Hey guys I just made this logo, inspired by this thread:
I also made logos for all the other unique app ideas, and you can see them on my site here!
David the answer to the “proof of human” in my mind is very simple, and I want you to really think about it.
You use a challenge response system with the device’s accelerometer.
Really, think about it.
The human supplies no real identifying information, but their human interaction with the device is clear as day.
I see it like this. It spits out initial voice commands to get a baseline “put device on ground” “hold device above head” “hold device out” (logging arm length/height/other basic metrics).
With the initial human data the challenge starts saying commands “shake up and down” “hold still” “move device in a figure eight” “move device in a circle” displaying the desired motion on screen, and records from the accelerometer. (think wiimote)
This human challenge can go on for as long as is needed, continuously telling the human new commands until a decision is made.
Maybe AI is advanced, and programmers are dedicated, and physics equations are easily understood… but mother of god have fun writing the program that will render the device in 3d space with perfectly fluid motion from every command to every other without delay or hiccup.
The real secret sauce is in the commands given, “shake vigorously” can get an estimate of the person’s strength, which can be compared to the “hold above head” height.
You could of course add some voice challenge (count to 10 while putting arms up).
At the very least you can verify it’s human, not necessarily a unique one (although I’m sure there are commands you could give to figure that out), but this will dramatically reduce the millions of fake accounts generated by common scripts.
Desktops are an issue but smartphones and laptops all have accelerometers now.
lol “backseat” truly is a great username for you
That means Professor Hawking could not be seen as human. And anyone with such disabilities like limited arm movement.
Also it would give jobs to low paid sweatshop “employees” who respond to the bot which relays the movements back to the app trying to verify if human.
Too many ways to fool it without even hacking or programming a voice activated response system. No need for AI, and is being developed for robotic response systems.
SAFE network does this by requiring payment for account to persist
I think you gloss over the really difficult problem. It is easy to get lots of people in a room going through this process (just as with generating game currency, filling in online forms etc.). The difficult part is the “unique” bit, and so if you think you can solve that part please go on. Then you will have found something no-one here has yet. I like the idea you present, but I don’t see how you can tie those responses to particular people. I’m not saying you can’t, but I think it needs to be demonstrated - or a theory of how presented that is worth someone exploring.
Maybe someone will pick up on the basic idea, but if you think you can solve it, don’t stop there!
David mentioned that in the 1st post:
David mentioned in this thread that he was more concerned with proving that you are human, not specifically unique.
But yes you are correct, the unique element is the golden-goose.
The reason I mention this was that the current captcha system is being bypassed now with bots sending out the images/puzzles to unsuspecting users to solve (& dedicated solvers). Thus a bot operates as a human and proof fails. Ever been to that site asking for captcha to be solved for access to the article, yet the captcha always says you failed (to get the person to solve many)? It’s increasing and saves the need of AI, or other recognition systems.
The movement challenge and response reminded me of that and how easily I could rig up a mechanism to fool such a system. (engineering is my expertise) Easier than that captcha fooling system although a tad more expensive.
I also gather that the human proof for account creation has basically been replaced by paying a coin. Thus I gather it is more a quest for unique now.
Personally I feel that the need for human proof and unique human should be for things that really need it like voting and a number of other APPs that want humans and not bots. There is a lot of resistance to wanting people to prove things in order to use a system unless they feel it’s necessary. The more they have to do the less likely they will do it.
Uniqueness & human proof is very difficult and mostly fooled because the input has to be converted to digital. I’d say the best would be a DNA analyzer that creates a hash of a person’s DNA so personal info is kept private. Then the problem is cost, identical twins and those that actually have 2+ DNA sequences. (the case of the mother who is not the “mother” depending on where the DNA sample is extracted from.)
I just read this entire 229-post thread in one fell swoop. Disclaimer: I’m new to MaidSafe.
It certainly seems that this thread needs clarification on the “is this integrated in the network or built in apps on top of it” point. For the higher-level apps, then, the point is moot, since the apps will do whatever they want, including their own separate ways of verifying humans if they so desire, and we can’t and shouldn’t stop them. All of the discussion about upper-level authentication, while interesting and valid, is therefore only useful as suggestions to new app developers.
So all that really matters is if PoUH should be implemented at a network level, and if so, how?
Well… it shouldn’t. Here’s what the thread has taught me:
- Biometrics are fun and interesting and as discussed, plausible. Unfortunately, they’re also never truly unique. Sharing a thumbprint with someone is rare, but it happens. Even less likely so for retinal scanners. Even less likely for heartbeat rhythms, and even less for DNA. Yet, all of the above, are not perfectly unique. (To test any such idea, always apply the limit as the number of living humans approaches infinity) In each method there are also accessibility issues (blind people, fingerless people, inconsistent heartbeat, etc). It was also mentioned that this would promote acceptance of biometrics in general, including the other proprietary/insecure/spying methods out there.
- Combination of Biometrics seems like the obvious answer to the above, and many people would say it’s “unique enough” for our purposes. It comes in two forms:
  - Mandatory combinations, say a heartbeat, an eye, and a fingerprint, exhibit the issues discussed about being far too complex, introducing high barriers to entry; not to mention hardware cost.
  - Optional combination of biometrics, like “eye scan or voice print, whichever you want!”, solves almost all of the accessibility issues but defeats the security gained. Bad actors simply go after the most exploitable method, and don’t have to worry about the rest.

  In either case, biometrics are obviously circumvented by physical coercion, as usual.
- Defining “human” in an operational way for the network is also necessary - if not different than “a user who provides value”, which would invalidate the need for PoUH (only bad actor elimination would be necessary), then we have no leg to stand on. For example, take the definition “rational animal”. If a non-animal with rationality comes along then why not give it the same resources and opportunities? If an AI had the rationality of a normal human user (such that it were indistinguishable from one) then does it not deserve disk space and resources to use the network as an other user can? Or are we really concerned with precluding value added by “animals” only for some reason? I may have just watched Bladerunner last night, but you have to admit, defining human is… completely arbitrary.
- Voting, which should never need to be done on whole-network scale anyway, is not meant for this low level. We can use higher level layers and apps, to vote, and even then, among mutually-verified subgroups of users. So let’s rule that out.
- Joining the network seems to take three schools of thought:
  - Join and get paid, a.k.a. free space/resources for new users
  - Just join, and get/give nothing, all the way to
  - Pay to join, such as requiring a safecoin for an account.

  Each of the extremes leads the user incentives astray. We don’t want to incentivize the mass creation of accounts, so giving away free space, while generous and easy, won’t work. We can gain the benefit from this approach, though by simply making it easy to immediately earn a first safecoin (for example). This also has the desirable effects, such as psychological value, of the “pay to join” approach, except the barrier isn’t actually there. What we don’t want to deal with is the impossible task of charging the whole world a sensitively fair amount, not to mention that telling people they need to pay for internet 2.0 is not going to go over well.

  Charging nothing and giving nothing has the pros of both extremes, with none of the cons. We can simply value the coins, rather than the accounts - and hey, we can even use that invitation-network-effect idea - we simply pass around “invites” with coin attached!
- Separating personal lives into multiple ‘accounts’ seems to be objected to, on the basis that it would be desirable and the PoUH would interfere with this. I’m arguing against PoUH, but this is not a good reason. First of all, we still want everyone to have only one account, or at least I think so. I was under the impression that you could deal with the separation-of-personal-life issue via something called Personas, which aren’t as permanent/anonymous as your actual maidsafe account. I may have the terminology backwards, but what they’re arguing for is PoUH for the account, which should suffice for all of the Personas under it. I still think everyone should have one account, and that there should be no point in having multiple (fragmentation of your stuff! multiple authentications to remember!).
This makes other processes fall into place - accounts will tend towards coinciding 1:1 with a single human because the incentives are set up that way.
Passports are used to identify unique human beings across the world. It is safe to assume that members of society have a passport. It is also safe to assume that given this form of identification, one can prove that one is not a bot.
Of course the problem is that people do not under any circumstances want to compromise their passport information.
Is it possible to generate a unique signature using a passport number as a one off without compromising the safety of said number, and still retain enough cryptographic information in the network to be able to verify this signature? Would this be illegal or impossible or just not secure enough? Since a lot of sites demand identification these days it got me curious as to why this type of solution would be infeasible.
Can’t people buy fake passports on the deep web?
I don’t have a passport
This is way off I’m afraid. Even in the USA, having a passport is less likely than not.
Hmm I see the problem.
Noob question - Is this actually intended to become part of the network, or is this just a conversational thread?
I can see how an identity verification service can be useful for some users and some applications. As a core concept though, someone should point out that “proof of unique human” at a network level by definition can only eliminate anonymity. This would increase risks and annoyances.
Suppose ‘Jay’ wants to back up his private e-mail every morning 2am, whether he’s at his desk or not. Jay also has a completely separate service that provides a REST interface to some unrelated weather data he’s been collecting and storing on the network.
Two options. One is that each of those “bots” can have its own separate account. The other is that Jay is only allowed one account, and all his tools have to automatically authenticate as Jay.
With account separation and anonymity, people might build bots that do harmful things. You might have to counteract those bots with tools like spam filtering, and ensuring that coins are only automatically issued to systems that have done useful work.
The second scenario could be a huge problem for Jay when it turns out that his weather data interface was not as well designed as he’d hoped, and some script-kiddie used it to steal his credentials and all his coins and e-mail (instead of being limited to whatever that specific app had access to).
Or maybe Jay has the misfortune of living in a totalitarian regime, and the government, which actually printed his ID in the first place, decides to execute him for documenting their activities with a foreign human-rights group.
Of course that’s all very dramatic and I just made it up. Real life problems for me would include:
- Testing development of an application that has different permission levels when you can’t create multiple accounts.
- Building automated tools for an employer without giving them access to your private data (Am I really the only person with a separate private and employee e-mail address?)
- (inverse) Hiring someone to build an app without giving them the credentials for your entire business.
- Simply not wanting to provide personally identifying information to a system that’s not accountable to me.
To be clear, unique identity validation can be an incredibly useful tool. I can easily see a business case for a specialized service provider doing manual ID checks and certain application writers insisting that only “EZ ID Verified” accounts will be allowed to vote in their election. But from a design perspective I don’t see anything good about making this a requirement for participation at the network level.
Very good points, but not necessarily the outcome.
First, your question: no it is not planned, because it is not yet possible to achieve this. The discussion is because there are things that would make this useful, but they need not lead to de-anonymising the user, so long as you can have non-unique accounts.
So for example, if you could have POUH this might be required for certain account benefits: voting, a free initial storage allowance etc, which would avoid spamming and similar abuse. But you could still allow other accounts, just without these features or benefits.
So we could have the best of both worlds. If only we could figure out how to do POUH!
Why not combine different strategies? For instance for your average job the wiimote idea would probably work fine to validate they are human. Then combine this with personal data and you have a login. To defeat the sweatshop problem tie one’s personal data to one’s biometric data. That is to say if the network knows you’re 6 feet tall, weigh 300lbs and shake your wiimote like a maraca and login one time then try logging in again and suddenly are 4ft tall, 90lbs and shake your wiimote like you’re trying to turn cream into butter there’s a difference and the system knows “Hey wait a sec this isn’t the same human here!” And an alarm is tripped. In short if someone hires someone ELSE to login for them as the “human” element then it becomes a permanent position until they reset the whole process, because you know that option would be necessary because things happen just like wanting to change your password.
For the motion impaired there are options like using a passport or nymi heartbeat monitoring device. And couldn’t we rig some kind of motion tracking system using the camera? Even a person in a wheelchair could follow commands to “move forward, move backward, go over to your left, move back again, move to your right, spin round, now perform a figure eight while bobbing your head” and so on. Quadriplegic issues, like many handicaps, are a greyscale. So one would need to input that into the system, which in itself would be identification data. If you know your human is handicapped and a human comes along who passes tests that they normally couldn’t either a miracle has occurred or there’s a security breach. Of course we’d need to account for miracles as they do on occasion happen but it’s rather unlikely.
Thanks for clarifying!
I’ve never heard of anyone solving 100% automated POUH validation, and now that you point it out, it does seem like a valuable enough service that if someone had figured it out, they would be famous billionaires.
I don’t know enough about MaidSafe yet to understand whether it could be done with the account authentication system as written or whether it’d have to be a separate tool, but treated as a customer-service rather than an automation problem and POUH looks like a simple modification of PGP: Show “EZ Validation Service” a meaningful form of identification and they sign one, and only one, of your public keys. Give the market a bit of a trial period and we’ll know whether “EZ Validation Service” is more reliable than “Background Checkmaster.”
Obviously a purely automated solution is beyond my skills here. To be fair though, everyone who uses an SMS text or government issued ID is also just outsourcing the work to particularly well-established vendors.
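The passport-number question and the “sign one, and only one, of your public keys” idea above fit together in one sketch, given here as an added example that is not part of the original posts or of any MaidSafe code. It assumes a trusted validator (the hypothetical `ValidationService`) holding a secret key; the ID numbers and public keys are constructed, and an HMAC tag stands in for the PGP-style signature, so only the validator itself can check it.

```python
import hashlib
import hmac
import secrets


class ValidationService:
    """Hypothetical ID validator: attests at most one public key per ID document."""

    def __init__(self, secret_key=None):
        # Secret held only by the validator; ID tokens and attestations are keyed with it.
        self._key = secret_key or secrets.token_bytes(32)
        self._attested = {}  # keyed ID token (hex) -> public-key fingerprint

    @staticmethod
    def _normalize(id_number):
        # "ab 123" and "AB123" must count as the same document.
        return "".join(id_number.split()).upper().encode()

    def _mac(self, label, data):
        # The label keeps ID tokens and attestation tags in separate domains.
        return hmac.new(self._key, label + data, hashlib.sha256).hexdigest()

    def attest(self, id_number, public_key):
        """Return an attestation for public_key, or None if this ID already backs another key."""
        fingerprint = hashlib.sha256(public_key).hexdigest()
        # Keyed digest: the raw number is never stored, and without the key
        # the small ID-number space cannot be enumerated from a leaked registry.
        token = self._mac(b"id:", self._normalize(id_number))
        if self._attested.setdefault(token, fingerprint) != fingerprint:
            return None  # one, and only one, key per ID
        # The attestation carries no ID token, so it does not link back to the document.
        return {"fingerprint": fingerprint,
                "tag": self._mac(b"attest:", fingerprint.encode())}

    def verify(self, public_key, attestation):
        fingerprint = hashlib.sha256(public_key).hexdigest()
        expected = self._mac(b"attest:", fingerprint.encode())
        return (attestation["fingerprint"] == fingerprint
                and hmac.compare_digest(attestation["tag"], expected))

    def stored_records(self):
        return dict(self._attested)


if __name__ == "__main__":
    svc = ValidationService()
    first = svc.attest("X1234567", b"constructed-public-key-A")    # constructed ID number
    second = svc.attest(" x123 4567", b"constructed-public-key-B")  # same document, new key
    print("first key verified:", svc.verify(b"constructed-public-key-A", first))
    print("second key for same ID:", second)
    print("registry contents:", svc.stored_records())
```

With a real asymmetric signature in place of the HMAC tag, third parties could verify the attestation without contacting the validator, which is the property the PGP comparison relies on.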
Here’s my current thinking on the topic:
I don’t think there’s been a pressing need for POUH, prior to David’s invention and hence no race to achieve it.
I wouldn’t call POUH an ‘identification’ system, as it does not identify anything. All it does is (1) prove we are human (2) prove we are unique i.e not the same as any other human on the network.
When planning this algo, we should take into consideration cloned humans also…apparently the tech is on the shelf, awaiting humanity’s ethical readjustment.
When taking clones into consideration, a factor that might be important: ‘proof of unique experience’ and since this is experience within the confines of a network that stores next to nothing about our activity, what’s on there that we can verify? What activity on the network could be used to assess a user on their unique safe experience?
You’d need a minimum amount of time/activity on the network, before you could even qualify to apply for Unique status.
So when we have 2 or more identical (DNA) humans as an accepted part of society, say 2 clones ‘created’ at the same instant in ‘time’…how else are you going to accept their uniqueness, if not by their experience transacting with the network…
What about robots wanting to join up? Proof of unique machine? (MAC address)… Robots + AI with multiple accounts…not good for business.