Reputation systems have been studied across a number of diverse disciplines. For example, the user feedback posted after the completion of a transaction on eBay is perhaps one of the most well known reputation systems. Reputation on eBay is simply a function of the cumulative positive and non-positive ratings for a seller or a buyer over the history of being an eBay member. As pointed out elsewhere, one of the most noticeable effects, the so-called Pollyanna effect, is the disproportionately large number of positive feedbacks and the rarity of negative feedbacks. The Pollyanna effect is particularly evident on eBay. Public disclosure of rating and rater information is one of the many factors contributing to eBay's Pollyanna effect. There are also studies on the vulnerability of a reputation system and the risk of misbehavior because of the lack of reputation consequence. For example, the Sybil attack is not uncommon in an environment where a participant in the reputation system can easily create multiple identities.
There are many applications of the reputation inquiry just described, e.g., reputation-based network security and reputation-based medical referral. For example, a patient may want to learn the reputation of a physician from, for example, other participants in an online blog. The patient could post the reputation inquiry on the online blog and hope that those who have been treated by the physician would offer useful feedback on the physician. In a typical online blog, all participants, including the physicians, can see all the postings of each other. Consequently, the alias identity of the patient, the feedback providers, and the reputation feedback are all exposed to the public and subject to manipulation, e.g., the physician could create an alias identity and enter biased feedback for himself/herself.
One of the challenges when constructing a reputation system is establishing the system's trustworthiness and managing the risk of introducing undesirable bias. Consider the case where party P1 solicits an opinion about party P2 from parties P3 and P4 (the referees with regard to the inquiry about P2), and party P4 solicits an opinion about party P3 from party P2 (the referee with regard to the inquiry about P3). If these solicitations are held in public, parties P2 and P3 will each know that the other party is being solicited for feedback. Consequently, both parties may artificially inflate or deflate their opinion about each other in exchange for a favor or as revenge, thus introducing undesirable bias. When this happens, the integrity of the reputation inquiry is compromised and its trustworthiness becomes questionable.
Clearly, the success of a reputation inquiry depends on its ability to guarantee the privacy of each party when expressing its opinion about the others. A commonly encountered strategy is to introduce a mediator proxy (see FIG. 1) to achieve a double-blind process. In doing so, an administrative policy is required to verify that the mediator proxy maintains the confidentiality of the information flowing through it. Compliance with the policy, however, may not be enforceable, and its success relies on the voluntary participation of the parties. For example, the eBay feedback system is one such case, which relies on the voluntary participation of buyers and sellers.
Even if voluntary participation exists, there can be a privacy leak from the mediator proxy. Note that in a traditional double-blind process, the mediator proxy holds the identity of the inquirer (party P1), the identity of the target (party P2), and the identities of the referees (parties P3 and P4). If there is a security breach of the mediator proxy, then the privacy of all parties in the above example is compromised. The mediator proxy could be compromised due to, for example, passive sniffing by peers on the communication channel between the mediator proxy and the inquirer/referee(s), or a legal or illegal interception of the communication channel by an intruder or authority.
Two main approaches are typically encountered for protecting the identity of participating parties, namely, store-and-forward proxy and broadcasting. An example of the store-and-forward proxy approach is the Publius system, which relies on encryption and a threshold key distributed to a static, system-wide list of servers to protect the identity of a publisher. Broadcasting, as discussed elsewhere, on the other hand, protects the identity of a responder. The personal privacy protocol (“P5”) provides mutual anonymity, for both inquirer and responder, by transmitting an inquiry and a response to a broadcast group, as opposed to an individual party.
For protecting the privacy of the inquiry content and response, k-anonymity and cryptographic application are two general concepts commonly encountered. The basic idea behind k-anonymity is to introduce poly-instantiation so that an entity value is indistinguishable from (k−1) other objects assuming the same value. Exemplary privacy preserving techniques based on k-anonymity can be found elsewhere. Cryptographic applications to privacy preservation have ranged from applying standard encryption techniques and PKI to protect the “secrets” of the inquiry content and response, to creating a dining cryptographers network, such as Herbivore. A certain trust assumption is made in the cryptographic application to privacy preserving communication, particularly regarding the trustworthiness of the parties involved in the communication process. The embodiments of the present invention could be considered one kind of cryptographic application to privacy preserving communication, but with a provable privacy assurance similar to that of Herbivore.
The prior art generally fails to provide adequate privacy protection. Reputation inquiry without privacy protection is vulnerable to the Pollyanna effect. The Pollyanna effect, as exemplified on eBay, is a disproportionately large number of positive feedbacks and a rarity of negative feedbacks. Public disclosure of the rating and the rater information is one of the many factors attributed to the Pollyanna effect. As such, the “true value” of a reputation rating in such an environment becomes difficult to discern.
The prior art that utilizes the broadcasting approach opens itself to the possibility of establishing direct communication with the inquirer. The broadcasting approach to identity anonymity typically relies on some kind of proxy to broadcast the inquiry to responders. If the responders reply directly to the inquirer, the identities of the responders are exposed, thus entailing a privacy leak. If the responders reply via the proxy, as in the personal privacy protocol P5, the proxy becomes the central point entailing the risk of a privacy leak, because the proxy will know the identity and the content of the inquirer, as well as the identities and the responses of the responders. Although protocols relying on broadcasting provide some degree of identity anonymity, they are typically not sufficient to prevent a privacy leak. This is particularly so in an environment allowing an inquirer to construct an arbitrary reputation inquiry. For example, an inquirer constructs a query inquiring about one specific individual and targeted at one specific responder. In doing so, the privacy of the responder's reputation rating of the specific individual is no longer protected, even if broadcasting and encryption are employed.
The prior art that utilizes k-anonymity does not even attempt to protect the content of a response. k-anonymity introduces poly-instantiation so that an entity value is indistinguishable from (k−1) other objects assuming the same value, e.g., k entities assuming the same ID number so that the ID number cannot be used to reverse-identify an individual entity without ambiguity. k-anonymity only protects the privacy of the inquirer and responders through broadcasting. It does not protect content confidentiality unless a technology such as cryptography is applied. While cryptographic application protects content confidentiality, an infrastructure for encryption and decryption key management and distribution is required. Key management and distribution are particularly difficult in a P2P environment because of its dynamic nature, where peers could come and go at any time and do not know each other.
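The k-anonymity notion used in the two paragraphs above (an entity value indistinguishable from k−1 others) can be checked mechanically. The following Python is an added illustration, not code from the patent or from any k-anonymity system it cites: it takes a constructed set of reputation responses carrying two quasi-identifiers (region and years of membership, both assumed attributes), tests whether every quasi-identifier combination occurs at least k times, and shows the poly-instantiation step of coarsening those attributes, followed by suppression of any class that is still too small. Note, as the text says, that the rating itself stays in the clear; k-anonymity hides who answered, not what they answered.

```python
"""k-anonymity check and generalization for released reputation responses.
Added example; the records and quasi-identifiers are constructed."""
from collections import Counter

# Constructed sample: one record per responder. "region" and "years" are the
# quasi-identifiers that could re-identify a responder; "rating" is the answer.
SAMPLE_RESPONSES = [
    {"region": "Boston", "years": 2, "rating": 5},
    {"region": "Boston", "years": 3, "rating": 4},
    {"region": "Cambridge", "years": 2, "rating": 1},
    {"region": "Cambridge", "years": 7, "rating": 5},
    {"region": "Newton", "years": 4, "rating": 2},
    {"region": "Newton", "years": 5, "rating": 5},
]
QUASI_IDENTIFIERS = ("region", "years")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each quasi-identifier tuple."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def is_k_anonymous(records, quasi_ids, k):
    """True if every quasi-identifier combination occurs at least k times,
    i.e. each responder is indistinguishable from at least k-1 others."""
    classes = equivalence_classes(records, quasi_ids)
    return bool(classes) and min(classes.values()) >= k


def generalize(records):
    """Poly-instantiate: coarsen the city to a metro area and the membership
    length to a band, so several responders assume the same values."""
    return [
        {
            "region": "Greater Boston",                 # assumed coarser area
            "years": "1-3" if r["years"] <= 3 else "4+",  # assumed banding
            "rating": r["rating"],
        }
        for r in records
    ]


def suppress_small_classes(records, quasi_ids, k):
    """Drop records whose class is still smaller than k after generalization."""
    classes = equivalence_classes(records, quasi_ids)
    return [r for r in records if classes[tuple(r[q] for q in quasi_ids)] >= k]


def release(records, quasi_ids, k):
    """Produce a k-anonymous view: generalize, then suppress what remains."""
    return suppress_small_classes(generalize(records), quasi_ids, k)


if __name__ == "__main__":
    print("raw 2-anonymous:", is_k_anonymous(SAMPLE_RESPONSES, QUASI_IDENTIFIERS, 2))
    view = release(SAMPLE_RESPONSES, QUASI_IDENTIFIERS, 3)
    print("released 3-anonymous:", is_k_anonymous(view, QUASI_IDENTIFIERS, 3), view)
```

With the constructed data the raw records are all unique, so even k=2 fails; after banding, two classes of three responders remain, which satisfies k=3 but not k=4, at which point suppression removes every record and nothing can be released.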
Thus, it is an object of the embodiments of the present invention to provide a method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment, which avoids the disadvantages of the prior art.
Briefly stated, another object of the embodiments of the present invention is to provide a method for preserving privacy of a reputation inquiry in a peer-to-peer communication environment. The method allows peers, using their own personal agents, to obtain reputation information about each other through a pair of trustworthy mediator proxies. A mediator proxy is considered trustworthy if, even when it is compromised, it can guarantee three conditions: (1) the anonymity of the identities of the responders and of the target being inquired about; (2) the privacy of the content of an inquiry and of a response; and (3) a boundary limit on the reputation summary, with no possibility of combining the responses to multiple inquiries to reverse engineer the reputation rating of an individual responder.
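Condition (3) above deserves a concrete check, because it is the one a summary-only service most easily gets wrong. The Python below is an added illustration, not the patent's mechanism: a constructed table of ratings about P2, a naive summarizer that returns a count and mean for any referee set, and a guarded summarizer that enforces an assumed minimum referee count and refuses an inquiry whose referee set differs from an already answered set by fewer than that minimum. The naive version lets an inquirer who receives two summaries differing by a single referee subtract one from the other and isolate that referee's rating; the guarded version never answers the second inquiry.

```python
"""Boundary limit on reputation summaries. Added example; the ratings,
referee names and minimum referee count are constructed/assumed."""
from fractions import Fraction

# Constructed sample: the rating each referee gave target P2.
RATINGS_ABOUT_P2 = {"P3": 5, "P4": 1, "P5": 4, "P6": 3, "P7": 5}

MIN_REFEREES = 3  # assumed smallest referee set that may be summarized


def naive_summary(ratings, referees):
    """Unguarded summary: (count, mean) over any referee set, with exact
    arithmetic so the leak below is not masked by floating point."""
    chosen = [ratings[r] for r in referees if r in ratings]
    return len(chosen), Fraction(sum(chosen), len(chosen))


def isolated_by_difference(summary_a, summary_b):
    """What an inquirer can recover from two summaries whose referee sets
    differ by one member: count*mean gives each total, and the difference of
    the totals is that single referee's rating."""
    (n_a, mean_a), (n_b, mean_b) = summary_a, summary_b
    return n_a * mean_a - n_b * mean_b


class GuardedSummaryService:
    """Summarizer that keeps condition (3): a summary is only released for a
    referee set of at least min_referees, and only if its symmetric
    difference with every previously answered set is either empty (the same
    inquiry repeated) or itself at least min_referees large."""

    def __init__(self, ratings, min_referees=MIN_REFEREES):
        self.ratings = ratings
        self.min_referees = min_referees
        self.answered = []  # referee sets already summarized

    def summarize(self, referees):
        chosen = frozenset(referees) & frozenset(self.ratings)
        if len(chosen) < self.min_referees:
            return None  # too small a set: would expose near-individual ratings
        for prior in self.answered:
            if 0 < len(chosen ^ prior) < self.min_referees:
                return None  # differencing against a prior answer would isolate fewer than min_referees
        self.answered.append(chosen)
        return len(chosen), Fraction(sum(self.ratings[r] for r in chosen), len(chosen))


if __name__ == "__main__":
    everyone = ["P3", "P4", "P5", "P6", "P7"]
    all_but_p4 = ["P3", "P5", "P6", "P7"]
    a = naive_summary(RATINGS_ABOUT_P2, everyone)
    b = naive_summary(RATINGS_ABOUT_P2, all_but_p4)
    print("naive: P4's rating recovered as", isolated_by_difference(a, b))
    svc = GuardedSummaryService(RATINGS_ABOUT_P2)
    print("guarded first inquiry:", svc.summarize(everyone))
    print("guarded second inquiry:", svc.summarize(all_but_p4))
```

The pairwise check is the minimal form of the boundary limit; a service that must answer many overlapping inquiries would track the linear combinations of all answered sets rather than only pairs, since a chain of inquiries can isolate a referee even when every pair differs by enough members.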