What extra information will distributed markets leak?

I've been thinking about distributed markets, and what information to reveal and hide. Just like in Bitcoin, your identity is a pseudonym---so in concept, you can make everything except the link between that pseudonym and your real identity public, and nothing bad happens.

But, also like in Bitcoin, your pattern of activity may suggest that link. So if you're a buyer, then do you want to reveal that you, a single person, placed multiple orders to:

Of course, a buyer can change pseudonyms whenever she wants. If she needs the escrow agent's help with transaction D, then she can even sign messages proving that she's the same person responsible for transactions C, B, and A, and get the benefit of that reputation, retroactively disclosing as much of that link as she thinks helps her specific situation. That's pretty complicated for the buyer. It's also not as convincing as a single pseudonym, because she can cherry-pick, by not mentioning any past transactions that would hurt her case.

Along the same lines:

This is basically a tradeoff between anonymity and reputation. The more I think about this, the more I feel a need for some kind of aggregation of transaction history, whether that's a person with incentives not to scam, or code running on trusted hardware, or fancy crypto. That system doesn't have to be perfect---as long as most of the time, it aggregates and destroys, occasional leaks of complete history probably aren't enough to put the pieces together. Without that, either reputation or anonymity (or both) seem likely to be much worse than in existing centralized markets, which barely hold together already...

This is obviously a smaller problem in an open market, where anonymity is less important, and other sources of reputation (like from the person's real identity) are available.

So am I paranoid? Or is this something that would concern most users as much as it does me? What will you feel comfortable disclosing?


Comments


[1 Points] six--pack:

As you are starting to realize - only aggregating the feedback and distributing it works well. This is what we are doing with /r/axis_mundi by getting the notaries to perform this function, primarily because they are the only party (other than buyer and seller) who have some visibility over a transaction.

This means that every notary is responsible for internally tracking each time a given buyer or seller uses them and tallying up their transaction count and feedback and then making the summaries available. For each rated user the notary also provides a value called key_diversity which shows how many different parties have left the feedback. Later we will extend that concept further with other parameters that indicate how likely the feedback leavers are to be legitimate. At no point will the notary ever show both parties to a transaction (buyer and seller) - one side will always be anonymized.

To get a buyer's or seller's feedback you have to query every notary (in fact we have the Looking glass servers which do this for you although any client can request it directly from each notary if they want).

If a notary decides to shut down or disappear it is still possible to get the signed, aggregated/summarized feedback scores.

We spent months thinking about this - there is no perfect answer of course - but spreading the risk/responsibility is nearly always the best course of action and prevents any one party knowing too much. Over at Openbazaar they seem to be coming around to a similar conclusion.

You certainly don't want a situation where one party knows everything (centralized market style).

Methods such as ring signatures do not have any obvious (useful) application to solve this particular problem in our humble opinion.

/u/-el_presidente- posted this to the Hub in July describing our high level feedback structure - it has changed a little since but not too much:

Re: Axis Mundi - secure, distributed market platform - testing now

« Reply #172 on: July 25, 2015, 01:57:51 pm »

Feedback proposal

1) Buyers and Sellers can leave feedback for each other after any transaction

2) However only feedback that is validated (signed) by a notary may be published

3) A user who wishes to view, say, a seller's feedback will see the feedback in the seller's profile but also contacts the notary pool to make sure the numbers stack up

4) The user leaving the feedback may choose to hide certain fields such as the item being traded

Each user's client is responsible for publishing their own feedback/ratings once said feedback has been verified/signed by a notary and received.

Users can have multiple feedback rating scores - each notary they use keeps a separate record and signs feedback to prove its authenticity. It is up to the user to publish each piece of feedback although notaries will also make available a summary comprised of the number of transactions, number of different buyers and average rating.

Example: Buyer_A orders from Vendor_A and uses Notary_A to act as an escrow party.

During finalization Buyer_A rates the transaction on a scale 1-5 and may leave some written feedback. Because Notary_A is involved in this transaction this feedback is also passed to them. Notary_A then signs this feedback using its PGP key and sends it back to the seller and vendor. Vendor_A can also leave feedback for the buyer and the process is the same, the feedback is passed from Vendor_A to Notary_A who will sign the feedback.

Feedback messages look like this:

[MESSAGE SIGNED BY NOTARY]

Transaction Item : (What was purchased, this may be redacted if desired although the value of the feedback will be diminished)

Feedback For: PGP key of the user who has received this feedback

Rating : 1-5

Note : Additional info from the leaver of feedback.

Feedback Leaver: Anonymized but will give clue as to leaving party (e.g. number of transaction, time first seen etc)

[END MESSAGE SIGNED BY NOTARY]

Each notary will keep track of how many transactions it has notarized for a given user and what the average feedback rating is.

A user may choose not to publish feedback that they have received and that is their choice; however, the notaries will make available number of transactions and average rating for any user they have notarized - they just won't keep detailed feedback messages. If a user is not making much feedback available but the notaries suggest that they have a much higher transaction count then the counter-party in the transaction may have cause to question this.

If a notary goes bad or becomes untrustworthy then other users may choose to ignore any feedback signed by that notary, or if more granulation is required then to ignore any feedback signed by that notary after a given date say.

There is some refinement but this is the basis of the feedback/rating mechanism.

We envisage that nodes will appear who aggregate this information (a la AMVD or Grams Infodesk) - to make it more accessible

This works or do you want to have the notary responsible for publishing feedback rather than the feedback receiver? Not a big difference, the signing chain would be the same but it makes it harder for receivers of bad feedback to hide the fact.
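
The notary-side tally (transaction count, average rating, key_diversity) and the viewer-side check that published feedback stacks up against it, as an added sketch that is not Axis Mundi's code. The class, function and message layouts are assumptions, and an HMAC stands in for the notary's PGP signature, so verification here goes through the notary object rather than a public key.

```python
import hashlib
import hmac


class Notary:
    """Constructed model: stores per-user aggregates, never buyer/seller pairs."""

    def __init__(self, name, secret):
        self.name, self._secret, self._tally = name, secret, {}

    def _mac(self, text):
        # HMAC stands in for the notary's PGP signature in this sketch.
        return hmac.new(self._secret, text.encode(), hashlib.sha256).hexdigest()

    def verify(self, body, sig):
        return hmac.compare_digest(self._mac(body), sig)

    def record(self, rated_key, leaver_key, rating):
        """Tally one rating; return the signed feedback the receiver may publish."""
        if rating not in (1, 2, 3, 4, 5):
            raise ValueError("rating must be 1-5")
        entry = self._tally.setdefault(rated_key, [0, 0, set()])
        entry[0] += 1
        entry[1] += rating
        entry[2].add(self._mac("leaver|" + leaver_key)[:16])  # blinded leaver tag
        body = f"feedback|{self.name}|{rated_key}|{rating}|{entry[0]}"
        return body, self._mac(body)

    def summary(self, rated_key):
        """Signed aggregate: transaction count, average rating, key_diversity."""
        count, total, leavers = self._tally.get(rated_key, (0, 0, ()))
        avg = round(total / count, 2) if count else 0.0
        body = f"summary|{self.name}|{rated_key}|{count}|{avg}|{len(leavers)}"
        return body, self._mac(body)


def check_profile(rated_key, published, notaries, distrusted=()):
    """Compare the feedback a user publishes with each trusted notary's tally."""
    report = {}
    for n in notaries:
        body, sig = n.summary(rated_key)
        if n.name in distrusted or not n.verify(body, sig):
            continue  # viewer ignores notaries it no longer trusts
        count, avg, diversity = body.split("|")[3:]
        prefix = f"feedback|{n.name}|{rated_key}|"
        shown = len({b for b, s in published if b.startswith(prefix) and n.verify(b, s)})
        report[n.name] = {"notarized": int(count), "published": shown,
                          "withheld": int(count) - shown, "average": float(avg),
                          "key_diversity": int(diversity)}
    return report
```

A non-zero `withheld` value is the case the proposal describes, where the notaries report more transactions than the user has chosen to publish.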


[1 Points] 93d9jdjj99:

It's more important that a buyer have a long and diverse history than it does the amount of the transaction. New accounts can be faked too easy. Do what existing markets do, give data ranges, instead of letting users provide bloat with useless written feedback set it up with a 5-star system for various things.

What steps are decentralized markets taking to prevent blockchain analysis? This is a bigger problem, for vendors especially everything they do can be mapped, the most important features of markets are the tumbling into and out of the market as well as the hosting platform itself, which is also important as no one will use a market that they have to keep running just to sell on.


[0 Points] loxsey:

You're really overanalysing the whole thing, just get your bitcoins and order your drugs, that's what we all do.