WEBVTT

00:00:00.791 --> 00:00:01.347
[MUSIC]

00:00:01.347 --> 00:00:08.800
AMBER TINGLE: Welcome to Abstracts, a Microsoft 
Research Podcast that puts the spotlight on  

00:00:08.800 --> 00:00:18.040
world-class research—in brief. I'm Amber Tingle. 
In this series, members of the research community  

00:00:18.040 --> 00:00:28.186
at Microsoft give us a quick snapshot—or a podcast 
abstract—of their new and noteworthy papers.

00:00:28.186 --> 00:00:28.690
[MUSIC FADES]

00:00:28.690 --> 00:00:35.400
Our guests today are Shrey Jain and Zoë Hitzig. 
Shrey is a product manager at Microsoft, and  

00:00:35.400 --> 00:00:43.400
Zoë is a research scientist at OpenAI. They are 
two of the corresponding authors on a new paper,  

00:00:43.400 --> 00:00:50.080
“Personhood credentials: Artificial intelligence 
and the value of privacy-preserving tools to  

00:00:50.080 --> 00:00:57.600
distinguish who is real online.” This exploratory 
research comprises multidisciplinary collaborators  

00:00:57.600 --> 00:01:07.080
from across industry, academia, and the civil 
sector. The paper is available now on arXiv. Shrey  

00:01:07.080 --> 00:01:13.428
and Zoë, thank you so much for joining us, and 
welcome back to the Microsoft Research Podcast.

00:01:13.428 --> 00:01:15.323
SHREY JAIN: Thank you. We're happy to be back.

00:01:15.323 --> 00:01:15.827
ZOË HITZIG: Thanks so much.

00:01:15.827 --> 00:01:20.280
TINGLE: Shrey, let's start with a brief overview 
of your paper. Why is this research important,  

00:01:20.280 --> 00:01:22.860
and why do you think this is 
something we should all know about?

00:01:22.860 --> 00:01:28.120
JAIN: Malicious actors have been exploiting 
anonymity as a way to deceive others online.  

00:01:28.120 --> 00:01:35.360
And historically, deception has been viewed as 
this unfortunate but necessary cost as a way  

00:01:35.360 --> 00:01:43.120
to preserve the internet's commitment to privacy 
and unrestricted access to information. And today,  

00:01:43.120 --> 00:01:48.000
AI is changing the way we should think about 
malicious actors' ability to be successful  

00:01:48.000 --> 00:01:52.480
in those attacks. It makes it easier to 
create content that is indistinguishable  

00:01:52.480 --> 00:01:58.000
from human-created content, and it is possible 
to do so in a way that is only getting cheaper  

00:01:58.000 --> 00:02:03.720
and more accessible. And so this paper aims 
to address a countermeasure to protect against  

00:02:03.720 --> 00:02:10.720
AI-powered deception at scale while also 
protecting privacy. And I think the reason  

00:02:10.720 --> 00:02:17.720
why people should care about this problem is for 
two reasons. One is it can very soon become very  

00:02:17.720 --> 00:02:22.480
logistically annoying to deal with these various 
different types of scams that can occur. I think  

00:02:22.480 --> 00:02:25.760
we've all been susceptible to different 
types of attacks or scams that, you know,  

00:02:25.760 --> 00:02:32.640
people have had. But now these scams are going to 
become much more persuasive and effective. And so  

00:02:32.640 --> 00:02:37.520
for various different recovery purposes, it can 
become very challenging to get access back to your  

00:02:37.520 --> 00:02:42.800
accounts or rebuild your reputation that someone 
may damage online. But more importantly, there's  

00:02:42.800 --> 00:02:47.200
also very dangerous things that can happen. Kids 
might not be safe online anymore. Or our ability  

00:02:47.200 --> 00:02:53.360
to communicate online for democratic processes. A 
lot of the way in which we shape political views  

00:02:53.360 --> 00:02:59.960
today happens online. And that's also at risk. 
And in response to that, we propose in this  

00:02:59.960 --> 00:03:07.200
paper a solution titled personhood credentials. 
Personhood credentials enable people to prove  

00:03:07.200 --> 00:03:12.000
that they are in fact a real person without 
revealing anything more about themselves online.

00:03:12.000 --> 00:03:15.080
TINGLE: Zoë, walk us through 
what's already been done in  

00:03:15.080 --> 00:03:19.560
this field, and what's your unique 
contribution to the literature here?

00:03:19.560 --> 00:03:28.000
HITZIG: I see us as intervening on two separate 
bodies of work. And part of what we're doing in  

00:03:28.000 --> 00:03:35.600
this paper is bringing together those two bodies 
of work. There's been absolutely amazing work for  

00:03:35.600 --> 00:03:42.840
decades in cryptography and in security. And what 
cryptographers have been able to do is to figure  

00:03:42.840 --> 00:03:51.000
out protocols that allow people to prove very 
specific claims about themselves without revealing  

00:03:51.000 --> 00:03:58.360
their full identity. So when you think about 
walking into a bar and the bartender asks you to  

00:03:58.360 --> 00:04:06.400
prove that you're over 21—or over 18, depending on 
where you are—you typically have to show your full  

00:04:06.400 --> 00:04:12.840
driver's license. And now that's revealing a lot 
of information. It says, you know, where you live,  

00:04:12.840 --> 00:04:19.600
whether you're an organ donor. It's revealing a 
lot of information to that bartender. And online,  

00:04:19.600 --> 00:04:26.480
we don't know what different service providers 
are storing about us. So, you know, the bartender  

00:04:26.480 --> 00:04:32.560
might not really care where we live or whether 
we're an organ donor. But when we're signing up  

00:04:32.560 --> 00:04:40.920
for digital services and we have to show a highly 
revealing credential like a driver's license just  

00:04:40.920 --> 00:04:48.040
to get access to something, we're giving over 
too much information in some sense. And so this  

00:04:48.040 --> 00:04:55.520
one body of literature that we're really drawing 
on is a literature in cryptography. The idea that  

00:04:55.520 --> 00:05:01.480
I was talking about there, where you can prove 
privately just isolated claims about yourself,  

00:05:01.480 --> 00:05:07.680
that's an idea called an anonymous credential. 
It allows you to be anonymous with respect to  

00:05:07.680 --> 00:05:12.800
some kind of service provider while still 
proving a limited claim about yourself,  

00:05:12.800 --> 00:05:20.680
like “I am over 18,” or in the case of personhood 
credentials, you prove, “I am a person.” So that's  

00:05:20.680 --> 00:05:26.720
all one body of literature. Then there's this huge 
other body of literature and set of conversations  

00:05:26.720 --> 00:05:36.320
happening in policy circles right now around 
what to do about AI. Huge questions abounding.  

00:05:36.320 --> 00:05:43.400
Shrey and I have written a prior paper called 
“Contextual Confidence and Generative AI,” which  

00:05:43.400 --> 00:05:51.920
we talked about on this podcast, as well, and in 
that paper, we offered a framework for thinking  

00:05:51.920 --> 00:05:59.760
about the specific ways that generative 
AI, sort of, threatens the foundations of  

00:05:59.760 --> 00:06:09.120
our modes of communication online. And we outlined 
about 16 different solutions that could help us  

00:06:09.120 --> 00:06:18.480
to solve the coming problems that generative AI 
might bring to our online ecosystems. And what we  

00:06:18.480 --> 00:06:25.040
decided to do in this paper was focus on a set of 
solutions that we thought are not getting enough  

00:06:25.040 --> 00:06:33.320
attention in those AI and AI policy circles. 
And so part of what this paper is doing is  

00:06:33.320 --> 00:06:41.280
bringing together these ideas from this long body 
of work in cryptography into those conversations.

00:06:41.280 --> 00:06:44.800
TINGLE: I'd like to know 
more about your methodology,  

00:06:44.800 --> 00:06:48.460
Shrey. How did your team go 
about conducting this research?

00:06:48.460 --> 00:06:55.480
JAIN: So we had a wide range of collaborators from 
industry, academia, the civil sector who work on  

00:06:55.480 --> 00:07:01.120
topics of digital identity, privacy, advocacy, 
security, and AI policy which came together to  

00:07:01.120 --> 00:07:06.000
think about, what is the clearest way in which we 
can explain what we believe is a countermeasure  

00:07:06.000 --> 00:07:10.240
that can protect against AI-powered deception 
that, from a technological point of view,  

00:07:10.240 --> 00:07:14.080
there's already a large body of work that 
we can reference but from a “how this can  

00:07:14.080 --> 00:07:19.600
be implemented.” Discussing the tradeoffs that 
various different types of academics and industry  

00:07:19.600 --> 00:07:24.360
leaders are thinking about. Can we communicate 
that very clearly? And so the methodology here  

00:07:24.360 --> 00:07:31.320
was really about bringing together a wide range of 
collaborators to really bridge these two bodies of  

00:07:31.320 --> 00:07:36.560
work together and communicate it clearly—not just 
the technical solutions but also the tradeoffs.

00:07:36.560 --> 00:07:42.340
TINGLE: So, Zoë, what are the major findings 
here, and how are they presented in the paper?

00:07:42.340 --> 00:07:49.240
HITZIG: I am an economist by training. Economists 
love to talk about tradeoffs. You know,  

00:07:49.240 --> 00:07:53.840
when you have some of this, it means you have 
a little bit less of that. It's kind of like  

00:07:53.840 --> 00:08:00.920
the whole business of economics. And a key 
finding of the paper, as I see it, is that  

00:08:00.920 --> 00:08:09.200
we begin with what feels like a tradeoff, which 
is on the one hand, as Shrey was saying, we want  

00:08:09.200 --> 00:08:17.920
to be able to be anonymous online because that 
has great benefits. It means we can speak truth  

00:08:17.920 --> 00:08:26.640
to power. It means we can protect civil liberties 
and invite everyone into online spaces. You know,  

00:08:26.640 --> 00:08:33.480
privacy is a core feature of the internet. And 
at the same time, the, kind of, other side of the  

00:08:33.480 --> 00:08:40.760
tradeoff that we're often presented is, well, if 
you want all that privacy and anonymity, it means  

00:08:40.760 --> 00:08:48.200
that you can't have accountability. There's no way 
of tracking down the bad actors and making sure  

00:08:48.200 --> 00:08:55.400
that they don't do something bad again. And we're 
presented with this tradeoff between anonymity on  

00:08:55.400 --> 00:09:03.320
the one hand and accountability on the other hand. 
All that is to say, a key finding of this paper,  

00:09:03.320 --> 00:09:10.360
as I see it, is that personhood credentials and 
more generally this class of anonymous credentials  

00:09:10.360 --> 00:09:18.280
that allow you to prove different pieces of 
your identity online without revealing your  

00:09:18.280 --> 00:09:26.360
entire identity actually allow you to evade 
the tradeoff and allow you to, in some sense,  

00:09:26.360 --> 00:09:32.320
have your cake and eat it, too. What it allows 
us to do is to create some accountability,  

00:09:32.320 --> 00:09:42.960
to put back some way of tracing people's digital 
activities to an accountable entity. What we also  

00:09:42.960 --> 00:09:48.360
present in the paper are a number of different, 
sort of, key challenges that will have to be  

00:09:48.360 --> 00:09:55.640
taken into account in building any kind of 
system like this. But we present all of that,  

00:09:55.640 --> 00:10:02.800
all of those challenges going forward, as 
potentially very worth grappling with because of  

00:10:02.800 --> 00:10:11.760
the potential for this, sort of, idea to allow us 
to preserve the internet's commitment to privacy,  

00:10:11.760 --> 00:10:18.420
free speech, and anonymity while also 
creating accountability for harm.

00:10:18.420 --> 00:10:23.760
TINGLE: So Zoë mentioned some of these 
tradeoffs. Let's talk a little bit more  

00:10:23.760 --> 00:10:29.680
about real-world impact, Shrey. 
Who benefits most from this work?

00:10:29.680 --> 00:10:35.520
JAIN: I think there's many different people that 
benefit. One is anyone who's communicating or  

00:10:35.520 --> 00:10:40.280
doing anything online in that they can have more 
confidence in their interactions. And it, kind of,  

00:10:40.280 --> 00:10:44.840
builds back on the paper that Zoë and I wrote last 
year on contextual confidence and generative AI,  

00:10:44.840 --> 00:10:49.720
which is that we want to have confidence in 
our interactions, and in order to do that,  

00:10:49.720 --> 00:10:53.640
one component is being able to identify who 
you're speaking with and also doing it in a  

00:10:53.640 --> 00:10:59.640
privacy-preserving way. And I think another person 
who benefits is policymakers. I think today,  

00:10:59.640 --> 00:11:03.760
when we think about the language and 
technologies that are being promoted,  

00:11:03.760 --> 00:11:08.720
this complements a lot of the existing work that's 
being done on provenance and watermarking. And I  

00:11:08.720 --> 00:11:13.080
think the ability for those individuals to be 
successful in their mission, which is creating  

00:11:13.080 --> 00:11:19.880
a safer online space, this work can help guide 
these individuals to be more effective in their  

00:11:19.880 --> 00:11:25.400
mission in that it highlights a technology that 
is not currently as discussed comparatively to  

00:11:25.400 --> 00:11:30.520
these other solutions and complements them 
in order to protect online communication.

00:11:30.520 --> 00:11:37.880
HITZIG: You know, social media is flooded 
with bots, and sometimes the problem with  

00:11:37.880 --> 00:11:44.400
bots is that they're posting fake content, 
but other times, the problem with bots is  

00:11:44.400 --> 00:11:49.680
that there are just so many of them and 
they're all retweeting each other and it's  

00:11:49.680 --> 00:11:55.600
very hard to tell what's real. And so what a 
personhood credential can do is say, you know,  

00:11:55.600 --> 00:12:02.940
maybe each person is only allowed to have five 
accounts on a particular social media platform.

00:12:02.940 --> 00:12:09.080
TINGLE: So, Shrey, what's next on your research 
agenda? Are there lingering questions—I know  

00:12:09.080 --> 00:12:14.180
there are—and key challenges here, and 
if so, how do you hope to answer them?

00:12:14.180 --> 00:12:19.240
JAIN: We believe we've aggregated a strong 
set of industry, academic, and, you know,  

00:12:19.240 --> 00:12:22.880
civil sector collaborators, but we're only a 
small subset of the people who are going to  

00:12:22.880 --> 00:12:28.560
be interacting with these systems. And so 
the first area of next steps is to gather  

00:12:28.560 --> 00:12:32.240
feedback about the proposal of a solution 
that we've had and how can we improve that:  

00:12:32.240 --> 00:12:35.840
are there tradeoffs that we're missing? Are 
there technical components that we weren't  

00:12:35.840 --> 00:12:41.240
thinking as deeply through? And I think there's 
a lot of narrow open questions that come out of  

00:12:41.240 --> 00:12:45.960
this. For instance, how do personhood credentials 
relate to existing laws regarding identity theft  

00:12:45.960 --> 00:12:53.000
or protection laws? In areas where service 
providers can't require government IDs,  

00:12:53.000 --> 00:12:59.240
how does that apply to personhood credentials that 
rely on government IDs? I think that there's a  

00:12:59.240 --> 00:13:04.360
lot of these open questions that we address in 
the paper that I think need more experimentation  

00:13:04.360 --> 00:13:08.680
and thinking through but also a lot of 
empirical work to be done. How do people  

00:13:08.680 --> 00:13:12.480
react to personhood credentials, and does 
it actually enhance confidence in their  

00:13:12.480 --> 00:13:17.920
interactions online? I think that there's a lot 
of open questions on the actual effectiveness of  

00:13:17.920 --> 00:13:21.340
these tools. And so I think there's a large 
area of work to be done there, as well.

00:13:21.340 --> 00:13:26.680
HITZIG: I've been thinking a lot about the early 
days of the internet. I wasn't around for that,  

00:13:26.680 --> 00:13:35.200
but I know that every little decision that 
was made in a very short period of time had  

00:13:35.200 --> 00:13:41.040
incredibly lasting consequences that we're 
still dealing with now. There's an enormous  

00:13:41.040 --> 00:13:48.520
path dependence in every kind of technology. And I 
feel that right now, we're in that period of time,  

00:13:48.520 --> 00:13:55.080
the small window where generative AI is this new 
thing to contend with, and it's uprooting many of  

00:13:55.080 --> 00:14:02.920
our assumptions about how our systems can work 
or should work. And I'm trying to think about  

00:14:02.920 --> 00:14:10.880
how to set up those institutions, make these 
tiny decisions right so that in the future  

00:14:10.880 --> 00:14:18.704
we have a digital architecture that's really 
serving the goals that we want it to serve.

00:14:18.704 --> 00:14:22.600
[MUSIC]
TINGLE: Very thoughtful. With that, Shrey Jain,

00:14:22.600 --> 00:14:25.560
Zoë Hitzig, thank you so 
much for joining us today.

00:14:25.560 --> 00:14:27.300
HITZIG: Thank you so much, Amber.

00:14:27.300 --> 00:14:32.040
TINGLE: And thanks to our listeners, 
as well. If you'd like to learn more  

00:14:32.040 --> 00:14:37.680
about Shrey and Zoë's work on personhood 
credentials and advanced AI, you'll find  

00:14:37.680 --> 00:14:45.720
a link to this paper at aka.ms/abstracts, or 
you can read it on arXiv. Thanks again for  

00:14:45.720 --> 00:14:59.040
tuning in. I'm Amber Tingle, and we hope 
you'll join us next time on Abstracts.

00:14:59.040 --> 00:15:00.013
[MUSIC FADES]