Reputation Systems: An Essay

Introduction

I take it as fact that a programmatic (as opposed to ad hoc) reputation system will be one of the next major undertakings for the net. To me the question is now just a matter of what that system should look like.

Justification

The justification for a reputation is relatively straightforward. Phishing, spam, and other forms of fraud would be greatly diminished. The signal-to-noise ratio would be improved if you could look at a little graphic next to the results on Google and know that people think that site rocks or think that site is lousy. Same thing for news sites like Digg and Slashdot. For that random e-mail: you don’t know if it’s worth looking at, but it’s signed. What do others think of that person? They think that person is spam? Delete.

Existing Systems

Before we proceed with my opinion on that matter, a brief overview of some of the existing systems:

PKI Web of Trust

The PKI “Web of Trust” model is the closest thing to a distributed reputation system that I am aware of. It is directed at validating the keys rather than the reputation of the key’s owner. Having signing as part of a more general system would be useful, though.

eBay

eBay and other similar sites have a reputation system for the buyers and sellers. It works okay. It is not distributed (each node sees one piece of data, the rating, and the individual feedback that contributed to that rating). Being centralized means that gaming the system is easier. There is one model of trust, although different people can ascribe different weight to that model.

/.

Slashdot uses a moderation system as well as karma. The more highly you are moderated, the better your karma. It has also introduced a friend/fan/foe/freak system allowing you to give a single designation (neutral/friend/foe) to another user as well as see their designation of you. They also display friend-of-a-fried and foe-of-a-friend data.

This works nice within the bounds of the comment system, but you cannot friend/foe the editors, sites, etc. And it’s exclusive to Slashdot, so you can’t see a Slashdot friend automatically on Digg, for example.

DNS

The Domain Name System also has reputation built into it. The dozen-or-so root Nameservers are trusted to provide accurate information. The TLD Nameservers are the same way. You trust that the information is accurate. This is also true of routing tables. The difference here is that DNS suffers from gaming in the form of domain squatters.

A Net-wide Reputation System?

That is what I am proposing. It will not supplant the DNS system or the PKI Web of Trust, but such a system would eventually either integrate with or supplant most other general-purpose systems.

Unique IDs

OpenIDs give you a unique identifier to tag with reputation data and build a graph off of. The same goes for websites. E-mail is a little trickier by the very nature of being able to spoof the from: address. That is, until you augment it with encryption and the e-mails become signed.

Graphs

My assumption is we can build a graph and more or less crawl that reputation graph to discover how well you might want to trust someone or something from the get-go. You could then add to your graph your own reputation data for that entity, which would affect its reputation for those who give you credence.

And of course, if you found the system’s rating wasn’t accurate you would be able to crawl the graph and prune any parts that weren’t giving you accurate results.

Conclusion

I believe it is time to start work on a reputation system for the internet. I believe the existing technologies can be integrated with a system and that it will benefit the average user of the internet immensely. While I have some more technical ideas of how to do it, I am very interested in hearing the feedback of others. This is particularly true of those working on similar/related problems such as data portability.

Thank you for taking the time to read this, and I hope it will entice some useful ideas about reputations.