Blog

We argued previously that there is a need for a system of identity for Semantic Web Agents, particularly in the process of making judgements of trust.

Examining the requirements of a system of identity, we recognise that such a system cannot count on universal uptake among Semantic Web agents, and therefore it cannot require each agent to state an identity for itself. Additionally even if universal uptake could be relied upon, we cannot count on the honest and benevolent behaviour of every Semantic Web agent. Thus, as we briefly mentioned at the end of our previous post, a system of identity for the Semantic Web must be primarily built around observable characteristics as a measure of identity.

As an analogy; when surfing the Web you would not rely on a Website’s claim that it is your bank’s online portal, you would rely on the factors you can observe (such as the domain name and also the digital certificate) to inform your judgement. Digital certificates are especially important if you are connected to the Internet over an untrusted network connection.

Building on our earlier example of a rudimentary HTTP-based Semantic Web agent, suppose we request a URI from it, and receive some RDF in response. The data we collect about the identity of the agent may look something like the following:

@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>.
@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.
@prefix ex: <http://example.com/ont/>.

_:agent1
	rdf:type 	ex:HTTPAgent;
	ex:port  	80;
	ex:host  	"agent.example.com";
	ex:ip    	"10.0.0.1";
	ex:time  	"2010-04-14T14:37:37Z"^^xsd:dateTime.

Suppose at some later date we again communicate with the agent at the domain agent.example.com, and in the process observe that the DNS entry has changed, and the domain now refers to a new IP address. Do we then consider this to be the same agent which we have previous experience of? Further, is the information we have sufficient to make such a decision? Other attributes may influence the judgement of similarity if they significantly alter the behaviour of the agent, software version numbers or digital certificates, for example.

Returning to our analogy, if your browser stored the credentials for your bank’s online banking portal, you would specify very strict criteria, very similar to what we described above, to dictate which websites are permitted to see this information.

Below follows a second observation record, for an interaction with the same agent at a different IP address.

_:agent2
	rdf:type 	ex:HTTPAgent;
	ex:port  	80;
	ex:host  	"agent.example.com";
	ex:ip    	"10.0.0.2";
	ex:time  	"2010-04-14T14:37:37Z"^^xsd:dateTime.

It is possible to encode our criteria for equivalence using OWL (to some degree) such that a reasoner can identify that two agents are in fact the same entity. This involves declaring a class of all things which meet the criteria of being a particular agent such that those which meet the necessary and sufficient criteria may be considered the same.

Unfortunately the equivalence afforded by OWL causes the effective merging of the identifiers, such that, as below, the metadata from the two different requests becomes inseparable.

_:agent1
	owl:sameAs   	_:agent2;
	rdf:type 	ex:HTTPAgent;
	ex:port  	80;
	ex:host  	"agent.example.com";
	ex:ip    	"10.0.0.1";
	ex:ip    	"10.0.0.2";
	ex:time  	"2010-04-18T10:24:12Z"^^xsd:dateTime;
	ex:time  	"2010-04-14T14:37:37Z"^^xsd:dateTime.

The problem with this approach is not the use of OWL classification (though it is somewhat ill suited to this task), rather it is the result of a simplistic ontology design. We acknowledge that this crude example ontology has many flaws (the assumption that a HTTP agent operates on a sole port and network address, for example), however to fully satisfy our potential requirements we must adopt an event-based ontology design, as these observations are inherently temporal in nature.

Open Data movements are gradually gaining traction; government transparency efforts in the US and the UK have begun to release data-sets, some of which are published in Linked Data form. As the range and variety of Semantic Web data publishers grows, it is increasingly important that we address the problem of trust.

Previously we discussed the challenges of a trust layer for the Semantic Web, and more recently, how we think these challenges should be faced. We are convinced that provenance and reputation information will be a crucial basis for Semantic Web trust decisions.

Reputation and provenance are by no means new subjects in the domain of Computer Science, both are grounded in substantial bodies of literature. Existing techniques will likely require some adaption in order to match the challenges of the Web of Linked Data.

Hartig and Zhao‘s provenance vocabulary for Linked Data does exactly this, taking existing provenance techniques in a Web-friendly direction, recognising the distinctions between data curation, publishing and access. To do similar for reputation mechanisms will not be prohibitively difficult, however there remains a missing piece of the technological puzzle: a system of identity.

A notion of identity is necessary for any judgement of trust in order to fully link together available information. The FOAF vocabulary gives us identifiers for people, and the FOAF+SSL proposals allow us to prove the ownership of (Web of Trust, or PKI style) digital certificates, however there is of yet no accepted means of identifying a Semantic Web software agent (e.g. a Webserver) beyond the foaf:Agent type.

In order to properly describe the identity of a Semantic Web agent we require more information than a single URI. For example, in the case of a HTTP-Based Semantic Web agent (a Webserver), metadata such as the hostname and network port is to some purposes integral to the identity of the agent. To avoid coining a new identity with every HTTP request we must have some criteria by which we judge that the other parties of different data exchanges are the same entity.

An important point to make here is that we cannot rely on declarative identities, that is we cannot count on universal uptake among Semantic Web agents of a vocabulary in which to assert identity. Thus an appropriate identity mechanism must consider both observational identities (identities coined by another agent based on its observations) and declarative identities.

One of the issues which my internal examiner raised with my interim report was that while I described the differing definitions of trust in the field, I failed to describe the definition I was adopting for my work. This post attempts to describe my definition of trust, in the range of contexts in which it is used.

Depending on the context in which it is used, the term trust may identify a number of different forms of trust, and the distinction between them is rarely made. We describe our definition for each of these below.

Trust as an act

We consider this to be the primary meaning of the term “trust”. Trusting is the act of relying on the behaviour of another individual in an uncertain environment, where it is subjectively perceived that the outcome of the situation is contingent on the behaviour of the other individual.

Morton Deutsch’s definition of trust is perhaps the most widely accepted, it states that:

1. An individual is confronted with an ambiguous path, a path that can lead to an event perceived to be beneficial (Va⁺) or to an event perceived to be harmful (Va⁻);
2. they perceives that the occurrence of Va⁺ or Va⁻ is contingent on the behaviour of another person; and
3. he perceives the strength of Va⁻ to be greater than the strength of Va⁺.

If he chooses to take an ambiguous path with such properties, I shall say he makes a trusting choice; if he chooses not to take the path, he makes a distrustful choice.

We differ in opinion with Deutsch on two counts; we don’t consider it necessary for Va⁻ to be harmful, only that it be less preferable than Va⁺, and thus also that the relative strengths of Va⁺ and Va⁺ need not be a factor in whether it is labeled a trusting choice or not. Reference information for Deutsch’s work can be found on Google Scholar and the above passage is reproduced from Marsh’s PhD Thesis on trust as a computational concept.

As an aside, we do not believe that one can trust in an inanimate object, the true target of trust must be elsewhere. To trust in the strength of a tree branch is instead to trust that ones own internal models and estimates of its strength are correct. To trust in a safety harness is a similar situation, one does not trust the harness itself, instead one trusts first ones own personal judgement that the safety harness appears safe and then that those who are responsible for constructing and maintaining the harnesses have done so with due care and diligence.

Trust as a decision

The decision of whether or not to trust is a choice between different courses of action, of which one or more is a trusting path, and one or more is a path which does not rely on trust. When dealing with complex, multifaceted decisions, potential paths may include measures to decrease the degree of risks or selectively avoid particularly risky events, thus it is often possible to take a trusting path which does not rely on trust in every respect.

The degree of risk, the stakes, and the utility of potential outcomes may all play a role in the decision of whether to trust, however one must remember that their evaluation and weighting are inherently subjective.

Trust as a bond

Trust as a bond between two people is the notion that they are able to comfortably rely on the behaviour of each other. Thus a bond of trust is the confidence that each will act in the best interests of the other when placed in a scenario where the utility of the other is contingent on their own actions.

Trust as a property of society

Trust within society arises from the confidence that other members of the society share the same core values and ideals as oneself, and the conjecture that they will therefore behave in a manner which is consistent with these.

These behavioral expectations — or social norms — are enforced within the group and breaching them can lead to punishment and exclusion. For an extensive discussion of the roles trust plays within society, see O’Hara’s book “Trust: from Socrates to Spin”.

Previously we explored the challenges of trust on the Semantic Web and described our take on how we might go about engineering a trust layer for the Semantic Web technology stack. This post elaborates on the challenge of making a judgement of trust.

Recalling the two questions posed in the previous post:

1. Can I rely on this piece of information?
2. Can I trust this service provider?

As we observed previously, both questions call for a judgement to be made based on available information.

Consider the first question, of whether to rely on — and therefore trust in — a piece of information. We believe this decision should be based on the level of belief that is held in that statement. Furthermore, our level of belief in a statement should be grounded in an assessment of its credibility and plausibility.

To clarify further, we consider the credibility of a statement to be an assessment of the reliability and trustworthiness of the agents and processes involved in its assertion. Such an assessment would likely include analysis of the provenance data associated with the statement, as well as a review of reputation information and first-hand experiences of the actors and processes involved.

With respect to plausibility, we consider it to be a measure of how likely a statement is to be true, against the background of our existing knowledge, taking into account confirmatory or contradictory knowledge and trends.

The second question has much in common with the first; while the primary concern of the judgement is over the expected behaviour of the service provider, it too must be concerned to some degree with the provenance of information. Reputation information is valuable in judging expected behaviour and facilitates interactions with yet un-encountered providers, however the provenance of reputation information is also important because disreputable sources may provide fraudulent information when collaborating with disreputable service providers.

Therefore, if we are to construct an ecosystem of Semantic Web technologies in order to engineer trust as a macro phenomena, we must first engineer robust provenance and reputation systems for the Semantic Web.

Trust has long been foreseen as challenge for the Semantic Web research community, appearing in the upper echelons of the Semantic Web Layer Cake technology stack, however Semantic Web research around the topic of trust does not seem to have a clear idea of what exactly this challenge is.

Jen Golbeck‘s prominent work with Semantic Web technologies has harnessed trust within social networks, putting it to tasks such as Email filtering and film recommendation, unfortunately this does not really shed any light on the role trust might play in the Semantic Web technology stack.

If we unpack our expectations of a Semantic Web trust layer, taking the time to consider what we expect it to achieve,  by what questions we wish to be able to ask of it, we generally arrive at two questions:

1. Can I rely on this piece of information?
2. Can I trust this service provider?

These two questions are fundamentally different; the first pertains to the truth of a piece of information, whereas the second concerns the probable behaviour of another agent. However both are similar in that they require a judgement to be made based on information such as provenance and reputation.

To construct a trust layer we require both the capacity to make such judgements and the information on which to ground such decisions, both of which represent sizable research challenges.

The Semantic Web trust layer will not be a single technology, rather a collection of interacting techniques and standards whose emergent macro phenomena we must engineer to be trust.