Are you a bot or a person? That is difficult to ascertain from across the Internet – but often essential. For instance, social media platforms provide more meaningful interactions if the content is provided by real humans, decentralized governance processes benefit from power being distributed more evenly across many voters, and the bootstrapping of token economies becomes fairer if tokens can be distributed evenly to individuals. All of the above are highly relevant for the IC, which hosts multiple social networks, provides decentralized governance processes, and allows for the tokenization of the dapp services that run on it. But the IC is not only a beneficiary of thwarting bots - it can also provide the solution!
Virtual people parties, coordinated by the Internet Computer, establish the personhood of otherwise pseudonymous identities. In a virtual people party, a small group of users validates each other’s personhood in a process that is fast, easy, and anonymous! For the time of the party, users provide a deposit of 1 ICP which can be withdrawn after the party is complete. During the party, which only takes a few minutes, users are divided into small groups and meet in a special video-chat application on mobile phones. But, unlike a typical video call, users do not show their faces or reveal their identity. Instead, users prove their personhood by directing the camera at the environment and reacting appropriately with camera movements to the requests of other users. At the same time, the video stream of the environment serves to validate the user’s location. This ensures that no user can participate in multiple groups simultaneously.
The next step (as mentioned in the timeline section) is that @bjoern will post a richer 1-pager on the details of the people parties (implementation, benefits, risks, etc…). This is something on which Bjoern is the expert and can better explain. But please do not hesitate to ask any questions.
There will have to be iterations through which we expand the set of people who can participate more and more. Let us see what works first and then iterate. For example, the first limitation will be that everyone has to speak the same language (English). Then we can iterate and introduce more languages and group people of the same language together.
So regarding disabilities, yes, it requires speaking and hearing. But that can also be replaced by on-screen written instructions. Just not in the first iteration.
Nobody is supposed to show their face, only the surroundings. The app will use the outward facing camera, not the selfie camera. If someone doesn’t do that (show surroundings) then the others can immediately vote “deny” and once a majority has voted then the prover’s stream will immediately end. We could improve this behavior by introducing another button that allows each individual to mute any stream immediately without having to wait for a voting majority.
I think this is a fantastic idea and is definitely needed at this time. I think it should be pursued as soon as possible, so I really like the timeline that has been proposed.
Is this going to be incorporated into the NNS in some way where it can be known by the governance canister and ledger canister that specific neurons have been validated at the people party? Will the people party validation apply to a single neuron or multiple neurons? Will the people party validation apply by Principal ID or by internet identity? I’d like to know more about what specifically will be validated on the back end at the people party.
A user that is validated will be able to designate a neuron that will receive a voting power boost. The NNS will obtain the ids of those designated neurons from the people party backend canister. Our current plan is to have each validated user designate one neuron to receive the boost.
The validation applies per principal. The people party canister is independent of Internet Identity; of course, Internet Identity can be used to authenticate toward the people party canister. But there is no reason why other authentication methods would not work.
The backend actually does not validate a lot – it coordinates. The validation will be performed by other users in the same group, which vote on each participant. The backend canister does the tally. I hope to give a few more details in the 1-pager (may become a 2-pager) that I am just writing.
This is great. Thank you for the clarification. There is a downside to only boosting one neuron per person that affects me and I’m sure many others. Very soon after genesis I decided to set up two neurons and stake them equally because I wanted one to go to each of my kids some day. Now I kind of wish this was a single neuron. There has been previous discussion about being able to merge neurons and/or split neurons, but that is not available yet. I just wish there were a way to address this issue if it turns out that I am not able to get full benefit of people parties due to my decision to stake multiple neurons in the early days.
Anyway, thanks for working on people parties. I’m looking forward to learning more and can’t wait to participate.
The boost will be additive, in that it will give an additional x “virtual” ICP worth of voting power for some amount of time. The boosted neuron will receive increased rewards for that time. But you can spawn those rewards any time and use them to top up the other neuron – I think it will not be hard to make both neurons equal through this mechanism.
If you are going to have this feature it would be nice to have a merge/split neuron feature in the NNS. I separated them out for family inheritance reasons, but if I could merge and split easily I wouldn’t have to do this. If I only get to boost one neuron I want all my #8yeargang neurons participating!
Hmm…I’m interested to see the fuller explanation. Hopefully we’ll all consider every possible way it could be gamed.
For example, what stops me from staking 100 ICP and overwhelming my own people party?
I suppose if the people parties all happen at one particular time, and the voting has to be unanimous, as long as one honest human is present, perhaps this could be mitigated.
But even in a simple attack, I could just stake 2 ICP and hold up two phones, especially if I end up getting into the same people party, I’ll just wait my turn for each phone.
We’d be more than happy to get your thoughts. The one-pager (actually, it’s two pages) is now almost complete and should be posted here within the next hour or so. Just coordinating internally.
Depositing more than 1 ICP does not give you any direct advantage.
Correct, all calls happen at the same time, and every user must be in a distinct location. Which means you could be able to join with two phones, but only one will show the expected locations, which should be detected by the verifiers on the call.
I’ve thought about this a fair amount and I’ve come around to the idea. Although I am slightly concerned that the proposal will dilute the returns of my 8-year neurons, I think that the value this could add to ICP is immense. First, if we do the people parties, the returns for holding a 1 ICP neuron–which I believe is the minimum–will be staggering. Because of those returns, millions of people could be incentivized to buy and stake 1 ICP and attend a people party to supercharge their neuron. That would lock away millions of ICP and provide constant demand for the token as more and more people try to supercharge a neuron. Second, if millions of people buy at least 1 ICP to stake and supercharge, millions of people will then have an incentive to use and grow the network. Moreover, those people would (by definition) already have an internet identity, so it would be seamless for them to join any upcoming dapps built on the platform. Finally, it could also help solve the “bot” problem that a lot of dapps face now.
Am I the only one that gets worried every time the foundation steps into app building? I get it that NNS and Ledger, etc. are essential to the functioning of IC. But People Parties seems like it could be built by anybody in the community? Am I missing the point? Is there any essential feature here that cannot be tackled by the community?
I don’t mean to sabotage this effort, but it can be seen as platform risk, not unlike what Microsoft/Apple/Google/Facebook/… does.
Or maybe I shouldn’t be worried, because so far only II is a semi-good quality app, and all the others are disappointing to say the least. If it turns out to be another nns.ic0.app, the community probably will just have a good laugh and move on.
The virtual people parties have some perks over in-person people parties. Virtual is a lot more accessible. Anyone can join, even if they are geographically isolated from other internet computer users or even if they are at work or with family or at another commitment (just take a few minutes break at the time of the meeting). One of my questions is what radius will be used on the location sensor? I can imagine that in densely populated areas that if two+ people tried to verify who lived in the same high rise, they could both be disqualified. Maybe for now we could assume people are few enough and distributed enough, but as the internet computer gets more users over the years, the user location overlap could become an issue. Maybe at the party time those users just have to go to a less dense area? I don’t think this location uniqueness requirement is a bad trade-off for now, but it is one that the proposed model makes.
One problem that I think gets addressed well with the proposed format is duplication. I think what @lastmjs is asking about is what stops a person from making 100 different accounts (via 100 ICP) and overloading their people party? I think this question assumes a local people party. But the advantage of the virtual method is that we have a (I assume) geographically randomly distributed people party since all of them happen at the same time. So a bad actor would have to have many of their bots picked out of a pool of all internet computer users into the same random group. The odds are just so poor that I don’t think it’s worth it.
The other logistical trade is the universal time. For 1/3 of the world’s time zones, the party will occur during obscure times when they would normally be asleep. It’s a price we pay, but it might be a nice gesture to cycle the time of the party through time zones.
I’m also curious about the setup of not showing your face in the party. Is this to help against any sort of discrimination? Protect privacy? What if instead you have to just mimic various finger movements and/or foottaps or in extreme disability cases face movements. You could still preserve privacy while proving a bit more explicitly your humanity. I think the possible concern now would be that a bot maker could still manipulate the phone using a setup of motors controlled remotely while listening remotely to the instructions for many bots in many locations. This hack wouldn’t be trivial though, so this proposal is not a bad workaround for now.
Groups may eventually need to be organized by language (not just English default), but we would need to ensure a large enough user pool to assure that you couldn’t game the system with a flood of bots in a poorly represented language.
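The odds argument in the post above (many duplicate accounts landing in the same randomly drawn group) can be checked numerically. The following is an added example, not part of the original thread or of the people party code; the pool size, group size, and the simple-majority rule are assumptions, since the thread does not state them, and it models only uniform random group assignment.

```python
from fractions import Fraction
from math import comb


def capture_probability(pool: int, sybils: int, group: int) -> Fraction:
    """Probability that one randomly drawn group contains a strict
    majority of identities controlled by a single operator.

    pool   -- total identities registered for the party (assumed value)
    sybils -- identities controlled by one operator (assumed value)
    group  -- identities per validation group (assumed value)

    Group membership is modelled as sampling without replacement, so the
    number of operator-controlled seats is hypergeometric.
    """
    if not (0 <= sybils <= pool and 0 < group <= pool):
        raise ValueError("need 0 <= sybils <= pool and 0 < group <= pool")
    majority = group // 2 + 1              # strict majority of the votes
    honest = pool - sybils
    total = comb(pool, group)              # all equally likely groups
    favourable = sum(
        comb(sybils, k) * comb(honest, group - k)
        for k in range(majority, min(sybils, group) + 1)
    )
    return Fraction(favourable, total)


def compare_group_sizes(pool: int, sybils: int, sizes):
    """Return {group_size: probability} so a designer can see how the
    group size parameter changes resistance to duplicate accounts."""
    return {g: capture_probability(pool, sybils, g) for g in sizes}


if __name__ == "__main__":
    # Constructed scenario: 1000 participants, 100 of them duplicates.
    for size, p in compare_group_sizes(1000, 100, (3, 5, 7, 9)).items():
        print(f"group of {size}: P(majority captured) = {float(p):.6f}")
```

Because the result is per group, the probability that at least one of many groups is captured grows with the number of groups, which is why the language-pool concern in the same post matters: a small pool raises the duplicate share.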
I’m also curious to know the location check mechanism. If the video app is a web app, hacking that location check I believe is trivial. I can simply set a breakpoint on the frontend and change the coordinates before sending them to the canister or to another user.
If an Android or iOS app is used, I think hacking the location check is more complicated, but still doable, especially if the source code to the application is available, easily allowing users to install locally modified binaries.
The only solution I see, which is still subject to side-channel attacks, is a secure hardware module that can sign location information generated from within the module. To my knowledge retail electronics do not have these types of modules in most phones or desktops/laptops.