News: 1725359289

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

AI firms propose 'personhood credentials' … to fight AI

(2024/09/03)


Researchers at Microsoft and OpenAI, among others, have proposed "personhood credentials" to counter the online deception enabled by the AI models sold by Microsoft and OpenAI, among others.

"Malicious actors have been exploiting anonymity as a way to deceive others online," explained Shrey Jain, a Microsoft product manager, in a Microsoft Research podcast [1]interview .

"Historically, deception has been viewed as this unfortunate but necessary cost as a way to preserve the internet's commitment to privacy and unrestricted access to information.

[2]

"Today, AI is changing the way we should think about malicious actors' ability to be successful in those attacks. It makes it easier to create content that is indistinguishable from human-created content, and it is possible to do so in a way that is only getting cheaper and more accessible."

[3]

[4]

The answer Microsoft, OpenAI, and various academic researchers propose is personhood credentials – or PHCs – which are essentially cryptographically authenticated identifiers bestowed by some authority on those deemed to be legitimate people.

The idea, described in a [5]research paper [PDF] with more than 30 authors, is similar to the way that Certificate Authorities vouch for the ownership of a website – except that PHCs are supposed to be pseudonymous as a means of providing some measure of privacy.

[6]

Beyond some of the corresponding authors' Microsoft and OpenAI affilations, the other co-authors have ties to: Harvard Society of Fellows, University of Oxford, SpruceID, a16z crypto, UL Research Institutes, Tucows, Collective Intelligence Project, Massachusetts Institute of Technology, Decentralization Research Center, Digital Bazaar, American Enterprise Institute, Center for Human-Compatible AI, University of California, Berkeley, OpenMined, Decentralized Identity Foundation, Goodfire, Partnership on AI, eGovernments Foundation, University of Minnesota Law School, Mina Foundation, ex/ante, School of Information, University of California, Berkeley, Berkman Klein Center for Internet & Society, and Harvard University.

The proposed PHC identifiers are not supposed to be publicly linkable to a specific individual once granted – though presumably unmasking a PHC holder could be done with an appropriate legal demand.

However, the paper is careful to note that PHCs would not actually provide privacy – which remains all but non-existent online thanks to the ubiquity of tracking mechanisms and the incentives to surveil.

[7]

"While PHCs preserve user privacy via unlinkable pseudonymity, they are not a remedy for pervasive surveillance practices like tracking and profiling used throughout the internet today," the paper concedes. "Although PHCs prevent linking the credential across services, users should understand that their other online activities can still be tracked and potentially de-anonymized through existing methods."

The research also mentions fingerprinting – only as an inadequate AI defense and a form of biometric identification, not as a privacy threat to PHC holders.

The paper presents more of a general framework than a specific technical implementation. The authors suggest that various organizations – governmental or otherwise – could offer PHCs as a way to accommodate various "roots of trust," to use a term commonly applied to Certificate Authorities. US states, for example, could offer them to anyone with a tax identification number and the corresponding PHC could be biometrically based, or not.

"We are concerned that the internet is inadequately prepared for the challenges highly capable AI may pose," the AI-making authors and associates state. "Without proactive initiatives involving the public, governments, technologists, and standards bodies, there is a significant risk that digital institutions will be unprepared for a time when AI-powered agents, including those leveraged by malicious actors, overwhelm other activity online."

[8]Microsoft security tools questioned for treating employees as threats

[9]Elon Musk reins in Grok AI bot to stop election misinformation

[10]Facebook whistleblower calls for transparency in social media, AI

[11]Microsoft Bing Copilot accuses reporter of crimes he covered

These and related concerns have spurred other initiatives that similarly aspire to authenticate people online with minimized information disclosure. The authors point to the World Wide Web Consortium's (W3C) [12]Verifiable Credentials and [13]Decentralized Identifiers (DIDs), European Union Digital Identity's (EUDI) privacy-preserving digital wallets, and other standards such as British Columbia's [14]Person credential .

The stated goal of PHCs is "to reduce scaled deception while also protecting user privacy and civil liberties." Doing so, however, would require a one-per-person-per-issuer credential limit. The idea is PHCs should not be available in unlimited quantities like email addresses.

Another aim, ironically, is to allow verification delegation to AI agents – so online services can ensure that AI bots have authority to act that comes from a real person.

The authors acknowledge there are still some challenges to overcome – such as ensuring PHCs are equitable, support free expression, don't provide undue power to ecosystem participants, and are sufficiently robust against attacks and errors.

Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, told The Register that he took a look at the paper and "from the start it's wildly dystopian."

"It provides for governments – or potential hand-wavy other issuers, but in reality, probably governments – to grant people their personhood, which is actually something that governments are historically very bad at," he said.

"Many governments have people who they're responsible for, in one way or another, or who are under their control, that they consider 'lesser people' and they would prefer not to speak online.

"So, while the proposal uses some fancy cryptography to preserve anonymity in an environment where the government grants you a credential to speak online, it doesn't really solve the problem of your government deciding who speaks online or not."

Hoffman-Andrews observed another major problem is that much of the concern about AI is state-sponsored disinformation.

"If you have different governments saying who's a person, who's granted permission to speak online, but those governments also have an interest in deceptive activity at scale, you wind up with institutions in different countries not trusting the personhood of people in other countries and restricting that speech and just further fragmenting already deeply fragmented internet."

What's more, Hoffman-Andrews said there are movements in the US, the UK, and elsewhere to limit the ability of children and teenagers to speak online.

He warned: "In a regime where you need a personhood credential to be able to log in, this actually seems like kind of a custom-built choke point for governments to prevent certain people from getting online." ®

Get our [15]Tech Resources



[1] https://www.microsoft.com/en-us/research/podcast/abstracts-august-15-2024/

[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Ztcyo6B_RdoT8WhwYRzVaQAAAZc&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Ztcyo6B_RdoT8WhwYRzVaQAAAZc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Ztcyo6B_RdoT8WhwYRzVaQAAAZc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://arxiv.org/pdf/2408.07892

[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Ztcyo6B_RdoT8WhwYRzVaQAAAZc&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_software/aiml&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Ztcyo6B_RdoT8WhwYRzVaQAAAZc&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://www.theregister.com/2024/08/27/microsoft_workplace_surveillance/

[9] https://www.theregister.com/2024/08/28/grok_election_misinformation/

[10] https://www.theregister.com/2024/08/27/facebook_transparency_ai/

[11] https://www.theregister.com/2024/08/26/microsoft_bing_copilot_ai_halluciation/

[12] https://www.w3.org/TR/vc-overview/

[13] https://w3c.github.io/did-core/

[14] https://digital.gov.bc.ca/digital-trust/online-identity/person-credential/

[15] https://whitepapers.theregister.com/



They cannot stop me from saying "."

Flocke Kroes

OK, [1]they can but I only said ".". That guy over there said "...".

[1] https://www.npr.org/2024/09/02/g-s1-20579/iran-sentenced-12-years-tweet-supreme-leader

bestowed by some authority

Anonymous Coward

> authenticated identifiers bestowed by some authority on those deemed to be legitimate people.

Well, that is never going to be open to abuse (from both angles, issuing ids that shouldn't be and not issuing ones that should)

> US states, for example, could offer them to anyone with a tax identification number and the corresponding PHC could be biometrically based, or not.

Neat idea, no protection unless you are literally paying for it; and just maybe we'll mess up your "biometrics" ("No idea why the camera didn't work for you, maybe something to do with the colour contrast, we'll get right onto fixing that, try back in six months time")

> The proposed PHC identifiers are not supposed to be publicly linkable to a specific individual once granted – though presumably unmasking a PHC holder could be done with an appropriate legal demand.

That can't be abused, nope, not at all.

> Although PHCs prevent linking the credential across services, users should understand that their other online activities can still be tracked and potentially de-anonymized through existing methods

And how long before the above two are used to subvert the "prevent linking the credential across services" - in a far more pleasingly reliable fashion than all the commonplace ways, which are (to an extent, and with effort) defeatable by locally deleting cookies, changing browsers, firing up VMs...

Ah yes, we will protect you against the AIs - just don't think too deeply about how we are going to do it.

> Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, told The Register that he took a look at the paper and "from the start it's wildly dystopian."

Indeed.

Mark White

I considered something like this a while ago, having a lot of soft identifiers for logging into websites.

You could use identifiers like computer name, browser used, tabs open, sites logged into in current session, input from webcam (both face and background) to build up a identity of the person trying to log in. If this is doesn't match, then more intrusive options can be asked for... fingerprint, password, voice recognition, etc.

It would create a constantly changing ID of you and you could specify the accuracy required for different sites. E.g. Spotify might need low accuracy but it would contribute to the accuracy required to check your emails which then would give enough of an idea that it is you to log into your online banking. If you needed direct access to a high accuracy site, then more traditional methods of identification (remember, biometrics are not a password) and a password could be used.

Shitstorm a' Brewin'

Anonymous Coward

This .. "idea" ... has far-more badness than goodness in it. It is an attempt to (among other things) use technology to fix a human flaw: gullibility.

Re: Shitstorm a' Brewin'

Flocke Kroes

A few years ago I could say "pictures or it didn't happen". Early this year I could spot the difference between a real picture of a human and an AI generated one. Now when something doesn't happen the pictures are hard to discredit and when something does happen people are skeptical of the genuine pictures.

ArrZarr

Given the reams of speculative fiction on the powers of AIs, why did we go ahead and build the bloody things with no idea how to manage the inevitable genie once it was out of the bottle?

Oh, right. Money.

Even Asimov, writing in a time functionally before electronic computers, grappled with how to prove that a person wasn't a robot in 1946 (Evidence) and wasn't able to come up with an answer - three laws or not.

I don't think AI is an inherently bad idea, but it really needs to be done more carefully than it has been done.

"personhood credentials"?

Plest

This stinks of global, liberal elitest woke BS word-speak to me!

Re: "personhood credentials"?

Irongut

Stinks of right-wing oppressive governments to me!

Pascal Monett

Let's face it : we already know that so-called social media has done far worse than 1984 could have ever imagined.

Now, we have AI as an excuse to borg every one us into the grid and make sure we are under total surveillance.

And no government is involved !

Isn't progress wonderful ?

passport.net

Dan 55

Now with added AI.

Re: passport.net

Flocke Kroes

And [1]blockchain .

[1] https://m.xkcd.com/2030/

Re: passport.net

theDeathOfRats

Please stop giving them ideas.

Irongut

> AI is changing the way we should think about malicious actors' ability to be successful in those attacks. It makes it easier to create content that is indistinguishable from human-created content,

If you educated your children in grammar, punctuation and spelling perhaps we'd be able to tell the difference between AI written nonsense and posts by Americans.

I am me.

heyrick

But, really, I don't think that proves anything.

Perhaps we should look at this the other way around. We aren't "proving" that we are human, we're "proving" that we aren't a machine. Which shows what a lovely dystopian future awaits us.

Icon, because fiction suggests that when the machines are in charge it doesn't end well.

identifiers bestowed by some authority on those deemed to be legitimate people

heyrick

And the typical way of doing that, for a fee of course, is handing over various official identity documents.

Given that most of these companies give exactly zero shits about the security of the information that they hold, and might maybe offer a couple of years of anti fraud "protection" (while your identity has been compromised potentially for life), the simplest and most logical response is...

Fuck off.

I'm not jumping through your hoop to prove I'm real. Y'all made this mess, you fix it.

Anonymous Coward

there's just so much to unpack about this proposal, but the one that jumped out to me was that one of the sponsors was “a16z crypto”, truly a cursed name to see, so many sirens ringing in my head.

In-Person Verification

Ken Moorhouse

Is the answer.

If you can turn up for an appointment and you have a pulse (just in case someone wheels Jeremy Bentham in) then you are a "person".

It may take a long time for this realisation to sink in, but that is the world we're now living in.

EFF

Dan 55

"It provides for governments – or potential hand-wavy other issuers, but in reality, probably governments – to grant people their personhood, which is actually something that governments are historically very bad at," he said.

Apart from birth and death certificates, passports, ID cards (those countries that have them), driving licences, social security, etc... In fact, if you wanted an organisation to check that someone was a real actual live person, then the government would probably be the best one to do it and they wouldn't need Microsoft, Open AI, or the rest of band of hangers on who have signed up to this to help them do that.

EFF meanwhile has a few more paragraphs railing against the government. Is that their default position or something? It's MS and Open AI that came up with this "solution" for a problem they themselves created in the first place. Perhaps the EFF could comment on that.

Re: EFF

I am the liquor

To be fair to the EFF, the paper itself does point out that the model would create a readily-abusable concentration of power in the PHC issuers, and the authors say they are "concerned about these dynamics"... but then just hand-wave it away by more-or-less saying the PHC issuers should try not to be naughty. They've come up with a model that strongly protects against abuse by the consumers of the PHCs, but provides no protection at all on the issuing side. It looks like they've only done half the job.

I don't want people to love me. It makes for obligations.
-- Jean Anouilh