Radovan Semančík's Weblog

Luke Razzell writes about "Virtual Personality":

A Virtual Personality is posited by VRI as an aggregate of all the Virtual Personas a person might have in their online life (their banking persona, blogging persona, online chat persona etc.).

But who says all the Virtual Personas belong to the same Virtual Personality?

I have written about personae before and the more I think about it, the more I'm convinced that the model fits well. But the "Virtual Personality" concept does not.

One of the most important statements of the model is that a user is an entity in the "real" world, while computers operate in the distinct "virtual" world. Computers have no direct "touch" with users, they may only describe them using data records (personae or "virtual personas").

The "Virtual Personality" concept looks to me as being nothing more as just another persona, that happens to be linked to another personae. I must agree with Luke, that the "Virtual Personality" looks as a superfluous concept.

Some time after the informal drafting of the project I've realized, that the relation between persona and physical subject (person) may not be that important as it is currently seen. And it even might not be possible to reliably determine it in practice. As I've written earlier, maybe we should really forget about the entire "physical identity" concept - as it is intangible in the virtual world of computer software.

The only "identity" thing that can be processed in the virtual world is relations between personae. Especialy the relation that I call analogy, that indicates that the personae describe the same subject (whoever that subject may be). Maybe that would be sufficient to describe the "digital identity" situation. But the model is still work in progress, needs more thinking and more work ...

I was working on a kind-of-directory-kind-of-SSO project for past three months. I was working quite hard and had no time to follow the identity buzz around. Just few days ago I found the entry in Kim Cameron's blog that features a recording of his conversation with Craig Burton. One of the topic was anonymity, especially the question if anonymity is an empty set of claims or not. After a while it came to me that the question is all wrong. More exactly, the "anonymity" is all wrong.

First of all we usually see anonymity as a boolean quality. You are either anonymous or you are not. You cannot be "a bit more" anonymous or have "quite a big" anonymity. But if you see anonymity as a boolean value, you must first define the "world" that it operates on. This is called anonymity set by some researchers. The exact definition may be found here:

The anonymity set is a collection of all possible subjects that you can choose from. For example when evaluating the anonymity of a single HTTP access the anonymity set may be "all IP-addressed devices" or "all devices accessing Internet form a single proxy server". In the former case the HTTP access is not anonymous, as it is identified by an IP address (the fact that the address may not uniquelly identify the client does not really matter). In the later case the access may be anonymous.

Or you may define anonymity as a quantitative value, measured by the size of the smallest applicable anonymity set. That way you may be "very anonymous" or "just a little bit anonymous". But in that case there's a new question: How much anonymity is enough?

One way or another, talking about anonymity without defining the anonymity set has no point. And I think that definition of anonymity set for the Internet may not be that easy. And will probably be very dynamic, anyway. Will we see the anonymity set as a collection of all Internet-enabled devices? Will we also include devices hidden behind masking proxies? Or will we see it as a set of physical users and it will not matter if a device is identified as long as a user is not? And if I can identify e.g. user's location (city) is the user still anonymous or is he not?

I think that the "anonymity" and "identity" are two extremes of quite broad and multi-dimensional identitifcation spectrum. And I also think that these two extremes cannot be reached in practice. But that may be a topic for following posts.

Maybe we should abandon the words "anonymity" and "identity" completely, as they may be very misleading. Especially while building practical systems.

Jozef Vyskoč reported(SK) today on an incident in china, where a police detained a man that stole and sold "short" IM numbers.

This looks ridiculous at first, but it is in fact a "reputation theft". The shorter IM numbers hints that a user was on-line in the early days of serivce and that may give him some kind of "reputation". This may be seen as a isolated incident, but it is not the first time I've about this kind of "inherent" reputation. A friend of mine told me that Switzerland citizens strive for car registration plates that have smallest numbers on them. The low numbers mean that the owner of the plate is long-time citizen and thus should be honored. This goes even further, as the most interesting plates are sold and bought.

There are several thoughts that came to my mind:

• In the lack of other reputation system, the people are using the mechanisms that are at hand. Like short IM numbers or low car registration plate numbers. Could this mean that there is a real need for a reputation system? That people needs it? That they even want it?
• The low numbers on Switzerland car registration plates originaly indicated an old-time citizen. But now, as the plates are being sold and bouth using market-derived prices they indicate a different value. The value shown by the figures on the plate is the mix of the time that the person lives in the city and the price that he is willing to pay for the illusion that he is honorable. The low numbers are not assigned anymore, they can only be bought. After some time this measuring system will mutate to show only the amount of money one is willing to pay for the plate. Does this mean that the reputation metrics in reputation system may have variable meaning over time? In such a case we will need some meta-reputation system that will assert the reputation of reputation systems. Or is there some different way?
• For a reputation system, one must always account for a "short-cut" value of the system. I mean, that every system may be breached, (almost) every person can be corrupted, everything has its price. There may be ways how to aquire reputation with money alone. One can get a reputation of a sound expert only by paying the "short-cut" price of the system (the price to break it, the price to buy a reputation of existing expert, etc). This may (or may not) destroy the system. As with other systems, we must know where the limits of reputation systems are and do not push the "honorability" of a reputation system beyond these limits.