Citizendium Blog

March 2, 2007

Our registration policy - how we check identities

Filed under: Governance, Recruitment — Larry Sanger @ 9:38 am

In our pilot project, we’ve gone through several different registration policies, adapting to growth and finding the right one.  We began, in the first couple of months, with a policy that required a CV or resume, plus supporting Web links, from everyone who applied.  On about January 22, we opened up the wiki to self-registration.  At the time, we required only a bio from authors; so, we relied upon the “honor principle,” but we still required a CV and proof of identity from editors.  More recently, as of February 16, we have shut down self-registration on account of rampant vandalism.  We have had no vandalism either before or after the self-registration period.

Since we have moved back to hand-approval of new applications (you’re welcome to join us, by the way!), the Executive Committee and the Constabulary have been doing a bit of soul-searching.  It isn’t just that we don’t want to waste our valuable time babysitting idiot vandals.  We are very concerned about the credibility of the Citizendium as a reference work.  If we rely heavily on the “honor principle” (used for example by my alma mater) for determining real identities, we assume that most of our contributors will be, well, honorable.  Perhaps we are too old and jaded but I think most of us believe that too many contributors are not really honorable at all.  We simply do not want to wake up in five years, to find that someone has done a study of the Citizendium and demonstrated that in fact 25% of all of our contributors are using neither their real names nor pre-approved pseudonyms.  In short, we’ve reluctantly concluded that the honor principle, even coupled with a willingness instantly to ban people like Essjay who are exposed for using false personas, really isn’t due diligence.

We’ve come to this conclusion “reluctantly” because we also know that ease of registration is absolutely essential to really rapid growth and dynamism.  So we are planning two things:

  • While we still need human beings involved in the application approval process, we’re writing requirements for a new system, to be integrated with MediaWiki, that will greatly automate the approval process.  Constables will be able to approve new applications with the press of a button, which should speed things up a lot.
  • But we will also give authors at least three alternatives for establishing their identities.  They can (1) allow an existing Citizen to vouch for their identity; (2) provide a link to a corporate or institutional Web page, or other credible Web page, that provides their name and relevant details of their identity, and that we could check up on if we wished; or (3) point to the Web page of a person we can e-mail to confirm their identity.

Ultimately, (1) might prove to be the method of registration used most often.  The notion, then, is that if a person is discovered to have a fraudulent persona, the member who vouched for that person is also either reprimanded or banned.  But it should be quite easy, ultimately, to automate this recommendation system, since the recommenders are already in our system.  We’ll be able to help ourselves to it once we do our public launch–hopefully just a few short weeks away.

12 Comments »

  1. Credentialists and Impostors…

    The recent intrigue over Wikipedian Essjay’s phony credentials has inspired Larry Sanger to reconsider Citizendium’s registration policy . . . ….

    Trackback by XODP Blog — March 3, 2007 @ 2:17 pm

  2. Actually, XODP Blog is incorrect. It wasn’t the Essjay scandal that inspired us to reconsider the policy. We were done reconsidering it several days before the story broke, and it wasn’t just I who reconsidered the policy.

    Comment by Larry Sanger — March 3, 2007 @ 2:46 pm

  3. I’d think that the problem with allowing Citizens to vouch for other Citizens is that one person could pretend to be multiple people, which is just as damaging as one person pretending to be something he or she is not.

    I’m fairly sure that this happens on Wikipedia, although due to the nature of the Internet it’s hard to verify. But it’s always easy to “win” a vote on a Talk page when you’re ten people and your honest opposer is one person.

    -Max

    Comment by Max — March 5, 2007 @ 2:56 am

  4. Max, excellent point. We’ll certainly be thinking about this. Thanks for the input.

    Larry

    Comment by Larry Sanger — March 5, 2007 @ 8:30 am

  5. What I would like in Citizendium is copyright attribution. I’m willing to “donate” my articles as long as copyright is retained and the ability to approve changes is with the original author. If you want it to grow, copyrights are a must.

    Comment by none — March 5, 2007 @ 11:19 am

  6. Max pointed out the problem with option 1. With option 2, how do you know more than that the person just found some random person’s page and submitted it as their own, unless you require that the page have contact information so that Citizendium can use it to verify that the applicant is who they claim to be (and Citizendium would then have to actually follow through to make this meaningful)? With option 3, what’s to keep people from pointing to their own (or their friends’/partners-in-crime’s) pages and “confirming” their identities? I don’t think that these proposed verification systems verify squat.

    Comment by Tommy McDaniel — March 9, 2007 @ 9:39 pm

  7. Tommy, if your point is that there are loopholes, that’s not exactly news to us. There’s no perfect system, and we cannot help ourselves to any system as reliable as a credit card verification system, particularly if we want to keep the project as open as we do. So the best protection we have is to require liars to spin elaborate lies, and then be willing to eject the miscreants immediately when they do their dirty business.

    Comment by Larry Sanger — March 10, 2007 @ 2:59 pm

  8. It’s not just that there are loopholes, it’s that there are big honking loopholes in every single method that render them about 99% useless and no more than a false sense of security. A low wall is better than no wall, but that’s about all that can be said about a system that can be subverted in a few seconds, max. And it only takes one broken mechanism to render the entire procedure useless, never mind when all three aren’t going to stop pretty much anybody. A more secure mechanism would involve people having copies of their transcripts sent before being able to claim any relevant expertise, but that might drive away a lot of people (but then again, without proof of expertise, anyone can claim to have it, which renders this as just another Wikipedia).

    I actually have a constructive idea about how to at least make sure that people have to climb a much higher wall to have multiple accounts: implement a way for anyone to check whether different accounts are using the same IP address, but without letting users know what the IP addresses are. This could be done in several ways. The site could provide hashes of IP addresses, so that anyone could check for matching IP addresses without being able to find out what the actual addresses are. Alternatively, the site could provide a form where anyone could enter multiple usernames and get a simple yes/no response on whether they are using the same IP address. A variation of this idea, which would discourage shenanigans even more (by making it easier to detect), is to have a form where people can enter a username and receive a list of all usernames that have used the same IP address as that user (without being told what the IP address is). A human would need to examine the details before anyone got booted, but these things would make it much easier to detect foul play, especially if sockpuppets are supporting each other. Of course, this idea has nothing to do with verifying who people are, and is certainly not a perfect solution to the problem that it addresses, but it can help minimize some of the inevitable damage from being unable to verify who people are.

    Comment by Tommy McDaniel — March 11, 2007 @ 10:23 am

  9. “It’s not just that there are loopholes, it’s that there are big honking loopholes in every single method that render them about 99% useless and no more than a false sense of security.” They are loopholes, but not “big honking loopholes.” With less security than this — merely requiring that people write us an e-mail including their name, a declaration of their support for the Statement of Fundamental Policies, and a biography — we have had very few behavioral problems and no evidence (yet) of people using unauthorized pseudonyms. We still do rely on “soft security,” i.e., punishment after a rule-breaker is exposed as opposed to heavy security up front. Anyone who is familiar with the nature of open projects like this knows that there is no other way to proceed.

    “A low wall is better than no wall, but that’s about all that can be said about a system that can be subverted in a few seconds, max.” This is simply false. While a good faith contributor can construct a successful application in a matter of minutes — not much more time than it takes to write a bio — a bad faith contributor has to construct an elaborate lie, and do various other things to make sure that his lie appears to check out. Then, we have a low enough tolerance for disruption that miscreants are out on their ears quite quickly. The system isn’t at all easy to subvert.

    A situation like Essjay’s couldn’t be replicated on CZ for a whole host of reasons. We require that we know the identities of everyone involved. So Essjay would have to impersonate someone who exists–which would be literally criminal behavior–or else create a new full-bodied person out of whole cloth. How hard would that be? Then, he’d have to be able to impersonate an actual expert in front of other experts, which is laughable, considering what a poor job he did (what with “Catholicism for Dummies” and all sorts of tell-tale signs on his user page). Finally, if someone were to commit fraud, of one sort or another, successfully, and then exposed his own fraud in order to apply for a job, I can absolutely guarantee one thing: we wouldn’t hire him and then promote him to an Arbitration Committee. We would instantly ban him from the project, and we would look into the possibility of a lawsuit or criminal prosecution.

    Comment by Larry Sanger — March 11, 2007 @ 10:40 am

  10. Tommy,

    Your method relies on identifying a person based on their computer’s IP address. This simply won’t work; IP addresses can be spoofed. Several different legitimate contributors might be sitting behind the same proxy server and therefore have the same IP address. A miscreant would happily use several open proxies to ‘prove’ that they are several different people. Ever heard of DHCP? Contrary to what most law enforcement agencies seem to believe, an IP address is nothing like a fingerprint.

    Comment by Nathan Adams — March 28, 2007 @ 8:45 am

  11. It looks like there are some natural alignments between establishing your citizens’ identities and the goals of OpenID [http://openid.net/], or is this already implied by the latest patches available for MediaWiki [http://www.openidenabled.com/software/mediawiki]?

    This technology would seem to alleviate some of Tommy’s concern, since in order to use Person A’s web url (to login to CZ), you would have to also know Person A’s password (or authentication credentials), since OpenID’s protocol would require authentication at A’s site.

    Comment by Larry Kyrala — March 28, 2007 @ 9:41 am

  12. Just a quick point regarding Tommy McDaniel’s suggestion regarding hashes of IP addresses. It’s possible to create a “book” of hash values of IP addresses, since the number of all IP addresses is limited, and those that are actually used are only a subset of all possible addresses. Additionally, it’s possible to hide one’s address using one of several methods.

    Comment by David — March 28, 2007 @ 10:05 am
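
An added example, not part of the original post or its comments: the point raised in comments 8 and 12 about publishing hashes of IP addresses, worked through in Python. The function names, the sample log and the 198.51.100.0/24 documentation range are constructed for illustration; HMAC under a server-side key is one assumed way to keep the "same address?" check without publishing hashes that a precomputed book can reverse.

```python
import hashlib
import hmac
import ipaddress
import secrets


def plain_token(ip: str) -> str:
    """Unkeyed SHA-256 of an address, as a site might publish it."""
    return hashlib.sha256(ip.encode()).hexdigest()


def build_book(network: str) -> dict:
    """The "book": token -> address for every address in a candidate network."""
    return {plain_token(str(a)): str(a) for a in ipaddress.ip_network(network)}


def keyed_token(ip: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key: equal addresses still give equal
    tokens, but nobody without the key can precompute the book."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()


def shared_ip_accounts(log: dict, key: bytes) -> dict:
    """Group usernames by keyed token; keep groups with more than one account."""
    groups = {}
    for user, ip in log.items():
        groups.setdefault(keyed_token(ip, key), []).append(user)
    return {tok: sorted(users) for tok, users in groups.items() if len(users) > 1}


# Constructed sample data (RFC 5737 documentation addresses, hypothetical users).
SAMPLE_LOG = {
    "alice": "198.51.100.23",
    "bob": "198.51.100.77",
    "alice2": "198.51.100.23",
}
SERVER_KEY = secrets.token_bytes(32)  # assumption: never leaves the server


def demo():
    book = build_book("198.51.100.0/24")
    recovered = book.get(plain_token(SAMPLE_LOG["alice"]))       # book reverses it
    keyed_hit = book.get(keyed_token(SAMPLE_LOG["alice"], SERVER_KEY))  # no match
    return recovered, keyed_hit, shared_ip_accounts(SAMPLE_LOG, SERVER_KEY)


if __name__ == "__main__":
    print(demo())
```

The keyed variant only protects the addresses themselves; it does nothing about shared proxies or changing DHCP leases, so a match remains a lead for a human to examine rather than proof of one person.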
