Jim Flynn, firstname.lastname@example.org
March 1, 2018
Abstract: Kuwa (“to be” in Swahili) is a decentralized system that identifies unique individuals without relying on government-issued documents or other third-party directories. Instead, the system’s primary approach leverages the same methods to recognize unique individuals that humans have always used: face, voice and mannerism recognition, reinforced by real-world social bonds. Kuwa will employ artificial intelligence (AI) to auto-screen for duplicate accounts (i.e., Sybil attacks). The main objective of Kuwa is to ensure that one unique human can only have one valid account. Kuwa will provide economic incentives to reward activities that help achieve that objective and penalize actions that make it more difficult. Kuwa will not require intrusive biometrics (e.g., DNA, fingerprints, etc.), which are susceptible to misuse. The system will also not require participants to provide their real names. Kuwa could serve as the identification system for the distribution of benefits, such as a Universal Basic Income (UBI). Because Kuwa does not rely on government-issued IDs, it can resist attempts by governments to control, influence or destroy the system. When individuals physically enter public spaces, anyone can see their faces and hear their voices. Consequently, Kuwa considers that information to be public. Kuwa will also require people to identify other unique individuals in their social groups while providing a disincentive for identifying one individual multiple times. The strength of those “social bond networks” will supply additional data points for the AI screening and adjudication processes, and make Sybil attacks socially unacceptable behavior.
Kuwa shall be:
- Open – All software and algorithms developed by the Kuwa Foundation will be open source. We do not wish to collect rents from our work. Accordingly, we do not seek to create a proprietary advantage that will exclude competitors. Anyone is welcome to utilize Kuwa and contribute to the project. It is important to note, however, that we designed Kuwa to solve a specific identification problem. We hope that others will utilize Kuwa in their commercial offerings, which can be open, closed, non-profit or for-profit. We encourage participants to create open or proprietary business models so long as those models contribute to strengthening Kuwa and do not infringe on individual rights.
- Decentralized – To the greatest extent possible, the Kuwa network is decentralized and based on distributed ledger technologies (DLTs), such as blockchain. This decentralization will increase Kuwa’s security and reliability while making it difficult for any entity to exert control over or threaten the network.
- Minimally Intrusive to Privacy – Kuwa’s purpose is to identify unique living humans. The more information we gather about people (biometrics, fingerprints, financial info, etc.), the higher the danger that bad actors might use that information to do bad things. Kuwa needs information to identify humans, but our objective is always to keep that information to a minimum.
- Permissionless – Anyone can participate in the Kuwa network and perform any role without needing to get permission from any centralized authority.
- Governed by Its Community – Although there is a Kuwa Foundation. The role of the organization will diminish over time. In its place, a governance system will enable all stakeholders in the Kuwa community to have a say in new developments and adaptations going forward.
- Subject to Individual Consent – Kuwa should not be used to identify people without their consent. Individuals own their IDs and any associated data. Individuals always have the right to delete their data for whatever reason and at any time. If users store non-public information by using Kuwa, then those users will control who can access that information. Consequently, Kuwa is a “self-sovereign” identity system.
Individuals who participate in Kuwa shall be:
- Living Unique Humans – Any living human has the right to precisely one active Kuwa ID. We do not exclude any living human for any reason.
- Participating Out of Free Will – As stated previously, individuals own their ID. The designers of the Kuwa protocol will also take all steps possible to ensure that all participants are not coerced to participate.
A growing body of evidence suggests that the best way to fight poverty is via direct cash transfers to the impoverished (examples here, here and here). A Universal Basic Income (UBI) would involve giving people enough money to take care of their basic needs: food, shelter, health care, and education. Identification is the most difficult challenge for large-scale (i.e., global) deployment of a UBI. In some countries, there are no reliable government-issued ID systems. But even in places where such ID systems do exist, relying on those systems would give control of Kuwa to governments. A corrupt or authoritarian regime would use that control to reward collaborators and punish rivals. By controlling who gets authenticated, governments could exclude individuals, tribes, and whole political parties. We could also rely on private companies (e.g., Facebook) for authentication; however, those companies are still vulnerable to coercion and security breaches. Kuwa’s purpose is to identify unique individuals through a fair, corruption-resistant and non-coercive process while protecting those individuals’ privacy to the highest degree possible.
A UBI is not the only use case for Kuwa. Another potential application is e-voting. Moreover, social networking services could benefit by ensuring that accounts and activities (e.g., “likes”) originate from unique humans, as opposed to bots.
The Kuwa Registration Process
Individuals will create Kuwa IDs via a smartphone app. The primary results of ID creation will be:
- A Cryptographic Key Pair – The public key will be the registrant’s pseudo-identity.
- An Authentication Video – This recording will be the minimally invasive “biometric” information that the Kuwa network my use later to identify unique individuals and detect Sybil attacks.
- A Social Graph – To further authenticate their IDs, the smartphone app will provide a user interface to allow registrants to “connect” with other registrants in their real-world social groups.
The following section provide additional details about Kuwa’s registration process.
Individuals will take the following steps to register for Kuwa:
Step 1 – The Kuwa smartphone app creates a public-private cryptographic key pair. The public key is the registrant’s pseudo-identity.
Step 2 – The app generates a one-time registration code and uses the generated private key to create a transaction that the app will later commit to a public ledger.
Step 3 – The app prompts the registrant to speak and/or display the authentication code in a short video (example: http://zeropoverty.io/reg.mp4). The registrant will have a limited time period (e.g., five minutes) to record the video, after which the authentication code will no longer be valid. By requiring a random authentication code, Kuwa will help ensure that videos are not prerecorded. The following illustration shows what the app’s user interface might look like.
Step 4 – The app records the video and uploads it to the public ledger, where the video and authentication code are logically stored along with a digital signature. The following illustration shows how that data is stored (logically as opposed to physically) in the public ledger:
Please note that although the authentication video is accessible by anyone, no additional personal data is required by the registration process other than information that someone could capture by mounting a camera in a public place. Multiple independent and competitive “Registrars,” which continually scan the public record, inspect the authentication video to ensure that the authentication code was read or at least displayed. Also, the Registrars will analyze the video and voice recordings to ensure that no other matching valid ID exists. Provided one or more Registrars validate the registrant (i.e., no duplicates detected and a valid authentication code was displayed and/or read), the registrant may continue to complete the registration process.
Step 5 – To further validate their ID, the registrant may define their social connections. Such social relationships will enable them to link their public key with the public keys of other members of their real-world social groups, which will be categorized as the immediate family (parents, children, siblings or spouses) and non-family (fellow villagers, friends, neighbors, more distant relatives, etc.). The following illustration shows how the registration app could provide a user interface to create social connections:
The QR code shown in the preceding illustration represents the registrant’s public key. When another registrant scans that QR code, the app will prompt them to specify whether the connection is a family member or not. After reaching a prescribed number of connections, the Kuwa registration process will be complete. The following diagram illustrates a sample of the social graph information that Kuwa would maintain:
In the preceding diagram, family connections display as black arrows and non-family connections as gray arrows. The private keys numbered 1, 2 and 3 represent a family. Numbers 4 and 6 depict number 3’s parents, which also makes those links family connections. Social connections could provide valuable data points for algorithms that detect Sybil attacks. A person with 100 family members, or whose social graph is in logical proximity to known duplicates, would have a higher probability of being a Sybil attack, and, therefore, would merit additional scrutiny.
The following is a logical illustration of what a registrant’s public profile might look like after defining connections:
Requiring users to create social connections would not, by itself, prevent Sybil attacks; however, when combined with scalable Sybil detection, social relationships and the proper incentives, both positive and negative, it is possible to create a Sybil-resistant system. And because Kuwa is decentralized, it is also corruption-resistant and less vulnerable to manipulation.
Economic incentives are critical for maintaining the security and integrity of most decentralized systems. Kuwa will require registrants to “stake” something of value. That stake could be cryptocurrency tokens, or a future stream of tokens, which could be the registrant’s future UBI receipts. The following paragraphs address important questions with regards to Kuwa incentives.
Making valid social connections increases the apparent validity of a Kuwa ID. In other words, a Kuwa ID with more valid connections is less likely to be challenged by a Registrar. It would also be possible to, for example, require a minimum number of connections in order to obtain a UBI distribution. A UBI distribution could, for example, provide a higher payment for IDs with stronger social graphs.
Why search for duplicates?
A UBI could provide incentives for detecting Sybil attacks. Kuwa Registrars (KRs) could be independent businesses that scan through the public record of authentication videos searching for duplicates. One organization could, for example, build a detection system by using proprietary commercial technologies provided by Google, Apple or others. Another organization could create a Registrar entirely from open source tools. Postulating that KRs should have incentives is the simple part. Designing the specifics of those incentives is more difficult. Kuwa will take steps to ensure that KRs do not have incentives to falsely flag duplicates. Moreover, Kuwa needs to take special care that KRs don’t create their Sybils and then claim a reward.
How do we make Sybil attacks socially unacceptable?
If a UBI includes disincentives for Sybil attacks, those penalties can be allocated across the attacker’s social graph when the network identifies the Sybil attack. For example, family connections could suffer a significant UBI deduction. Non-family relationships suffer a smaller penalty, and secondary connections would get hit with a lower charge. With these types of incentives in place, members of the attacker’s real-world social groups would pressure the attacker not to cheat.
How will we keep KRs honest?
KRs will have to stake significant value with the Kuwa network. Consequently, KRs will have an incentive the protect the integrity of Kuwa to maintain that value. A voting algorithm will govern the reward system for Sybil detection. So long as the majority of Kuwa participants are honest, the voting algorithm will make it possible to reward constructive behavior while discouraging activities that damage Kuwa’s integrity.
Kuwa Registrars (KRs) will scan the public ledger of registrants’ profiles for duplicates. When an KR finds a duplicate, the KR will get an economic reward. To discourage false duplicate flagging, Kuwa will require that KRs “stake” claims. If the duplicate turns out to be valid, the KR will lose their stake. The economic incentive, however, will make accurate Sybil detection a profitable business. Eventually, there will be a network of KRs competing with each other, which will help secure the Kuwa network. The following diagram represents multiple competing KRs as they scan the public ledger.
As shown in the preceding diagram, the Kuwa Foundation will create an open source reference KR implementation that utilizes pre-existing open source tools for face and voice recognition.
Because an individual can only have one Kuwa ID, the system lends itself to a highly democratic governance process. The Kuwa Foundation will have Board of Governors (BOG). The individuals who have Kuwa IDs will elect that Board via a one person, one vote process. The BOG will oversee the future development and standards direction for the Kuwa network. The Board will also supervise the treasury function, which will allocate funds for future Kuwa development. Our intention is to minimize any potential for corruption of the BOG. Consequently, the BOG will likely fund itself through donations rather than via inflation or transaction fees.
To be scalable, Kuwa must be highly automated. But to be fair, there should be an appeals process designed to adjudicate situations when a valid account is erroneously flagged as a duplicate. The Kuwa BOG will define an appeals process to enable individuals to arbitrate disputes swiftly and, if needed, vote to have the network authenticate an account that was wrongly flagged as invalid. Other exception conditions include:
- Genetically identical siblings – Since people who are genetically identical are likely to be erroneously flagged as duplicates, the Kuwa registration process could require that they create a registration video together.
- Replacement registrations – There will be situations where a registrant will need to create a new registration (e.g., they lost their private key). In such a case, the registration app would allow individuals to declare that the registration should replace the old registration. In that way, the Kuwa network will not flag the new registration as a Sybil attack. Once the new registration is confirmed, Kuwa will mark the old registration as inactive.
- Dead people – Requiring periodic re-registration could reduce the number of accounts that should no longer be valid because account holders have died. Kuwa could also provide incentives to report the passing of connections or disincentives for not reporting. It is important to note, however, that Kuwa must not create a situation where a defenseless person is better off dead to the community than alive.
- Babies, the incapacitated, and “last resort” situations – Kuwa will provide a means to register those who are unable to register themselves. As discussed is the section of this document about private profile data, registrants can add additional personal information privately and securely to their Kuwa profiles. The Kuwa appeals or adjudication procedures could consider that information is resolving exceptions.
Private Profile Data
The information maintained in Kuwa public profiles is sufficient to identify individuals. There may be instances, however, when an individual may want to associate additional personal information in their Kuwa profile, but not make that information public. For example, if a user was erroneously flagged as a duplicate, that user could use their private key to add additional proof of their identity to their profile. The user may then grant selected access to that information to, for example, a panel attempting to decide the issue. The following represents how Kuwa would store additional information in a private profile.
Faux Registrations (FRs)
A Faux Registration (FR) is an unambiguously invalid registration attempt, the purpose of which is to test KRs. When KRs disagree about the validity of an ordinary registration, one must be wrong; however, it is difficult to determine who is wrong. But you can create an FR that is unambiguously invalid (i.e., an easily-identified Sybil). Kuwa gives KRs an economic incentive to try to fool each other with FRs.
In the private profile of the FR’s ID, the KR has to put encrypted “instructions” that tell how to reproduce the attack. For example:
Type: Fax Registration
Sybil Public Key: 1BB3X2gu58d6wASB
You must be able to detect an invalid FR by running the original video against the reference implementation KR (an open source project maintained by the Kuwa Foundation). You must be able to recreate the FR’s authentication video by using the program. All KRs that detect the Sybil within a predefined period (e.g., 1 hour) split the reward of X tokens. If they don’t recognize the FR, the KR that created the FR gets the X tokens. You must be able to perform the verification programmatically. There can also be an additional bounty for providing a counter to the Sybil attack.
There may be other ways to implement this general concept. For example, a dead-simple FR could be something obviously invalid, like a computer-generated cartoon of Elmer Fudd reading an authentication code.
A challenge for Kuwa is to determine which KRs are good at detecting invalid registrations. There could be a situation where one KR accurately identifies a Sybil, but all the other KRs erroneously disagree. In that case, voting might not be the best way. You could resort to human intervention. But human intervention is not scalable, is error-prone and vulnerable to corruption. With FRs, you can programmatically measure KR effectiveness. You want to structure the incentive so that bad KRs will stop being KRs because it would not be economically viable for them to continue.
A way to “plant and reveal” an FR without tipping everyone off would likely have to be part of the protocol. Security concerns would require a way to sandbox any program, too.
Bootstrapping Registrations and Social Graph
A way to increase the number of valid users would be to enroll the initial registrants in a geographic area in person. In a village, for example, there could be a one-day registration event. Just as when people vote in developed countries, registrants could be required to dip a specific finger in indelible ink. Since that ink would take longer than 24-hours to wash away, it would be challenging for an individual to register multiple times.
In-person registrants would form the basis of the user listing in an area. Subsequent registrants could be required to define connections with registrants who had registered in person. Such a requirement would make it difficult to mount large-scale Sybil attacks since a sudden increase in registrations would signal a problem if it occurred in an area where most of the population had already registered.
How Kuwa Might Fail
The purpose of this section is to provide a self-critique. The following points describe some of the challenges that could endanger Kuwa:
- Deep fakes – “Deep fakes” are realistic videos created by using artificial intelligence. Creating a deep fake involves “training” one video with another. Done correctly, you can make it look like a a person who appeared in one of the videos also appeared in the other. Kuwa would defeat deep fakes because the authentication codes that must appear in videos expire in a shorter time than it would take to make a deep fake. And while deep fakes are impressively good, they are not currently hard to detect. It is possible, however, that the quality and speed of deep fake software improves to the point where it can fool Kuwa. Of course, Kuwa’s AI technology will also progress, and Kuwa could implement countermeasures that could defeat attacks that utilize deep fakes.
- Unforeseen privacy issues – Although Kuwa seeks to limit the personal information it collects to a minimum, it is possible that a malevolent actor could use that information, and perhaps combine it with separately-sourced data, to carry out attacks on Kuwa or Kuwa registrants. “Mining” the videos in Kuwa public profiles to create deep fakes could be an example of such an attack. If an attack that leverages Kuwa profile information causes significant damage, it could cause a loss of confidence in Kuwa.
- Faulty AI – Kuwa’s success depends on how good AI is at detecting fakes. The AI does not have to be perfect; however, it must be good enough to enable Kuwa to catch nearly all (95%+) individual fakes and all large-scale Sybil attacks. This white paper assumes that the AI will be effective and, perhaps even more importantly, will continue to advance to keep up with the technologies employed by attackers.
- Adverse incentives – The initial implementation of Kuwa will likely be centralized; however, for the network to be corruption-resistant, fair and secure, it is essential that Kuwa become more decentralized over time. Decentralization will require carefully designed economic incentives to ensure that participants behave in ways that strengthen Kuwa. If, instead, the incentives encourage self-interested participants to, for example, cooperate to gain an advantage, it could destroy confidence in Kuwa and result in the damage or destruction of the network.
- Capture or corruption – Kuwa could be captured or unduly influenced by malevolent actors. A corrupt government, for example, could attempt to use Kuwa, or Kuwa-dependent applications, as a means of control. One way that could happen is if Kuwa becomes dependent on government-issued identification documents to verify identities. Other entities may seek to buy influence in the Kuwa Foundation or use more coercive tactics to control the organization. Hacking Kuwa-related smart contracts, or the underlying Kuwa protocol, or gaming the Kuwa incentive system, are all potential attack vectors for those seeking to control, undermine or destroy the Kuwa system.
- Failure of related applications – Kuwa is designed to enable applications that would help people in the developing world, such as basic income, voting, disaster relief, and general financial services, from which most lower income groups in the developing world are still excluded. Should any of the applications that depend on Kuwa become compromised, captured by an authoritarian government, or used by malevolent actors to harm the very people that Kuwa is meant to help, then it could cause a loss in confidence in Kuwa, which could, in turn, result in Kuwa’s failure.
The most promising solution to poverty is a basic income. An effective basic income distribution requires unconditional direct cash payments to millions of people. Every successful Sybil attack on that distribution could increase an attacker’s income significantly. Consequently, individuals and groups have a powerful incentive to create multiple personas, which could destroy the viability of a basic income project.
Existing efforts to combat Sybil attacks are ineffective. You can defeat a “one phone-one account” defense—and double your basic income—with a $10 purchase. Intricate rules that only use social graphs, rely on “attestations” or issue “personal tokens” diminish usability and introduce complexity while doing little to prevent determined attackers from establishing multiple accounts. The added complexity also creates new attack vectors that bad actors will find and exploit. Alternatively, you could require government-issued identification documents. But in doing so, you would cede control of the system to governments. Moreover, malevolent actors (e.g., identity thieves) will find a massive database of government-issued personal information irresistible.
Kuwa identifies unique individuals in the same way that humans have always recognized each other. Kuwa discourages bad behavior through an incentive system that establishes social norms. After finishing a bowl of soup from the community pot, community members know that it’s not a good idea to use the pot as a latrine. Kuwa provides an effective and efficient mechanism to detect Sybil attacks and then sanction the attackers’ social groups. Kuwa does not even need to know the attacker’s name; his social groups can look at his authentication video. They will know who has caused the group to lose income. In other words, the group will know who fouled the soup, and the group will discourage such behavior.
A baby can recognize her mother’s face within a few days of birth even without understanding a spoken language. And when the mother or all of us, the original “Eve,” first walked upright across the savannas of prehistoric Africa, she was not alone. She was in a social group. That group helped ensure the survival of individual members by enforcing norms of behavior that were beneficial for the group as a whole. By using ancient techniques to identify humans, scaled to a massive level with AI and combined with an effective social enforcement mechanism, Kuwa can serve as the basis of a Universal Basic Income and help make poverty a thing of the past.
The purpose of this white paper is to meet a need: A user identification system that would work in places where most people do not have identification documents, or where the government is corrupt and, therefore, is an unreliable authority. The proposals that this document puts forth may work, or they may not. But even in failure, the knowledge we gain will help us, or someone else, for future attempts. Because the end result could help lift hundreds of millions of people out of poverty, any good faith attempt is a worthy endeavor.