We Get Letters
January 7th, 2006 by DeWitt Clinton

Occasionally I receive comments regarding unto.net via email that are so involved, so compelling, that I’d like to respond to them publicly for all to read. Fortunately, the authors are often accommodating. This is one of those cases. Evan Miller, currently of WSO fame, but certainly poised for much greater accolades, wrote me the following email. He raises many insightful points about a trust-based communication platform. I’ll post his email in one long quote below, and respond at the bottom.

To: DeWitt Clinton
From: Evan Miller
Subject: unto.net

[Ed., introduction snipped.]

I think ubiquitous trust sliders create more problems than they solve. Humans have extremely sophisticated ways of evaluating, storing, and sharing how much they trust something. Unfortunately, there’s not a great computer interface for accessing it directly; that would require first, a way to record trust in a format that a computer can understand, and require second, a whole lot of trust in the computer we’re telling all of these things to. I’m not sure that a “trust value” makes sense, at least as a measure that I am supposed to conjure up to associate with everyone I know and every post I encounter. To me, trust values only make sense as ordinal numbers; in other words, I can tell you whether I trust something more than something else, but I can’t tell you how much I trust someone on a scale from 0 to 10. Well, I could, but I might give you a different figure tomorrow, because what I eat for breakfast just might re-calibrate my trust-o-meter. There’s a similar problem in economics: in the economist’s dream-world, we would all assign numbers to how much we value things. Did you take Micro? Some economist came up with the concept of the “utile”, which is a fictitious unit of value. Well, the problem is that no one can say how many utiles something is worth to them. They can give you a figure in dollars or yen, but not on some made-up scale.

So economists reworked the theory in terms of something concrete. Imagine the possibility of something really good happening to you, and the possibility of something really bad happening to you. Now, you can express your value for anything as a percent chance of either thing happening. For example, I might trade my books for a 1% chance of winning the lottery, or I would accept a 0.5% chance of contracting malaria in exchange for a new car. It’s still a little hokey, but this system of valuation can produce a number to store in the computer, and it presents the human with something concrete. At any rate, it’s probably more repeatable than associating the number 10 with “I want it a lot”, and 0 with “I am completely indifferent.”

Anyway, I think a trust system might need to do something similar. Don’t give us trust sliders of an abstraction; at the least, give us scenarios. E.g., “If X claimed that there were gold in them thar hills, how much would you invest in the venture?” Come to think of it, unlike value, trust doesn’t fit onto a single scale. I trust my sister’s judgment when it comes to art, but when it comes to music, her opinion has to yield to my brother’s. To take examples from your post, I am going to trust people to different degrees based on whether I’m asking about choosing a processor architecture or whether I need advice on what to program next. And I *certainly* don’t want to spend a few minutes assigning trust values to everyone I know for every question I am going to ask.

That’s why I think our built-in trust mechanisms–the ones in our brains already–are just better. If I get a lot of advice from people I trust to different degrees, it’s easier for me to scan through, evaluate all the opinions and their purveyors, and finally make a decision than it is to maintain a set of numbers for every person I know based on my current evaluation of their judgment, expertise, and likelihood of trying to screw me in a variety of respects. And, do you really anticipate receiving so much advice on a personal poll that you need an external evaluation mechanism? Maybe you just have more friends than I do… but in any event, perhaps a more successful approach would be to infer people’s trust of things, rather than asking them to evaluate it. PageRank basically infers trust by what you link to. Unfortunately, I don’t know what the equivalent would be for survey responses.

Also, I would never visit your site again if I had some information to share on a particular subject but my “trust value” wasn’t high enough to share it. As a rule, I would give people equal rights to speak, but exercise as necessary my right not to listen.

I think a lot of this comes back to what a community is, something I’ve been thinking about for a while now. A community is not “me and my friends”, or “me and people I trust”. I believe that is the major fallacy of the Web 2.0 “community” projects I’ve seen. There are several problems with this approach. First is just a matter of logistics: building up your trust list is burdensome, and even a buddy list is inefficient. Think of a place where “everyone knows everyone”, a small company or a small college. If everyone is using buddy lists, there have to be N^2 connections maintained. Now, if we try a different approach; say, instead of building buddy lists, you belong to a discrete community; then we only need N connections, that is, a connection between each person and the larger concept, the community. I’m not concerned about the limits of storage and computing power, just all the wasted effort of a large group of people all confirming and vetting one another.

The second problem is: how the hell am I supposed to meet people if the only people I interact with are already on my buddy list? Some services have mechanisms for “introducing a friend,” or other jive. I call it jive because people don’t go out of their way to introduce their friends to each other. They get introduced because they’re at a party or lunch or a bowling alley together and are looking at each other awkwardly until someone says something. Among my favorite friendships, interactions have invariably come before introductions. I’ll make a joke about the context we both find ourselves in, and then introduce myself. If I’m virtually “introduced” to somebody, what the hell am I going to talk about, except for how weird the mechanism is?

Third, people help each other for more reasons than being friends. They want to be seen as helpers, or as experts, or as trustworthy, or whatever, among a group of people whose approval they want. Yahoo!’s “social search” means that I mark stuff for my friends. Well, I’d have a much greater incentive to use it if my high-quality markings were appreciated beyond my buddy list.

The web projects that have achieved something resembling community are the ones that have built general trust among the users. They have done this by being exclusive, either explicitly (Facebook) or culturally (del.icio.us). And they evoke something of a group identity, either to existing concepts (your college) or to the service itself. If you were to ask me, I think that many of the successful Web 2.0 concepts could be reinvented with greater success by attaching themselves to existing and, yes, exclusive communities. Most people don’t care about what the world finds interesting, but they do care about what people around them are reading and uploading. The way I see it, there is a Web 2.0 community, comprised mostly of with-it young people in coastal cities, but the technologies are not going to affect the other 99.9% of the U.S. population until they are adapted to other social sets.

Now let’s take this back to the computers, specifically Orchard. At first I found this distributed authentication mechanism appealing and conducive to community applications. I don’t remember what post it was, but somewhere you mentioned how this system would be distributing the information about people among local servers, so that Michael Mega-Corp didn’t get his hands on the data; the next step in the Web, you wrote (and I paraphrase), is to decentralize the information and the power.

But I couldn’t help but to be reminded of the Federalist Papers, number 10 I think. There are certain dangers to decentralizing power. If you are just an average user, would you rather have the local system administrator know what you’re writing and reading and who you’re looking up, or would you rather Google or Microsoft know? If Google deduces that I’m a sex-crazed pinko atheist, there’s not much they can do. They could care less. Now, if I live in Tennessee (like I do) and Cooter the Root User finds out things I don’t want my family, church, or town to know, I’m vulnerable. People who know me are far more capable of exploiting private information than are faraway corporations, just as local democracies can be more damaging to rights than national ones. It is a noble sentiment that wants to let the information disperse itself among servers throughout the world, but you may be doing a greater service to the world by managing all of the data yourself. Not to mention how much more reliable a single, properly scaled application is than a thousand independent ones…

And who decides who belongs to a community? And when someone gets the boot? I don’t think the invitation model scales. Once you hit a certain point, then just about anybody can sign up, and then you’re trying to figure out when a user or a tree of users needs to be pruned. It’s nice in theory–“well, we’ll just kick out the abusive users”–but someone has to make that call, and pretty soon Cooter has a whole new set of powers at his disposal. Think, in 10 years, if this sort of application is used for discussions, politics, commerce, and news, I’d be pretty terrified of the guy who could cut me out of the community if he wanted.

Anyway, all of this is to say, I think that trust mechanisms are unnecessary for personal applications, discrete communities are more efficient than buddy lists, and centralized information is less threatening to people’s happiness than distributed information. The challenge, as I see it, is to figure out how to draw meaningful boundaries around communities of web users in a way that balances, on the one hand, the utility of sharing information with people who trust you, and on the other, the serendipities of interacting with total strangers.

Evan

I first have to thank Evan for writing such an articulate and considered email. If everyone wrote something to me like that once a week, I wouldn’t have to do any work to maintain unto.net. Of course, that’s almost the point behind the new project, isn’t it?

Since Evan laid out his points in such an orderly fashion, I’ll just try and respond (where I can), in turn. If I don’t respond to something it is simply because his text stands so well on its own.

Regarding the comparison of trust values to “utils” from microeconomic theory, I think that is particularly accurate. I’ve wrestled a bit with what exactly the slider would represent. In the context of another user, is it how much I trust them? How much I like them? How well I know them? Or is it how much I value their input? Or is it how much I would prioritize their communication to me over that of someone else? The fact is, it is a little of all of those and more. I even thought about trying to come up with an abstract “util” of my own. (Anyone remember “Flooz”?) But in the end, as Evan points out, it is better to somehow ground trust values in something that people can at least get some intuitive and immediate handle on without deeper analysis.

I’m very keen to go with a more pragmatic scale than “floating point numbers between 0 and 1.” I agree that a “0.68” means nothing to most people. One thought is to keep the floating point slider, but as Evan suggests, display meaningful text labels alongside the input. Another is to use a straightforward “five star” rating system that has been so effective for sites like Amazon and Netflix, among others. Really, what I should do is allow the user to pick the system that they like the best. The values can ultimately all be mapped back to the “0 through 1” scale.

(Someday I need to write about the technology I started developing a few years ago, and would like ultimately to reincarnate again, on a probabilistic computing model where all computations were assigned a “likeliness” value according to how accurate they might be.)

None of this addresses the problem Evan raises — that “trust” is dependent on context. That I know I trust Evan to talk to me about technology, but I don’t know how much I trust him to give me advice on buying tires for my car. Fortunately, I trust Evan to know that he’s smart enough not to spam me with automotive recommendations unless he has something valuable to say. If I could right now, I would probably set my slider to around “0.8” for Evan, which would mean that his messages to me would show up in my inbox but they would not be sent to my pager at 4:00 AM. His comments on unto.net would be automatically approved, but he probably wouldn’t have permission to edit my existing entries. If he voted in a poll his vote would count roughly twice that of a stranger, and perhaps three times that of an anonymous user. And people that I have not personally rated, but are trusted by Evan, would be pulled up a bit by association.

Can I put a convenient label on those types of trust relationships? No, not really. But I’m not sure I need to.

Also, the plan would be that I could also affix a score to any comment or post or message, etc., that Evan writes. This score would represent the degree to which I found that particular bit of input valuable. 9 times out of 10, I imagine I wouldn’t bother changing the score at all. But if the message was spam, I’d swing the slider down to zero (“it has no value at all”), or, as with the email quoted above, I’d slide it up to “0.9” or so (“this is really worth reading”).

Is it a perfect system? Hardly! In fact, by keeping so many variables in flux at one time I hope to keep people from thinking that it could be perfect. I partly want the mechanics to lie beyond the potential for human comprehension. By tuning the algorithms (which I will make transparent, by the way), it would be neat to see the proper balance evolve. And, as I mentioned before, I’d like to see the algorithms be customizable to some extent by each user so that they can adjust how the content appears to them.

(As an aside, I’d like to get to the point where the community itself set the parameters for what appears on the site. In other words, I’d like to make “DeWitt” a perfectly normal user, with no special privileges in the end…)

Which gets to Evan’s observation that computing the full universe of trust-values is an exponentially complex problem. This would immediately bring even a system with a small number of users and messages to its knees. The way around this, no doubt imperfect, is to approximate a true relativistic behavior by dynamically adapting a universal trust value according to relative values. In other words, each and every entity in the system will have some global trust value that is used as a starting point for queries. This global trust value is computed as the aggregate of the individual ratings that have been applied, weighted by their own global trust value. This, by the way, is not entirely dissimilar to the page ranking algorithms Evan refers to. And, similar to web search page ranking, individual queries will have their local relevance adjusted according to a personal bias. These personal biases are computed based on the relative ratings that are stored relating any two entities.

To give an example, say all entities (users, messages, whatever), start with a global ranking of 0.5. I, as an individual, explicitly add a relative rating to the user “Evan” of 0.8. This event is remembered as “DeWitt -> Evan : 0.8”. The occurrence of this event will cause the global value of “Evan” to increase slightly (depending on the global value of “DeWitt”), say up to “0.55”. If a message is subsequently posted by Evan, I will receive that message with a starting score of “0.8”, whereas “Bob”, a user that has never met Evan, will see it as a “0.55.” If “Bob” doesn’t like the message, he may score the message downward, which will in turn marginally impact Evan’s global ranking, and could also bring down the implicit ranking “Bob -> Evan” a bit as well.

Clearly there are a million things that need to be fleshed out in the algorithms. But the basis is that each entity has a global ranking, and each entity can maintain an arbitrary list of rankings to other entities. Since the number of explicit mappings requires some manual intervention, it remains O(N) in complexity (perhaps with some high constant), bounded by O(N^2) at the unreachable extreme. Obviously, compression and pruning of old/obsolete rankings can trim the problem down to more manageable sizes if necessary.

All of this would be useless on a practical level if the problem could not be partitioned. Fortunately, the entities themselves are highly partitionable, as are their global rankings. And since all queries will be performed by a single entity, the application of the entity-to-entity rankings is also partitionable (according to the first entity in the relationship).
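The DeWitt/Evan/Bob walk-through above can be run as a small model. This is an added sketch, not code from unto.net or Orchard: the class and method names are hypothetical, and `PRIOR_WEIGHT` and `MESSAGE_WEIGHT` are assumptions (the first is picked so that one 0.8 rating from a 0.5-trusted rater lands on the post's 0.55). Ratings are stored by rater first, matching the partitioning described above.

```python
from collections import defaultdict

DEFAULT_TRUST = 0.5    # starting global ranking given in the post
PRIOR_WEIGHT = 2.5     # assumption: one 0.8 rating from a 0.5 rater then gives 0.55
MESSAGE_WEIGHT = 0.25  # assumption: a message score counts a quarter of a direct rating


def _check(rater, target, value):
    if not 0.0 <= value <= 1.0:
        raise ValueError("scores must lie in [0, 1]")
    if rater == target:
        raise ValueError("an entity cannot raise or lower its own trust")


class TrustGraph:
    def __init__(self):
        # Both maps are keyed by the rater, so one viewer's data is one partition.
        self.explicit = defaultdict(dict)  # rater -> {target: value}
        self.feedback = defaultdict(lambda: defaultdict(dict))  # rater -> author -> {msg: value}
        self.global_score = defaultdict(lambda: DEFAULT_TRUST)

    def rate(self, rater, target, value):
        """Record 'rater -> target : value'; a repeat rating replaces the old one."""
        _check(rater, target, value)
        self.explicit[rater][target] = value
        self._recompute(target)

    def rate_message(self, rater, author, msg_id, value):
        """Score one message; it feeds back into the author's rankings."""
        _check(rater, author, value)
        self.feedback[rater][author][msg_id] = value
        self._recompute(author)

    def _recompute(self, target):
        # Aggregate of ratings, each weighted by the rater's own global trust.
        # Single pass only: changes are not propagated further through the graph.
        num, den = PRIOR_WEIGHT * DEFAULT_TRUST, PRIOR_WEIGHT
        for rater, given in self.explicit.items():
            if target in given:
                w = self.global_score[rater]
                num, den = num + w * given[target], den + w
        for rater, by_author in self.feedback.items():
            for value in by_author.get(target, {}).values():
                w = self.global_score[rater] * MESSAGE_WEIGHT
                num, den = num + w * value, den + w
        self.global_score[target] = num / den

    def score_for(self, viewer, target):
        """Starting score the viewer sees: explicit rating, else biased global."""
        if target in self.explicit.get(viewer, {}):
            return self.explicit[viewer][target]
        base = self.global_score[target]
        seen = self.feedback.get(viewer, {}).get(target, {})
        # Implicit 'viewer -> target': global value pulled toward the viewer's
        # own message scores. With no feedback this is just the global value.
        return (base + MESSAGE_WEIGHT * sum(seen.values())) / (1 + MESSAGE_WEIGHT * len(seen))


def demo():
    g = TrustGraph()
    g.rate("DeWitt", "Evan", 0.8)
    before = (g.score_for("DeWitt", "Evan"), g.score_for("Bob", "Evan"))
    g.rate_message("Bob", "Evan", "msg-1", 0.1)  # constructed message id
    after = (g.global_score["Evan"], g.score_for("Bob", "Evan"))
    return before, after


if __name__ == "__main__":
    print(demo())
```

Because a repeat rating overwrites the earlier one and self-ratings are rejected, a single account moves a target's global value at most once per rated item.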

In other words, Evan was right on with the “Buddy List” analogy, though in this case I hope to infer those buddy lists through the use of “trust values”, rather than explicitly maintaining lists of friends. (On the other hand, adding a list of friends may make a convenient short-hand for establishing a default trust value between entities…)

Phew. Let us pause for a second to catch our collective breath.

Next, Evan discusses the distributed model for Orchard. Orchard, as you will recall, is the server that will manage the user identities. I’ve been thinking for months now about what it means for Orchard to be distributed, and have come to the conclusion that it means two things. The first is a “local” distribution, or more of a partitioning solution for a single network. In other words, a way of running multiple Orchard servers such that they appear as one. This is a relatively straightforward problem, and one that I don’t need to go into here.

The second meaning is more interesting, and is what Evan calls into question when bringing up the clever comparison to the Federalist Papers. Taken to the ultimate conclusion, Evan is exactly right. If every person on the planet had full and total control over their own identity server, then while this would be fantastic from the perspective of local privacy, it would be largely useless in the sense of establishing relative global identity within one system. As such, I am leaning toward a “federated” model of identity (what an apt comparison that was, Evan!), whereby each Orchard identity server can explicitly enumerate a finite list of other Orchard (or other identity servers) that it trusts and will honor. So unto.net, running Orchard, could say that it honors its own credentials, or those of Microsoft, Google, Ebay, Yahoo, and Amazon. Amazon, on the other hand, would have no obligation to (and frankly, no reason to), honor the credentials of unto.net.

So Orchard is distributed, in the sense that it can be configured to honor the identity from third parties. You could run an Orchard server for your own website and keep your own local list of users, but also allow them to authenticate via other sites.

This, by the way, isn’t a particularly novel idea. Federated identity systems exist already to some degree. LDAP has much of the infrastructure it already needs for this model — Orchard will interoperate with LDAP, if not be based on it outright, albeit with an HTTP REST interface. And OpenID is a protocol that can be leveraged to do much of this. Although I do want to build in a signed key exchange protocol that aids in distribution.

So to address Evan’s final points, is this a model that would work for everyone? No, I highly doubt that it is. Most people right now are content with how email works, how blogreaders and RSS work, and how traditional forum systems work. But for some of us, (okay, perhaps just me), there may be more that can be done. “The new project” is a constellation of niche applications, and I suspect it will always be a niche community. Then again, Slashdot, del.icio.us, and Digg, and Upcoming, etc., are all also niche applications, and I would be content with just a small fraction of the community they have all built up. If unto.net provides value to even a handful of people — heck, even if it just provides value to me — then the time has not been wasted.

Thank you for the note, Evan. I hope that someday you could post this to the homepage yourself.

4 Responses to “We Get Letters”

  1. Chris Says:

    Here’s an implementation of this I’ve been reading about but haven’t gotten around to using at all yet. They use the term “subjective quality” to rank pages.

    http://getoutfoxed.com/

    My problem with all these social networking sites is still the barrier to entry (unless you’re a major company like yahoo or google, with the ability to easily tie people’s email patterns / address books into social connections). As a user, I can’t convince my less tech-addicted friends to join up to yet another social network, enter their friends, etc. Even forcing them to import address books / lists is still effectively an insurmountable barrier. If there were a way to easily map connections in an open web 2.0 type way between systems like Friendster, MySpace, Tribe, etc, people would, I think, be more likely to join newer, more interesting community sites. However, on the surface, this would not be in the best interest of the established sites, as it would commoditize the social networking part of the software and force the sites to actually provide additional value or risk losing revenue.

  2. Evan Says:

    Thanks for all your comments, DeWitt. I’m still not quite convinced that trust sliders will work for *everything*, at least out of the box. I read a lot of stuff without forming an opinion, because worthy opinions take a little bit of time. Now, I *could* slap on a number immediately after reading something, sort of like those slider devices that focus groups subjects keep their fingers on as they sit and watch Al Gore speak, but my “gut” rating will be pretty worthless a lot of the time. Considered opinions naturally require consideration, but there’s an awful lot of things to have an opinion about, so most opinions aren’t thought through very carefully.

    Part of the reason that Amazon ratings seem generally trustworthy is that reviewers are forced to compose and articulate their thoughts through the act of writing. If you have to write about something, then you’re likely to consider all of the angles and weigh them against one another, rather than just thinking, “I hate this, it broke within 3 days.” I can’t seem to find the box where you can rate an item on Amazon without reviewing it; did they remove it? I have my guess as to why. In fact, if my name were Amazon.com, I would reverse the order of fields on the Submit a Review page; writing and thinking should come first, followed by the summary and rating.

    So I guess my own vision of a universal trust system would entail writing as a fundamental part of the act of rating. It should probably be left out for trust ratings of other people, because, like I said in my last email, we’re pretty good at instinctually deciding how trustworthy someone is without writing a treatise on the subject. Writing, of course, also invites dialog, which in my experience leaves people with better opinions, and thus better trust evaluations, than they had before.

  3. Chris Says:

    I really loved Amazon’s quick-rating system on product pages (when I was able to find it).

    It’s more valuable to a large-scale automated system to know a lot of potentially inaccurate information about my preferences than a far smaller amount of more accurate information.

    From the user’s perspective, having to enter a lot of text (or even think too hard) is a barrier to entry for gaining that data, and without a critical mass of customers and data, the system doesn’t have much value.

    Actually, in that context, Amazon’s gradual removal of the simple rating form makes a bit more sense. While amassing data for an intelligent recommendations engine, you’d need to get lots of customer feedback and ratings as quickly as possible. Then, once you have a large quantity of data to predict customers’ desires, you can stop constantly soliciting feedback (except in the recommendations page, where you still need feedback in order to tune the choices to the customer’s needs).

    When deciding how much you would like a product, the recommendation engine presumably weights written reviews (especially the ones marked “trusted” by a decent number of customers) more than it weights simple numerical ratings by other customers. Numerical ratings from you, however inaccurate they may be, are still very trustworthy and useful, as you’ve provided that feedback, even if it isn’t always accurate. Perhaps your own written reviews, as they do imply actual thought, are weighted more than these; that would certainly fit with assigning more value to a score the more we trust its accuracy.

    One idea that may be a nice UI way to deal with varied reviews that I don’t think I’ve seen anywhere (maybe on ebay, but I can’t remember, and don’t feel like checking right now) is to have an interface which can display all positive reviews in one shot, then all mediocre reviews, then all negative ones. Avoiding the context switch between “is this a list of good statements or angry statements or a mishmash of both” might make large sets of review data like Amazon’s or Yelp’s easier to comprehend.

  4. Williamsburger » Archives » Personalized Content: Findory, Blogofy Says:

    [...] This doesn’t get into the hairier issue of merging these concepts with social networks and trust levels, something the immensely intriguing but woefully buggy Outfoxed tries to accomplish, but that’s an entirely different discussion. [...]