The MetaCert Protocol White Paper: Design Goals

This section covers the Protocol's design goals: reputation behavioral signals, the user interface, our adoption strategy, and Protocol integrations.

Paul Walsh
METACERT
Jun 17, 2018

Download a PDF version of the White Paper

Contents

Clicking on each heading will take you to that section’s Medium post.

1. Index

2. Introduction

3. The MetaCert Protocol

4. Token Mechanics

5. MetaCert’s Prior and Related Work

6. Design Goals

7. Solution: The MetaCert Protocol

8. Future Work

9. Token Sale Breakdown *(This section is not in the PDF)

Design Goals

The Protocol can become the world’s biggest decentralized, categorized registry of URI intelligence with the highest quality of data. If this comes to fruition, we expect the Protocol to be the de facto protocol layer for determining trustworthiness and reputation of URIs. The Protocol will also be designed with ease of use in mind, so participants can contribute to it through any of their connected devices and applications.

The tokenized economy of the Protocol is being developed to scale faster than any previous or existing threat categorization method because of its built-in incentives, and it will be infinite because it is hosted on the blockchain. The Protocol will enable participants to contribute to something that is profound, benefiting people today as well as future generations.

Our Protocol will enable anyone to submit URIs for categorization. The Token allows us to incentivize good behavior while removing the attraction for bad actors to submit poor quality data.

Individuals who are considered experts in their respective fields can quickly become Validators, while others who are not classified as experts or experienced in a particular category can submit URIs on day one. They can strive to become Validators once they have achieved “expert level” reputation for categories on the Protocol.

Reputation Behavioral Signals

We are designing an incentive system whereby Submitters and Validators are each given a weighted reputation score based on behavioral signals and other data points from interaction with the Protocol.

The system is constantly attributing reputation points towards each participant’s reputation score based on the recorded outcome from each of their submissions and validations.

The following list displays how reputation points may be allocated to each participant. Some or all of these may be considered depending on the resource type being categorized and the information that is being attributed to that resource. These signals include:

  • Total number of submissions
  • Percentage of submissions that were validated successfully
  • Percentage of submissions that were unsuccessfully categorized
  • Percentage of submissions that fail to resolve (e.g. there is no content on the domain name)
  • Length of time a participant has been in the Protocol
  • Number of submissions associated with specific resource types or categories (e.g., if a Submitter always submits URIs to be validated in the Sports category and they are always validated, they might be flagged to become a Validator of future Sports submissions)
  • The utility of submissions (e.g., if a Submitter has a low frequency of participation but the quality of their submissions is high and the utility is high due to the consumption of the data, they may be considered for becoming a Validator)

This is not an exhaustive list as the Token mechanics are far more complex in reality. While we don’t yet apply Artificial Intelligence (“AI”) to further improve the reputation system for our Token, we will implement machine learning techniques from the start so we can build a big enough dataset from which to apply AI in early 2019.

User Interface

MetaCert is building two user-friendly interfaces, a website and a mobile app, that will allow anyone to submit, review and validate information about URIs to help categorize the Internet. These interfaces will be available within 28 days of the first Tokens being allocated to participants.

It will now be possible for anyone anywhere in the world to submit, review and validate URIs into the most appropriate category type. All that is required to participate and be rewarded in Tokens is a computer or smartphone.

Submitters propose a category and other additional information, and Validators review and validate their submissions. Participants will be able to check their Token rewards from the website dashboard or app.

When someone submits a URI for categorization under a category such as “Pornography,” crawlers and other tools are used to automatically validate the submission. Each URI that is not categorized is added to a review queue. Validators may access the review queue and earn Tokens by helping to validate these URIs via the web interface.

With nearly one million unique domains waiting to be reviewed, both Submitters and Validators will be able to review and propose a suitable category for each domain on day one — earning Tokens immediately.

Authorized add-ons such as MetaCert’s own Cryptonite, or others such as the popular MetaMask [24] extension, may be used to enable submission and validation of links for registered users. These add-ons will also have the capability to store Tokens earned that users can then add to their wallets at a later date.

User interaction touch points will be created in our Slack, Telegram, Skype, and Messenger bots so that users can easily submit, and potentially validate, URIs.

Adoption Strategy

MetaCert currently has paying customers that consume and contribute to our proprietary, centralized, categorized registry. To kick-start participation in the Protocol we will incentivize our existing community and End Users to become contributors by rewarding them for the participation they already contribute as goodwill.

The early participation of existing users to submit and validate URIs will greatly encourage future participants. This effort will help create and demonstrate best practice principles to users of other products from companies such as messaging platforms, browser vendors, and others that build upon the decentralized Protocol.

Many companies install MetaCert to protect their end-users from phishing scams inside Slack, and some of these are communities of more than 10,000 users. Every End User is a potential participant in our registry, as their submissions and validations would improve the registry that is used to protect them.

Many customers and End Users already report phishing links on a daily basis. We look forward to being able to reward them for their work and automating the process of validation through the Protocol, thereby removing MetaCert as a central authority in the validation process. Participants and stakeholders will use multiple channels to report these links — via email, Twitter, their own Slack community or through our own Slack group.

When a crypto company installs MetaCert for Slack, it automatically protects their public and private channels. However, users must activate the MetaCert Slack bot if they want their direct messages (DMs) protected. Given that most phishing scams are sent via DMs, it is vital that users activate this security feature. While customers do their best to encourage users to activate the bot, it remains an uphill battle to educate them.

We will reward End Users with Tokens when they activate the MetaCert-provided security feature(s) required to protect their DMs. We will also reward customers for every user who activates the bot. By rewarding each stakeholder for diligent security practices, we will end up with a better protected community and an amazing content marketing strategy for MetaCert. Customers and End Users who report suspicious links will also be rewarded with Tokens.

By getting the MetaCert brand and value of the Token in front of every community protected by our software, we increase the number of Token participants in our Protocol. MetaCert is the company Crypto companies turn to when they require advice about security or better protection for their community, and our customer base is growing.

Who Will Use The Protocol?

We envision the Protocol as an additional layer to the Internet Protocol Stack. It can serve as an integral protocol on the Internet or it can be integrated within hardware or software that sits on top of the Internet. The Protocol will therefore be employed by a variety of users, from those browsing the Internet with safety in mind, to developers and companies wanting to purchase access to the data in order to focus their efforts on building their products and services.

Information stored on the Protocol and accessible by Purchasers will include (i) ownership identity, (ii) reputation ratings, (iii) content category type, (iv) submission information, (v) validation records and (vi) dispute timestamps.

The Protocol will provide purchasers an opportunity to integrate the data directly into their existing products and allow innovators to create new products that would not have been possible without it.

The following are some of the problems we believe the Protocol can and will address:

Web Browsers

Problem: There are a variety of third party blocklists used by web browsers to help identify and block known malicious and phishing websites, including cryptojacking malware and fake cryptocurrency exchange websites. However, these lists are either controlled by a central authority or populated by members as community service without monetary reward. As such, these lists are prone to false positives and these authorities are slow to respond to new cyber threats as they rely on legacy review procedures. Additionally, these browsers do not offer a native way to block content categories, such as XXX, entertainment and others.

Security Software/Products

Problem: Security companies currently provide software and hardware based products using a mix of proprietary and third party data to identify and block well known phishing, malware and ransomware websites and applications, yet these firms are not nimble enough to promptly keep up with newly discovered cyber threats.

Certificate Authorities (CA)

Problem: With the introduction of free, automated certificates, there has been an uptick in the number of HTTPS phishing websites using these certificates. One particular CA has issued over 15,000 certificates for “PayPal” phishing sites. As users have been conditioned to look for the padlock, they are given a false sense of security when visiting a phishing site. In addition to free certificate abuse, industry experts are warning that Extended Validation (EV) certificates, which require a more robust verification process, can also be spoofed and used by malicious actors.

Social Networking Services

Problem: On Social Networks, identity is paramount. Unfortunately, identity remains broken on these services as they are inundated by fake celebrities, influencers and brands that peddle affiliate spam and phishing websites to their users.

Web Browser Extensions/Add-Ons

Problem: Existing browser security add-ons utilize centralized data, typically hosted on a few servers or vendor accounts which could be compromised. Additionally, fake versions of these add-ons are regularly installed by thousands [25], and in some cases millions, of users who have few ways to verify their authenticity. Recently, Google failed to shield as many as 20 million consumers who downloaded malicious add-ons purporting to provide various services from the Chrome Web Store. [26]

Mobile Apps with a WebView

Problem: Developers creating mobile applications that utilize WebView to display Internet content or allow users to share links have no straightforward way to block malicious content or warn users about unwanted content.

Platforms and Advertising Networks

Problem: Most consumers don’t know the difference between real and fake news, and brands, agencies and platforms don’t want to risk their reputation by being associated with false content in their advertising. With bot armies on social networks elevating false stories, it is challenging for small, disparate teams to tackle these head on.

Crypto Exchanges and Block Explorers

Problem: Currently, cryptocurrency exchanges and block explorer websites have no robust way to identify and report wallet addresses used in suspicious activity like phishing scams. Additionally, these websites do not have a way to verify known good addresses associated with Initial Coin Offerings (ICOs) or legitimate projects.

Messaging Platforms

Problem: The ubiquity of messaging platforms across the Internet and mobile devices is astounding, so much so that they’re largely replacing email as a preferred method of communication. As such, these platforms are hotbeds for malicious spam and phishing scams. If a messaging platform uses any third party blocklist, it is centrally controlled and isn’t robust enough to react to newly discovered threats.

App Stores/Marketplace Integration

Problem: Authenticity for mobile applications in app stores and marketplaces is a problem facing End Users and developers. Over the last several months, the Google Play Store has been rife with cryptocurrency related scams [27], from fake cryptocurrency exchanges and wallets and gift offers to mobile cryptomining [28]. These fake applications would lead to monetary loss for End Users and tarnish a company’s image, while cryptomining could damage one’s device. Trying to keep up with fake applications is challenging enough for a central authority; verifying legitimate applications is an ongoing process, and it’s unclear how long verification takes. This leaves a window of opportunity for scammers to take advantage of users.

Bot Verification

Problem: With the rise of messaging applications and the subsequent development of chatbots, users and developers face similar challenges as mobile applications. Companies that utilize these bots give away much of their privacy. It is unclear how their information may be used in the future. Unverified bots could also be used to trick users into downloading malware or lead to phishing websites.


🖌 Please feel free to respond with questions or comments about anything you read in our White Paper or Technical Paper directly within Medium, and be sure to engage with other members of the community who also have questions or comments.

🔐 MetaCert Protocol is based on established enterprise-grade technology that powers live products. These products protect hundreds of thousands of people on the Internet today, but this is just the start. We need the community to help us iterate this work. Together we can help make the Internet a safer place for everyone.


Install Cryptonite to help protect your crypto from phishing scams. https://metacertprotocol.com/cryptonite

Use our Telegram Security Bot to check the status of links and crypto addresses, and warn users about phishing in Telegram communities. https://metacertprotocol.com/telegram-bot

Join our Telegram channel where you can engage with the core team and the community. https://t.me/metacert


Paul Walsh
METACERT

MetaCert CEO. Passionate about Cybersecurity, Blockchain, Crypto, Snowboarding & Red Wine. Part of the AOL team that launched AIM. Co-founded 2 W3C Standards.