Reputation-based Systems: a security analysis

ENISA Position Papers represent expert opinion on topics ENISA considers to be important emerging risks or key security components. They are produced as the result of discussion among a group of experts selected for their knowledge in the area. The content was collected via wiki, mailing list and telephone conferences and edited by ENISA.

This paper aims to provide a useful introduction to the security issues affecting reputation-based systems by identifying a number of possible threats and attacks, highlighting the security requirements that such systems should fulfil, and providing recommendations for action and best practices to reduce the security risks to users.

Examples from a number of providers are given throughout the paper. These should be taken as examples only; there is no intention to single out a specific provider for criticism or praise. The examples provided are not necessarily the most representative or important, nor does this paper aim to conduct any kind of market survey: other providers not mentioned here may be equally or more representative of the market.

Audience

This paper is aimed at providers, designers, the research and standardisation communities, government policy-makers and businesses.
