D2.2: Set of use cases and scenarios

 

Identity Management and Reputation

 Picture :Typical pseudonym types

Reputation systems as data bases for community members’ experiences with other members should be protected by means of technical data protection to ensure users’ right of informational self-determination. Because beneath the legitimate interest of the community members who inform themselves about future interactors numerous data collectors will be desirous to get access to such large data bases which contain information who interacted at which time with whom and in which context.

Figure

 

Unfortunately the reputation systems currently in use in the above example of electronic marketplace communities (Kollock, 1999) allow to generate interest and behaviour profiles of pseudonyms (e.g. time and frequency of participation, valuation of and interest in specific items). One distinguishes between different pseudonym types depending on their usage as it is also illustrated in (Köhntopp and Pfitzmann, 2004) If the pseudonym becomes related to a real name, as it typically does for trading partners, the profile becomes related to this real name as well. But surveys (Pew Internet & American Live Project, 2000, and Harris Interactive, 2002) indicate that a lack of privacy seems to reduce the success of electronic commerce. Every member wants to determine himself how much and when he wants to reveal data about his person, behaviour and interests.

User-controlled privacy-enhancing identity management (Clauß et al, 2002) gives the possibility to reach pseudonymous interaction on the Internet that tries to satisfy all parties’ security requirements. Typically the user-server scenario is considered, A user can protect against unauthorized access to information while by the use of credentials the server can be sure pseudonymous users are reliable and can be made accountable for misbehaviour. E.g., the use of an identity management system is applicable to the scenario of classical e-Commerce on the Internet (Clauß and Köhntopp, 2001). The difference to Internet communities is the change of roles (between servers and users) that happen within them. 

In the EU project PRIME (http://www.prime-project.eu.org/) a prototype for a privacy-enhanhing identity management system is built that gives the user the control over his personal data and its use for different applications e.g., e-commerce. The prototype will make an appropriate design of the user side and possible server sides. This will need application providers to install this software on the server side and provide access to their services using identity management software. 

Reputation systems are an important part to be integrated in identity management systems to lower the costs of interactions between members in Internet communities.  

To increase privacy in Internet communities instead of person pseudonyms a pseudonym type that is restricted to fewer uses should be used.  

Unlinkability between different contexts (or context types) a member of the community is involved in can be reached by using role pseudonyms regarding to the roles he has in these contexts. E.g., by this measure the contexts ‘offering goods within the community’ or ‘giving advice regarding a specific topic’ or ‘chatting about a hobby’ could be separated by using different unlinkable pseudonyms. Using this  pseudonym type has the positive side effect that reputations for these roles are collected separately. This should even increase the trust in the reputation system because members might be different trustworthy depending on the context. The definition of a context and the distinction between contexts has to be made in the reputation system to make the reputations collected under a pseudonym sensible.

All members with access to the reputation system have the opportunity to link all context information regarding the used pseudonym. Beneath using role pseudonyms for different contexts users should change the pseudonyms they use within these contexts from time to time. To give members the possibility to use their reputation with different sequenced pseudonyms a similar mechanism than for convertible credentials (Chaum, 1985) could to be used. 

The anonymity set in Internet communities usually is quite large. If the number of possible reputations is limited, e.g. by a numerical sum of ratings many members will have the same reputation and thus the anonymity set of one single member contains all members with the same reputation. If the reputation system allows the members to give additional comments regarding their rating, the possibility for the formulation of comments has to be limited as well to guarantee an appropriate anonymity set. This gives members the possibility to determine the linkability of their actions within the community. After an appropriate time the members of a certain anonymity set should change their pseudonyms to new ones to reach unlinkability to their past interactions but they will still be able to use the same reputation.  

Because the change of a pseudonym and the corresponding reputation usually is costly and needs many members to participate, there has to be made a trade-off between the costs of a pseudonym change and the linkability of information regarding a pseudonym. 

Beneath these privacy measures every member’s accountability for his interactions has to be guaranteed. Also in privacy-enhancing identity management systems every pseudonym has to be linkable to a real name for at least identity providers where the member has registered himself as a member and under a pseudonym.  

Future research on this topic and the design of a prototype within a privacy-enhancing identity management system will be executed at TU Dresden. 

 

 

61 / 69