AStateofTrustwithouttheState:! The!Political!Economy!of...
Transcript of AStateofTrustwithouttheState:! The!Political!Economy!of...
1
A State of Trust without the State: The Political Economy of Pseudonymity and Cybercrime Henry Farrell Draft paper – please don’t cite or circulate without permission
There’s a significant and interesting disagreement between Margaret Levi
and Russell Hardin on the relationship between trust and the state. In a key early
book chapter written for the Russell Sage project on trust, Levi (1998) argues
against scholars who suggest that the state somehow drives out trust. Here, she
suggests that while the state often “reduce[s] the need for citizens to trust each
other,” it also “may facilitate trust by solving the essential information, monitoring
and enforcement problems” (p.84) In this account, the most important attributes of
the state in creating interpersonal trust “would seem to be the capacity to monitor
laws, bring sanctions against lawbreakers, and provide information and guarantees
about those seeking to be trusted” (p.85). Even more importantly, governmental
actors can inspire trust through appearing to place principle over short term self
interest, through fair and impartial procedures, and through contingent consent.
Levi here makes the major claims that states can foster trust between their citizens
and inspire trust in themselves.
Russell Hardin (1998) takes a very different view. He argues that we do not –
and cannot – know enough about the government to trust it.1 Our understanding of
government officials’ incentives is far too limited for us to be able to say that we
trust them. Since few people understand how government operates, general social
1 See Byrne et al. (1977) for a strongly dissenting perspective.
2
acceptance of government’s social legitimacy cannot be categorized as a form of
trust, since it is not based in reasoning over knowledge. The capstone volume of the
Russell Sage project, co-‐authored by Hardin and Levi, as well as Karen Cook (2005),
goes on to argue that the state makes trust semi-‐irrelevant among citizens. On their
view, “trust is no longer the central pillar of our social order, and it may not even be
very important in most of our cooperative exchanges” (p.1). As societies become
more complex, we rely less on interpersonal relationships and trust, and more on
impersonal institutions. Trust becomes a complement, and perhaps a kind of social
lubricant, but it plays, at best, a secondary role.
The tensions over trust, the state and large impersonal institutions play out
in interesting ways on the Internet, perhaps the largest scale infrastructure for
complex exchange and interdependence that advanced industrialized societies have
ever created. The Internet plays a fundamental role in supporting social, political
and economic activities. Yet it does so in complicated ways.
On the one hand, many forms of social interaction on the Internet are
supported by the usual array of vast indifferent forces that constitute modern
society. For example, when we transact with Amazon, or even with traders on eBay,
we do so in the knowledge that our partners in exchange are governed by incentives
of both law and corporate reputation.
However, the Internet also supports a wide variety of more intimate forms of
exchange, in which, arguably, personal trust is implicated. We may never meet
someone with whom we are engaged, or even know their real name. Even so, we
may come to trust them in a real if limited sense. We can make judgments from our
3
repeated interactions about the degree to which their interests encapsulate our
own, and their likely propensity to deal with us honestly in the future.
Complicated forms of trust exchange, which combine long run pseudonymity
(an invented name or identity maintained consistently across a series of
transactions), and both costly and costless efforts to signal trustworthiness, play an
important role among criminals on the Internet. Criminals cannot usually rely on the
large scale impersonal forces summoned and maintained by the state in order to
underpin their transactions. Yet, as Diego Gambetta (1996, 2009) and others have
pointed out, they are typically equally incapable of appealing to personal character
as a source of trustworthiness. Most criminals make a significant part of their
livelihoods through behaving in untrustworthy ways – they are a self-‐selecting
group that is much less likely to be trustworthy than even randomly chosen
individuals. Finally, online criminals cannot leverage more intimate connections
such as locality and family as a source of trustworthiness, in the ways that their
offline brethren can, without forgoing the most valuable benefit of the Internet –
that it can vastly increase the supply of potential interlocutors and partners for
exchange.
Thus, online criminal behavior can be seen as a very useful laboratory for
whether and when a ‘state of trust’ can develop without a fully fledged state. It tests
whether trust can emerge under exigent conditions, where neither proper state
institutions, nor expectations about personal character, nor intimate social
networks can provide any backstop. By examining how and whether trust emerges,
4
we can begin to think more clearly about the role of trust in supporting a social
order.
On the one hand, if trust can emerge at all from so unpromising a set of initial
conditions, it suggests that trust is still relevant, and sometimes primary, even in
networks that would seem better fitted to impersonal exchange. On the other, it
allows us to think more clearly about the minimal set of characteristics that an
order-‐providing entity (such as a state) has to provide in order to sustain trust
among a significant number of actors.
As I discuss below, criminals have tended to adopt a Hobbesian solution to
the problems of online trust by outsourcing the policing of trust relations to a third
party. However, these third parties themselves can potentially be untrustworthy.
Trust among criminals – when it happens – happens without the state, since
criminals cannot rely on state enforcement. Yet the mechanisms that they do rely on
resemble radically stripped down and highly limited versions of the Hobbesian
state. They thus provide a kind of miniature world in which we can study the
relationship between the state and authority more closely.
In this essay, I first describe in greater specifics the role of online criminality,
detailing a fundamental problem of trust that plagues many criminals on the
Internet. I then go on to examine the ways in which criminals have tried to
overcome these problems, building communities and even institutions that
approximate to some of the state functions identified in Levi’s work. I conclude by
suggesting that these communities provide evidence for Levi’s contentions, and
against Hardin’s, in a rather unexpected environment. The most promising source of
5
honor among thieves (or, at least, drug dealers and their clients), appears to be a set
of institutional arrangements which, if you squint a little, resemble a stripped down
state.
Trust and Online Criminality
Criminal activity is likely very common on the Internet, but is for obvious reasons
difficult to measure. The debate about online criminals has been characterized more
by lurid speculation than by serious research. Not only do journalists have the usual
incentives to portray the risks in the most frightening manner possible, but neither
the criminals themselves, nor those who work against them, have much incentive to
provide better information. Clearly, criminals themselves have good incentive to
keep a low profile. Yet online security firms, who have more data than most about
the true extent of the threat of online criminals, have an obvious incentive to
exaggerate the risk so as to get more customers.
This is unfortunate. What evidence we do have suggests that there is a lot
there to study. Tyler Moore, Richard Clayton and Ross Anderson, in a widely cited
overview article, suggest that online criminal networks have succeeded in
recreating many of the advantages of the division of labor on a very wide scale. For
example, in online credit card fraud, hackers work to secure large databases of
stolen credit card numbers illicitly, selling them in bulk packages to brokers, who in
turn break up these packages and sell them to cashiers, who recruit (sometimes
unwitting) mules to send on goods bought with the cards.
6
So many, so various, and so complex a set of organized activities raises many
research questions. This paper focuses on one such question: what is the
relationship between pseudonymity and trust among lawbreakers on the Internet?
Some forms of criminality (e.g. spam) do not necessarily directly implicate
trust. Many spammers prey on our trust, but others may sincerely want to sell us
products that we do not want; the distinction between legitimate commercial email
and obnoxious spam is notoriously difficult to fix.
Others parasitize or predate upon the forms of impersonal exchange that the
Internet has facilitated, seeking to crack servers or fool individuals so as to gain
access to personal information that can be used e.g. to gain access to their bank
accounts. Here, there are problems of trust but they are one-‐sided; I, as a scammer,
try to fool you into believing that I have access to the hidden funds of a deposed
Nigerian dictator, in order to persuade you to provide me your financial details, and,
perhaps, money to lubricate the process of getting access to his bank account.
Successful conmen are artists of the manipulation of trust.
Others yet involve forms of exchange that are outlawed (e.g. exchange of
hacked credit card numbers; the buying and selling of illegal drugs) but potentially
of value to both transacting parties. Here, the problem of trust is two sided, and
more potentially interesting, since both parties to a potential transaction will want
the transaction to take place, but will fear deception by the other party. This means
that they have some common incentive to build arrangements that will facilitate the
transaction. Con artists and their victims have incentives that are ultimately
incompatible – the one wants to cheat, the other not to be cheated. Yet many
7
transactors, although they may reasonably fear being cheated, want to arrive at a
mutually acceptable arrangement that might foster trustworthy behavior. The
problem for these transactors is precisely how to eliminate the risk of cheating on
both sides.
These difficulties are specific examples of a broader set of problems. As Diego
Gambetta (e.g. 1996, 2009) has argued across a variety of books and articles,
criminals have difficulty both in identifying each other and in communicating
credibly with each other. The Sicilian Mafia and its American offshoot have evolved
an elaborate series of mechanisms for identifying whether someone is a member,
although these mechanisms can be gamed (ibid). More broadly:
Criminals are constantly afraid of being duped, while at the same time they
are busy duping others. They worry not only about the real identity,
trustworthiness, or loyalty of their partners but also about whether their
partners are truthful when claiming to have interests and constraints aligned
with theirs (p.xvii, Gambetta 2009).
Such concerns are described in less elegant terms by a frustrated commenter on the
“Hidden Wiki,” a site that lists addresses for both licit and illicit TOR Hidden
Services (see below for discussion of what TOR Hidden Services are).
I have been scammed more than twice now by assholes who say they’re legit when I say I want to purchase stolen credit cards. I want to do tons of
8
business but I DO NOT want to be scammed. I wish there were people who were honest crooks. If anyone could help me out that would be awesome! I just want to buy one at first so I know the seller is legit and honest.2
The anonymous commenter’s desire to meet ‘honest crooks’ nicely illustrates
problems of trust among criminals on the Internet. It is hard for a buyer to ensure
that she will not be ripped off. If she hands over the money before receiving the
goods, the seller may disappear, or provide her with expired credit card numbers
(stolen credit card numbers quickly lose their value). The vendor faces the same
problem in reverse – if she provides the goods before receiving the money, she will
likely never see the money. Each faces the strategic problem and dismal equilibrium
identified in Partha Dasgupta’s (2000) trust game; each, consequently has good
reason not to play in the first place.
This problem is exacerbated by a feature of the Internet that is otherwise of
enormous advantage to criminals in other ways. If criminals are technically adept,
they can often preserve a higher degree of anonymity than they could in physical
interactions (although even very technically adept users can make compromising
mistakes if they are not careful).
This, obviously, can benefit them greatly. Criminals do not want to be
entrapped or otherwise identified by law enforcement. Yet it also creates a far
greater burden for trust among criminals. If you do not know whom you are dealing
with in a transaction, it makes it far harder to trust your interlocutor. On the one
hand, the Internet makes it easier to conceal your identity e.g. if you are buying or
2 See http://www.thehiddenwiki.net/tor-‐links-‐directory/name/tor-‐carding-‐forums/ (checked September 18, 2014).
9
selling illicit goods or services, so that you are less likely to be caught and convicted.
New technologies (described in the next section) can greatly facilitate anonymity.
On the other, anonymity makes it harder to carry out successful economic
exchanges. It lowers the cost – perhaps dramatically – of cheating buyers if you are a
seller, and cheating sellers if you are a buyer.
The partial solution that many criminals have adopted is pseudonymity.3 If
you maintain a pseudonymous identity for a period of time, you may demonstrate a
pattern of behavior that suggests that you are trustworthy. As your pseudonymous
identity becomes identified with trustworthy behavior, it becomes more valuable. A
trustworthy pseudonym, in this context, plays much the same role as a corporate
identity can in David Kreps’ (1990) work on corporate reputation. It becomes a
marker that may be associated with expectations that those bearing the marker will
behave in a trustworthy way in situations that are impossible to anticipate perfectly
ex ante.
It is even possible, as with corporate identity, that a valuable pseudonym can
be passed on to a new individual. The individual running the illegal online Silk Road
marketplace called himself the Dread Pirate Roberts, referring to a character with a 3 Of course there are many excellent reasons why one might want to maintain a pseudonym apart from the desire to engage in illegal conduct. For example, many women find themselves systematically harassed if they say unpopular things on the Internet; they might reasonably wish to maintain a gendered or non-‐gendered pseudonymous identity so that they can maintain a consistent role in conversation while making it difficult for harassers to figure out who they were. As per Richard Sennett’s arguments about eighteenth century coffee houses, pseudonymous or anonymous identities may also allow forms of play with identity that would not be possible were individuals named. More succinctly; my intention is not to tar pseudonymity by association with criminal activity so much as to suggest that criminals, like many other classes of individuals with very different motivations, may wish to maintain pseudonymous identities.
10
serial identity from the cult movie, The Princess Bride, and also claiming that he was
not himself the original Dread Pirate Roberts, and would in time he would sell or
pass on the title to someone else.4 These claims may have been untrue – federal
prosecutors claim that they have identified one individual who both created and
held onto the identity. However, after his arrest the Silk Road was recreated under a
new individual, who claimed the same title, clearly seeing it as a valuable one. The
trustworthiness adheres to the pseudonym rather than to the individual, and to the
extent that a reputation for trustworthiness provides a valuable income stream
stretching into the future, it may itself serve to anchor trust relationships, by giving
the possessor of the pseudonym incentive to be trustworthy.
Of course, Internet based pseudonyms have their own problems. On their
own, they are costless signals. Without some external structure of validation,
anyone can claim to be the Dread Pirate Roberts, and it will be impossible to
distinguish the real Pirate from his imitators.
4 The title was likely chosen specifically so as to suggest that the role could be transmitted to others. In the script for The Princess Bride, Westley discusses the role of the Dread Pirate Roberts as follows: “Roberts and I eventually became friends. And then it happened. Well, Roberts had grown so rich, he wanted to retire. So he took me to his cabin, and told me his secret. “I am not the Dread Pirate Roberts”, he said. “My name is Ryan. I inherited the ship from the previous Dread Pirate Roberts, just as you will inherit it from me. The man I inherited it from was not the real Dread Pirate Roberts either. His name was Cummerbund. The real Roberts has been retired fifteen years and living like a king in Patagonia.” … Then he explained that the name was the important thing for inspiring the necessary fear. You see, no one would surrender to the Dread Pirate Westley. So we sailed ashore, took on an entirely new crew, and he stayed aboard for a while as first mate, all the time calling me Roberts. Once the crew believed, he left the ship, and I have been Roberts ever since. Except now that we’re together, I shall retire and hand the name over to someone else. Is everything clear to you?”
11
Other problems abound. The anonymous commenter cited above suggests
that she wants to test the quality of the goods first, by buying a single credit card,
before committing further. While this may weed out casual con artists (who will not
have any valid credit cards), it will do little to deter more sophisticated scammers,
who may deal fair at first in order better to gull the buyer into making a larger
commitment downstream. Finally, when the commenter also suggests that she
would like an introduction to someone who will not rip her off, she is not displaying
any very great understanding of the incentive structures. Since the people providing
her with recommendations are themselves anonymous or pseudonymous, there is
nothing to stop a scammer recommending herself as a trustworthy business
partner.
In short, exactly the features that recommend online interactions to criminals
make it even more difficult for them to trust each other. The Internet makes it easy
to be anonymous, or pseudonymous, concealing one’s identity from law
enforcement. But just these same features make it easy to scam other criminals,
manufacturing and discarding identities as needed in order to rip them off, without
any very great likelihood of retaliation.
New tools for exchange on the Internet
Many early prominent boosters of the Internet were libertarians, convinced that it
provided an alternative means of social organization that would, over time,
12
undermine the state. Early believers emphasized the way in which the Internet had
no central node that e.g. a government could seize to control communication, but
instead was a ‘distributed network,’ which provided a proliferation of multiply
redundant routes through which information could move from one point to another.
In the words of one frequently repeated aphorism, the Internet “interpreted
censorship as damage, and routed around it.”
However, these grand pronunciations turned out to be wildly over-‐
optimistic. In fact, governments have been able to successfully identify a variety of
weak points in the Internet, and employ censorship technologies exploiting them to
e.g. crack down on political and religious dissidents (Deibert ed. 2008).
Furthermore, claims that the Internet was a true distributed network turned out to
be incorrect, making the Internet significantly more vulnerable to censorship.
Finally, mainstream online payment technologies involve banks and credit card
issuers, and are far more vulnerable to state oversight and investigation, thwarting
many criminal networks. For example, when authorities have been able to take over
pedophile websites, they have often been able to use credit card payment histories
to identify and prosecute the sites’ members across multiple jurisdictions.
Some so-‐called ‘cypherpunks’ advocated more far reaching ways of building
exchange networks that could evade the surveillance of the state, and over time
corrode it. The mathematician and activist David Chaum proposed so-‐called ‘mix
networks,’ which would combine strong public key encryption and carefully
designed protocols, allowing people to exchange information in ways that made it
extremely hard to work out who was talking to who. Chaum and others also sought
13
to use encryption to develop cybercurrencies, which would again use encryption to
make it hard to work out who was paying who.
Cypherpunks hoped that these and other technologies would weaken and
perhaps destroy the state, as its fiscal base dissolved into a plethora of untraceable
transactions. They recognized that these technologies could be used for malign
purposes – one notorious paper proposed the creation of an anonymized market in
assassinations, but saw this either as the necessary price of freedom, or as
potentially beneficial (if e.g. the people assassinated were high government
officials).
These sweeping prognostications have not come to pass, nor are likely to.
However, they did lead to two broadly deployed technologies, which have been used
by actors interested in avoiding government attention.5 Chaum’s “Mix Network” is a
direct ancestor of TOR (‘The Onion Router’) a widely used system piggybacking on
the Internet that provides a far greater degree of anonymity than conventional
Internet protocols. In particular, Tor allows users to access ‘Hidden Services’ – sites
that are completely invisible to users who have not installed specific browser
software, are unreachable unless you already have the address, and are effectively
nearly impossible to trace unless the site owner makes a technical error.6
5 The claims made in this paper are sufficiently broad that they do not require a detailed description of the specifics of these technologies. For an introduction to TOR’s Hidden Networks service, see https://www.torproject.org/docs/hidden-‐services.html.en. For a useful and user friendly discussion of Bitcoin, see Michael Nielsen’s primer at http://www.michaelnielsen.org/ddi/how-‐the-‐bitcoin-‐protocol-‐actually-‐works/. 6 Documents leaked by Edward Snowden suggest that even national intelligence agencies have enormous difficulties in cracking TOR. The FBI claims that the “Silk Road” website, which will be discussed in the main part of the paper, was made
14
Chaum’s and others’ proposals for digital currencies based on encryption
foreshadowed the creation of Bitcoin – a distributed currency that has enjoyed
enormous publicity and significant growth in acceptance over the last eighteen
months. While it is not completely impossible to trace Bitcoin transactions (the
protocol relies on a publicly shared ‘blockchain’ recording all transactions), it is
difficult and inconvenient. Furthermore, there are ways in which transactors can
‘mix’ Bitcoin transactions together, making it harder to distinguish them from each
other.
These two technologies have a very wide variety of legitimate uses. For
example, the TOR network was used by dissidents to access websites during the
Arab Spring. Bitcoin is not a generally recognized currency, but is accepted by many
legitimate businesses for a variety of transactions. Even so, these technologies are
obviously attractive to some criminals. Few lawbreakers want to be caught. Just as
TOR helps dissidents communicate in a clandestine fashion, it helps criminals to
communicate with each other so as to find vendors, customers and partners. Bitcoin
allows criminals to exchange money using a system that is far more opaque than the
conventional financial system (which may flag unusual movements, report
suspicious transactions under ‘know your customer’ laws, or provide aggregate data
to law enforcement authorities for analysis).
Even if these technologies help criminals avoid law enforcement, they do
little to make it easier for criminals to trust each other, and may indeed make it
vulnerable by a configuration error. However, technically minded critics have suggested that there are inconsistencies in the FBI’s account, and that it may be engaged in “parallel construction” to conceal the actual methodologies involved.
15
harder. They promote anonymity or pseudonymity at the expense of accountability.
Tor Hidden Services allow individuals to set up exchanges that are more difficult for
law enforcement to track, but also make it hard for individuals who feel they have
been cheated to find recourse. Unless they have specific personal information, they
will find it hard to track down cheaters offline. Similarly, Bitcoin provides a
distributed and difficult-‐to-‐track currency that supports payments, but one that is
vulnerable to fraud – once Bitcoins have been transferred, like cash, they are very
nearly untraceable.
The problems described in this and the previous section create a major
challenge for criminals seeking to make use of the Internet. Specifically, they create
a need to build mechanisms of accountability and identification. If a criminal wishes
to gain trust from others, she will be well advised to somehow make herself
accountable to them. As Thomas Schelling notes (1960), the right to be sued is a
very valuable one. Criminals, who cannot be sued in ordinary legal processes, have a
strong incentive to come up with some proxy. If she furthermore wants to take
advantage of pseudonymity to build a long term reputation for reliability, she will
need to somehow to prevent others from using her pseudonym to cheat the gullible
and trashing her reputation.
Sometimes, it will be possible to develop these mechanisms offline. There is
far less good research than one would like on the relationship between offline and
online criminal networks. However, one reason why they might merge is that online
16
criminals can benefit from the accountability provided by the offline network to
facilitate engaging in certain kinds of sophisticated transactions.7
Sometimes, it may make better sense to create online mechanisms for
underpinning trust and accountability. I turn to this in the next section.
Creating Order Without a Full State
The most obvious solution to the problem of trust on the Internet is to join or
create some kind of community. As scholars such as Michael Taylor (1987) have
observed, communities provide a space for multi-‐faceted transactions in which
people can get to know each other over time, and hence potentially solve the
problems of anarchy. Well working communities enforce honest behavior through
decentralized mechanisms. Everyone is aware of the norms governing the
community, and upholds them. People who do not conform to these norms are
punished, or actively shunned or driven away.
However, Taylor’s anarchic communities only offer a highly imperfect
solution to online criminals trying to solve the problem of trust. First, they scale
badly. As game theoretic models demonstrate, organizations with centralized
enforcement are able to enforce honesty over much larger populations than
7 Of course this is not the only possible reason. It may also be that offline criminal organizations can use their notoriously effective powers of persuasion to encourage online criminals with lucrative businesses to come under their protection. It may also be that offline criminal networks have better opportunities to provide political protection, especially in countries like Ukraine and Russia, where the distinction between gangsters and legitimate businessmen with strong state connections is often less distinct than one might like.
17
communities that rely on purely decentralized enforcement (Calvert 1995). Second,
they assume a relatively static population of actors. If people are free to pretend to
be other people within the community, or to leave the community under one
identity and rejoin under another or to maintain multiple independent and
apparently unconnected identities within the community, then community
enforcement becomes far easier to game, and far more difficult to enforce.
Criminals have created communities online, but typically have tried to
combine elements of community enforcement with elements of hierarchy. The most
obvious – and most crucial – way in which hierarchy structures community is
through assigning (and to some limited extent policing) identities. For example,
Afroz et alia use data dumps (presumably generated by hostile actors) to examine
five shady online communities. These communities were involved in very different
activities, ranging from generic online crime and malfeasance, through ‘black hat’
search engine optimization (which is not illegal, but liable to get perpetrators
punished severely by search engines if detected), credit card fraud and exchanging
pirated movies. Despite this, all five shared similar forms of organization.
Afroz et al. identify each community as having a very small group of
administrators, who were often founders of the community or their very close allies.
These administrators appointed moderators who carried out many day to day
administrative tasks, helped by a variety of tools aimed e.g. at detecting multiple
accounts. Ordinary members also played a role in reporting bad behavior – they
could tag inappropriate content, and affect other users’ reputations by providing
positive or negative feedback that moved the latter’s reputation score up or down.
18
Some forums maintained specific lists of identified bad actors with evidence of their
bad behavior; one also had an elite zone, where only those with a high reputation
were allowed to trade. Moderators also have the power to ban identified bad actors.
In addition, specialized actors evaluated the qualities of the goods on offer in
commercial forums in exchange for a percentage of the profits.
In large part, these similarities between different criminal communities are
the result of software code: the founders of these communities run recognizable
cousins of common online community building software packages. They hence
resemble not only each other, but legitimate online communities such as Wikileaks,
Slashdot and MetaFilter.
However, these communities have turned these generic tools towards the
specific problems of trust among criminals. Rather than simply trying to ensure that
contributors are e.g. reasonably polite and substantive, these tools are used to
provide information about criminals’ reputations, as buyers, sellers, or members of
a diffuse community. This, in turn gives criminals some incentive to behave
honestly, so as not to endanger their reputation, and hence their ability to trade with
others in the future. Reputation becomes valuable, because it is attached to a
community, and certified through mechanisms such as password protection that
make it difficult for one actor to simulate the identity of another. And because it is
valuable, it can act as a partial anchor for honest behavior.
To some extent, these communities run themselves – users comment on each
other and rate each other for honesty. Yet they only work because of software which
has hierarchical elements designed in, granting an extraordinary degree of authority
19
to the community’s administrators, and those to whom the administrators have
delegated authority. Without this authority (and indeed the ability of the
administrators to tweak elements of the system in response to perceived failures), it
is highly unlikely that these communities would work at all. As Yip et al. (2013)
hypothesize in their study of online marketplaces for stolen credit card numbers:
the inherent hierarchical management structure and network boundary offered by forums greatly assists cybercriminals in implementing a well coordinated management system for monitoring and regulating behavior in the underground market.8
Criminals who participate in these communities have thus made a semi-‐
Hobbesian choice. They have effectively agreed to hand over ultimate control over
their interactions within the community to figures who have absolute authority over
how the community is run, and indeed whether it exists at all. Furthermore, they
have made this choice in the likely belief that unchallengeable authority is superior
to the alternative of taking their chances through engaging in one-‐to-‐one exchanges
without any outside power of policing.
This is not to say that they have no bargaining weight whatsoever. Unlike the
citizens of Hobbes’ commonwealth, they always have the possibility of exit, which
both allows them to terminate anything that looks too much like systematic long
term exploitation, and to threaten escape if they feel that the administrators are
abusing their authority. Yet, as the next section will discuss, they can still be highly
vulnerable.
8 P. 3, Yip et al. (2013).
20
Perhaps the best public example of such a forum is the previously mentioned
Silk Road, a notorious market for drugs and other illegal commodities, which was
closed down in September 2013 after its chief administrator, the eponymous Dread
Pirate Roberts, was identified by federal law enforcement officials as Ross Ulbricht,
a San Francisco based libertarian and hacker. In its heyday, Silk Road was highly
sophisticated, using Tor Hidden Services, Bitcoin and Bitcoin ‘mixing’ facilities to
make it hard for law enforcement officials to track down the site’s owner and users.
It appears to have facilitated drugs transactions on a very large scale; when Ulbricht
was arrested, he allegedly held tens of millions of dollars worth of Bitcoin on his
computer, earned through facilitating transactions. 9
Security weaknesses allowed Nicolas Christin, a Carnegie Mellon based
computer scientist to monitor activities on the Silk Road for several months, and to
gather together a detailed database of transactions. The forum, like those previously
described, provided community and hierarchical mechanisms intended to underpin
honest transactions between people looking to buy and sell a variety of illegal and
legal commodities, most commonly drugs. However, Silk Road went significantly
further – it provided an escrow service for buyers and sellers. People looking to buy
commodities via Silk Road would transfer money to Silk Road’s escrow account. Silk
Road would then communicate the fact that the money had been received to the
seller. Once both buyer and seller were happy that the deal had gone through as it
should, the money in escrow would be sent, minus commission, to the seller.
9 Fluctuations in the value of Bitcoin, which is highly unstable as a store of value, make it difficult to provide an exact figure.
21
A trustworthy escrow mechanism clearly greatly eases problems of trust and
trustworthiness between buyers and sellers. So long as both trust the escrow, there
is far less incentive to cheat, since the cheated party can either refuse to pay (if she
is the buyer and has not gotten the good as promised) or refuse to send the good (if
she is the seller and the money has not been placed in escrow). Feedback on
transactions suggests that this mechanism was highly successful – Christin finds
that 97.8% of feedback on consummated transactions was positive. While this likely
exaggerates people’s happiness with the service, it suggests that incidents of fraud
were relatively rare.
However, well established vendors with high reputations were able to
demand that buyers settled early with them. This created the possibility of long con
attacks, in which fraudulent vendors establish a good reputation, and then cash out
by cheating all their customers simultaneously and disappearing. Christin records
one apparent incident of a “whitewashing” strategy, in which a well established
vendor declared a substantial discount for people ordering marijuana on “Pot Day,”
attracted an unusually large amount of customers, and then absconded with their
money. Of course, there is a second and more systematic risk associated with
escrow accounts. They do not so much solve the problem of trust as transfer it from
the parties to the transaction to the actor (typically the site administrator) who runs
the escrow system.
In conclusion, there is evidence that criminals can trust each other online –
so long as their transactions take place in the context of a community where they
can build up long term pseudonymous identities and use these identities to anchor
22
trust relationships. However, joining such a community requires a semi-‐Hobbesian
tradeoff. If a criminal uses the community’s automated and social systems to
validate and protect her pseudonymous identity, she is also, necessarily, placing her
assets at risk. Her ability to maintain this identity depends on the continued good
will of the community’s administrators. If she makes use e.g. of an escrow system
run by the administrators, then this puts her money as well as her reputation at risk
of being expropriated.
This points to a second crucial set of trust relationships – trust not only of
one’s fellow transactors, but of the authorities which oversee and perhaps
intermediate directly in these transactions. They too may have incentives to behave
in an untrustworthy fashion. They too may want to use reputation as an anchor. I
turn to these problems in the next section.
Trusting the Leviathans of Cybercrime
Online moderated communities do not solve the problem of trust among
criminals, so much as they displace it. If criminals do not trust the community
administrators and moderators, then they will not trust other criminals within the
system that these administrators and moderators oversee. Administrators must act
as a kind of micro-‐Leviathan, deploying a near absolutist authority in pursuit of the
general good if they are to underpin free exchange among the many community
members.
23
This presents an obvious chicken and egg problem. Someone who sets
herself up as the administrator of a community aimed at online lawbreakers is
asking others to trust that she will run the community fairly. But since she herself
has no good means of validating her identity, potential members of the community
will have no good reason to trust her. These problems of trust were presumably
even harder for the first wave of people creating these sites, who had to contend not
only with distrust in their intentions, but also skepticism that the scheme could
work even if everyone were honest.
It isn’t clear exactly how these problems were solved by the initial creators of
Silk Road and other such communities. It is possible that shared ideology proved a
significant early inducement for people to trust others who they should perhaps not
have trusted. Casual empirics would suggest that many of the users and
administrators of these sites are fervid libertarians, whose attachment to online
illegal markets goes beyond making money into a commitment to fundamentally
remake politics. This may have provided sufficiently strong perceptions of common
ground that people were willing to trust others who sent the right signals, even if
they had no grounded reason, beyond political signals of a common ideology, to
trust them.
However, shared ideology is probably not sufficient in itself. The
administrators of new sites may possibly have tried to send costly signals that they
were honest and committed to trading honestly in the long run rather than cheating
people and running for the hills. Anecdotal evidence suggests that the founder of
24
Silk Road offered free merchandise to early members.10 This plausibly served as a
costly, though imperfect signal that the Dread Pirate Roberts was committed to long
term relationships, and to the long haul – if one invests significantly in building up
relational capital, one probably is not going to cheat immediately.
More generally, the only way that would-‐be administrators can attract
potential members to their community is by signaling they are reliable. However,
such signals need to be credible, and generating credibility is hard. Malign
administrators are more than a theoretical danger. The community of online illicit
marketplaces has been roiled by fraud and allegations of fraud for the last year.
Shortly before the collapse of the first version of Silk Road, another major
marketplace, Atlantis, disappeared, taking a lot of its customers’ Bitcoin with it.
After Silk Market fell, one of its major competitors, Black Market Reloaded closed
business, saying that it wasn’t able to handle the surge of new customers, while
another, the aptly named Sheep Marketplace, sheared its customers of tens of
millions of dollars worth of Bitcoin, closing after it claimed that its security had been
compromised by one of its vendors. Dissatisfied customers suspected an inside job,
and speculated that the entire site had been a scam from the beginning. The
administrator of a third, less significant market admitted after closing that he had
stolen his customers’ Bitcoin.11
10 See e.g. http://silkroad5v7dywlc.onion/index.php?topic=58102.0 checked October 4 2014 (only available via Tor Browser). 11 Andy Greenberg, “Silk Road Competitor Shuts Down and Another Plans to Go Offline After Reported $6 Million Theft,” Forbes.com, December 01 2013. Available at http://www.forbes.com/sites/andygreenberg/2013/12/01/silk-‐road-‐competitor-‐shuts-‐down-‐and-‐another-‐plans-‐to-‐go-‐offline-‐after-‐6-‐million-‐theft/ (checked October 4, 2014).
25
Given credible fears of fraud, some actors have adopted a signaling strategy
of linking themselves to reputations established on a previously trustworthy site.
This approach was taken by the administrators of “Silk Road 2.0,” which was
announced by a former Silk Road moderator, “Libertas,” on the original site’s
forums, displaying his PGP key (a key facilitating encoded communications which
can also serve as a reasonably reliable indicator of identity. This replacement site
started business a little over a month after the initial site’s demise.12 Libertas and
his or her colleagues were able to build both on the brand name of the previous site,
and leverage their own reputations acquired in the course of transacting on that
site. A new “Dread Pirate Roberts” emerged as senior administrator.
Initially, the site appeared likely to succeed, because it was able to build on
the success of its prior incarnation. In Christin’s description:
Silk Road has history since a number of old vendors have re-‐appeared on the new marketplace— and with history you can build reputation, which is paramount in the commerce of illicit goods, be it online or offline.13
However, the new version of Silk Road soon found itself plagued by serious
problems. The first was generated by law enforcement – US legal authorities have
drawn up indictments against three individuals, claiming that they were key site
administrators of Silk Road 2.0, including ‘Libertas.’ Shortly after the arrests, the
new Dread Pirate Roberts disappeared, saying that his account had been
compromised, although claiming that the site as a whole was still secure. He has not
12 Digital Citizens’ Alliance (2014). 13 Quoted in ibid., p. 8.
26
appeared, nor, apparently has his appointed successor, leaving the site to be run by
a former administrator. Worse was to come. The Silk Road 2.0 was compromised,
perhaps thanks to a subtle bug in the implementation of the Bitcoin protocol,
allowing unknown individuals to make off with a very large amount of Bitcoin from
Silk Road 2.0 customers.
This led Silk Road 2.0, which was on the verge of complete collapse to adopt a
new and different signaling strategy – of ceasing to operate an escrow service until
it was able to implement a variant that did not rely on any single actor, and
promising that it would fully refund all customers who had lost money through
fraud. While Silk Road has still not implemented a safer form of escrow, and has lost
some customers to other services, it has refunded the majority of customers
continues to operate with reasonable success. This is likely because it has sent out a
highly costly signal – that it is prepared to make good customer losses even if it has
to bear substantial losses itself to do so. It is unlikely (though not impossible) that a
genuine scam operation would employ such a costly signal. Rather extraordinarily,
this avowedly criminal enterprise is behaving a little like a state, putting
commitment to principle above its short term interests, and hence creating an
environment in which it can (over the longer run) begin again to extract revenues,
and promote trusting relations within its community.
Conclusion
Trust among online drug dealers is obviously not a particularly socially
valuable form of trust. Many of these drug dealers, for all their appeals to libertarian
27
philosophy appear to be highly unpleasant people (Ulbricht appears to have
conspired to have enemies of his murdered).
Even so, it provides a very interesting laboratory in which one can see how
trust can grow even in highly unpromising conditions. People who only interact
with each other online do not – and cannot – know each other in the thick sense of
knowing that some theorists of trust talk about. When they are criminals, they
cannot appeal to character either. Nor do they usually have social networks that
they can fall back on, other than those they can construct themselves online. Even
so, they appear to be able to build quite substantial forms of trust that support
mostly honest interactions where the risk of cheating would appear, on the face of it,
to be very high.
This is in large part because they have been able to come together in
communities of actors with (relatively long lasting pseudonyms). These
communities work in some of the ways that offline communities do – they facilitate
the exchange of gossip and information, which both provides incentives for
individuals to be trustworthy and provides means to sanction those who are not. Yet
they require a substantial degree of hierarchy to work. Someone has to manage the
system, police pseudonyms, identify and ban cheaters and underpin transactions.
That someone has a remarkable degree of hierarchical power. Yet without such
power, the system would be unworkable. Perhaps, in future, we will see truly
distributed systems of identity maintenance to parallel distributed currencies such
as Bitcoin. Yet at the moment, no properly developed system of this kind is available.
28
The need for hierarchy displaces the problem of trust back one level. Trust
among community members can only be maintained if they trust the administrators
who are running their community. However, administrators do not have meta-‐
communities of their own to guarantee their good behavior, and hence need to fall
back on costly signaling and other hacks to signal their trustworthiness (and also,
sometimes, deliberately to abuse it).
These online communities resemble stripped down societies and states in
crucial respects. Specifically, they bear a distinct resemblance to the “states of trust”
depicted in Margaret Levi’s work. They are cousins of these states – from the distaff
side of the family to be sure, but with enough physiognomic similarities that one can
see them as family members. Just like Levi’s states, they support trust and
trustworthy activity among their ‘citizens,’ so long as the ‘states’ are seen
themselves as committed to long term principle rather than short term gain.
Because these communities operate in reduced form, one can easily see that
they support Levi’s, rather than Hardin’s account of the relationship between states
and citizen trust. Community members surely trust the administrators of their little
islands of criminal stability to some degree, since they have to. This is not to say that
this trust is always well placed or well advised. But no theory should limit trust only
to cases where it is ex post merited, since abuses of trust are as important to its
constitution as its justification by events.
Very obviously, criminal communities are not a perfect model for the larger
societies that they are embedded in. There, very plausibly, vast institutional forces
play a more important role than the more intimate forms of knowledge we associate
29
with trust. Yet as these communities show, trust of the traditional kind can turn up
in the most unlikely of places. It is plausible that there are other (and more readily
attractive) forms of trust to be found elsewhere in the interstices of our
technologies.
Bibliography
Afroz, Sadia, Vaibhav, Garg, McCoy, Damon and Rachel Greenstadt (2013), Honor among Thieves: A Commons Analysis of Cybercrime Economics (eCrime Research Summit). Byrne, David (1977), “Don’t Worry About the Government,” 1977. New York: Sire. Calvert, Randall (1995), “Rational Actors, Equilibrium and Social Institutions,” in Explaining Social Institutions (eds. Jack Knight and Itai Sened). Ann Arbor, MI: University of Michigan Press. Christin, Nicolas, “Traveling the Silk Road: A Measurement Analysis of a Large Anonymous Online Marketplace,” Proceedings of the 22nd International Conference on the World Wide Web, 213-‐224. Cook, Karen, Hardin, Russell and Margaret Levi (2005), Cooperation without Trust. New York: Russell Sage. Dasgupta, Partha (2000), “Trust as a Commodity,” in Trust: Making and Breaking Cooperative Relations (Diego Gambetta ed.). Oxford UK, Basil Blackwell. Deibert, Ronald (2008) ed. Access Denied: The Practice and Policy of Government Internet Filtering. Cambridge, MA: The MIT Press. Gambetta, Diego (1996). The Sicilian Mafia: The Business of Private Protection. Cambridge, MA: Harvard University Press. Gambetta, Diego (2009), Codes of the Underworld: How Criminals Communicate. Princeton, NJ: Princeton University Press. Hardin, Russell (1998), “Trust and Government,” Trust and Governance (Valerie Braithwaite and Margaret Levi, eds.). New York: Russell Sage Foundation.
30
Kreps, David (1990), “Corporate Reputation and Economic Theory,” in Perspectives on Positive Political Economy (James Alt and Kenneth Shepsle eds.). Cambridge UK: Cambridge University Press. Levi, Margaret (1998), “A State of Trust,” Trust and Governance (Valerie Braithwaite and Margaret Levi, eds.). New York: Russell Sage Foundation. Moore, Tyler, Richard Clayton and Ross Anderson (2009), “The Economics of Online Crime,” Journal of Economic Perspectives, 23,3:3-‐20. Schelling, Thomas (1960). The Strategy of Conflict. Cambridge MA: The Belknap Press. Taylor, Michael (1987), The Possibility of Cooperation. Cambridge UK: Cambridge University Press. Yip, Michael, Shadbolt, Michael and Craig Webber, “Why Forums?: An Empirical Analysis into the Facilitating Factors of Carding Forums,” Proceedings of the 5th Annual ACM Web Science Conference, 453-‐462.