FaceTrust: Assessing the Credibility of Online Personas via Social Networks

Transcription

1 FaceTrst: Assessing the Credibility of Online Personas via Social Networks Michael Sirivianos Kyngbaek Kim Xiaowei Yang Dke University University of California, Irvine Dke University 1. Introdction The sccess of the Internet has significantly changed how people interact with each other. Rich social interactions nowadays take place online. Users read, shop, chat, work, and play on the Internet. However, nlike many social interactions in the physical world, the Internet has largely hidden the identity attribtes of online sers. On the Internet, nobody knows yo are a dog, says the famos Peter Steiner cartoon. While anonymity has broght mch benefit, inclding protecting ser privacy and free speech, it also poses considerable secrity threats to online activities. What to believe and whom to believe on the Internet remains extremely challenging. Naive sers may easily become victims of online scams by individals that hide their real identity attribtes. There have been nmeros incidents where scammers defraded sers [1, 6] throgh or online social networks. Users with vested interest in a company have been caght creating fake positive reviews for the company s prodcts or services [5]. Both pedophiles and nderage sers may lie abot their ages to gain access to age-restricted websites or dring online interactions. This problem largely stems from the fact that there is crrently no lightweight and effective way to verify the identity attribtes (sch as age and location) of online personas. The typical approaches for establishing online identities involve offline manal verification of sers. For instance, a bank may reqire a ser to bring a government-issed ID before opening an online accont. Additionally, sers may prchase digital certificates that are verified and issed by trstworthy athorities sch as VeriSign. These approaches, albeit effective, are heavy-weight and often an overkill for many online interactions. Manal verification is slow and costly. It may easily become the bottleneck that prevents an online service from scaling to hndreds of millions of sers. In addition, strict ser athentication typically controls access to sensitive or critical resorces sch as bank acconts or internal networks, while many realistic Internet settings do not reqire strong athentication to gard critical resorces. Instead, they may benefit greatly from partial or likelyto-be-tre ser identity information. For example, it sffices for an age-restricted site to know whether a ser belongs to an age grop, not who the ser is or his exact age. Similarly, an online dating service ser may desire to know whether another ser s location or profession information is likely to be credible before initiating contact. These examples motivate the design of FaceTrst, a system that enables online personas to cost-effectively obtain credentials that verify the credibility of their identity statements to online services. In this paper, we refer to credibility as a measre of the likelihood that a ser s assertion is correct or tre. FaceTrst achieves this goal by mining and enriching information embedded in Online Social Networks (OSNs), and extends an OSN to provide lightweight, extensible, and relaxed digital credentials. We observe that OSNs already allow sers to express a limited form of trst relationships sing friend links. We propose to extend this ability by allowing sers to tag how credible they consider their friends assertions, sch as the identity information they post on their profiles. This process is similar to real-world backgrond check employed by government agencies bt is greatly atomated by sing online social networks. As an example, a ser that wishes to obtain an age certificate from his OSN provider may post on his profile that he is above 18. The ser wold reqest from his friends to tag his assertion as tre or false. The OSN provider wold analyze the annotated social graph to obtain the credibility of the ser s friends and sbseqently compte the credibility of the ser s assertion. It wold then isse to the ser a credential in the form of {assertion, credibility}. Online services cold se this OSN-issed relaxed credential to inform their interactions with the ser. We face several main challenges in realizing the above vision. First, how can the OSN reliably verify assertions made by sers ( 3.1, 3.2, 3.3)? Second, how can an OSN provider export the credibility information of assertions to verifiers withot violating a ser s privacy ( 3.4)? Lastly, how can we evalate the effectiveness of or design ( 4)? The main body of this paper describes or initial approaches towards addressing these challenges. We begin with a high-level overview of FaceTrst and several of its motivating examples. 1

2 TRUE x Figre 1: x x=1.0 TRUE y y y=1.0 FALSE z z z=0.5 FaceTrst overview and an age verification example. We se d and w to denote direct and tagger credibility, respectively. 2. FaceTrst Overview System Components: Figre 1 presents an overview of FaceTrst. The FaceTrst architectre consists of three main components: a) an OSN provider that maintains the social graph and its sers profiles; b) online sers that maintain acconts with the OSN and attempt to access online services by presenting OSN-issed credentials; and c) verifying online services that reglate access to their resorces or characterize ser inpts based on the ser s credentials. Assmptions and Threat Model: We assme that the OSN provider is flly trsted and can isse credentials to the best of its knowledge based on the inpt of its sers. We also assme that the OSN provider protects the privacy of its sers by not revealing their tagging information. Yet, some sers may choose not to reveal many of their identity attribtes to the OSN. We frther assme that verifying services may wish to track a ser against its will. They may collde in order to link ser acconts and derive a more accrate profile of a ser s activities. On the other hand, we assme that sers wish to remain anonymos and nlinkable to verifying services. We make the assmption that, typically, benign sers do not lie on behalf of others. Therefore, the collective information gathered from a ser s acqaintances is likely to correlate positively with the trth. Of corse, this assmption does not hold if a ser is motivated to lie abot his friends, e.g., when a grop of sers collde to misrepresent their identities or when a single ser creates mltiple fake OSN acconts (Sybil attack [12]) aiming at athenticating fake identity attribtes. We discss FaceTrst s defenses against the collder and Sybil attack in 3.3, and evalate the effectiveness of these defenses in 4. A Usage Example: Before describing FaceTrst in detail, we first se an age-verification example to shed light on how its components interact. As shown in Fig- re 1, User attempts to access an age-restricted movie at the Netflix website. At the same time, is concerned with his anonymity and does not wish to reveal neither his real identity nor a linkable psedonym to Netflix. With FaceTrst, Netflix may demand an OSN-issed age credential from the ser to allow access to its content. To obtain this credential, the ser mst have posted an age assertion on his OSN profile, and reqested his friends to tag the credibility of his age assertion before he attempts to access the age-restricted content. In this example, ser has assserted that his age is 21, and three of his friends, sers x, y, and z, have tagged the assertion with boolean vales T RUE, T RUE, and FALSE respectively. Since not all sers are eqally credible, the OSN provider has compted a credibility score (w) for each ser x, y, and z by analyzing the social graph and their tagging history as we soon describe in 3.3. The OSN provider comptes an overall credibility score for ser s age assertion (0.6 in this example) by aggregating s friends tagged vales weighted by their credibility scores ( 3.2). As shown in Figre 1, the OSN isses an age credential with an overall credibility that certifies that the ser belongs to the restricted age grop, and the ser presents this credential to a Netflix software process to gain access to Netflix content. FaceTrst implements identity attribte credentials sing idemix [9], an anonymos, nlinkable and non-transferable credential system to preserve ser privacy. More Motivating Examples: In addition to age verification, we envision that FaceTrst credentials may benefit Internet sers and online services in many other ways. A few more examples inclde bt are not limited to: Assessing the athority or relevance of online reviews or ratings with profession credentials. Many Internet sers read online reviews before making prchase decisions. Intitively, expert opinions of an online prodct may appear more athoritative to others. For instance, a review on a networking textbook from a compter science professor may carry more weight than that from an average ser. With FaceTrst, if an expert ser desires to appear more athoritative, he may reqest a profession credential from his OSN provider and present this credential to an online review site when sbmitting his reviews. Verifying participant eligibility. A citizen jornalism site [4] may wish to verify that a ser actally resides in a specified area before it accepts its report on an event that took place in that area. Similar defenses can be employed by online fora, online action sites, and in general by any online service that wishes to restrict participants to certain grops of people sch as women grops, residents in a certain geographic area, or people of cer- 2

3 tain age grops. FaceTrst can assist legitimate participants to obtain credentials that certify their eligibility. Preventing online frads. Scammers commonly respond to online postings alleging to be prospective participants in legitimate transactions (e.g., a potential tenant of an apartment) bt in reality aiming to commit advancefee frad [2]. Sch attacks cold possibly be averted if scammers were nable to lie abot their location, affiliation, or age. To this end, a classifieds service sch as Craigslist cold employ FaceTrst to verify identity attribtes of sers that post or respond to ads. The classifieds service can then attach to each ad post or reply the corresponding verified assertions, enabling sers to make more informed decisions. 3. FaceTrst Design We now describe or design in more detail. A key challenge of the design is to accrately assess the credibility of ser assertions, as malicios sers may attempt to lie or collde to obtain credentials to their favor. As an initial step, we have developed a social graph analysis algorithm by leveraging prior work on attack-resistant trst metrics [17]. Or preliminary evalation in 4 sggests that this initial design is promising in mitigating varios attacks. 3.1 Social Tagging FaceTrst ses social tagging to obtain the credibility of online personas. By social tagging, we refer to OSN sers posting identity assertions on their profile and their friends assigning a binary direct credibility vale TRUE or FALSE to them. FaceTrst categorizes ser assertions into varios types sch as age, address, profession, expertise etc. A ser posts his assertions of assorted types in his OSN profile. For instance, for the type age, an assertion has the format [{<,=,>}, nmber], e.g., [> 18] means that the ser claims to be older than 18. For the type location, the assertion has the format [{contry, state, city...}, string]. For each assertion A t j of type t posted by a ser j, j s friend i may tag a direct credibility score di A j. da i j takes two vales: a) TRUE, indicating that i believes j s assertion; and b) FALSE, vice versa. TRUE is mapped to the integer vale 1, and FALSE to -1 in the crrent design. A posted assertion and the associated tags are valid for a specified period of time, which is set by the OSN provider depending on the assertion type. An assertion is niqely identified by its {type, assertion} pair, ths a ser cannot repost the same assertion and reset nfavorable tags before it expires. We note that this design assmes that sers are willing to tag their friends. There is abndant evidence that sggests social tagging may be adopted by sers. For example, the How well do yo know me? Facebook application (qiz) enables sers to answer qestions that their friends post abot themselves and has amassed 1.2 million monthly active sers. It is or ftre work to condct a sability stdy to validate the adoptability of social tagging. In addition, or evalation ( 4) on the effectiveness of the trst metric we employ is sensitive to the freqency with which sers tag each other, and we present reslts for varying degrees of tagging adoptability. To frther motivate tagging among sers we employ a rdimentary incentive mechanism nder which sers reciprocate tags to each other in a tit-for-tat fashion. Users that wish to be able to athenticate to online services need their friends to tag them. The tit-for-tat scheme dictates that a ser that wishes to be tagged by a friend has to tag his friend in retrn. In particlar, when a ser i posts an assertion and wishes to be issed credentials for it, i may explicitly reqest from a friend f to tag the assertion. f may choose to demand that i tags one of his assertions in retrn. If i does not reciprocate his friend f s tagging, the system does not consider f s tag on i in compting the credibility of i s assertion. The direct credibility tags are stored by the OSN provider and are known only to the OSN and the taggers. They are never made available to other sers, as they represent sensitive information. 3.2 Assertion Credibility In the FaceTrst design, an OSN provider plays the role of an athority that isses inexpensive and relaxed credentials. By relaxed, we mean that nlike a conventional certificate athority, the OSN does not garantee that an assertion is absoltely correct. Instead, each credential is associated with an assertion credibility measre in [0,1] that reflects the probability of the assertion being tre as estimated by the OSN. This metric resembles a wisdom of crowds approach. Let F j denote the set of friends a ser j has. To compte an assertion credibility score a A on an assertion A t j of type t and posted by ser j, the OSN provider aggregates the direct credibility tags by j s friends as follows: a A = max( w t i da i j / w t i, 0) (1) i F j i F j Tags are weighted by weight w t i becase sers are not eqally credible, e.g., a teenager s tag on another ser s age assertion shold carry less weight than those from more trstworthy sers. We employ the additional condition that if the sm of the weights of j s friends is below a specified threshold, a A is 0. We discss how we obtain these weights in the next section. 3.3 Tagger Credibility How can FaceTrst reliably determine the weights w t i? We refer to wt i [0, 1] as tagger credibility for 3

4 the assertion type t. We observe that the problem is similar to determining the trstworthiness of a ser i and ths resorting to trst metric comptation. Trst metric comptation refers to the set of mechanisms that compte the trstworthiness of a node in a trst graph. There are two types of trst metrics: global, where the trstworthiness of a node is the same to all other nodes; and pairwise, where a node s trstworthiness is relative to another node. Since FaceTrst isses credentials on grond trth facts, sch as age and profession, and not on perceptions that are relative to the qerier, sch as recommendations or taste, we consider global trst metrics, e.g. [8, 16, 17, 24] more appropriate than pairwise and sbjective ones, e.g. [7, 14, 19]. We face two challenges in incorporating trst metric comptation to determine the weights w t i. The first is defining how the edges in the trst graph are formed. A trst metric is compted sing a trst graph, where an edge between two nodes i and j is explicitly labeled with the degree of trst that i places on j. However, this explicit trst information is not available in a social network graph. One design choice is to reqire sers to explicitly tag other their friends with a trst estimate. However, nlike grond trths sch as a friend s age grop or profession, we consider it difficlt for a ser to gage the abstract trstworthiness of a friend. Instead, FaceTrst atomatically extracts trst by compting the similarity between the tags of two friends sing a formla that resembles the Jaccard [15] index as follows. Let N be the total nmber of tags by friends i and j that involve assertions of type t tagged by both i and j. Let C be the nmber of tags on common assertions for which i and j are in agreement. The tagging similarity between i and j for type t is eqal to C/N. If N = 0, the similarity is eqal to 0. After this comptation, we translate a social graph with tagging history into a trst graph where each edge between two friends i and j is labeled with an explicit tagging similarity. We refer to this transformed graph as the tagging similarity graph. The second isse is to compte the tagging credibility w t i of each ser i from the tagging similarity graph. To this end, we adopt Levien s Advogato trst metric [17], a graph analysis algorithm based on maximm flow. We choose this max-flow-based trst metric becase it has been shown to be resistant to varios attacks [18,21,25]. Next, we briefly smmarize how we compte tagger credibility w t i sing the Advogato algorithm. We apply the Advogato trst metric on the tagging similarity graph by treating the tagging similarity as the level of trst between two nodes. The Advogato algorithm determines the set of nodes that can be trsted at a certain trst level x, i.e., whose tagger credibility w t i is no less than x. In the first step, the algorithm picks a highly trsted ser, e.g., a trsted employee of the OSN provider that is also brdened with verifying and tagging assertions of many of his acqaintances. This ser acts as the sorce node in the max-flow comptation. Next, the algorithm prnes all edges with tagging similarity less than x. Sbseqently, the tagger credibility of sers in the social graph is compted as follows. An integer capacity is assigned to each node as a fnction of the ser s shortest path distance from the sorce. Users at the same distance from the sorce are said to be at the same level. To obtain the taggers that have at least x credibility, the capacity of the sorce node is set approximately to the expected nmber of sers that are at least x credible. The sm of the capacity of sers at each sbseqent level from the sorce shold be approximately eqal to the capacity of the sorce. Ths, as we move away from the sorce and the network fans ot, the capacity of the sers at each sbseqent level diminishes. The tagging similarity graph is then transformed into a new graph with additional edges from the sers to an additional artificial spersink ser. In the new graph, capacities are assigned to edges instead of sers. A ser i with capacity c i is split into two nodes i and i + and one edge of capacity c i 1 is added from i to i +. The incoming and otcoming edges of i become incoming edges and otcoming edges of i and i +, respectively. In addition, one edge of capacity 1 is added between i and the spersink. We compte the maximm flow from the sorce to the spersink sing the Ford-Flkerson algorithm in O(E c sorce ) time, where c sorce is the capacity of the sorce. For a graph in which trst edges correspond to tagging similarity greater than or eqal to x and for assertion type t, if the edge i i + has flow greater than 0, i is accepted as being a ser that is at least x credible with respect to assertions of type t. We rn this algorithm mltiple times for edges that correspond to tagger credibility at increasing vales: x {0.5,0.6,...1}. For each ser i we assign tagger credibility w t i (Eqation 1) eqal to the highest credibility x among the trst graphs in which i was accepted. If i is not accepted for any tagger credibility x, w t i = 0. Based on the analysis by Levien [17], the nmber of Sybils or otherwise malicios sers that can be accepted as being at least x credible is bond by Σ i S (c i 1), where S is the set of honest sers that have greater than or eqal to x tagging similarity with dishonest sers. Under the assmption that it is more difficlt for malicios sers to have high tagging similarity with high capacity nodes closer to the sorce than it is with lower capacity nodes frther from the sorce, the nmber of accepted malicios sers shold be low. 3.4 OSN-Issed Credentials After the OSN provider obtains the assertion credibil- 4

5 ity score for a ser j s assertion A t j, it can isse a credential for this assertion. As shown in Figre 1, a credential issed by an OSN will inclde the assertion type t, the assertion A t j, and the assertion credibility score. A credential mst be athenticated by cryptographic primitives sch as an OSN s pblic key signatre. In the FaceTrst design, we se the idemix [9] anonymos nlinkable credential system becase sers may desire to preserve their anonymity and ntraceability of online activities. The idemix system is based on an efficient non-transferable anonymos and nlinkable credential scheme introdced by Camenisch et al. [10]. An idemix credential does not reveal any identifying information of a ser that possesses the credential, which is ideal for online verifications sch as age checking. It also prevents one ser from transferring his credentials to other sers. More details on how we integrate idemix with FaceTrst can be fond in [22]. 4. Evalation To gain a better nderstanding on how or initial design works, we wold like to evalate all of the following aspects of FaceTrst: Effectiveness: How well do credibility scores correlate with the trth, and how well does the design withstand incorrect ser tagging and collder or Sybil attacks? Comptational feasibility: A social network may consist of several hndreds of millions of sers. Will an OSN provider have sfficient comptational resorces to mine the social graph and derive credibility measres? Usability: How often and how accrately will a ser tag his friends to help them obtain credentials? It will take a fll system implementation and experimentation on a real-world OSN to answer these qestions. The qestion regarding effectiveness is particlar difficlt, becase trst is inherently sbjective, and it might not even be feasible to obtain the grond trth. As a first step, we describe or preliminary approaches to evalate the effectiveness of the design. We defer the comptational feasibility and the sability stdy for ftre experimentations on compter clsters and with a Facebook application, respectively. The goal of or evalation is to demonstrate that trthfl assertions get high credibility, while dishonest assertions get low credibility even in the presence of Sybil attacks. To this end, we evalate the effectiveness of the Advogato-based trst metric and Eqation 1 sed by FaceTrst sing a 200K sample of a crawled Facebook social graph, obtained from a previos stdy [13]. The average nmber of friends of each ser in the graph is abot 12 and the maximm nmber of friends is 313. Credibility Honest(No Sybils) Dishonest(No Sybils) Dishonest(200 Sybils) % honest sers (a) Credibility Honest(No Sybils) Dishonest(No Sybils) Dishonest(200 Sybils) tags per ser (N) Figre 2: a) Credibility of tre and false assertions as a fnction of the fraction of honest nodes when the maximm nmber of friends N a ser tags is eqal to 20; b) Credibility of tre and false assertions as a fnction of N when 80% of sers are honest. In or simlation, each ser in the social graph posts a single assertion of the same type on his profile. We have two types of sers: honest and dishonest. Honest sers always post trthfl assertions and dishonest sers always post false assertions. Both honest and dishonest sers are randomly distribted in the social graph. In addition, each ser tags the assertions of at most N of his friends. We vary N to reflect varios degrees of adoptability of social tagging. The honest sers tag their friends trthflly, that is, they tag as tre the assertions made by their honest friends and as false the assertions made by their dishonest friends. The remaining dishonest sers tag all assertions as tre, regardless of whether the sers that post them are honest or not. In this way, dishonest sers collde to increase the credibility of each other s assertions. By trthflly tagging assertions of honest sers, dishonest sers attempt to increase their tagging similarity with trstworthy sers. To evalate the scheme s resilience to Sybil attacks, several dishonest sers each create 200 Sybil nodes, which are only connected to their creators. Sybils tag the assertions of their creator as tre in order to increase the credibility of his dishonest assertions. The creator arranges to have 1.0 tagging similarity with all its Sybils. Since we assme that the sers near the sorce are more reliable, only all the dishonest sers whose distance from the sorce is more than five hops create Sybils. We obtain the tagger credibility according to 3.3. We set the capacity of the sorce c sorce eqal to 80% of the nmber of sers in the graph. We randomly sample 3000 honest and 3000 dishonest assertions and compte the average credibility of each. Figre 2 plots the credibility of honest and dishonest assertions for the case in which dishonest sers do not employ Sybils and the case in which they do. The credibility of honest assertions with Sybils is not inclded becase it is almost eqal to their credibility withot Sybils. In Figre 2(a), we vary the fraction of sers that are honest from 50% to 95% in order to assess the trst metric s resilience to attacks. The fraction of honest (b) 5

6 sers is compted exclding the Sybil sers. Each ser tags at most 20 of its friends. We observe that the average credibility of honest assertions is approximately 0.9, regardless of the fraction of honest nodes. On the other hand, the credibility of dishonest assertions is very small, i.e., 0.2 even when 50% of sers are dishonest and Sybils are deployed. When dishonest sers do not employ Sybils and the fraction of dishonest sers is 5%, their opportnities for collding by tagging each other are sbstantially redced, ths the credibility of their assertions drops to almost 0. Figre 2(b) shows the credibility of honest and dishonest assertions as a fnction of the maximm nmber of friends N that each ser tags, for the fraction of honest nodes eqal to 80%. As N increases, sers obtain more accrate tagging similarity with their friends, increasing the credibility of tre assertions and decreasing the credibility of false ones (for N > 6). When tagging is infreqent, i.e., N < 6, a large portion of edges between honest sers do not have high tagging similarity, as it becomes less likely for honest sers to tag the same assertions. This lack of tagging information reslts in honest assertions getting relatively low credibility. In order to achieve reasonable assertion credibility vales, N shold be greater than Related Work The goal of FaceTrst is mostly related to the PGP Web of Trst [3, 24, 27]. Like PGP, FaceTrst aims to circmvent the expensive and often monopolized Certificate Athorities sch as VeriSign to provide lightweight credentials. Unlike PGP, FaceTrst ses the intitive OSN interface, and employs social tagging rather than key signing to obtain trst metrics. Frthermore, FaceTrst is easily extensible, and is not limited to certifying only pblic keys. Users can tag each other regarding mltiple types of identity attribtes, and this set can be extended by adding fields into a ser s profile. FaceTrst adapts a trst metric proposed in previos work [17]. However, or contribtion is not the trst metric per se. Instead, or contribtions lie in the novelty of sing OSNs to provide lightweight, extensible, and relaxed credentials, and the overall design and preliminary evalation of FaceTrst. Several systems have employed trst in social networks to improve system secrity [11, 20, 23, 25, 26]. To the best of or knowledge, this is the first work that proposes to se OSNs to provide relaxed credentials for online personas. We provide a more extensive comparison with related work in [22]. 6. Conclsion Despite the large volme of social interactions taking place on the Internet, it is still hard to assess the credibility of statements made by online sers. This paper presents FaceTrst, a system that leverages online social networks to provide lightweight, flexible, and relaxed credentials that enable sers to assess the credibility of others and their assertions. In the FaceTrst design, OSN sers explicitly tag as tre or false their friends identity assertions made available in their social network profiles. An OSN provider analyzes the social graph and the tags to assess the credibility of a ser s assertions, and isse credentials annotated by credibility scores. Or preliminary evalation sggests that FaceTrst is effective in obtaining credible and otherwise navailable identity information for online personas. 7. References [1] Craigslist scams. [2] Nigerian Advance Fee Frad. [3] Thawte web of trst. [4] Unedited. Unfiltered. News. ireport.com. [5] Belkin s Amazon Rep Paying For Fake Online Reviews. hardware.slashdot.org/article.pl?sid=09%2f01%2f17% 2F166226&from=rss, [6] Teen Accsed of Sex assalts in Facebook Scam [7] R. Andersen, C. Borgs, J. Chayes, U. Feige, A. Flaxman, A. Kalai, V. Mirrokni, and M. Tennenholtz. Trst-based Recommendation Systems: An Axiomatic Approach. In WWW, [8] S. Brin and L. Page. The Anatomy of a Large-scale Hypertextal Web Search Engine. In Compter Networks and ISDN Systems, [9] J. Camenisch and E. V. Herreweghen. Design and Implementation of the idemix Anonymos Credential System. In ACM CCS, [10] J. Camenisch and A. Lysyanskay. An Efficient System for Non-transferable Anonymos Credentials with Optional Anonymity Revocation. In EUROCRYPT, [11] G. Danezis and P. Mittal. SybilInfer: Detecting Sybil Nodes sing Social Networks. In NDSS, [12] J. R. Docer. The Sybil Attack. In IPTPS, March [13] M. Gjoka, M. Sirivianos, A. Markopolo, and X. Yang. Poking Facebook: Characterization of OSN Applications. In WOSN, [14] R. Gha, R. Kmar, P. Raghavan, and A. Tomkins. Propagation of Trst and Distrst. In WWW, [15] P. Jaccard. Etde Comparative de la Distribtion Florale dans ne Portion des Alpes et des Jra. In Blletin del la Socit Vadoise des Sciences Natrelles 37, , [16] S. D. Kamvar, M. Schlosser, and H. Garcia-Molina. The EigenTrst Algorithm for Reptation Management in P2P Networks. In WWW, [17] R. Levien. Attack-resistant Trst Metrics [18] R. Levien and A. Aiken. Attack-resistant trst metrics for pblic key certification. In Usenix Secrity, [19] P. Massa and P. Avesani. Controversial Users Demand Local Trst Metrics: An Experimental Stdy on epinions. com Commnity. In AAAI, [20] A. Mislove, A. Post, P. Drschel, and K. P. Gmmadi. Ostra: Leveraging Social Networks to Thwart Unwanted Traffic. In NSDI, [21] M. Reiter and S. Stbblebine. Athentication Metric Analysis and Design. In ACM TISSEC, [22] M. Sirivianos, X. Yang, and K. Kim. FaceTrst: Assessing the Credibility of Online Personas via Social Networks. ~msirivia/pblications/facetrst-tech-report.pdf, [23] Y. Sovran, A. Libonati, and J. L. Pass it on: Social Networks Stymie Censors. In IPTPS, [24] W. Stallings. Protect Yor Privacy: A Gide for PGP Users. In Prentice-Hall, [25] D. N. Tran, B. Min, J. Li, and L. Sbramanian. Sybil-Resilient Online Content Rating. In NSDI, [26] H. Y, C. Shi, M. Kaminsky, P. B. Gibbons, and F. Xiao. DSybil: Optimal Sybil-Resistance for Recommendation Systems. In IEEE S&P, [27] P. Zimmmerman. The Official PGP Users Gide. In MIT Press,