This technology would seem to alleviate some of Tommy’s concern, since in order to use Person A’s web url (to login to CZ), you would have to also know Person A’s password (or authentication credentials), since OpenID’s protocol would require authentication at A’s site.

Your method relies on identifying a person based on their computer’s IP address. This simply won’t work; IP addresses can be spoofed. Several different legitimate contributors might be sitting behind the same proxy server and therefor have the same IP address. A miscreant would happily use several open proxies to ‘prove’ that they are several different people. Ever heard of DHCP? Contrary to what most law enforcement agencies seem to believe, an IP address is nothing like a finger print.

“A low wall is better than no wall, but that’s about all that can be said about a system that can be subverted in a few seconds, max.” This is simply false. While a good faith contributor can construct a successful application in a matter of minutes — not much more time than it takes to write a bio — a bad faith contributor has to construct an elaborate lie, and do various other things to make sure that his lie appears to check out. Then, we have a low enough tolerance for disruption that miscreants are out on their ears quite quickly. The system isn’t at all easy to subvert.

A situation like Essjay’s couldn’t be replicated on CZ for a whole host of reasons. We require that we know the identities of everyone involved. So Essjay would have to impersonate someone who exists–which would be literally criminal behavior–or else create a new full-bodied person out of whole cloth. How hard would that‘ be? Then, he’d have to be able to impersonate an actual expert in front of other experts, which is laughable, considering what a poor job he did (what with ”Catholicism for Dummies” and all sorts of tell-tale signs on his user page). Finally, if someone were to commit fraud, of one sort or another, successfully, and then exposed his own fraud in order to apply for a job, I can absolutely guarantee one thing: we wouldn’t hire him and then promote him to an Arbitration Committee. We would instantly ban him from the project, and we would look into the possibility of a lawsuit or criminal prosecution.

I actually have a constructive idea about how to at least make sure that people have to climb a much higher wall to have multiple accounts: implement a way for anyone to check whether different accounts are using the same IP address, but without letting users know what the IP addresses are. This could be done in several ways. The site could provide hashes of IP addresses, so that anyone could check for matching IP addresses without being able to find out what the actual addresses are. Alternatively, the site could provide a form where anyone could enter multiple usernames and get a simple yes/no response on whether they are using the same IP address. A variation of this idea, which would discourage shenanigans even more (by making it easier to detect), is to have a form where people can enter a username and receive a list of all usernames that have used the same IP address as that user (without being told what the IP address is). A human would need to examine the details before anyone got booted, but these things would make it much easier to detect foul play, especially if sockpuppets are supporting each other. Of course, this idea has nothing to do with verifying who people are, and is certainly not a perfect solution to the problem that it addresses, but it can help minimize some of the inevitable damage from being unable to verify who people are.

Larry

I’m fairly sure that this happens on Wikipedia, although due to the nature of the Internet it’s hard to verify. But it’s always easy to “win” a vote on a Talk page when you’re ten people and your honest opposer is one person.

-Max