problems there too, and it will probably cost money to verify someone is real - where does that come from? Anyway, good luck on your work! | | |
| ▲ | sfjailbird a minute ago | parent | next [-] | | Crypto could be a part of it. Like you need to sign with an adress that has held some non-trivial amount for some minimum amount of time. As a component of such a system it could cut down on mass or low-effort impersonation. | |
| ▲ | baxuz 7 minutes ago | parent | prev | next [-] | | https://eudi.dev/2.8.0/discussion-topics/g-zero-knowledge-pr... | |
| ▲ | WillPostForFood 2 hours ago | parent | prev | next [-] | | *You need an authoratitive source to say "This person is real"* Does that even accomplish much? It may cut down on mass fake account creation. But, real people can then create authenticated account, and use an LLM to post as an authenticated real person. | | |
| ▲ | Morromist 7 minutes ago | parent | next [-] | | Yeah, that's a problem, you're right. There are some ways to migitate it, but they introduce their own issues. Like say you give someone only 1 ID for their lifetime, they start to spam AI crap, you ban their ID - sounds ok except who is available to police all 8 billion IDs and determine if they're spamming? Who polices the police? What if these IDs become critical for conducting commerce and banning someone is massively detrimental to their finances? Etc. These problems aren't necessarily unsolvable though - but they are super difficult. | |
| ▲ | Karrot_Kream 2 hours ago | parent | prev | next [-] | | If there's only 1 or just a handful of verifiers, then a human can at most go through a few of those credentials before they run out. The risk is of course getting someone else's credential but that isn't as big an issue, especially for smaller online communities. | | |
| ▲ | kingleopold an hour ago | parent [-] | | you under estimate human population in certain countries, literally | | |
| ▲ | Karrot_Kream an hour ago | parent [-] | | I just don't see a world where a small community ends up having to deal with a dedicated set of potentially spoofed identities. There are already tools like slow-downs and post limits for new members that can protect against this. HN is the biggest community I'm in by an order of magnitude and it's the only community I know that can the just use a slow mode type mechanic to halt this kind of attack. | | |
| ▲ | nemomarx 32 minutes ago | parent [-] | | Have you considered sock puppets? It's not out of the question to handle with human mods but detecting them automatically is pretty bad if someone is supplying credentials to each one, and sometimes it does take months or years to notice that new user Y is banned user X. |
|
|
| |
| ▲ | bluefirebrand 43 minutes ago | parent | prev [-] | | > But, real people can then create authenticated account, and use an LLM to post as an authenticated real person. They can, but ideally they wouldn't be able to make infinite accounts with that authenticated status. So it would still reduce the number of bot posters on the web |
| |
| ▲ | kingleopold an hour ago | parent | prev [-] | | it can also be "rented" btw, rented by llms? interesting |
| |
| ▲ | Karrot_Kream 2 hours ago | parent | prev | next [-] | | Verifiable credentials are all about this. You need some sort of credentialing body that generates the credential for you, but after that you'll just have an opaque identifier. Any caller that wants to verify whether you're human submits the id to a verifier and the verifier says yes or no. You can also do attestations like age, so gate a forum on 16+ or something. You never end up having to actually give away your name or any other details. | | |
| ▲ | rgblambda 35 minutes ago | parent [-] | | What happens when someone agrees to sell or give away their id? The credentialing body could catch the very worst abusers who seem to be signing in to various sites and services multiple times an hour, but would fail to catch anything else. | | |
| ▲ | Karrot_Kream 31 minutes ago | parent [-] | | I don't think you'll ever be fully free of spam, so you'll still need to filter bad content. If credentials get sold and used to spam, they'll get banned. |
|
| |
| ▲ | kolmogorov 26 minutes ago | parent | prev [-] | | world.org is doing exactly that including the privacy aspect.
the iris scan aspect is scary but the alternatives don't seem to solve the problem either. |
|
|
|
| ▲ | vlod an hour ago | parent | prev | next [-] |
| > without either proof of identity or attestation through a web of trust. Let's put aside the idea whether it will be the end of all privacy as we know it (I'm not sure if I personally think it's a good idea), but isn't Sam Altman's World eye ID thing supposed to do that? (https://world.org). How does it work (like OpenId)? Do I have an orb on my desk, or some sort of phone app? I still want to use my desktop to login to HN. Would it stop this sort of "get human id", past it into .env, so agents can use it? |
| |
| ▲ | toofy an hour ago | parent [-] | | this eye thing will never work. people in general are realizing the last people we should trust with our personal stuff are tech bro billionaires. they’ve broken trust too many times. even worse many of them are just plain vocal about their disdain for people in general. at least from what i’m seeing, people are starting to walk away from online at an increasing rate so i definitely don’t see widespread adoption of his creepy eye thing. | | |
| ▲ | cryptoz 20 minutes ago | parent [-] | | “If McDonald’s offered three free Big Macs for a DNA sample, there would be lines around the block.” - Bruce I have no idea about the eye thing taking off. But I think your comment is very HN and a bit out-of-touch with regular people. What "you're seeing" is a bubble and not representative of the general population. The eye thing is a slow frog boil and it will be commonplace before you can blink. |
|
|
|
| ▲ | TulliusCicero 2 hours ago | parent | prev | next [-] |
| > I think it's going to effectively kill public chat communities without either proof of identity or attestation through a web of trust. I'm happy to verify my identity as an honest-to-god sack of meat if it's done in a privacy-protecting way. That probably is where things are gonna go, in the long run. Too hard to stop bots otherwise. |
| |
| ▲ | jredwards 2 hours ago | parent | next [-] | | In order to make this viable, wouldn't you have to verify identity repeatedly? What's to stop me from providing a valid identity and then handing my account over to an agent after I'm verified? | | |
| ▲ | Bjartr an hour ago | parent [-] | | That's why a web of trust was suggested. You keep track of who vouched for who and down weight those who vouch for users that prove to be bots. In theory at least. It's certainly more complicated than only that in practice. | | |
| ▲ | ssl-3 5 minutes ago | parent [-] | | If the web of trust only extends to the people who I actually know to be real, then that works -- but it's a very small web. And by small, I mean: This whole trusted group could fit into one quiet discord channel. This doesn't seem to be big enough to be useful. However,if it extends beyond that, then things get dicier: Suppose Bill trusts me, as well as those that I myself trust. Bill does this in order to make his web-of-trust something big enough to be useful. Now, suppose I start trusting bots -- maybe incidentally, or maybe maliciously. However I do that, this means that Bill now has bots in his web of trust as well. And remember: The whole premise here is that bots can be indistinguishable from people, so Bill has no idea that this has happened and that I have infected his web with bots. --- It all seems kind of self-defeating, to me. The web is either too small to be useful, or it includes bots. |
|
| |
| ▲ | janalsncm 2 hours ago | parent | prev | next [-] | | I guess it would have to be something like a service which confirms whether a person already has an account on the site but doesn’t have to track which particular account it is. I’m not sure if that would work for account deletions though. | |
| ▲ | XorNot 2 hours ago | parent | prev | next [-] | | That is effectively impossible though. There's data centers of stripped down phones, so "it's actually a phone" doesn't do it. | |
| ▲ | Citizen_Lame an hour ago | parent | prev [-] | | What's stoping bots to verify identity? This will not work, especially with frequent data breaches. |
|
|
| ▲ | 20k an hour ago | parent | prev | next [-] |
| Personally I think we need to start utilising the safety features built into AI, to ensure that who we're talking to is a human. We'll start to have to only reply to people who talk in nsfw cursewords (like cocks), or profess their love of capybaras |
| |
|
| ▲ | baxuz 9 minutes ago | parent | prev | next [-] |
| It'll come back again once ZKPs become standardized and become baked into devices: https://eudi.dev/2.8.0/discussion-topics/g-zero-knowledge-pr... I personally can't wait for a mechanism to kill 99% of bot traffic. |
|
| ▲ | Galanwe an hour ago | parent | prev | next [-] |
| Im not sure proof of identity solves anything. People will still have LLMs with their real identity verified. |
| |
| ▲ | SV_BubbleTime an hour ago | parent [-] | | I’m imagining like, a physical place you would go and get your text spoken out of your personal speaker directly into someone else’s microphones. |
|
|
| ▲ | NoMoreNicksLeft 3 hours ago | parent | prev | next [-] |
| >I think it's going to effectively kill public chat communities without either proof of identity How? I have an identity. A state driver's license, birth certificate, social security number. I've even considered getting a federal license before, never bit the bullet. If I wanted to run a bot, what stops me from giving it my identity? How do I prove I'm really me (a "me" exists, that's provable), and not something I'm letting pretend to be me? You can't even demand that I do that, because it's essentially impossible. Is there even some totalitarian scheme that, if brutal and homicidal enough, could manage to prevent this from happening (even partially)? I'm limited to a single identity only as a resource constraint. Others more wealthy than I (corporations or ad hoc criminal enterprises) could harvest thousands of real identities and use those. Consensually, through identity theft. The only thing slowing it down at the moment are quickly eroding social norms (and, as you point out, maybe they're not doing that and it's not even slow at the moment). |
| |
| ▲ | tardedmeme 2 hours ago | parent [-] | | Digital totalitarianism would prevent it. The moment you were found to be running a bot, your identity would be blacklisted across the entire internet. | | |
| ▲ | bossyTeacher 2 hours ago | parent | next [-] | | > The moment someone steals your identity, your identity would be blacklisted across the entire internet. FTFY. There isn't a clear solution. And if there is, this ain't it. | |
| ▲ | NoMoreNicksLeft 39 minutes ago | parent | prev [-] | | You claim this, but you've not presented any evidence. Who would be the enforcement agency for that? Where and how would you train them? Can the money be scrounged up to do it properly? As you blacklist people from the internet, you lose their tax revenue (they're locked out of the economy), but you also make it impossible for them to tell people how bad it was... most of the deterrent effect is gone. But the incentives are only ever growing higher, as people surmise that running their own little bot farm is a way to get ahead when hustling. Any you do hunt down and disconnect are now highly radicalized and desperate, but you've just turned off the feeb's ability to monitor them and intervene. China gets away with this shit because they've been conditioning their population for 60 years... everyone's eased into it. Elsewhere, not even slightly so. |
|
|
|
| ▲ | ubermonkey 3 hours ago | parent | prev [-] |
| "I think it's going to effectively kill public chat communities without either proof of identity or attestation through a web of trust." Those sorts of places were always the only places with reliably good communities. |
| |
| ▲ | bigyabai 3 hours ago | parent [-] | | To the contrary, platforms like Facebook and X demonstrate that even personal verification won't save you from identity politics. | | |
| ▲ | pjc50 an hour ago | parent | next [-] | | People will post appalling racism in newspapers under their own bylines and photos. Identity verification does not moderate. | |
| ▲ | tardedmeme 2 hours ago | parent | prev [-] | | What is identity politics, is that age verification? |
|
|
