# The economic security of Proof of Personhood services
Decentralized quadratic funding, democratic voting, fair airdrops, basic income, etc depend on there being a set of keys which are each controlled by a unique person acting under their own agency.
Services like Proof of Humanity, BrightID, Idena, etc attempt to provide this guarantee by having a process for approving particular keys.
## Economic security
Ideally, it would be free for someone to obtain their first approved key, and then any subsequent approved keys would have infinite cost. In practice, there will be ways for a single person to collect more than one approved key. We can quantify security by asking *how much it costs* an attacker to obtain their 2nd, 3rd,... nth approved keys (we can call these additional keys *illicit keys*.)
- Let's call the cost of acquiring $n$ illicit keys $C(n)$
- Let's call the value of having $n$ illicit keys $V_{attacker}(n)$
- Note that this value depends on who the attacker is: for example, an attacker who owns an oil company has more to gain from attacking a democratic vote on energy policy than most other attackers.
In general, an amoral attacker will acquire the number of keys that maximizes their profit:
$$\underset{n}{\operatorname{argmax}} V_{attacker}(n) - C(n)$$
Hopefully, we can set things up so that generally $V(n) < C(n)$ because in that case attackers won't acquire many illicit keys.
***TLDR: people will get extra keys if they're worth more than they cost.***
## Estimating the cost of illicit keys
Eventually, we'll be able to just look at the [prices listed in darknet markets](https://www.privacyaffairs.com/dark-web-price-index-2021/). Prior to key markets maturing to that extent, we can predict how much illicit keys will cost by estimating the variable cost of the cheapest known attack.
The cheapest attack I'm aware of is the *puppeteer attack*, in which an attacker obtains additional illicit keys by paying someone else for access to their biometrics. The attacker is the *puppeteer* and the person they pay is their *puppet*.
For example:
- **Proof of Humanity**: Could pay someone on Amazon MTurk for a picture/video that lets the puppeteer approve register an additional account. Total cost: ~$30? ($20 for registration gas fees and $10 for paying the puppet)
- **BrightID**: Could pay puppets to show up for a scheduled video identity confirmation party where they use an app that *looks* like the BrightID app but that secretly proxies signing requests back to the puppeteer. Total cost: ~$50? (for paying puppet)
- **Idena**: Could pay puppets to attend recurring validation ceremonies while the puppeteer maintains control of all keys. Total cost: ~$20/month?
The variable cost of this attack is constant, so $C(n) \propto n$.
***TLDR: With the puppeteer attack, illicit keys cost ~$20–$100 each***
## Estimating the value of illicit keys
The value of illicit keys depends on the interests of the attacker and what they expect they'll be able to accomplish with the keys.
Applications that rely on a proof of personhood service will generate a stream of *extraction opportunties* $E_0...E_t$ across time. For example:
- **Democratic voting**: every vote offers an extraction opportunity. In particular, holding enough illicit keys $n$ to make a decisive difference in the vote allows value to be extracted:
$$E_{t}^{\text{democratic vote}}(n) =
\begin{cases}
\text{value of winning}, & \text{if $n$ is greater than the counterfactual vote margin}
\\0, & \text{otherwise}
\end{cases}$$
- **Quadratic funding**: every round offers an opportunity to extract from the subsidy pool by creating a project that solely pays the attacker and then donating to it using each illicit identity. $α$ is the parameter which determines how much grant money comes from the subsidy pool (see: [capital-constrained quadratic finance mechanism](https://arxiv.org/pdf/1809.06421.pdf)). Note that the below does not account for [pairwise coordination limits](https://ethresear.ch/t/pairwise-coordination-subsidies-a-new-quadratic-funding-design/5553).
$$E_{t}^{\text{quadratic funding round}}(n) =
\begin{cases}
\text{multiple on capital of $n*α$}, & \text{$n > \frac{1}{\alpha}$}
\\0, & \text{$n \le \frac{1}{\alpha}$}
\end{cases}$$
- **Other applications** (e.g. fair airdrops, credit scoring, spam prevention, universal basic income, social media manipulation prevention, etc) each have their own unique $E$ functions.
Overall, the value of holding $n$ keys is the discounted stream of all future extraction opportunities:
$$V_{attacker}(n) = \sum_{t=0}^\infty \frac{E_{t}(n)}{(1+r)^t}$$
***TLDR: the more chances there are to use illicit keys, the more each key is worth***
## Will attackers purchase a significant number of illicit keys?
On the current trajectory, they will (if they haven't already):
- Each new application that integrates with a proof of personhood service creates additional extraction opportunities, which means that the value of illicit keys $V(n)$ increases as the ecosystem grows.
- The cost of acquiring keys $C(n)$ currently doesn't change as the ecosystem grows.
- So as things stand, $V(n)$ will eventually outstrip $C(n)$, and attackers will acquire lots of illicit keys.
Economic security for proof of personhood seems to be a "common-pool resource" (it's rivalrous and non-excludable). That means it's subject to a potential tragedy of the commons where every application relies a reasonable amount on the economic security budget, but in sum the budget surpassed.
***TLDR: we're probably screwed unless we can make the cost of obtaining illicit keys scale up with adoption. Also, we need to coordinate on not going over our shared security budget.***
---
## Making the puppeteer attack more expensive in Proof of Humanity
Proof of Humanity currently relies on a registration picture, video, and a security deposit. If the registration picture and video aren't challenged as being off spec or a duplicate of another registry entry, then the registration is successful and the deposit is returned. [Sidenote: there are a ton of usability/UX improvements that could be made](https://hackmd.io/ov_cmX8UQCSBuX7xllNkdA?view).
Brief reminder: in the puppeteer attack, an attacker pays someone for permission to record a picture and video of them uttering the registration words. The puppeteer can then use that picture/video to create an additional registration that they control.
To make the puppeteer attack more expensive, it's necessary to come up with strategies that defend against all the various populations of potential puppets, e.g.:
- random people in the street
- Amazon MTurk workers
- poor people in slums without internet access, etc
Ideally, it would be difficult to use people from any of those populations as puppets. Anything that cuts down on the pool of cooperative puppets is helpful, although ultimately what matters is the price of bribing the most-willingly-bribed puppets.
Proof of Humanity could add in:
- **Oaths:** Make people registering swear an oath on video that they are signing up on their own accord for themselves, and that they're aware that if they're signing up for someone else they're signing over their online voting rights, basic income, etc.
- **Reclaiming:** Make a way for puppets to accept payment from the puppeteer and then turn around and reclaiming the profile (and the puppeteer's registration deposit!) as their own.
- If $r$ is the portion of would-be puppets that reclaim their profiles, then the price of an illicit registration increases by $(\frac{1}{1-r}-1) * \text{depositSize}$
- Need to make it *really easy* for people to reclaim — UX is a security feature here.
- The registration video could require "proof of education", i.e, that the registrant say something like, "I understand that if I am registering on someone else's behalf, I can take their money and then afterwards go to www.proofofhumanity.id and claim an additional free $150"
- This might not work for puppets that don't have internet access or the know-how to reclaim their deposit.
- But the people who are most vulnerable to becoming puppets (because they need the cash a puppeteer is offering) *also* have the greatest drive to reclaim their deposit.
- As the number of reasons to have Proof of Humanity increases (e.g. receiving basic income, being able to vote, receiving airdrops, etc), the incentive for someone reclaim their own profile increases. This might increase the cost of obtaining a cooperative puppet as the ecosystem grows.
- Reclaiming also doubles as crowdsourced account recovery: if you lose your private key, you can just reclaim your profile.
- **Whistleblowing:** Make a way for people to blow the whistle on lists of compromised accounts. Greyhat investigators could receive bounties for publicly listing multiple registered private keys (which would cause those identities to be burnt).
- Could combine well with measures that force attackers to e.g. build a mobile app that looks like the real one but actually behaves differently internally — the more digital infrastructure that attackers have to maintain, the larger the trail for greyhat investigators to follow.
- **Live video interview**: Instead of an offline video, require a live recorded registration video chat with a community notary who checks to make sure the registrant understands the language they are speaking, can ask if anyone is pressuring or paying them, can ensure they know that if someone is paying them to register that they can reclaim their profile afterwards to receive additional free money, etc. (If a puppeteer is in the room off camera silently intimidating the puppet, or if they've trained the puppet sufficiently on how to lie their way through the interview, this would fail — but those things are more difficult for the puppeteer to achieve).
- **Multiple check-ins across time**: Perhaps registering requires two checks: one initial one, and one a few days later. Beating this would require puppeteers to maintain an ongoing relationship with their puppet, which would make it more expensive.
- Alternatively, actually *using* proof of humanity for something important could require a quick additional check at the time of usage. This way, puppeteers would need to maintain a months-long relationship.
- **Community detective-work and extra verifications**: If something seems "off" in a registration video, community members could flag it for an additional check (this would require a fee, but if their suspicions prove correct, they might win the deposit). Services like gitcoin.co that use PoH and also have their own fraud checks could also flag suspect accounts for additional checks.
- A light check might involve a second video interview
- A thorough check might involve a registrant meeting up with multiple community notaries in a public space; that way the notaries can verify that there isn't a puppeteer present to apply pressure.
- These community notaries could offer to pay the puppet cash in exchange for destroying the registration (the deposit would then be paid to the notary who shelled out money). TODO: can we use MACI and zero knowledge proofs to make it so the puppeteer cannot even tell that their registration was burnt? (i.e. hellbanning).
- The community notaries could also verify that the registrant is personally in possession of their private key by verifying that their mobile wallet software can accurately sign a random QR code challenge while not connected to the internet (phone in airplane mode, or inside a foil container) — this would be proof that signing requests aren't being proxied to a puppeteer who is in control of the key.
- **Web of trust**: Could require that to join Proof of Humanity, you have to have an existing registrant vouch for you. This vouch could require mutual trust: the person you vouch for could have the ability to steal your deposit (and vice versa). Could then use something like [EigenTrust](https://en.wikipedia.org/wiki/EigenTrust).
- Could also look for areas of the graph that can be partitioned without needing to cut many edges (a sign that they might be a population of puppets); the connecting edges/adjacent accounts could be subject to additional checks.
- These trusted links could double as social account recovery for your wallet!
Of particular note are **reclaiming**, **web of trust**, and **whistleblowing** because these mechanisms might provide economic assurances that grow along with the ecosystem. **Oaths** are notable because they likely exclude large populations of potential puppets and are cheap to implement. Things like **live video interviews**, **multiple check-ins**, and **community detective-work** probably on their own only create a constant-sized increase in illicit key cost, but may combine multiplicatively with some of the other items on the list.
---
## Conclusion
Will this all work to keep proof of personhood registrations broadly secure? It's unclear, but it seems that may be at least a fighting chance. The proof of personhood primitive can unlock so much potential value that it's probably worth scaling up and finding out the hard way.
### Open questions
1. Given that PoP security seems to be a common-pool resource, how can we avoid blowing past our shared economic security budget?
2. How else could we defend against the puppeteer attack?
3. As the cost of illicit keys increases, how much additional total social benefit can be created by applications that rely on PoP services? (This could tell us how much we should be willing to pay to increase $C(n)$)
4. What does this document get wrong in its approach? How should we be thinking instead?
---
Thanks to Justin, Zargham, and Paula for discussions on these topics