@ david
2024-08-22 22:16:43
One of the highlights for me at the first day of [nostriga](https://nostr.world) was a [panel discussion on web of trust](https://www.youtube.com/live/Zv766SV840k?t=8265) with [@Stuart Bowman](nostr:npub1lunaq893u4hmtpvqxpk8hfmtkqmm7ggutdtnc4hyuux2skr4ttcqr827lj), [@Pip the social graph guy](nostr:npub176p7sup477k5738qhxx0hk2n0cty2k5je5uvalzvkvwmw4tltmeqw7vgup), [@PABLOF7z](nostr:npub1l2vyh47mk2p0qlsku7hg0vn29faehy9hy34ygaclpn66ukqp3afqutajft), [@hzrd149](nostr:npub1ye5ptcxfyyxl5vjvdjar2ua3f0hynkjzpx552mu5snj3qmx5pzjscpknpr), and [@ODELL](nostr:npub1qny3tkh0acurzla8x3zy4nhrjz5zd8l9sy9jys09umwng00manysew95gx). This to me is one of the most important topics in all of freedom tech, so I'd like to write up a few thoughts I had while they're still fresh on my mind, most of which revolve around the calculation of trust scores. Apologies if it's a bit long-winded; I don't seem to have the time to make it shorter.
## What do we use for raw data?
There has been an on-again, off-again discussion during my time working in nostr over the sources of data that we should be using to calculate trust. In my mind we can think of the raw data as existing on a spectrum between two extremes. On one extreme, we have what I call *proxy indicators* of trust: follows, mutes, zaps, reactions, etc. People don't create this content with trust scores in mind, but we can and do use them as imperfect proxy indicators nonetheless. And on the other extreme we have what I call *explicit trust attestations*, exemplified by the [proposed NIP-77](https://github.com/nostr-protocol/nips/pull/1208), authored by [Lez](nostr:npub1elta7cneng3w8p9y4dw633qzdjr4kyvaparuyuttyrx6e8xp7xnq32cume), the heart and soul of which is that a fully explicit contextual trust attestation should have 3 fields: a context, a score, and a confidence. You fill in these fields, you say what you mean, and you mean what you say, leaving as little room for interpretation as possible. And then there is data that's in between these two extremes. A five star rating for a host on a couchsurfing platform or a vendor on an ecommerce site? A "superfollow" option in addition to a follow? These lie somewhere on the spectrum between proxy indicators on one end and explicit attestations of trust on the other.
During the panel today, Pablo and pippellia expressed the opinion that explicit trust attestations are not the way to go. Two reasons that I recall: first, that no one wants to put an exact number to trust; and second, that no one will update those numbers even if their assessment changes. These critiques have some merit to them. But I believe they miss the bigger picture.
## The bigger picture
In the real world, there are two ways I can communicate trust: I can SHOW you, or I can TELL you. I can *demonstrate trust through the actions that I take*, such as following someone, or I can just straight up tell you that I trust someone in some context.
So here's the question: on nostr, which is the correct method to communicate trust? Proxy indicators, or explicit attestations? Do we SHOW or do we TELL?
![](https://image.nostr.build/57acb261efc52bce2c88325bf9998be19faab5748fb4f99fb7c3dd6e26dbc738.png)
My view is that we don't have to pick. We have to use all relevant and available raw data across the entire spectrum from one extreme to the other.
![](https://image.nostr.build/8ad6ff044f13b8c79dd795c236f8f4b1fa95903ba1cca7e3f976de30de26990e.png)
Each of these two options has its advantages and its disadvantages. The advantage of proxy indicators is that users issue them freely and easily, the result being that we are awash in a sea of data. The primary disadvantage of proxy indicators is that they often don't mean what we want them to mean. If Alice follows Bob, does that mean she trusts him? Maybe. Or maybe not. More often not. And what about context? Do we have any way of knowing?
So we use proxy indicators as trust indicators because ... if it's the best or maybe even the only data we have, what else are we gonna do?
To do better, I argue that we need to give users more options when it comes to issuing explicit indicators of trust. But of course they're not going to do that without a reason. So to give them a reason, we have to figure out *ahead of time* how we're going to use the data once it's available. We have to know how to incorporate explicit trust indicators into our web of trust calculations. For the sake of argument, let's assume that we have a large dataset of proxy trust indicators (SHOW ME data) plus a small but nontrivial dataset with explicit trust attestations (TELL ME data). What we want to do is to pool *all available relevant data together* when we calculate trust scores. But how exactly do we do that? Which brings me to my next topic.
## The calculation of trust scores
How are we even calculating the "web of trust scores" that we see today? Wikifreedia, Coracle, and a growing list of other clients have such scores. I wish I had seen more discussion in today's panel about HOW these calculations are performed. To the best of my knowledge, most clients use the same or a similar method: fetch my follows; fetch Bob's followers; calculate the set of users who are in both sets; and count up how many you get. Sometimes adjustments are made, usually a ding based on mutes. But usually, that's it. That's the WoT score.
I'll call this the "legacy WoT score" since it is basically the state of the art in nostr. The legacy WoT score can be a useful way to eliminate bots and bad actors. But it has a few disadvantages: it is, arguably, a bit of a popularity contest. It cannot see more than two hops away on your social graph. It's not very useful to new users who haven't yet built up their follows. And it's not clear how to use it to differentiate trust in different contexts.
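The legacy score and its blind spots, worked through on a small graph. This is an added example, not code from this post or from any client. The events are constructed, the pubkeys are short placeholders, the events are assumed to be signature-verified already, and the one-point mute penalty is an assumption, since the size of the "ding" is not specified above.

```javascript
// Constructed sample events; pubkeys are short placeholders, not real keys.
// kind 3 = follow list (NIP-02), kind 10000 = mute list (NIP-51).
const ev = (kind, pubkey, created_at, ...targets) =>
  ({ kind, pubkey, created_at, tags: targets.map((t) => ["p", t]) });

const sampleEvents = [
  ev(3, "me", 100, "alice", "carol", "dave"),
  ev(3, "alice", 90, "bob", "spammer"),   // stale list, superseded below
  ev(3, "alice", 120, "bob", "erin"),
  ev(3, "carol", 100, "bob"),
  ev(3, "dave", 100, "erin"),
  ev(10000, "dave", 100, "bob"),          // dave mutes bob
  ev(3, "erin", 100, "frank"),            // frank is three hops from "me"
  ev(3, "sybil1", 100, "spammer"),        // follows from accounts "me" does
  ev(3, "sybil2", 100, "spammer"),        // not follow never enter the score
];

// Both kinds are replaceable: keep only the newest event per (kind, author).
function buildIndex(events) {
  const latest = new Map();
  for (const e of events) {
    if (e.kind !== 3 && e.kind !== 10000) continue;
    const key = `${e.kind}:${e.pubkey}`;
    const prev = latest.get(key);
    if (!prev || e.created_at > prev.created_at) latest.set(key, e);
  }
  const index = { follows: new Map(), mutes: new Map() };
  for (const e of latest.values()) {
    const targets = new Set(
      e.tags.filter((t) => t[0] === "p" && t[1]).map((t) => t[1]));
    (e.kind === 3 ? index.follows : index.mutes).set(e.pubkey, targets);
  }
  return index;
}

// Legacy score: how many of the observer's follows follow the target,
// minus an assumed penalty for each of those follows who mutes the target.
function legacyWotScore(index, observer, target, mutePenalty = 1) {
  let score = 0;
  for (const friend of index.follows.get(observer) ?? []) {
    if (index.follows.get(friend)?.has(target)) score += 1;
    if (index.mutes.get(friend)?.has(target)) score -= mutePenalty;
  }
  return score;
}

const index = buildIndex(sampleEvents);
for (const target of ["bob", "erin", "frank", "spammer"])
  console.log(target, legacyWotScore(index, "me", target));
console.log("newcomer -> bob", legacyWotScore(index, "newcomer", "bob"));
```

The spammer's purchased followers count for nothing because none of them are in the observer's follow list, which is the method's strength as a bot filter. The same rule is why frank, who is three hops away, and every target seen by an observer with no follows both score zero.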
It seems strange to me that so many clients use this single method to calculate WoT scores, but with relatively little discussion on the merits of this method as opposed to other methods. Or whether other methods even exist, for that matter.
Indeed, I believe there is another method to calculate trust scores that in most circumstances will turn out to be much more meaningful and useful. For the sake of this article, I will call this the "Grapevine WoT score" to distinguish it from the legacy WoT score. (Elsewhere I have used the phrase "influence score" in place of "Grapevine WoT score.")
The Grapevine method is (currently) based on follows and mutes, but calculated using a method entirely distinct from the legacy method, detailed [here](https://brainstorm.ninja/#/grapevine/influenceScore) (where it is called simply the "influence score"). The Grapevine method has several advantages over the legacy method, but one in particular on the topic of SHOW versus TELL: the Grapevine method can take multiple distinct classes of data following distinct formats and pool them together, synthesizing and distilling them into a single Grapevine WoT score. By choosing different datasets, different scores corresponding to different contexts can be generated.
## The future
So here's my prediction on how the future will play out.
1. The Grapevine method of trust score calculation is going to rely -- at first -- primarily on proxy indicators of trust (follows, mutes, zaps, reactions, etc) -- SHOW ME data -- because that’s the data that’s available to us in large quantities.
2. These contextual Grapevine scores will turn out to be surprisingly useful.
3. *People will learn to game the scores by changing their behavior.*
4. Consumers of trust data will gradually discover that SHOW ME data is becoming less and less reliable.
5. Authors of raw trust data will gradually learn that if they want their voices to be heard, they will need to communicate trust more explicitly. In ways that are harder to game. They will begin to move the needle ever so gradually towards TELL ME data.
6. Over time, larger datasets of TELL ME data will be available for input into Grapevine WoT scores.
7. As SHOW ME data becomes less reliable, and TELL ME data becomes more available, contextual Grapevine WoT scores will become more fine grained in terms of context and more reliable.
Of course, none of this will happen unless and until we start calculating Grapevine WoT scores and putting them to good use. To that end, several of us are working on the generation of these scores at [brainSToRm](https://brainstorm.ninja). Right now, it's a slog to download the data to the browser. But we're working on improving the UX. And if you make it through the slog, you can export a NIP-51 list of the top-scoring pubkeys, minus the ones you're already following, and use them at clients like Amethyst or Coracle to generate a feed of content coming from the most highly "trusted" users whom you're not already following. A feed that is CUSTOMIZED by YOUR Grapevine.
So there you have it, my defense of explicit trust attestations.