Ultimate Decentralization Using Virtual ‘People Parties’ to Deliver ‘Proof of Personhood’ at Scale
Numerous teams are working on different technical enhancements to the Internet Computer blockchain (if you are looking for a quick introduction to the project, take a look at this infographic). One recently made a sudden appearance, creating some controversy, called “people parties”. This new project will reach fruition soon, and aims to help people easily anonymously prove personhood, for the very first time. It will support general aims of our ecosystem, including increasing the decentralization of governance, increasing the decentralization of the network, and help keep decentralized web3 social media clean. This has been made possible through a wonderful inventive step. Let me explain and run you through why this is so exciting.
To begin, imagine a future online world or metaverse, in which every individual human being could magically prove their personhood when required, but without revealing anything about themselves. In this future, services and benefits could be provided equally to every person, irrespective of who they were, and without their actions or preferences being tracked or profiled. Concepts such as “one-person, one-vote”, and Universal Basic Income, could easily be implemented, in which benefits are provided equally as a human right, with the only requirement being that each participant is a real person who can participate exactly once, and once only. Such “proof of personhood” capabilities could also be leveraged by decentralized systems that derive their security and resilience from dividing responsibilities between separate parties, and are undermined when apparently separate digital identities are in fact controlled by a single dishonest actor. Proof of personhood at scale would be a game changer.
For such reasons, anonymously proving personhood has been a holy grail in crypto for some time. However, technical challenges have prevented “proof of personhood” systems taking off. For example, drawing inspiration from PGP key signing parties, academics have proposed in-person “pseudonym parties” (see also), that would be thrown simultaneously at different locations around the world on some date, and be attended by those wishing to prove personhood. At these in-person events, attendees could deposit exactly one cryptographic public key, which would act as a single anonymous identity mapped to their person, because as a physical being, they could not attend multiple parties at once. While this idea makes sense, the scheme however suffers practical shortcomings: party attendance and associated travel is onerous leading to low participation; bad actors might target the parties; attendees can be identified at the parties; vast numbers of parties must be thrown around the world to ensure everyone can attend, which involves tremendous organizational effort, expense and infrastructure and ways must be found to prevent the organizers from cheating.
There are other ideas, but arguably they sacrifice decentralization or privacy. For example, WorldCoin wants to get everyone on the planet to record a unique digital fingerprint of their iris (eye) on a public blockchain — but many consider this to be a dystopian idea that exemplifies the wrong way forward. Meanwhile, for reasons explained below, if proof of personhood could be made to work at scale, it could unlock enormous value on the Internet Computer blockchain and its ecosystem. For these reasons, and to solve for specific pressing needs described below, Dfinity decided to innovate in this space, and has invented a striking new scheme that solves for the challenges. But before describing how this system can enable millions or billions to quickly prove anonymous personhood with minimum inconvenience, let’s first look at some of the ways proof of personhood can be used to improve the Internet Computer ecosystem specifically.
The Power of Proving Personhood
More Democratic Governance, And Better Economic Inclusion
The Internet Computer blockchain is governed, configured and upgraded via an permissionless public DAO called the “Network Nervous System” (or “NNS” for short). This DAO actually runs as part of the Internet Computer blockchain’s protocols, and the network automatically executes proposals it adopts, which is revolutionary in blockchain. These proposals induct nodes, form subnet blockchains, upgrade the protocol running on node machines around the world, tweak economic parameters, and much more. The Network Nervous System is a huge success, with approximately ten billion dollars in value staked inside by thousands of participants, making it the largest DAO by TVL, and important proposals are adopted and executed daily. It has enabled the Internet Computer to become the first self-directed blockchain network, which is currently rapidly evolving thanks to the large number of researchers and developers contributing to it.
To decide whether to adopt or reject proposals, the NNS leverages the votes of community members who have staked ICP tokens inside the system and created “voting neurons” (note: this staking relates only to participation in network governance, as opposed to network consensus and function, as on proof-of-stake networks). These neurons gain voting power proportional to the number of ICP staked, and the minimum time that the neuron must keep the ICP locked (known as the “dissolve delay”). They can also be configured to vote automatically by following other neurons, in a form of advanced liquid democracy, where participants are able to delegate expertise and the work involved in evaluating proposals. A challenge is that neuron voting power derives from staked ICP tokens. Essentially, a community member’s voting power, and the voting rewards that they earn by participation, derive entirely from the amount of capital they are willing — and able — to stake.
Issues with concentration of power mirroring concentration of capital are not unique to the Internet Computer. On proof-of-stake networks, in practice, many apparently independent validator nodes are controlled by much smaller numbers of “whales” who hold vast quantities of the cryptocurrency being staked. We must do better with the Internet Computer governance system. When small numbers of whales can easily control decision making, it demoralizes the broader voting community, who feel they have no agency and ability to influence the trajectory of the network. Moreover, while whales are subject to powerful incentives to vote sensibly and protect their investments, there are times when they might be on holiday, or unwell, or otherwise waylaid, which in unfortunate combination, might lead to a shortage of “sensible” votes on an important matter. Security and resilience can be improved through radical decentralization.
The solution is to enable community members to anonymously prove their personhood, and to specify a single neuron that belongs to them as a discrete human being. The Network Nervous System can then treat such neurons specially, and boost them by augmenting the real ICP that is staked inside with additional virtual ICP, thereby increasing both their voting power, and the voting rewards that the people holding them earn.
In extremis, the Network Nervous System could even add a billion virtual ICP to neurons for which proof of personhood had been assigned. This would do two incredible things:
- It would create a blockchain governed by one person, one vote
- It would create the first Universal Basic Income scheme via voting rewards in which participants are truly anonymous and cannot be discriminated against or sanctioned.
In practice, of course, the relationship between capital staked, and voting power and rewards, remains extremely important, because the need to defend capital exerts powerful incentives on those doing the staking to vote in ways that drive the long-term success of the Internet Computer. Nonetheless, there exists a continuum where there exists voting by capital is at one end, and one person, one vote at the other end, and we can greatly improve the governance of the Internet Computer by moving some way along this continuum in the direction of one person, one vote. In the process, we will activate new community members, while increasing the security and resilience of the network.
Better Network Decentralization
A key ask from the Internet Computer community, is that it should be easier to add new node machines to the blockchain’s network. This is something that Dfinity cares deeply about, and is working tirelessly to realize. Currently, the network is hosted by powerful “node machines” that must be built to a community hardware specification (if they are not, they may statistically deviate under load, for example by producing fewer blocks, and be slashed). Because the Internet Computer has been conceived and designed as a “world computer” that can one day host all humanity’s information systems and services on a public blockchain, eventually removing our dependence on traditional IT such as corporate cloud services, databases and web servers, it must be infinitely scalable, run far faster, allow smart contracts to process HTTP/S requests and securely serve web experiences and content directly to end users, and finally, run smart contracts, and store smart contract data, with hundreds of thousands or millions of times greater efficiency than other more traditional general-purpose blockchains can today.
The foregoing properties are achieved using the “chain key cryptography” schemes the Dfinity Foundation’s team of cryptographers toil on, and “deterministic decentralization”. Deterministic decentralization plays a key role, by greatly reducing the replication of computation and data necessary to meet the security and resilience requirements of a blockchain. Currently, it requires “node providers”, who are the independent owner/operators of the special node machines that host the network, providing information about themselves and the nodes they wish to join to the network. This enables the Network Nervous System to scale-out the capacity of the network by combining node machines from around the world into new subnet blockchains by carefully choosing nodes according to decentralization considerations. For each subnet, it chooses nodes that are decentralized when considering, in order of importance, the node provider operating the node, the data center they have chosen to host the node, the owner of the data center, the geography of the data center, and the jurisdiction where the data center is located (this is important since, for example, if all the nodes were hosted inside data centers in the EU, and the EU banned blockchain, then the subnet might go offline).
Deterministic decentralization works very well, but we can ease participation in hosting the network, and further increase security and resilience on some axes, by allowing a portion of nodes in subnets to be run by anonymous parties that have proven personhood. This is also important, because many in the community wish to run nodes anonymously. A further benefit will be that it prepares the ground for “Badlands” subnets, which are build from low-cost nodes run over domestic connections (whereas nodes specified for operation within traditional data centers cost upwards of ten thousand dollars each, the Badlands node specification will be derived from the Raspberry Pi, so that nodes only cost around two hundred dollars, making it less expensive and onerous for enthusiasts who wish to participate in hosting the network, while creating super highly decentralized smart contract hosting).
The reason that proof of personhood is critical to accepting anonymous nodes, is that otherwise, they might all end up being owned and operated by a small group of whales. Of course, this is already the case with validator nodes on today’s proof-of-stake networks, and this will likely result in some serious problems eventually, but those networks can partially mitigate the problem by replicating smart contract data and computation across all nodes in their network (which is one of the reasons they are so expensive to build on, and why their dapps generally maintain most of their data, and perform most of their processing, on the corporate cloud or servers). To solve this problem, there must be a way to determine that anonymous nodes are independent with some probability. This will avoid a situation where, for example, Badlands incorporates hundreds of thousands of Raspberry Pi devices, and is assumed to be highly secure, resilient and decentralized, until one day it is discovered that half of the nodes are owned by a single whale and are running out of some warehouse!
Here again, proof of personhood provides the solution. Soon, it will be possible to create an anonymous “Node Provider Profile” inside the Network Nervous System (for example, using the NNS frontend dapp, which is served from the Internet Computer blockchain, and can be found at https://nns.ic0.app). Once such profiles are associated with a proof of personhood, the owner will be able to bootstrap new node machines, and simply add their public keys to the profile, to make them available to the network. This will make participation far easier, while also greatly increasing the security and resilience of the network by allowing the network to see that nodes belong to independent persons. This will be a huge advance.
Better Web3 Social Media
The Internet Computer is the first “world computer” blockchain that supports the creation of Web3 services that run entirely from chain without the need for corporate cloud or servers. Several developers have already forged ahead with creating blockchain-hosted social media and games, many of which are planning to blend DeFi functionality in the mode of SocialFi and GameFi. Along with the metaverse, where these kinds of services will converge, these are crucial battlegrounds that will bring the first billion users into blockchain. This has not gone unnoticed by others planning to eventually win these emerging sectors for themselves. Consequently, teams of trolls have been created that firstly obtain anonymous Internet Identity blockchain authentication handles, and then create accounts on emerging social media on the Internet Computer, thereafter undermining them by posting junk content, and interacting in unhelpful ways (yes, really!). The troll farms are large, and because the trolls are often real humans, the services cannot easily stop them using CAPTCHAs. This is a challenge we must rise to!
On centralized social media, trolls and spammers are already a serious problem. However, when they are moderated or banned, centralized services can make it more expensive for them to create new accounts by anchoring account creation to external identifiers, such as phone numbers, and Google Gmail and Facebook accounts. By contrast, on Web3 blockchain social media, users may be anonymous, increasing the challenges. These problems have been brewing on social media for some time, and solutions involving proof of personhood have already been proposed.
Proof of personhood will allow users of Web3 social media to elevate their status, by associating proof of personhood with their anonymous accounts. These users can then play a role moderating other anonymous users who have not proven personhood, for example by clicking buttons that “silence” them for a period if they engage in spamming or unacceptable behavior (such systems will require that a troll is “silenced” several times, before they are actually silenced, to ensure some reasonable level of consensus). One might fear this would make those who prove personhood too powerful, but this is not the case: if those who have proven personhood act in undesirable ways themselves, they can also be moderated by others, but will be unable to create another account associated with their proof of personhood. Finally, proof of personhood will support the creation of friendly and well-functioning Web3 social media and games in a truly decentralized world where users can remain anonymous.
How The System Works
I won’t spoil the surprise by specifying the mechanisms in too much detail, and will stick to a high-level description that encapsulates the various inventive steps. Essentially, each participant attends a virtual people party using an Internet Computer dapp. By giving up only a few minutes of their time, they can then prove personhood using nothing more than their phone, in a system that is highly resistant to cheating. Because these people parties are run by smart contracts, which are able to directly interact with participants by serving web, there are no trusted intermediaries such as websites running on the corporate cloud, and there is no need to trust the “organizers” not to cheat, since there aren’t any. In principle, any number of parties can be run in parallel to allow millions or even billions of people to prove personhood at negligible cost.
To prove personhood, a participant in the scheme must first create an account in the Proof of Personhood dapp hosted on the Internet Computer. Personhood can be proven multiple times, so each account in the dapp may see re-use. At any time, there might be an upcoming proof of personhood event scheduled, which will typically be organized at weekends. Participation involves two key phases. In the first phase, prospective participants must open the dapp on their phone, and press an RSVP button for the upcoming event. They must RSVP from the location where they will attend their people party and prove personhood. The dapp will present them with the following instructions:
Please locate yourself on a street or other outside location that is verifiable by video. For example, locate yourself near a street sign. Then press OK. This will cause a commitment to your current location to be recorded with your RSVP. Your RSVP will be stored privately on the blockchain. Note that no other participant will be able to use a location within 25 meters of the location that you choose. You must return to the exact location to participate in the people party and prove personhood. If you are late, you will be excluded. Your party will take between 3 and 10 minutes to complete. The party will begin at _ on Sunday the _ of _.
The second phase involves the proof of personhood event itself. Participants must return to the location where they sent the RSVP and open the proof of personhood dapp. At the moment that the event is scheduled to start, the smart contracts behind the dapp detect who is online and wishing to attend, and organizes them into random groups of 4, each of which will participate in a separate virtual party. The virtual people parties start, and each participant attends a party with 3 others. They are given random names such as “silly-tuna” or “horse-404”.
The dapp shows each attendee the other 3 other attendees, titled by their random names. For each other attendee, the dapp displays a low resolution video feed from their phone, and a Google map showing the location from which they sent their RSVP, followed by three buttons “Not Present”, “Reject” and “Approve”. Naturally, the attendees should not show one another their faces. The first attendee is then asked to prove their location. For example, another attendee could say “silly-tuna, please show us that you are on the intersection of X and Y by showing us the street sign”, or, if the participant was in Amsterdam, say, “silly-tuna, please show us the street sign for X, and then show us the canal behind you”. Currently, an AI could not generate video in response to such commands. Each attendee thus proves their location to the others in the order specified.
In order for an attendee to prove personhood, at least two other attendees must click “Approve”. If the first attendee in the sequence succeeds in proving personhood, say, they are must still stay until the end of the party, and help the others to prove personhood, as otherwise the other attendees might change “Approve” to “Not Present”. Naturally, if an attendee does not appear to be in the location from which they sent their RSVP, the other attendees will click “Reject”.
Every party occurs simultaneously, and every participant must be online and located at the location from which they sent their RSVP. Since each location recorded by an RSVP must be at least 25 meters from any other, it will not be practical for an attendee to RSVP multiple times using multiple phones in order to cheat by proving personhood multiple times. Since the video feeds are sent directly from phone-to-phone in a peer-to-peer manner, no matter how many attendees there are, no bandwidth bottleneck is created as their numbers grow, even if millions of people participate. Parties can be completed in just a few minutes, and people will attend at weekends with minimum inconvenience. Events can be held at different times on each continent, since traveling between them will be hard.
Subject to proposals to the Network Nervous System being passed, we hope that people party events will soon run regularly, with some people attending multiple events in succession, and increasing the trust rating of their anonymous proof of personhood certificate each time. I also hope that the benefits of boosting neurons cause their numbers of grow each time. Exact details will have to wait for now, but if all goes well, this will be the very first time the world will be able to anonymously prove personhood, with great convenience, and at scale. Making this possible has been a holy grail in crypto for some long time, and I’m proud and excited that the Internet Computer ecosystem will yet again be pioneering a push into new territory.
Exciting times are ahead!