All scammers, always: my Keybase message inbox.
Keybase started as a project of co-founder and developer Max Krohn: a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who was also co-founder of OkCupid and SparkNotes) became involved, and $10.8 million in financing came from a group of investors led by Andreessen Horowitz. And then it became more and more complicated. Keybase aims to make public key encryption accessible to everyone, for everything from messaging to file sharing to sending a few crypto coins.
But because of that level of accessibility, Keybase is confronted with a very OkCupid-type problem: after attracting people who are interested in simple public key crypto-based communication and then attracting blockchain enthusiasts with its partnership with (and financing of) Stellar.org, Keybase has also attracted spammers and scammers. And that has turned what was once a fairly clear communication channel into one full of unwanted warnings, messages and other unpleasantness – which has evoked a chorus of complaints in Keybase’s open chat channel.
It appears that there is a reason that spell-checking always wants to tell me that Keybase should be spelled as “debase.”
Full disclosure: I have been a Keybase user for several years, and fellow Ars editor Lee Hutchinson and I have experimented with using Keybase as a possible way to secure part of our workflow. Not needing anybody to host our data (and therefore own it) seemed like a good thing. But Lee recently canceled his Keybase account and says he won’t be back because of how annoying it is.
Keybase’s leadership promises to do something to solve the spam problem – or at least make it easier to report and block abusers. In a blog post, Krohn and Coyne wrote: “Just to be clear, the current spam volume is STILL not bad. Keybase still works great. But we have to act quickly.”
But the measures that Keybase promises will not completely solve the problem. And Keybase execs have no interest in getting involved in extra steps that they see as censorship. “Keybase is a private company and we retain our rights to kick people out,” the co-founders said in the blog post. “That hammer won’t be used because someone doesn’t like it as long as they play nicely on Keybase.”
Romancing the scam
Part of the appeal of Keybase is that it allows trouble-free access from Tor’s anonymous network and via VPNs, making it harder to trace the source of abuse through the service. But much of the spam traffic goes through unhindered network connections, and although part of it comes from Europe and North America, most of it comes from Russian and Nigerian IP addresses.
Other platforms have seen the same type of problem. Romance scammers started on instant messaging platforms and quickly switched to dating apps. Earlier this decade, OkCupid became a den for this scam – where someone (often in Nigeria) poses as someone looking for love and then moves the conversation to pleas for financial support, calling cards or other investments. And as I reported earlier this year, this and other scams have taken place on Twitter.
At this time it is possible (with some navigation) to prevent someone from sending you a message on Keybase and to hide messages they send. But there is no effective way to report them for abuse, except by contacting administrators directly. And there is no way to filter out the requests completely, because anyone can create a Keybase account and send a message to you.
- A romantic scammer skips me.
- I’m sure this is legitimate.
- You are certain.
- This profile uses a Twitter account to verify, but .
- That Twitter account is certainly convincing.
Talk to the block
As part of the changes in Keybase being pushed in a subsequent release, users can now report spam or abusive messages directly from the Keybase chat interface – blocking that user with a click or tap, with the option to report the user to Keybase administrators. The report allows a quick classification of the message as spam, intimidation, “obscene material” or “other” with a field for additional details. “You can also send Keybase administrators the transcript of your chat – something we would normally not have access to, since Keybase is end-to-end encrypted,” Keybase execs said in their mail.
Another measure that Keybase calls the “nuclear option” is also being prepared. Similar to Twitter’s secure account capabilities, it allows users to select a set of rules that determine who can follow them or send messages – based on whether they are already connected in one way or another. “These options will create a custom walled garden experience,” the Keybase execs explained. “It will not be necessary for most people – especially after starting the block functions – but it will close all unwanted contacts 100%.”
More fixes are promised in the future. Given that Keybase already offers ways for people to confirm their identity to provide confidence in communication, it would be conceivable that you can filter requests based on the quality and number of those certificates – confirmations by posting messages on social media accounts, GitHub accounts and other accounts associated with online identity (mine is linked to Twitter, GitHub, Hacker News, Reddit and a personal domain name, as well as my PGP key). Most fraudulent accounts have nothing more than the free Stellar wallet address, and those that do have more often add a fake Twitter account.
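A sketch of how the connection rules of the “nuclear option” and the proof-based filtering described above could fit together for first-contact messages. This is an added example, not Keybase code or its API: the `Sender` fields, the proof weights, the thresholds and the three outcomes are all hypothetical, and the accounts are constructed.

```python
from dataclasses import dataclass

# Hypothetical weights for how hard each proof type is to fake (not Keybase values).
PROOF_WEIGHT = {
    "dns": 3, "pgp": 2, "github": 2,
    "twitter": 1, "reddit": 1, "hackernews": 1,
    "stellar": 0,  # the free wallet says nothing about who owns the account
}

@dataclass
class Sender:
    username: str
    proofs: list                 # proof type names attached to the account
    followed_by_me: bool = False
    shares_team: bool = False

def proof_score(sender):
    # Each proof type counts once, so repeating a proof cannot inflate the score.
    return sum(PROOF_WEIGHT.get(p, 0) for p in set(sender.proofs))

def decide(sender, min_score=4, min_distinct=2, walled_garden=False):
    """Return 'deliver', 'quarantine' or 'drop' for a first-contact message."""
    if sender.followed_by_me or sender.shares_team:
        return "deliver"         # already connected to the recipient
    if walled_garden:
        return "drop"            # strict mode: strangers never get through
    distinct = {p for p in sender.proofs if PROOF_WEIGHT.get(p, 0) > 0}
    if proof_score(sender) >= min_score and len(distinct) >= min_distinct:
        return "deliver"
    return "quarantine"          # held for review instead of alerting the user

if __name__ == "__main__":
    # Constructed sample accounts, not real Keybase users.
    samples = [
        Sender("wallet_only", ["stellar"]),
        Sender("wallet_plus_twitter", ["stellar", "twitter"]),
        Sender("well_proven", ["twitter", "github", "hackernews", "reddit", "dns", "pgp"]),
        Sender("teammate", ["stellar"], shares_team=True),
    ]
    for s in samples:
        print(s.username, proof_score(s), decide(s), decide(s, walled_garden=True))
```

With these weights, a wallet-only account and a wallet plus a single Twitter proof both land in quarantine, which is the pattern the fraudulent accounts described above follow.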
None of this will bring Lee Hutchinson back. “When a tool I don’t need or think about often starts spamming me and I need documentation to stop spamming,” Lee said, “I’m not going to take time for my (edited) day to get the documents read and browse around with privacy settings. I’m just going to uninstall the utility. I did that.”