FaceTrust: Assessing the Credibility of Online Personas via Social Networks Michael Sirivianos, Kyungbaek Kim and Xiaowei Yang in collaboration with J.W. Gan, C. Carlon and D. Jiang Duke University and UC Irvine Aug 11 @ HotSec 2009

Motivation

Online world without identity credentials:
o Makes determining who and what to believe difficult

Outline

Why do we need a stronger online identity?

Design

Social Tagging

Assessing Credibility

OSN-issued Credentials

Evaluation

Conclusions and work in progress

How can Identity Credentials help?

Trustworthy online communication:
o Dating websites, Craigslist, Amazon reviews, eBay transactions, first contact in OSNs
o “I work in ...”, “I am a good seller”, “My name is ...”

Access control
o Age-restricted sites
o “I am over 18 years old”

Malware defence
o “I am a reputable software author”

Our Solution

Relaxed (not absolutely verified) credentials
o bind an online statement (assertion) to the probability this assertion is true
o for not very critical applications, but they can help users or apps make informed decisions

Online social network users verify their friends’ verifiable identity assertions

OSN providers issue credentials on a user’s assertions using his friends’ feedback

Design: Social Tagging

Users post facts/assertions on their OSN profiles:
o “Am I really over 18 years old?”

Friends tag those facts as TRUE or FALSE
o OSN-based crowd-vetting
o Challenges:
  o Friends can collude and lie for each other
  o Dishonest users may create many fake OSN accounts, aka Sybil attack

Our approach: assess the credibility of taggers using a trust metric

Design: Assessing Credibility (1)

Advogato Trust Metric:

Attack-resistant [Levien et al., Security ’98]

Input: Graph with trust edges that indicate a trust level X between nodes.

Output: The nodes that can be trusted by at least X.

[Figure: example trust graph with labels 100%, 75%, 25%, 50%, 75%, “100% trusted node” and “75% trusted node”]

Design: Assessing Credibility (2)

Trust edges annotated with tagging similarity between friends
o #same-tags / #common-tags
o e.g., if two friends have tagged 2 common facts of the same user and agree on only one tag, they have similarity 50%

Design: Assessing Credibility (3)

Use Advogato to compute the tagging credibility (or weight) in [0, 1] of tags made by each user i: $w_i$

Use weighted average of tags by friends i of j on j’s assertion ($d_{ij}$ = +1 if TRUE, -1 if FALSE) to compute credibility of j’s assertion:

$\max\left(\frac{\sum_i w_i \cdot d_{ij}}{\sum_i w_i},\ 0\right)$

Design: OSN-issued Credentials

Relaxed credentials issued by the OSN provider:
o {assertion type, assertion, credibility}

idemix [Camenisch et al. EuroCrypt 01, CCS 02]
o Obtain cryptographic credential from credential authority
o Prove possession of credential to verifying authority without revealing identity
o Verifying authorities cannot link credential showings
o Firefox plugin based on idemix Java code

If unlinkability (surveillance-resistance) not required or if required but the user does not mind creating multiple credentials for the same assertion:
o use simple web based credential, e.g.,

An Age Example

[Figure, shown in three builds. Labels: Facebook; User u [age=21]; OSN; Verifier]

Tags on u’s assertion:
o User x, $w_x$ = 1.0: TRUE, $d_{xu}$ = 1
o User y, $w_y$ = 1.0: TRUE, $d_{yu}$ = 1
o User z, $w_z$ = 0.5: FALSE, $d_{zu}$ = -1

Messages:
o Credential Request: [u, age, > 18]
o Credential: [u, age, > 18, 0.6]
o Credential: [age, > 18, 0.6]
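The tagging-similarity ratio and the credibility formula from the Assessing Credibility slides, as an added example that is not from the slides or the FaceTrust code. The per-tagger weights are taken as given (the Advogato computation that produces them is not implemented here); the function names, the handling of empty inputs and the Sybil numbers are assumptions made for illustration.

```python
from typing import Dict, Optional

TRUE, FALSE = 1, -1  # d_ij values from the slides


def tagging_similarity(a: Dict[str, int], b: Dict[str, int]) -> Optional[float]:
    """#same-tags / #common-tags over the facts both friends have tagged."""
    common = a.keys() & b.keys()
    if not common:
        return None  # undefined without common tags; handling is an assumption
    return sum(a[f] == b[f] for f in common) / len(common)


def assertion_credibility(tags: Dict[str, int], weights: Dict[str, float]) -> float:
    """max(sum_i w_i * d_ij / sum_i w_i, 0) over the taggers i of one assertion."""
    weighted = total = 0.0
    for tagger, d in tags.items():
        if d not in (TRUE, FALSE):
            raise ValueError(f"tag by {tagger!r} must be +1 or -1")
        w = weights.get(tagger, 0.0)  # assumption: unweighted taggers count for 0
        if not 0.0 <= w <= 1.0:
            raise ValueError(f"weight of {tagger!r} must lie in [0, 1]")
        weighted += w * d
        total += w
    if total == 0.0:
        return 0.0  # assumption: no credible tagger means no credibility
    return max(weighted / total, 0.0)


# Numbers from the age example slide: x and y tag TRUE, z tags FALSE.
AGE_TAGS = {"x": TRUE, "y": TRUE, "z": FALSE}
AGE_WEIGHTS = {"x": 1.0, "y": 1.0, "z": 0.5}

# Constructed Sybil case: 20 fake accounts tag TRUE, each assumed to have been
# given weight 0.01 by the trust metric; two well-trusted friends tag FALSE.
# A plain majority vote would accept the assertion 20 to 2.
SYBIL_TAGS = {**{f"sybil{n}": TRUE for n in range(20)}, "h1": FALSE, "h2": FALSE}
SYBIL_WEIGHTS = {**{f"sybil{n}": 0.01 for n in range(20)}, "h1": 0.9, "h2": 0.8}

if __name__ == "__main__":
    age = round(assertion_credibility(AGE_TAGS, AGE_WEIGHTS), 2)
    print("credential:", ["age", "> 18", age])
    print("sybil-backed assertion:", assertion_credibility(SYBIL_TAGS, SYBIL_WEIGHTS))
    # The slide's similarity example: 2 common facts, agreement on one of them.
    print("similarity:", tagging_similarity({"age": TRUE, "job": TRUE},
                                            {"age": TRUE, "job": FALSE}))
```
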

Evaluation

How well do credibility scores correlate with truth?
Can the design withstand dishonest user tagging and Sybil attacks?

Experimental Setting:
o Honest and dishonest users make one assertion each
o Dishonest users tag both dishonest and honest assertions as TRUE
o Obtain average credibility of honest and dishonest assertions

The #tags per user matters

10% dishonest
o As #tags increase, honest users have more credibility
o Dishonest users always have low credibility
o Sybils have slightly more credibility than dishonest

Credibility is robust as %dishonest increases

at most 20 tags per user
o Honest users always have high credibility
o Dishonest user credibility not high even when 50%
o Sybils have slightly more credibility than dishonest

Conclusions

FaceTrust is:

An OSN-based approach to identity verification:
o crowd-vetting through social tagging
o relaxed and lightweight credentials

Employs robust trust metric for attack resistance

Employs anonymous credentials to preserve privacy

Work in Progress

Need to validate our hypotheses:

That users are willing to tag
o do they find tagging fun and useful?

That users mostly tag accurately
o are there many honest taggers?

Facebook application up and running
o we are collecting usage data, tags and social graph

Exploring other trust metrics: TrustRank [Gyongyi et al. VLDB 04]

Thank You!

Facebook application “Am I really?” at: http://apps.facebook.com/am-i-really

Questions?