The Inability to Simultaneously Verify Sentience, Location, and Identity

Really interesting “systematization of knowledge” paper:

“SoK: The Ghost Trilemma”

Abstract: Trolls, bots, and sybils distort online discourse and compromise the security of networked platforms. User identity is central to the vectors of attack and manipulation employed in these contexts. However it has long seemed that, try as it might, the security community has been unable to stem the rising tide of such problems. We posit the Ghost Trilemma, that there are three key properties of identity—sentience, location, and uniqueness—that cannot be simultaneously verified in a fully-decentralized setting. Many fully-decentralized systems—whether for communication or social coordination—grapple with this trilemma in some way, perhaps unknowingly. In this Systematization of Knowledge (SoK) paper, we examine the design space, use cases, problems with prior approaches, and possible paths forward. We sketch a proof of this trilemma and outline options for practical, incrementally deployable schemes to achieve an acceptable tradeoff of trust in centralized trust anchors, decentralized operation, and an ability to withstand a range of attacks, while protecting user privacy.

I think this conceptualization makes sense, and explains a lot.

Posted on August 11, 2023 at 7:08 AM10 Comments


TimH August 11, 2023 10:06 AM

I suggest that with so many nation states trying to control opinion anmd argument about current affairs, “centralized trust” is a high risk concept.

Clive Robinson August 11, 2023 11:17 AM

@ ALL,

“The Inability to Simultaneously Verify Sentience, Location, and Identity”

A Heisenberg Uncertainty Principle for a new century and problem domain.

No I don’t want to make AI Security sound like the new Quantum Mechanics, but that title sure draws some threads across.

Clive Robinson August 11, 2023 1:27 PM

@ ALL,

The paper introduction begins with a quote that effectively describes a loss of importance or relavance in a world increasingly not based on a shortage of information but an avalange of the irrelevant and effectively false information.

In a way it’s describing the issue of,

“One can fool some men, or fool all men in some places and times, but one cannot fool all men in all places and ages.”

(translation of, Jacques Abbadie 1864).

But in more modern times, what people tend to forget more often than they should is that extracting usefull information is a reductive process of lifting a signal out of what we call for want of a better name “noise”, which is it’s self a multiplicity of signals.

It’s well known to engineers that noise is it’s self a signal comprised of signals that are combined and at a certain point cease to be strictly meaningfull as individual signals at a point or time in space, thus are only amenable to statistical evaluation. Thus the techniques of statistical mechanics can be used as a simplification.

From a single point of observation the signals are like individual particles that go behind the broad effect we call “Brownian Motion”.

However the important thing to remember is that the noise I perceive at point A is not the same noise you perceive at point B. Thus a desired signal can be lifted from the noise if there is a way to synchronise all the different measurments[1].

Thus with multipoint observations “statistical mechanics” nolonger applies as it does at a single point of observation.

This is “known knowledge” that people need to move from one domain to another.

This paper defines it’s domain as being one or more points on the Internet trying to determin from received signals if the originator possesses,

1, Sentience
2, Location
3, Uniqueness

This is not the best way to go about things.

If we look at finding enemy agents in WWII certain techniques were developed to solve the last two issues of Location and Uniqueness as Sentience was considered a given. The techniques have been called “Find, Fix, Finish”.

It did not take long for Sentience to become an issue. As a method of defence the “operator” would set up an automated system that ran on a time switch that transmitted a tape. That way they could be safely away from the transmitter. Or as in some cases it was used as a “duck decoy/call” where the hunting forces got drawn into an ambush and got “Finished” themselves as “Dead Ducks”. Thus to protect themselves trying to establish if the operator was real became of importance to the hunting forces.

The same game started playing out with airwarfare in the cold war as radar and similar systems developed. It was not long befor “Electronic Counter Measures”(ECM) were developed. Initially it was “false echo” systems that had a similar effect to “chaff/window” that used halfwave length rsonators made out of foil. Where each one of the hundreds launched gave a false echo atlrast as strong as an aircraft. Thus “Electronic counter counter measures”(ECCM) had to be developed, these worked on the fact that “ECM Pods” were always at a single location and that could be worked out using an offset receiver system. In essence the signal at Receiver B was identical other than a time delay to the prime Receiver A, which it would not be the case if there were multiple signals…

I don’t need to say how ECM-ECCM-ECCCM developed into an “arms race” of it’s own.

Thus there are many lessons to “port” from the “Electronic Warfare”(EW) domain into the Internet domain.

But also consider the aim of the attacker is to get a message across in a small region. If they are to obvious it fails as their transmitters get recognised for what they are.

This is where MIMO LPI systems come into the picture. In general MIMO is used to hide the “message” by using “synthetic noise” so the message is coherant at a single place.

Lets invert that by the notion of a message with wide coverage but specific holes. If you aline the holes with those looking for Trolls they won’t see the Trolls but many others will see the message.

This is effectively what the more advanced disinformation campaigns are trying to do. That is if I claim there was a successfull missile strike in some village, I actually want to put a “Message hole” around that area so my claims do not cause me to loose creditdability there.

This type of propaganda was tried during WWII against the Germans. It mixed truth in with inuendo, such that it always sounded truthfull thus gained considerable credability against the German Hierarchy.

Thus we need to jump forwards quite a few paces in the current faux-news information war.

[1] Taking multiple points to transmit and receive a signal is part of “Multi-Input, Multi-Output”(MIMO) signalling. Which is currently under investigation by many to be a new form of “Low Probability of Intercept”(LPI) signalling. To see why imagine two transmitters that are sending a signal that consists of information modulated by noise. The differenc is one is I+Nf the other I-Nf individually I is unrecoverable but if you add the two I becomes easily recoverable,

I = ((I+Nf)+(I-Nf))/2

Nf can be shifted with regards position thus I becomes recoverable on a grid system. The more points used the more sparce the grid becomes. When combined with other directional systems the number of places I becomes recoverable is minimal. Look on it as being an updated version of the WWII beam system that has given us our modetn high precision navigation systems.

Winter August 11, 2023 2:27 PM


This is not the best way to go about things.

It is, but the point is not the technology, but the sociology.

Human societies are about trust. Gossiping is exchanging information about trust. But in real face-to-face human interactions, we can keep track about who says what. And every gossiper is self an subject of gossip. That way, the words of the one gossiper is weighted differently of the words of the other one.

Online, there is no real trust when the people you interact with have no real face. It is not possible to track who said what, and there is no gossip about the gossiper.

There are ways to get trust relations online. I do know how I should weight the words of our host. He has an offline personality and a long, verified track record. In short, he exists and can intervene when someone Impersonates him.

None of you have any reason to trust me. You do not know me other than through some comments posted on this blog. Only the moderator can see whether I am the same Winter that used this handle before.

The only thing you as a reader is to weight my words as if written by some stranger you have never heard from and may never hear from again.

I expect you to judge me like that, as some Anonymous commenter on the internet.

It is different on social media. No effort is shunned to enforce the impression that the accounts are real people like you, who are your friends, and who behave just like your friends from the pub or school.

And we, the first generation on social media do not know how to distinguish between real, human, friends and paid “influencers” and propagandists and sybils with a thousand faces and bots. We cannot see whether the person who once used an account is the same that posts now.

What I see with young people around me is that they leave social media because there is no meaningful interaction anymore.

modem phonemes August 11, 2023 3:11 PM

@ Clive Robinson

“One can fool some men, or fool all men … “

Pareto optimal fooling: Fool enough of the people enough of the time

(told me by an economist)

iAPX August 11, 2023 5:00 PM

There’s a lot to say about this paper.

Troll. Is it malevolent or someone loudly disagreeing?
You might agree to disagree. But you could also loudly disagree.
What is the real definition of a “troll” on Internet?
I am certainly not certain, and in fact I have been dubbed as “troll”, maybe you too.

Disinformation and misinformation: except if we have a Ministry of Truth, and I am sure many of you will agree to disagree on this, truth, or put it differently certainty is not an easy feat. Consensus are not, except if you except those that disagree.
And science more than anything other, people that made the most incredible advancement are the ones that question, disagree, somewhat loudly and offer new theories.

There’s something I totally agree with, it’s the quotes from Orwell and Huxley, two visionaries. And they envision our actual world from two different point-of-view. Think about it, they are both wrong and right, and entangled…

Chris Bonatti August 11, 2023 8:13 PM

Interesting? Yes.

Unfortunately, this paper seems to conflate too many topics and does not really seem to prove what is presumed to be the central thesis, to wit that this Ghost Trilemma is truly a uncertainty principle. It seems their thesis should be that it is difficult to establish verified identity from sparse data scraped from various kinds of common Internet transactions. It’s kind of an indictment of the state of the art, but doesn’t actually seem to prove a fundamental impossibility akin to the uncertainty principle.

Ted August 13, 2023 3:58 PM

Would I go to a location with a Point-of-Sale (PoS) system to verify my identity for, let’s say a social media platform? Based on what I am reading, well I guess I probably would. Especially if the network effect was in play

Table 3 lists alternate designs for the PoS scheme. I’d like to look at those more closely, but a lot of thought has gone into this.

Plus, such a system may allow someone to filter out accounts with less recent attestations?

In this way, users will be able to filter content they will see in their feed. Depending on the age of attestation of different accounts, users can pick and choose time ranges whose content they will see.

This is such a cool concept, imo, that I wish the paper had a ‘drive by’ splash page so more people might be exposed to these ideas and consider a closer look at the implementation designs.

Clive Robinson August 14, 2023 3:02 AM

@ Ted, ALL,

Re : You are not a document, nor is a document you.

“Would I go to a location with a Point-of-Sale (PoS) system to verify my identity for, let’s say a social media platform?”

You need to realise that access to a “document” is not a method by which “your identity” can be established, and anyone claiming otherwise is almost certainly doing it for monetary gain reasons.

The same is not your identity, is true for all “instant” “authentication factors” of,

1, Something you know.
2, Something you have.
3, Something you are.

It’s just more obvious…

In the case of the first two nothing there is “unique to you” or actually “secret to you” thus available to many others. So certainly not usable to “identify you”. We’ve had this nonsense with Social Security Numbers for years, and still some people think “it’s proof of identity”…

As for the third the likes of bio-metrics have been shown to be either unreliable or easily forgable so often you have to wonder why people just don’t laugh at the idea… Even non instant testing of DNA can be forged due to failures in the testing methods employed as I pointed out quite some years ago.

But in all cases these instant autheticators are attested to via another entity or authenticator, which is ultimately not in any way secure, so the whole thing could be likened to a “house of cards”, just less reliable.

Before you start thinking I’m being a little odd because if you look around “everyone goes along” with the idea… Not everyone does and some with solid reasons,

The once head of the UK Security Agency MI5 made this point quite clearly many years ago when the politicians greased by certain donors in the Smart Card Industry were pushing a national ID Card…

“My angle on ID cards is that they may be of some use but only if they can be made unforgeable – and all our other documentation is quite easy to forge.

Note the “unforgeability” requirment can not be met and thus importantly,

“If we have ID cards at vast expense and people can go into a back room and forge them they are going to be absolutely useless.”

As we subsequently have found out some of those donors have supplyed defective ID Cards to other nations in Europe and South America at great expense to the nations concerned. And in some cases fraud has occured using these ID Cards because of these failings…

But the fundemental point Dame Stella Rimington made still holds today. What you call “identity” is not something you can hold in your hand, thus anything used to represent it is at best an illusion or worse bogus / fake.

But what she also knew back then still holds today,

“At the root of all identity proofs is a single piece of paper, your Birth Certificate.”

The reality is that’s all it realy is is, just a piece of paper with a few details and a serial number on it. That number is an entry in a “register” and the “certificate” you have is just a pointer to it. Importantly,

“Whilst the register entry might be unique, the pointer to it is certainly not.”

All you have to do to get a duplicate is,

1, Walk into a building
2, Ask for a replacment
3, Answer a couple of questions
4, Pay a modest fee
5, Walk out with it.

Then you can start to build a whole duplicate identity from it…

This has been known publically for over half a century since the book “Day of the Jackal” was published back in 1971. In it the process is described in sufficient detail to be almost a guide…

Fun note, the author Frederick Forsyth has said that whilst being a freelance journalist he was also acting as an unpayed agent for MI6. So many people have “come out of the woodwork” saying they worked unpayed for MI6, you have to wonder how many there are compared to the number that were paid employees. In fact anyone could say it and I have doubts MI6 could reliably confirm it even if they wanted to 😉

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.