
Comment by gabipurcaru

5 years ago

The legal system deals with a finite number of people; the internet enables that finite number of people to act as a potentially infinite number of entities, without a great way of disaggregating them into people.

E.g. if a spammer can pretend they're 10 million different people, and each of those "people" requests an explanation, the whole system grinds to a halt.

This is the reason behind a push for more KYC-like verification on these platforms (e.g. asking for IDs). But this comes at a huge privacy cost for legitimate users. So one way or another people who are real, legitimate and with good intentions somehow pay the cost of the harm that is being done on the internet. This is a hard problem.

Source: am thinking/working on this sort of stuff; not representing my employer, my opinions are my own etc. etc.

> This is the reason behind a push for more KYC-like verification on these platforms (e.g. asking for IDs). But this comes at a huge privacy cost for legitimate users.

A way to square this circle is to have rights engage at the point of payment.

A truly pseudonymous account with no monetization (going either way) has little intrinsic value, and less need for KYC-like identification.

On the other hand, an account with some sort of payment history (either giving money in the case of purchases or receiving money in the case of developers/website hosts placing advertising) faces a higher standard. There's a reasonable probability of real economic harm if the account is nuked arbitrarily, and at the same time any money flow is open to theft or money laundering concerns, triggering moral if not legal KYC obligations.

The latter should also help prevent the proliferation of straw bad actors, since providing payment imposes a direct cost, while the KYC rules open up the possibility of more direct action for flagrant breaches of contract / use of the platform for other abuses.

The "spammer" can only pretend to be 10 million different people because e-mail is free. Paying a tenth of a penny per e-mail has been one of those long-standing impossible anti-spam measures, but walled gardens can implement something like this at their whim.

  • > The "spammer" can only pretend to be 10 million different people because e-mail is free. Paying a tenth of a penny per e-mail has been one of those long-standing impossible anti-spam measures, but walled gardens can implement something like this at their whim.

    Maybe. A few problems here:

    1. payments come with privacy concerns, unless maybe you're talking about zero-knowledge-based blockchains, but we're a LONG way from such functionality being widespread

    2. $0.001/email is actually very reasonable for an attacker; they'd probably gladly pay even up to $1 or more, depending on their exact needs, especially if that comes with an elevated privileges account

    3. all of this is easily defeated by fanouts. E.g. if they sign up with bob@gmail.com and then are able to use bob+1@gmail.com, bob+2@gmail.com etc. to sign up for a different service, this defeats the purpose
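The fanout in point 3, seen from the sign-up service's side, as an added example that is not part of the original comment: addresses are collapsed to a mailbox key so that `bob+1@gmail.com` and `bob+2@gmail.com` count as one registrant. It goes beyond the comment by also folding Gmail's dot-insensitivity and the `googlemail.com` alias; the provider sets, function names and sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed provider rules; extend per deployment after checking each provider.
PLUS_TAG_DOMAINS = {"gmail.com"}       # "+tag" delivers to the base mailbox
DOT_INSENSITIVE = {"gmail.com"}        # dots in the local part are ignored
DOMAIN_ALIASES = {"googlemail.com": "gmail.com"}


def canonical_mailbox(address):
    """Return a key that is equal for addresses delivering to one mailbox."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    domain = DOMAIN_ALIASES.get(domain, domain)
    if domain in PLUS_TAG_DOMAINS:
        local = local.split("+", 1)[0]   # drop the sub-address tag
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
    if not local:
        raise ValueError(f"empty mailbox after normalization: {address!r}")
    return f"{local}@{domain}"


def fanout_groups(signups, threshold=3):
    """Map mailbox key -> distinct sign-up addresses, for keys at/over threshold."""
    groups = defaultdict(set)
    for addr in signups:
        try:
            groups[canonical_mailbox(addr)].add(addr.strip().lower())
        except ValueError:
            continue                     # malformed input is not a fanout signal
    return {k: sorted(v) for k, v in groups.items() if len(v) >= threshold}


# Constructed sample sign-ups (not real accounts).
SAMPLE_SIGNUPS = [
    "bob@gmail.com", "bob+1@gmail.com", "bob+2@gmail.com",
    "B.o.b+promo@googlemail.com",
    "alice@example.org", "alice+news@example.org",  # unknown provider: left as-is
    "not-an-address",
]

if __name__ == "__main__":
    for mailbox, addrs in fanout_groups(SAMPLE_SIGNUPS).items():
        print(mailbox, len(addrs), addrs)
```

Addresses at providers outside the assumed sets are deliberately not merged, since treating `+` as a tag where it is a literal character would link unrelated users.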

> E.g. if a spammer can pretend they're 10 million different people, and each of those "people" requests an explanation, the whole system grinds to a halt.

Again, it's not a "request".

If spam detection and account suspension can be automated, then suspension notifications can also be automated.

I'm not sure I understand where the 10 million number is coming from. Are you suggesting that 1 spammer can create 10 million accounts on your system (which appears to be Facebook)?

Regardless, no spammer has the time to get on the phone and personally dispute 10 million account suspensions — disputes which are unlikely to succeed if there is good evidence — so I'm not sure how the system grinds to a halt.

  • > How many innocents have to get caught in the crossfire before we start protecting them?

    > Again, it's not a "request" [..] suspension notifications can also be automated.

    Can you clarify what you mean by "protecting" them? I'm not sure suspension notifications qualify as meaningful protection.

    • This was specified in my original comment: "At the very least, companies must be legally required to present you in writing with the so-called violation of terms they're accusing you of, evidence of the violation, and a phone # or other immediate contact so that you can dispute the accusations." https://news.ycombinator.com/item?id=26063660

      Temporary account suspensions that you can quickly reverse on appeal are annoying but could be justified to fight abuse, as long as they don't happen too often. On the other hand, indefinite account suspensions that are impossible to reverse, such as the case of Andrew Spinks of Terraria, are simply indefensible; there's no justification whatsoever for that.


Out of curiosity, what's current thinking (broad strokes) on methods to address this?

My first guess would be third-party attestation of identity, with stored credential disposal on a short schedule? Essentially normal-user-verification-as-a-service?