Designing To Facilitate Genuine Accommodation Sharing: Identity and Reputation Verification

Designing To Facilitate Genuine Accommodation Sharing: Identity and

Reputation Verification

SUBMITTED IN PARTIAL FULLFILLMENT FOR THE DEGREE OF MASTER OF SCIENCE

INDRĖ LEONAVIČIŪTĖ

MASTER INFORMATION STUDIES

HUMAN-CENTERED MULTIMEDIA

FACULTY OF SCIENCE

UNIVERSITY OF AMSTERDAM

July 8, 2016

1st _{Supervisor 2}nd _Supervisor Dr. André Nusselder Dr. Frank Nack

Designing To Facilitate Genuine Accommodation Sharing:

Identity and Reputation Verification

Indrė Leonavičiūtė

University of Amsterdam, Faculty of Science Science Park, 904

1098 XH, Amsterdam

Indre.leonaviciute@student.uva.nl

ABSTRACT

In this paper, the model of how Airbnb, an accommodation sharing service founded in the United States, designs for trust is criticized. Design requirements from literature study, interviews and an open design workshop are extracted and a prototype of an alternative accommodation sharing application, Houseweb, is provided. Houseweb uses blockchain technology and a network approach to verify identity and reputation. It removes the need for a middle man and provide users with control of their data. It offers an option of a genuine share and is community based.

General Terms

Design, Experimentation, Security, Verification.

Keywords

Sharing economy, accommodation sharing, identity verification, reputation verification, Airbnb, blockchain, privacy.

1.

INTRODUCTION

The widespread adaptation and usage of Information and Communication Technology (ICT) has evoked novel collaborative behaviors on exchanging goods and services through online platforms, such as accommodation sharing. A well known example of accommodation sharing is Airbnb, “a trusted community marketplace for people to list, discover and book unique accommodations around the world — online or from a mobile phone or tablet”1_{. Founded in 2008 in San Francisco, California, at}

the moment of writing the thesis, the site has reached a figure of over 60 million guests. As Airbnb claims on their website, trust is what makes the service so successful.

However, establishing trust with owners who are willing to open the doors of their homes remains the greatest challenge of accommodation sharing services2_{. Botsman and Rogers divide the}

sharing economy into three systems – product service systems, redistribution markets and collaborative lifestyles and assigns Airbnb to the latter category. The high amount of trust is generally demanded in the collaborative lifestyles because the focus of exchange is usually human-to-human interaction and not a physical commodity.3 _{Despite the success, Airbnb has received sufficient}

criticism on their designing for trust model, which is based on three main aspects: Verified ID, Profile & Reviews and Messaging. The Verified ID model, launched in 2013, requires guests and hosts to connect to their social networks, such as Facebook or LinkedIn. Another method is to scan an official ID and send it to the admins of the website. Concerns have been raised that the Verified ID model disrupts privacy.4 _{Criticism is also spread to the reliance on}

social networks, which opens up issues of surveillance, identity theft and fake identity use.

According to the big data management company Zettaset, in 2013 a staggering 2.5 quintillion bytes of Big Data was captured daily from consumers and 80% of data captured were posts to social media sites, purchase transaction records, and cell phone GPS signals.5 _{Identity theft is the fastest growing crime in America, with}

9.9 million incidents per year.6 _{Moreover, due to the massive}

amount of big data used by third parties in different means such as tracking or social profiling, researchers started to call this era as surveillance society.7 _{The possibility to ‘fake’ one’s social media}

account also remains unresolved.8

Airbnb’s design for trust is also based on Detailed Profiles & Reviews. However, reputational systems have a risk to be non-representative and biased. A study by Slee has shown that the ratings in Airbnb site had a “J-curve”, where the bulk of the ratings were at very high values.9 _{In addition, ratings and reviews do not}

provide any opportunity to check the reputation of a new user at the moment.

Lastly, Airbnb has been accused of having little to do with sharing at all. The reason of such criticism is that in a genuine sharing economy, we would all be lending and borrowing based on trust. 10

However, something different has happened with the former vision. As Slee points out in his book “Against the sharing economy”, the former vision of “What’s mine is yours”, has become “What’s yours is mine”. 11

Other names of the sharing economy have been also synonymously used such as collaborative consumption, the mesh economy, peer-to-peer platforms, the gig economy, concierge services or on-demand economy.12 _{Sharing economy will be used in this research}

despite disagreements about the name “sharing economy”. Initiatives to develop pilot accommodation sharing applications, whose design would be based on technically distributed stores with a decentralized authority, emerge. An example of such an initiative is the Decentralized Citizen Owned Data Ecosystem (Decode) project, participated by 20 European organizations. Coming up with an alternative to centralized sharing economy platforms, such as Airbnb, is included in the list of Decode’s use cases that provide public value. The vision is that the application would use blockchain technology in a fair and transparent way. The pilot would involve small and local initiatives. 13

Bitcoin’s ecosystem’s blockchain – a decentralized system, ownerless, open source, fully transparent and supported by advanced cryptography – is seen as a radical response to the fundamental lack of private data security managed by central authorities.14 _{A new and potential blockchain technology is aiming}

to remove ‘the middle man’ in transactions, such as a bank.15 _To

put simply, blockchain is a secured database, where transactions are recorded and confirmed by a network of computers. The transactions are valid only if the network agrees. The network’s decision is based on the history of previous transactions.16

Despite the fact that blockchain emerges from the financial domain, a belief that it can be applied to the sharing economy movement has spread in recent years. While some of the applications are still in speculation, others have already been implemented.17 _{Ethereum, a}

blockchain app platform, is one proof. For example, La’Zooz, a decentralized ride sharing application, is developed on Ethereum. Several identity and reputation management initiatives that could possibly be applied to sharing economy applications also exist.18

Accommodation sharing applications on the blockchain platform have not been found during the research. Also, the lack of study on understanding the technical and social design requirements for a blockchain based approach to identity and reputation management in accommodation sharing applications is notified. This research aims to design a new concept for identity and reputation verification in an accommodation sharing platform. To evoke experiences that would be trustworthy, easy to understand and feel natural to the end users, the concept is applied to the graphic user interface. The research question of the thesis is: “What are the social and technical design requirements for identity and reputation verification in a privacy preserving accommodation sharing application”.

Houseweb, a prototype of a decentralized accommodation sharing application that uses blockchain technology and a network approach to verify identity and reputation is introduced in the thesis. The main features of Houseweb are: the application puts users in control of their data; it removes the need for a middle man; it provides genuine accommodation sharing without financial exchange; it strongly relies on the input of community; it respects the user’s privacy and aims for transparency. The design of the application was based on three methods: literature study; semi-structured interviews with users, experts of the blockchain and experts of digital networks; and an open design workshop. The thesis is structured as follows: Related work, Research methodology, Research results and the outcome – a clickable Web prototype of an accommodation sharing application, Discussion, Conclusion & Future Work.

2.

RELATED WORK

A blockchain based approach to the sharing economy and accommodation sharing in particular is a very new idea and there has been a relatively small amount of research done in the area. However, there are some early stage prototypes that were already developed in 2015 and 2016.

One of such decentralized applications (dapps) is Fermat, a blockchain-enabled decentralized platform for the P2P exchange of assets, data, goods, and services. According to the Fermat vision, “Internet of People” are connected to each other in peer-to-peer fashion only through their devices, without any third parties involved. Fermat’s White paper Version 0.719 _{describes the system}

in alpha testing. In comparison Houseweb, Fermat serves not as a single service, but as a platform for sharing apps. In other words, services such as Airbnb, Uber, LinkedIn, Tinder and eBay are incorporated into Fermat in a p2p format. One or more Fermat apps usually belong to a certain platform. A list of 25 platforms includes the Lodging platform. In this p2p version of Airbnb the user is free to choose between no third party or partial involvement in cases of guest and host matching, insurance and marketing. Fermat’s identity management is privacy preserving. The users are not required to use their real life IDs nor connect to social network accounts. Fermat users acquire multiple types of identities (actors) that can be used for many instances corresponding to a role in real

life. They can choose to what extent and to whom to expose information to identify themselves. Private and public keys secure their identities. Fermat does not give an extensive explanation about how reputation is managed. However, the Reputation platform is introduced, which perhaps could be combined with other platforms, such as Lodging.

Another blockchain based platform for dapps is Ethereum.20

Ethereum includes various types of dapps for different use cases, including sharing. Ethereum dapps run on the network without any third party interference and are based on ‘smart contracts’, agreements between two parties involved, encoded on the network.21 _{In July, 2016 there were 245 open source dapps listed}

on Ethereum22_{, presented in either under the states of development,}

prototype or working. By the time of this research Ethereum did not have a dapp for accommodation sharing. However, there was an extensive list of dapps that share associated use cases such as operating as identity (Trustery23_{, Ether-ID}24_{, uPort}25_{) and}

reputation (PublicVotes26_{, BitVote}27_{, Trust Davis}28_{, Thanks Coin}29₎

management systems. As in Fermat, Ethereum dapps for identity and reputation management preserve the user’s private information, give the ability to be in control of their own data, use multiple identities and attributes as well as build a credible reputation. The solution could be easily applied in the Airbnb equivalent30_,

automatically unlocking the doors for the visitor who has met certain conditions, for example, has paid both the rent and the deposit.

La’Zooz31 _{is one type of Ethereum dapp. La’Zooz is a genuine}

decentralized ride sharing platform owned and managed by the community. Released in June, 2015, La’Zooz is a decentralized version of ride sharing apps such as Uber or Lyft. The genuine approach of La’Zooz, where rides are shared without commercial profit, is very close to the values of Houseweb. Instead of using real money, the community members hold digital cryptographic tokens. The users are rewarded with tokens by simply using the app or contributing to it in various means such as programming or inviting new members. However, La’Zooz does not aim to decentralize the identity management. The app uses a standard Facebook or Google account log in procedure for identifying. The method for managing reputation is a little bit different than the common practice. La’Zooz White Paper broadly describes how the reputation is managed and trust is built. Each member of the community has a rating weight. It is given once a month by all members during the community voting. For example, a user who created a rich profile that includes personal details or a photo will have a higher value and can be even awarded with tokens. The weight is equal to the trust and power the community awarded to the member.

La’Zooz is an example of a blockchain’s Decentralized Autonomous Organization (DAO).32 _{End-users, being part-owners,}

part-users and part-nodes on the network, have a high impact on DAO’s governance. A key attribute of DAO is that each user is a contributor, who participates collectively and adds value to the DAO.33 _{The idea of DAO can be conceptualized for government,}

where the Bitnation project, a supporter of Do It Yourself Government, currently plays the leading role. The belief is spread that blockchain can even lead to the Decentralized Autonomous Society (DAS).34

Sieve, a decentralized cloud for encrypted private data is not a sharing economy application, but could be a good match for secure identity management within these platforms. Created by researchers at MIT and Harvard University, Sieve lets users store their personal data in the cloud, in an encrypted form. Whenever any app wants to access specific user data, it has to send a request

to obtain a secret key that decrypts only the specific item. If a user wants to cancel the access, data would be re-encrypted with a new key. Sieve provides selective disclosure: attribute-based encryption lets the user provide only specific attributes, for example, a name, a zip code, but not a street name. The researchers integrated Sieve into two open-source web services – mHealth and Piwigo – and the application has proven to be a practical method for restricting access to sensitive information.35

OpenBazaar36 _{is an online open source decentralized network for}

peer to peer commerce that uses bitcoin. OpenBazaar is not a sharing economy dapp and could be considered a decentralized version of eBay or Amazon. However, the way the founders of OpenBazaar decided to design for trust and preserve privacy has some connections to Houseweb, especially when it comes to dispute handling. OpenBazaar manages identity and reputation by giving all control to the users and leaving freedom to remain anonymous. In OpenBazaar, a transaction, or in other words, a digital signature has to be witnessed by one member of the community whom the buyer and seller trust. This member creates a multisignature bitcoin account, requiring two or three people to agree additionally until the final transaction has been made. In cases of disputes, every user can ‘Start a Dispute’. The moderator sees the chat of both parties from that moment and determines which party was right. Even though the OpenBazaar approach to trust preserves private data, it requires immense involvement of the community itself.

3.

RESEARCH METHODOLOGY

To provide a grounded answer to the research question, qualitative research and open design methods were used. The research outcome was based on literature study, semi-structured interviews and an open design workshop.

3.1. Literature Study

The literature study has been implemented to get insight into designing for trust in accommodation sharing. The first part of the literature study aimed to point out the criticism of the methods that Airbnb uses to design for trust. The second part of the literature study aimed to extract alternative solutions to the criticized design approach of Airbnb.

3.2. Semi-structured Interviews

In order to get knowledge about the perception of digital identity and reputation, current ID and reputation verification problems and preferences, as well as blockchain’s technology potential in accommodation sharing domain, semi-structured interviews were conducted. 8 interviews were conducted in total, including 6 interviews with experts and 2 interviews with users. The expert group consisted of 1 hacker, 3 experts of blockchain, 1 expert of network culture and 1 expert of digital trust. The user group included two young professionals who were willing to use accommodation sharing, but were highly concerned about their privacy. The interviews were designed as semi-structured interviews. The questionnaire contained two parts – Identity and Reputation. The interview started with general questions and then focused on the accommodation sharing domain. Both groups had similar questionnaires, but from the perspective of expert and user. The average length of an interview was 30 minutes. Before the interview started, all participants were informed about the purpose of the study and asked for their permission to record. The interview protocol for the experts can be found in Appendix A, while the protocol for the users can be found in Appendix B. The coding

schemes of the interviews are included in Appendix C and the transcripts can be found in Appendix D.

3.3. Open Design

The open design approach method was used in this study. The potential users and experts were invited into an open design workshop in Waag Society, an institute for art, science and technology, which is based in Amsterdam, the Netherlands. The event, called “Designing for trust in accommodation sharing” was held on 16-th of June, 2016.

Users as Designers is the main design philosophy of Waag Society. It states that real users should be the ones to define design requirements. When the user and designer work together according to this design philosophy, they both take on multiple roles throughout the design process.37

The workshop raised a question: “How to create an online accommodation sharing community in which the members trust each other without massively exposing their private data” and invited participants to design an alternative accommodation sharing platform.38 _{Before the start of the workshop, two experts of}

blockchain gave presentations about its potential in accommodation sharing. The event lasted for three hours and was attended by 15 participants.

4.

RESULTS

This section presents results of the research. The findings are presented in this order: findings in literature, findings in interviews, findings from the workshop. At the end of each section, design requirements are extracted. Lastly, based on the requirements, outcome of the results is presented – a prototype of an accommodation sharing application. Special letter and number is given to each design requirement. Same letter and number combinations are reused when presenting design decisions to show on which requirements the decisions were based on.

4.1. Findings in Literature

In a famous sharing economy book by Botsman and Rogers – gurus of the movement39 _{– trust between strangers is presented as one of}

the core elements of the sharing economy. The other three principles are critical mass, idling capacity and belief in the commons.40 _{This section presents research in recent years that}

shows a critical approach to how Airbnb designs for trust between strangers and alternative recommendations are given.

4.1.1. How Airbnb Designs for Trust: Criticism

4.1.1.1. The Notion of “Sharing”

Use of a certain rhetoric can play an important role in providing the feeling of trustworthiness in online sharing applications. However, Airbnb’s use of term “sharing” has received criticism, claiming that the exchange offered by Airbnb is more of a commercial, than a genuine one.

Trust in Airbnb is strongly based on the act of a financial transaction. In his critical article, Broughton states that in a genuine sharing economy, we would all be lending and borrowing based on trust, and suggests to rename the sharing economy as a transactional economy, where technology businesses inflict indignities on the consumers and presents them as virtues.41

Nicholas refers to the term “gift economy”: “neighbors always borrowed cups of sugar and children’s toys were handed down within families”. According to him, what is novel, is not the sharing economy itself, but the network metaphors used to advocate these

practices, explicitly the notion of “sharing”.42 _{While platform}

providers, such as Airbnb, participate in creating and strengthening the rhetoric of the new “sharing”.43

4.1.1.2. Verified ID

In a sense, the new rhetoric includes not just promoting the “sharing” of goods or services, but sharing personal data to build trust. The idea comes from the radical transparency movement and is supported by Facebook’s founder Marc Zuckerberg. It states that disclosing information makes us transparent and trusted.44 _{In the}

early stages of Facebook log-on, the company declared a goal to become a tantamount of online identity itself, a passport for other platforms, such as Airbnb, to become members of the so called Facebook’s ecosystem.45

Social media connection is a part of Airbnb’s ID verification process.46 _{The other two methods of Verified ID include a scan of}

an official ID and photo, phone number and email verification. The massive use of social media for identity verification is a new symptom of an open and transparent internet. The internet is growing into a market of citizens’ data, an identity marketplace. User activities are incorporated into the process of production, constantly tracked, measured and monetized through advertising.47

The possibility to ‘fake’ one’s identity on Facebook also is alive and kicking.48

A multi-account case study by Vapen et al. has shown privacy implications when authentication was based on third-party identity provider. All of the relying parties could easily impersonate the user’s account. Additionally, the study has shown that users were often asked to provide more information for the identity provider than was required for the local profile.49

4.1.3. Reputational Systems

One claim is that Airbnb’s trust model does not exclude the risk happening between the first users of the platform. Morgan and Kutch discuss the principle from a legal frame. According to the authors, ‘trust between strangers’, managed with identity verification, graded profiles and reputational feedback systems, is used as a substitute of formal law in shared economy platforms such as Airbnb or Uber. However, any harm committed in the first instance cannot be prevented by ratings or reviews that occur later with an active engagement.50

As Slee points out in his critical response to Botsman and Rogers, ratings are not designed to deal with the extreme collapse of trust. While hosts are provided with the Guarantee policy51_{, guests are}

left on their own. Airbnb advises guests to make a detailed research into the potential host and neighborhood before booking, buy travel insurance, trust their intuition or, in an emergency situation, call the local police or emergency services52_{. In 2015 a young American}

was locked by his host in a room in Spain and sexually assaulted. He contacted his mother before the crime was committed and she immediately called Airbnb. Airbnb employees advised to call Madrid police and ask them to contact the company.53

Slee also notifies the problem of bias in the use of ratings. His research in the distribution of ratings in Airbnb for four representative cities (Amsterdam, New York, Barcelona and San Francisco) on four random days in 2015 has revealed the problem of “J-Curve”, where the majority of ratings had very high values. The reasons for this might have been that only customers who were happy with the experience rated the accommodation or other factors led to rate something else than the experience itself.54 _{In a TED talk}

by Botsman reputation has been named as a valuable asset in sharing economy.55 _{However, labeling a reputation as an asset is}

seen as dangerous. Services such as Reputation.com emerge, where reputation can be boosted by paying money. Slee argues that investing in actions that promote the reputation stops how it works from a social point of view.

4.2. Recommendations

4.2.1. Reclaiming Digital Identity

In order to manage digital identity, it is important to understand its definition and core aspects. Digital identity can be defined as usernames and the digital footprint users leave when using the Internet for different reasons.56 _{It can also be understood as the}

formation of a personal profile, cultural capital and records.57 _In

other words, the identity formation is strongly connected to fragmentation, multiple sides of a person.58 For Besley identity is a social presentation that takes place in different times and contexts.59 _{For Turkle digital identity is a decentered self that exists}

in many worlds, with many simultaneous roles.60

A response to strict user data policies and surveillance is seen in proposing business models that allow users to take over the control of their data. The control of data can be done by customizing the information sharing settings or enabling advanced technical solutions.

In the project D-cent, research on the identity ecosystem, cryptography is seen as a necessity for balancing both identity and anonymity. In other words, cryptography serves as a good tool to authenticate an identity and attach it to a person, but also hide the identity of an unwanted entity such as third-party access. However, in addition to the use of cryptography, decentralization of systems is required to enable privacy preserving.61

4.2.2. Enabling Trust

In search for what types of techniques are required to design for trust, it is very important to understand how trust is defined and how it operates.

For English-Lueck et al. trust is a psychosocial construction, ‘the subjective expression of one actor’s expectations regarding the behavior of another actor (or actors)’.62 _{Whereas for political}

economist Fukuyama it is ‘the expectation that arises within a community of regular, honest and co-operative behavior, based on commonly shared norms’63_{. Trust is not static, it can change, can}

be negotiated, depends on the context and can have different forms. However, trust among strangers is possible and there are several factors that can increase its level. English-Lueck et al. suggest a sense of confidentiality, personal networks, ‘common ground’, personal communication and social dependency. First, the amount of trust can be increased if a user is aware that information is secure and cannot be easily accessed by others. Providing more personal information and letting a stranger closer to a private setting can also help to establish trust. Third, according to the researchers, sharing something in common with the stranger is also a factor. Bialski and Batorski research on Couchsurfing, a hospitality sharing application, proves this claim. Trust was notably higher within homophilus relations than heterogeneous ones. For example, similarity in age has resulted in much greater trust.64 _Fourth,

communication on a personal level is much more effective in building trust than just performing a formal negotiation despite any cultural differences. Finally, a common social awareness, when people care about a certain cause, want to share knowledge and collaborate is also a significant aspect in forming trust.

When trust has to be built in a network, a consensus of what is the norm is mandatory. It is recommended to construct networks with

strong ties, where community members are dependent on one another. Applying accountability is a way to manage norms – it has to be clear what is proper and improper within a network.65

4.2.3. Empowering Networks

Light emphasizes the need for interdependence when designing networks. The author urges to balance user experience with more social and enduring value rather than focusing on existing user preferences, stakeholder needs, legacy systems and temporal improvements.

Several recommendations are given in order to design for interdependence in digital collaborative networks: design resources and interfaces to resources of materials time and enthusiasm; design for connectivity and its absence; design for active membership of the society; design for sharing; design to engage the powerful and protect the vulnerable. It is advised to use terms that capture supportive relationships, such as “cohabitants”, “inhabitants”, “neighbors” and “citizens”. In the case of trust, Light recommends to balance integrity and anonymity, secure exposed roles and sensitive information.66

4.2.4. Summary of the Literature Study

This section presents the design requirements for identity and reputation verification in an accommodation sharing application that were extracted from the literature study. Based on these findings, accommodation sharing application could:

 Give users a choice of a genuine accommodation share(L1).  Solve an issue how to verify reputation for new users who do

not have any reviews(L2).  Exclude user rating(L3).

 Highlight the need for credible reputation(L4).

 Have a solution how to solve an extreme collapse of trust(L5).  Treat digital identity as fragmented, representing multiple

sides of a person(L6).

 Let users be in control of their data. Use cryptography to balance identity and anonymity(L7).

 Impose confidentiality, personal networks, ‘common ground’, personal communication and social dependency on the application(L8).

 Induce homophilus relations, such as similarities in age(L9).  Design for active membership of the society. Use terms that

capture supportive relationships(L10).

4.3. Interview Results

In this section the results of semi-structured interviews with experts and users are presented. The first part of the interviews aimed to extract identity verification requirements. The aim of the second part was to extract reputation verification requirements. In the last section of this part, the requirements are summarized.

Interviewee list:

 P11_{: blockchain expert}

 P2: blockchain expert  P3: blockchain expert

1 _{“P” stands for “person”. Interviewees are anonymous in this}

research.

 P4: hacker

 P5: digital network expert  P6: digital trust expert  P7: user

 P8: user

4.3.1. General Questions

Interviews started with general questions about digital identity and the level of control users currently have over it.

The perception of what digital identity is and where it is reflected online varied among the 6 participants from the expert group, showing that there is no common consensus on the definition of digital identity. The answers varied from what could be called low level to a very high level of identity. For example, digital identity could be seen as a user name, password or email address. In addition, digital identity could be defined as a collection of specific attributes: “There are more important areas, where specific

attributes are important, for example where you can only buy specific products if you are over 18”, - P1, blockchain expert.

While some experts saw digital identity as a broader concept that reflects search history, digital footprints, and is something all over the internet. From the user perspective digital identity was seen as something very private: “Term ‘digital identity’ for me doesn’t say

that much. Because I try to keep my digital identity to a minimum”,

- P7, user.

In the next general question category the participants were asked if users are in control of their online data. 7 out 8 interviewees said that the level of control is low: “At this moment there is a relatively

low level of control, because now they are basically forced to use whatever identity system is provided and third parties”, - P1,

blockchain expert. The current resistance was seen in faking: “I

went to a Google store, where I was asked to provide my email, so I faked it”, - P4, hacker, or using anonymization tools: “The only way to get in control over that is to actually take measures to protect privacy, for example, using anonymization software”, - P2,

blockchain expert. The users also confirmed feeling in low control of their own digital identity: “It’s very difficult to control my online

identity. I think these companies, such as Airbnb, or social media, such as Facebook, are actively inflicting into my online identity”, -

P8, user.

4.3.2. Airbnb’s Identity Verification

Airbnb uses social login, such as Facebook or Google, and an official ID scan for identity verification. The interviewees were asked to share their opinion on both methods.

All 8 interviewed people expressed concerns that a social login can be used for surveillance: “So we know that if you allow Facebook

to use your data, they can also sell it to data brokers, you don’t know what’s happening to it”, - P3, blockchain expert. Also, using

Facebook as an identification means was seen as untrustworthy due to the simplicity of faking an account: “If I wanted to look

legitimate, creating a Facebook account would be something I would completely use”, - P4, hacker. One user did not use Facebook

at all: “I am not comfortable with it (Facebook/Google login) at all.

I am not on Facebook due to privacy issues”, - P7, user. However,

the advantage of social media login was its convenience: “I like the

management of usernames and passwords is a bloody nightmare now”, - P2, blockchain expert. Interviewees also expressed the

need of offering diverse login choices.

In the case of an official ID scan, opinions differed. ID scan was seen as a inevitable method by two experts: “I am going on Airbnb,

I would like to have a verified profile. I think it’s the best option so far”, - P4, hacker. However, 6 participants argued that ID attributes

should not be shared: “Your passport photo, nationality, social

security number - those are very strongly restricted attributes that shouldn’t be shared with anybody”, - P1, blockchain expert. Users

were also not in favor of scanning their IDs: Not comfortable with

that at all. I just get the feeling that I give something very valuable to an invisible subject”, - P8, user.

4.3.3. Identity Verification Alternatives

The participants gave significant insight into what identity verification alternatives could overcome the problems identified above.

Experts divided into two major groups: 4 experts supported blockchain technologies and 2 experts supported the network approach. In the first case, the solution was seen in putting the user in control of his/her private data, for example, by using a decentralized and encrypted personal data service. This could be an external application that splits identity and allows to expose separate attributes: “Your personal data is in your locker and you

give people access to it only for the things you need to do the processing. And it’s fully encrypted so they can’t store it in their own system”, - P3, blockchain expert. For additional information

check, for example, the proof of ownership, potential was seen in using online notary service via blockchain: “It is used as an online

notary service. They are taking the documents, grouping with a time stamp, creating a cryptographic hash of those documents and embedding them in the blockchain”, - P2, blockchain expert.

Experts opposing the use of blockchain claimed that full trust should not be put in the software. Rather, the potential of identification was seen in approaching networks: “I check in the

network who this person is. And I use the peer-to-peer approach”, - P5, digital network expert. Another suggestion was the need to

impose accountability on people: “Well, I would never trust a

software. I always need people at the end. In the end there have to be people who are accountable”, - P6, digital trust expert.

Users required specific communication from the platform itself, assuring that their data will remain secure. One user was willing to pay a fee in order to be sure that the data is secure: “I would even

be willing to pay a bit more for a service, if I knew 100 percent that they respect my data. So a membership or something for encrypted community”, - P8, user. A concern was also expressed to have

custom privacy settings.

4.3.4. Airbnb’s Reputation Verification

In the second part of the interview participants were asked to share their opinions on reputation verification methods used by Airbnb. Interviewees were not in favor of using detailed profiling as a means to disclose reputation. Requiring detailed information such as name, surname, email and phone number, occupation, social networks accounts, was seen as redundant: “For a reputation

system it is not needed for me to know all of the details of that person. I can just know his pseudonym and the reputation connected to this”, - P1, blockchain expert. However, 4 out of 6

experts were against trusting an anonymous person in accommodation sharing platform: “As the owner of accommodation you want to know if you are renting your

accommodation to two little old ladies from Newcastle who just like to sip tea and not to a group of English rugby fans”, - P2,

blockchain expert. Asked what information they would need to see in the profile of the accommodation sharing platform, the users emphasized the importance of knowing the name and seeing a picture and description of a person. The ability to have a conversation by messages or a phone call was also seen very valuable: “It would be nice if the communication was encrypted

with just me and the other person, without any third party”, - P8,

user. Other types of detailed information, such as a social network account was not required by the users: “Social networks, I don’t

think that it’s necessary to share even if I had it. It’s an almost absurd idea, why should someone else need to know that information, to know who I am in contact with”, - P8, user.

The participants were in favor of reviews: Writing a good review is

a skill, it is a sign of culture, so I don’t mind it. Because it tells something about the society that reflects on it”, - P5, digital

network expert. However, experts emphasized the need to connect reviews to the actual transaction: “I think what is really important

is to connect the review with the transaction. So it’s important to have an objective review system”, - P3, blockchain expert.

4.3.5. Reputation Verification Alternatives

The interviewees have given significant ideas on how reputation could be verified differently in accommodation sharing.

An alternative solution to detailed profiling was to allow custom data exposure: “Maybe you can also let users choose themselves if

they want more information to verify”, - P4, hacker.

Blockchain experts were in favor of using transactions that are based on smart contracts, when both parties meet certain conditions. Reputation could be seen in checking previous transactions: “The accommodation sharing site could sort of query

your previous transaction history to be shown in order to get an idea if you can be trustworthy or not”, - P2, blockchain expert. In

a case of a new user, reputation export could be used: Using that

Blockchain based identity system would allow “Airbnb” to see what your “Snap Car” record is”, - P2, blockchain expert.

Digital network and trust experts preferred to use networks for reputation verification: “If the network can prove your identity,

then the trust and reputation in the network is much more reliable, than a paper, or a file”, - P5, digital network expert. It was

suggested to use the “Friends of friends” logic: “I would say that

there is still a slight possibility for humankind that the friend of a friend logic will survive the Facebook era”, - P5, digital network

expert.

4.3.6. Dispute Handling

In the last question category the research participants were asked to share their ideas on how disputes could be handled in accommodation sharing.

A potential was seen in creating a Decentralized autonomous organization (DAO). In this case, the platform would be owned by users and the middle man could be replaced by a community arbitrator: “Maybe it could be a neighborhood organization. Or

maybe there could be a decentralized arbitration system where 1000 randomly selected people are asked to arbitrate on the dispute and make a collective decision on it”, - P2, blockchain experts.

However, the experts claimed that in certain cases users could use external services, such as audit and notary companies and in the worst scenario go directly to the police having their proof embedded in the blockchain.

A key requirement for the platform was transparency and the feeling that it is initiated by the community itself. “These new

initiatives have to come through the networks themselves, because only then it could work”, - P5, digital network expert. Both users

also expressed the need for transparency: “If I felt very excited

about the community and about the system, then I would definitely just go for it and trust it”, - P7, user.

4.3.7. Summary of Interview Results

This section presents the design requirements for identity and reputation management in accommodation sharing application that were extracted from 8 conducted interviews. According to the interview results, the accommodation sharing application could:  Treat digital identity as private and sensitive. Define it as a

collection of specific attributes that could be split and exposed separately(I1).

 Provide users with control of their digital identity by using a decentralized and encrypted private data service. Connect to an online notary service for document verification(I2).  Use social login as a means of login, but not for identity

verification. Provide users with diverse login choices(I3).  Use the network approach and make users accountable for

their actions(I4).

 Assure users that their data is secure and impose a small fee to maintain the community. Allow custom privacy settings(I5).  Expose only the most necessary attributes on the application

itself (profile), such as name, picture and description. Provide users with an ability to have an encrypted conversation(I6).  Use reviews, but connect it to the actual transaction(I7).  Allow custom data exposure via the blockchain(I8).

 Base transactions on smart contracts and enable users to check the transaction history, as well as to export their reputation from similar sharing applications(I9).

 Additionally, rely on networks and implement “Friend of a friend” logic(I10).

 Be based on principles of DAO’s or inherit some of the features for dispute handling. Allow use of external services, such as audit, notary or police. (I11).

 Be transparent and community based(I12).

4.4. Workshop Results

In this section the results of the “Designing for trust in accommodation sharing” workshop are presented. The last requirements for identity and reputation verification in the accommodation sharing application are also extracted and summarized below.

As an introduction to the workshop, two expert presentations on blockchain’s potential in accommodation sharing were given. Richard Kohl, board member of Stichting Bitcoin Nederland and founder of its most visible project, BitcoinWednesday, gave his presentation on “Trust is the new currency: Identity, reputation and exchange on the blockchain”. While Dave Pearce, one of the founders of the Nxt Foundation, an advanced blockchain platform, spoke on “Little old ladies and football fans: Reputation management and the sharing economy”.

Picture 1. R.Kohl is giving his presentation.

After the presentations, the workshop started. Participants were divided into three groups. Each group was given a scenario: “Proof of identity”, “Proof of reputation” and “Handling a dispute”. The first scenario involved Lisa, a host, who had to prove her identity in order to rent her houseboat, but preserve her privacy as much as possible. The second scenario involved Mark, a young American who wanted to rent a temporary accommodation in Spain, but needed to be sure about the host’s reputation. The third scenario was about Angela, an old lady, who found her house damaged after accommodation rental. These scenarios are later elaborated in the Interaction design section (4.5.2.).

The workshop participants were asked to put themselves in the situation of Lisa, Mark and Angela. They had to come up with a process of approximate 6 steps that each of these users had to undergo in order to solve their challenges. Where possible, participants were asked to sketch how their ideas could look on a web platform.

The group that was dealing with the first scenario came up with an idea of a weighted attribute verification service. According to the outcome, Lisa could verify herself by sending an encrypted SMS to her friends who are also using the application. For example, if Lisa wants to verify her ownership of the houseboat, she sends her address asking her friends to verify her. If they do so, she collects a certain number of points, depending on how many points each of the friend has.

The group that worked on the second scenario emphasized the need to involve neighborhoods to verify reputation. In this case, accommodation units that are used for sharing would be connected into networks, helping neighbors to vouch for one another. The role to verify reputation could also be given to an independent neighborhood organization. The blockchain approach could be used in checking past transactions or a previous reputation, for example, on a similar sharing application.

The last group had different opinions on how Angela’s scenario could be solved. Two ideas were given. One was to create a Decentralized Autonomous Organization (DAO). The system would be based on deep learning: the interested parties would be chosen by the software according to similar preferences and attributes. The user’s ID and IP would be preserved on the blockchain. The second idea was to create a community based on crowdfunding. Each user of the application would pay a certain fee to the common funds, assuring that high trust will be maintained.

In the case of a dispute, the money could be taken from the fund and given to the party that suffered the loss.

Picture 2. Third group brainstorming during “Designing for trust in accommodation sharing” workshop.

4.4.1 Summary of Workshop Results

This section presents the design requirements for identity and reputation management in accommodation sharing application that were extracted from the workshop. Based on the workshop results, accommodation sharing application could:

 Ask friends to verify specific attributes of a user via SMS and reward both parties with points that can be used in the application(W1).

 Involve neighborhoods or neighborhood organizations for reputation verification(W2).

 Check previous transactions and reputation on the private data service(W3).

 Handle disputes based on a collective community decision(W4).

 Handle disputes based on a collective high trust fund(W5).

4.5. Houseweb: an Accommodation Sharing

Application

The main goal of this research was to come up with the design requirements needed for identity and reputation verification in an accommodation sharing application. A basic prototype of Houseweb, an accommodation sharing application, was created in order to put the results into practice and test it with the users. Blockchain technology, as well as the applications that use the technology, are still in the early development stage. Therefore, the design decisions are focused on user experience in interaction design and interface design.

In the beginning of this section, the process of developing the prototype is described. The design decisions are presented in Interaction design (4.5.2) and Interface design (4.5.3) chapters.

4.5.1. Process

A website (1280×768) platform was chosen to implement the application. The decision was clear from the beginning: accommodation sharing is most likely done on the Web, as it is seen by the example of Airbnb. However, the possibility to develop a mobile version of Houseweb remains.

The findings of the research was firstly materialized on a paper prototype, so that it would be possible to visualize the design decisions in the form of sketches. The paper prototype was tested with a few fellow students to see how the users perceive the main functions of the application and if the design decisions are clear enough.

During the paper prototyping stage, several changes based on user feedback and general decisions were made: exclude My Network screen and include in Reputation screen; add Facebook log in option; remove the request for surname and username in registration.

Picture 3. Paper prototyping of Houseweb.

The final step of the design process emerged in a clickable prototype in proto.io, which was tested on 5 users, including the users who were interviewed for the research. Multiple reiterations were done during this phase, improving the prototype after each given user feedback. These improvements were made: allow password confirmation; explain why birthdate and phone number is needed for Houseweb and why logging in trough Facebok is safe; make the first month use for free; let users implement the search without registration; reward participants who solve disputes with reputation points instead of money; add Identity and Reputation screens together and name it the Profile screen; make share options more clear in “Listings”; highlight boost reputation options; highlight the host’s profile in “Listing”; use more simple terminology; add default demand to verify surname; highlight “How it works” in Home Screen. Overall, the users were excited about the application. Users mostly liked identity and reputation verification, reputation boost, use of community based terminology, feeling in control of their data, safe Facebook log in option, and even supported a decision to impose a fee.

4.5.2. Interaction Design

This section describes a process of interaction that users will experience by using the application in a certain situation. Interaction design is presented by providing three possible scenario descriptions and UML diagrams. The user types and scenarios are based on the findings from literature study, interviews with the users and experts and the workshop. Each design decision is marked with a letter and a number. For example, combination “L1” corresponds to the first design requirement from the literature study.

4.5.2.1. Scenarios

Lisa lives in a cozy houseboat, moored along the Amstel River, in the heart of downtown Amsterdam. Lisa is a person who is very into sharing, so she thought it would be nice to let somebody she could trust stay in her houseboat for two weeks while she is on vacation. However, Lisa has to prove it is not a scam and that she is who she claims to be. Lisa is very concerned about her privacy, so she would not like to expose her identity attributes to everyone. She is on Facebook, but she has never used it to log in to different sites, because she is afraid of being surveilled.

Lisa has just heard about this accommodation sharing application called “Houseweb” from her friend Bob. She puts it in her browser. Assured(L8) that the application will use only her name, profile picture and email(L6, I1) for public profile creation she chooses Facebook login(I3), because it’s very convenient. She finds out that she will have to pay a monthly contribution(I5) of a symbolic 0.003403 BTC (1.99 euro) the community fund(L10, I12, W5). However, she is lucky – first month she can use the application for free. Lisa is logged in, but has to set up her profile. She is asked to add a description(I6) about herself, her phone number(W1) and birthdate(L9). She reads that phone number is needed to approach friends who can verify her(L4, I10) and it will not be shown publicly(I1). She also reads that only her age will be shown publicly, not her birthdate. She clicks on “Accommodation” screen where she chooses to “Add accommodation” and provides the following information: pictures, exchange type, a description, date of availability, general rules, safety and fills up Additional(L10,

I12) section. In exchange type(L1), she chooses payment and asks

40 euro (0.07054 BTC) per night. Soon she gets notified about the first interested guest: Anna from London, who wants to stay in her houseboat for the weekend. At first, Anna wants to access Lisa’s private data service(L7, I2) to verify her name, surname and proof of ownership(I8). While Lisa wants Anna’s name, surname and birthdate to be verified same way. The application asks to open these attributes for both of the parties and reveal it directly to each other(I1). Both parties are satisfied and the smart contract of an accommodation share is made (Figure 1).

Figure 1. Identity verification process in Houseweb. The figure shows that a guest and a host initiate smart contract of an accommodation sharing. The guest sends query to host’s private data service asking to open name, surname and proof of ownership attributes. The host sends query to guest’s private data service asking to open name, surname, birthdate and also make a payment (if there is such). Houseweb serves as a connector and only sees the verification, but not the data itself. If everything is verified, Houseweb makes a smart contract.

Mark’s scenario: Proof of reputation

Mark is just about to make his first major trip overseas. He is a 19 year old American who will be visiting Madrid, Spain. Mark is thinking to search for a host who is willing to share his/her apartment with him and propose an exchange(L1), because his cozy studio in San Francisco will be empty as well. However, Mark feels very insecure about trusting a host. He’s just found out that his fellow countryman of the same age has been locked inside an apartment and assaulted by their host in Madrid few days ago. Mark respects the privacy of others, but reputation is very important for him.

Mark goes to Houseweb and lets the application know that he’s interested in going to Madrid on the period of July 21-23. He notices a very nice proposal, and try to find more about the host, Alejandro, by reading trough his reputation(L4). Alejandro, just started to use the application and currently has no reviews(I7). However, Alejandro’s reputation field says that he has 100 reputation points, given by his friends, long-time users of Houseweb(L4, I10, W1). Alejandro’s profile also states that he is a user of a decentralized car sharing application “LaZooz” and Mark can query his reputation there(L2, I9, W3). The reputation field also states that Alejandro is a member of his local accommodation sharing neighborhood(L2, I4, W2). Mark decides to query(I2,

I8,W3) both options, and he also queries Alejandro’s phone number

– he would like to have a conversation, just to be sure(I6). Alejandro gets a notification from Mark, asking to open up his previous reputation, membership in the community neighborhood and phone number on his private data service (L7, I2). He confirms. The deal is made. (Figure 2).

Figure 2. Three possible ways for a new user to verify reputation in Houseweb. One way is to use a network approach: send SMS query to a friend who is a user of Houseweb. If the friend verifies reputation, the user receives reputation points, which are equal to 10% of friend’s reputation points. This verification method could later be automated and used for identity verification as well. Second option is to import reputation from other online sharing communities, by accessing the reputation on a private data service. The third option is to become a member of local neighborhood. The membership has to be approved by 3 neighbors. Becoming a member of a local neighborhood requires to expose an approximate location to Houseweb, so that the neighbors could be matched accurately.

Angela’s scenario: Handling a dispute

Angela is feeling frustrated. She just had her first accommodation share with two 60 year old ladies from London, or at least that is what she thought. However, when she opened the doors of the apartment after the stay, she was shocked. There were a lot of broken glass on the ground accompanied by hundreds of beer cans. The apartment was damaged. It felt like an English rugby team just had their visit here instead of the two tea sipping ladies.

Angela has contacted the guests, but they claim they didn’t do anything wrong. The exchange was done on Houseweb, without any third party involved on a decentralized service and Angela is about to start a dispute. She fills up the dispute form, where she explains about the situation, describes the damage and attaches pictures that prove the damage. She also uploads the transaction record from her private data service(I2). She finalizes the dispute and Houseweb sends a notification to randomly selected 100 members of the community who will make a decision if the damage should be reimbursed (L8, L1O, I11, W4). The opposing party also gets a notification and has a chance to explain to the selected members(I12). There is no obligation to make a decision, but if a member makes a decision, he is rewarded with reputation points

(L8). If a decision is made by 50% of the randomly selected

members, who state that Angela was right, she gets damage reimbursement(W5) up to the amount of 0.175 BTC (100 euro) and the record of involvement in a dispute is placed in the opposing party’s reputation profile(I4). If Angela is not satisfied or if the situation is much more problematic, she is advised to go to the police(L5, I11)

4.5.3 Interface Design

The graphic user interface of Houseweb is divided into 5 main screens: Home Screen, Profile, Accommodation, Dispute and

Houseweb. Click here to access the prototype. Complete application would certainly have more screens and functionalities. But the emphasis is put on these screens in the research, because it is where the design decisions are reflected. In this section each screen is described separately.

Home Screen

Top features in the Home Screen are similar to the dominant accommodation sharing applications such as Airbnb or Couchsurfing. The Home Screen has clear “Join” and “Log In” buttons on the top right corner and its logo with the name in the top left corner. Users can choose diverse login options(I3). One option is to register is by filling name, birthdate, phone number, email and a password. The other option is to use Facebook log in(I3). Users get clear notifications which of their data is used and how(L8, I12). At the bottom of the registration field, user also gets early notification about a small monthly fee to the collective fund. The most visible area of the screen is a picture of a neighborhood with a search bar where users can type a destination and choose their preferred date and number of guests. Users can search for accommodation directly, but are soon asked to register. Due to the new design model for identity and reputation verification, users can press “Learn more” link and go to the second part of the screen that is aimed to highlight the main features of the application. Lastly, the third container of the Home Page shows how Houseweb is dealing with identity and reputation verification and safety. This layout is chosen for two main reasons: to point out the alternative concept of accommodation share and to give the feeling of transparency for the users, as they requested in the interviews. Special terminology is also used, such as “We”, “Community”, “Neighbors”(L10).

Picture 4. Scrollable Home Screen.

Picture 5. Registration.

Profile

The most important screen in this research is the Profile. The screen is divided into two pages: Identity and Reputation.

In Identity page, basic user information and a picture is stored(L6,

I1). Firstly, user is asked to finalize the ID here, for example, by

uploading a picture and giving a brief description about himself/herself to the community. The user ID table contains the basic information that was asked during the registration. Phone number, email and password are not shown publicly and only the age is shown, but not the birthdate. There is also an option to change the status of the hosts: “Accepting” or “Not accepting” guests. The

user is able to edit their personal details in this screen. On the left side user can see a “To do list” and a progress bar. At the bottom page the choice was made to emphasize how privacy is secured on Houseweb(I12) (not shown in picture).

Picture 6. Fragment of ID Page. (The back arrow is introduced temporality, for an easier navigation through the prototype).

When a user submits the corrections and presses “Save” button, the notification is given to check reputation status. Reputation is another significant page on the Profile screen.

In the first container of the Reputation screen, similarly to My ID, the user can see the status of reputation. The Reputation table is divided into reputation points, number of reviews, neighborhood membership and content of reviews. This information is also displayed in the public profile of a user, helping other community members to check the reputation(L4). On the top left corner the user can see a To do list and Reputation balance tables. There are several active interactions areas (“Boost your reputation” and “Get/Ask/Join”) that transfers directly to reputation boost options, if clicked. This is done in order to emphasize the importance of boosting the reputation.

The second container is where the user can simply boost the reputation. The field includes a picture and three reputation boost options on the bottom of it. The options to boost reputation are: approach friends, import reputation and join local neighborhood(W1, W2, W3). Users can interact with the options easily and are notified about the outcome directly.

Picture 7. Scrollable Reputation Page.

Picture 8. Import Reputation Query to Private Data Service.

Accommodation

Accommodation screen is where a user can add the accommodation or see listings added by other members of the community. In this prototype, only the Listings page is active. The Listings page is also very significant in reflecting the main design decisions.

After implementing a search or clicking “See Listings” on a global navigation bar, users are redirected to “See Listings” page (Not displayed here). “See Listings” page is similar to Airbnb’s design: the accommodation offers with pictures are on the left screen and the right screen shows the map. One difference is that in Houseweb different types of sharing options are displayed(L1).

When a user clicks “Know more” on a certain option, the Listing page appears. Same as Airbnb, pictures and icons are used to simplify the information. The general information tends to be very simple and informal(L10).

However, information about the host of an accommodation is highly emphasized according to Houseweb’s design(L8, I12). If a user clicks on “Learn more about the host” he/she is transferred to the host’s profile, which is at the bottom of the page. The default option is to verify everything the hosts claim, but users can delete certain attributes or ask something else(I2, I8, W3). The selected options are put as the conditions for accommodation sharing contract. Host has the right to ask any kind of verification as well(I9). Once both parties meet the conditions, the contract is made.

Picture 9. Scrollable “Listing” Page.

Disputes

“Disputes” is a very simple screen, where a user can start a dispute in case of damage reimbursements. Firstly, the user explains the situation and damages, if there were any. It is required to upload the transaction record from the private data service. “Start a