A fully distributed reputation system for m-commerce via ad hoc wireless networking

Trust development among traders in an ad hoc m-commerce trading system is vital to mitigate uncertainty and risks involved in transactions. It helps traders decide whether to trade with potential trading partners as well as to gauge the degree of confidence that they should give these parties. One way to facilitate such trust is through use of a reputation system. However, the potential for ill-intentioned traders to subvert the reputation system makes the task challenging. This paper discusses key issues in designing a reputation system that can effectively facilitate trust development in such a loose and dynamic trading community. It proposes a fully distributed approach that employs a sanction-backed mechanism to encourage traders to be truthful in providing reputation reports. It advocates letting traders maintain their own reputation information as well as share knowledge about other traders’ trading behavior in a peer-to-peer (P2P) manner without relying on network services that are always available. A security analysis on the proposed design shows that it can help traders detect or mitigate the identified misbehavior-related threats to a sufficient degree.


Introduction
*To be a viable means to conduct online trading, ad hoc m-commerce (Osman and Taylor, 2008) must mitigate uncertainty and risks in its transactions by providing a means to foster trust among traders. A reputation system can be an effective means to do this. It provides a collaborative method for traders to assess the trustworthiness as well as predict the future behavior of other traders based on sharing past trading history and testimonials of trade worthiness. It helps traders choose reputable parties to trade with and avoid dealing with dubious ones.
However, designing a reliable reputation system for ad hoc m-commerce trading systems is challenging as traders cannot be expected to spend lengthy periods of time to obtain their potential trading counterparties' reputation reports. Casual online trading is likely to take place over fairly short periods and not on an extended basis due to unpredictable network connectivity and irregular participation by its members. Traders in this type of online trading will sometimes have to make rapid decisions whether to trade or not with a potential trading counterparty. Delays in making such decisions due to having insufficient reputation information might cause a trader to lose a rare opportunity to trade for a valuable resource or item as he might not be offered the same chance again in the foreseeable future.
Another important issue is that ill-intentioned traders might try to subvert the reputation system by compromising the reliability of its reputation reports. To be effective in assisting traders make fast and reasonably founded trust decisions, a reputation system for ad hoc m-commerce trading systems must provide high availability and efficient retrieval of relevant reputation information as well as be robust against the sort of attacks that could compromise the reliability of this information.
This paper presents the design of a distributed reputation system that lets traders maintain their own reputation information locally and share their knowledge about other traders' trading behavior in a totally P2P manner without having to rely on network services that are always available. It advocates reinforcing this with a sanction-backed mechanism that lets traders collaborate to exclude any member that has misbehaved or has a poor trading history from a trading forum's membership (Osman and Taylor, 2010).

Ad hoc m-commerce trading system overview
An ad hoc m-commerce trading system is a platform for mobile users to engage in mobile commerce transactions using ad hoc wireless networking. It is a self-organized and self-configured m-commerce venue that can be initiated anywhere by any two or more traders that are in close proximity with each other and does not require any third party infrastructure to support it. To participate in the trading system, traders must be equipped with a Wi-Fi capable mobile device and an appropriate ad hoc m-commerce application. Traders can join the trading system as a seller or buyer or both. The trading system does not limit its participating parties to engage in ad hoc mcommerce transactions only, but it allows the traders to communicate and collaborate with each other to control and manage its group membership management (Osman and Taylor, 2010) and security and trust service (Osman and Taylor, 2011) which include the following:  Give recommendations about other traders' online identities, trading histories, testimonials and reputations.  Attest other traders' digital certificates that bind together their identity information with their public keys, membership information, testimonials and trading histories.  Evaluate each other after each transaction by providing deal evaluations. The deal evaluations are used by the traders as a means to express their satisfaction about their trading counterparts' behavior in fulfilling their transaction agreements.  Share negative evaluations about their trading partners with other traders in the forum.  Sanction those traders who misbehave or have a history of being given poor evaluations.
Each trading system will operate a trading model such as for swapping of digital resources or selling or buying items or for conducting online auctions and so on and have policies governing how it handles dissemination of trust data and deals with forum membership and sanctions. Some forums will have an open membership while others will have a closed membership or be open to all but banned parties. To join a trading forum, traders must first activate the appropriate m-commerce application on their mobile device and create an online identity to represent them in the trading system. Prospective traders are expected to send a join request together with their identity credentials to any available peers that are within communication range with them. Once accepted as a member of a particular trading forum, traders can engage in m-commerce transactions as well as participate in any of the trading system's activities as mentioned above.

Trust and reputation
This section characterizes the concept of trust from the perspective of online trading and discusses how reputation information helps facilitate trust development among traders.

Trust
Various views on trust have been offered in numerous papers in the literature. In this paper, trust will be taken to be evidentially founded belief that one party has about another with respect to their reliability and honesty in carrying out cooperative actions where there are significant risks of loss to the first party. This definition emphasizes three aspects of trust in the context of a transaction namely belief, evidence and associated risks.
A trust relationship is established between two traders when both parties have a belief supported by appropriate evidence that the other party is a reliable and honest party to trade with. Such trust enables the parties to view the downside risks in transactions such as being cheated through nonpayment, the traded items not being as described and so on, as acceptable. A reliable trader is a party that can be depended upon to carry out a transaction in an expected way. An honest trader is a party that is truthful in his representations, e.g. does not deceive or give misleading information. The supporting evidence could include testimonials of a trader's trustworthiness, history of evaluated trades, digital certificates attesting identity and so on.
A transaction that is potentially risky becomes acceptable if supporting evidence is sufficient for a trader to believe that his trading counterpart is a reliable and honest trader and the likelihood and impact of downside losses are low enough for that trader to expose himself to those risks. Risk in a transaction depends on several factors such as the value at stake in a transaction, opportunity costs of the transaction and so on. A transaction can be considered as risky if engaging in it makes traders vulnerable to significant loss, which can be in terms of the following:  The item being traded-Loss can be incurred if a trader does not get what he has paid for or has received items or money in exchange for goods that are found to be less than promised or not as described in the trading agreement.  Trading opportunities-A trader may lose opportunities to trade with other traders on better terms if his trading counterpart, who has agreed to trade with him, withdraws from their deal or forces inferior terms on the deal under the threat of withdrawal.  Reputation-Loss of reputation is another way of incurring loss. Engaging in a transaction with an ill-intentioned trader who then provides an unfair negative evaluation after their transaction, could negatively affect a trader's good reputation.  Time and effort-Loss can also be incurred if one party does not turn up after making an agreement to meet up at a certain place to do the exchange. In this case, the significant loss is in terms of the time and effort to get to that place.

Reputation
Reputation is correlated with trust. Trading reputation can be defined as a perception about the trading behavior of a party based on their past trading behavior, which is derived from personal experience with that party or based on recommendations from other parties in a community. A party's good trading reputation would be built up through its honest, reliable and agreeable behavior in previous trades. Thus, acquisition of a good reputation can be used as an incentive for the parties to be more trustworthy, because parties that do not behave in a trustworthy way will lose reputation and thus will be less likely to be accepted as partners in future interactions or will only tend to be offered less generous terms of trade. In online trading, reputation reports to some degree reflect the trustworthiness of a trader. They can be a useful reference in assisting traders making trust decisions. Positive experience with a particular trader can help ease other traders' perceptions of risk and uncertainty when transacting with that same trader. Parkhe (1998) showed that a reputation system helps to reduce transaction risks by providing a means for traders to develop trust relationships among themselves based upon their past trading history. It is likely that other traders' trust will increase significantly when a trader is perceived to have a good reputation. This motivates traders to act honestly in each of their transactions to maintain a sufficient reputation to remain active in that marketplace.
Furthermore, reputations can encourage traders to maintain a persistent identity to continue to benefit from having established a good reputation. Thus, supporting and exploiting usage of reputation can be an effective way to encourage cooperation and honesty in ad hoc m-commerce transactions.

Design issues
A fully distributed reputation system for ad hoc m-commerce with high availability, efficient retrieval and reliable reputation information raises the following issues.

Storage of the reputation information
Reputation information needs to be stored and managed in a reliable way to ensure that it is readily accessible and made available upon request. Thus, an important factor to consider when designing a reputation system is to determine where to store the reputation information, so that it can be retrieved efficiently and be available when required. In an ad hoc m-commerce trading system, because it lacks a network service infrastructure, is self-organized and has no centralized authority to manage a trader's reputation reports, its reputation system has to be fully distributed. One of the challenges of a distributed reputation system in such a dynamic trading system is to determine the most appropriate location to store reputation reports.
One approach is to store a trader's reputation reports with his trading counterparties who have evaluated their trades with him or created testimonials recommending him. However, this approach requires a trader who is considering transacting with another trader to send reputation requests to as many potential recommenders as possible to elicit such reputation reports. This might generate unacceptable communication delays and could overburden other traders. Furthermore, due to dynamic participation in an ad hoc m-commerce trading system, those third parties may also be unreachable or no longer active in the trading system at the time the reputation reports are required. It also cannot be expected that all traders in the trading system will be willing to use up their mobile device's storage to store other parties' information.
A second approach would be to store all reputation information in a trusted shared store that is always accessible and access it on demand. However, this approach is infeasible in ad hoc networked communities. These communities have no computing components that are omnipresent to host such a store. Nor does it seem viable that such a store could be established in some distributed way across whatever nodes of the community happen to be connected by ad hoc networking at the moment.
A third approach is called a self-maintaining approach where traders store their own reputation reports locally. This approach minimizes communication overhead and delay as it does not require any reputation request to be sent to any other third parties and the requested party does not need to wait for recommendations from others. It will also make the retrieval of reputation information more efficient as it is stored locally and can be provided anytime by its owner when requested by others. Furthermore, it makes it possible for traders to get a detailed view of his potential trading counterparty's trading history.

Integrity of the reputation information
The integrity of reputation information is an important element that is directly connected with the reliability of a reputation system. In an ad hoc mcommerce trading system, there are several ways in which ill-intentioned parties can try to compromise the integrity of reputation information. One of the most obvious ways would be to intercept or alter other parties' reputation information during its transmission over an insecure ad hoc wireless network. Another possible way is to alter their own reputation information while it is being stored on their mobile device. Thus, transmitting and storing such information should be done in a secure manner in order to ensure its integrity.

Reliability of the reputation information
The usefulness of a reputation system depends critically on the reliability of its reputation information. Unreliable reputation information will expose traders to the risk of significant loss if it incorrectly supports a good reputation for a dishonest trader. In an ad hoc m-commerce trading system, ill-intentioned traders might try to compromise the reliability of such reputation information by providing unfair deal evaluations (overstating or slandering) or by colluding with their accomplices, either to increase their own reputation (hyping) or harm other parties' good reputation (bad mouthing). Another way an ill-intentioned trader can try to manipulate reputation information is by creating and using multiple identities to create many bogus deal evaluations. For example, a trader creates multiple trading pseudonyms and corresponding credentials to enable him to create bogus transactions with those identities. He then uses those identities to provide good evaluations for each of the transactions that he has created, so that his own reputation will apparently be increased. Thus, to ensure traders obtain reliable reputation information, a reputation system for ad hoc mcommerce needs to be robust against Sybil Attacks and misbehavior-related threats such as unfair deal evaluations and collusions.

Related work
The emergence of online trading communities has changed many aspects of conducting business and demands corresponding means for trust development among participating parties in such a community to minimize transaction risks. A considerable amount of research has been conducted into this issue and a number of solutions have been proposed in the literature (Xiong and Liu, 2003;Aberer and Despotovic, 2001). Xiong and Liu (2003) have proposed a dynamic trust model for P2P e-commerce communities using a transaction-based feedback system where a trader's trustworthiness is measured based on five factors namely satisfaction, number of transactions, credibility of feedback, transaction context and community context. It is a fully decentralized system that uses an overlay for supporting trust propagation and a public key infrastructure for securing remote trust scores. This proposal is among the most credible yet for supporting decentralized support for P2P online transactions that require trust judgments. However, the assumption made in the proposal that network connectivity is always available for traders to obtain reputation information seems to be unlikely to be fulfilled in ad hoc m-commerce trading communities. This proposal also assumes that a reputable party will provide accurate deal appraisals, which may not always happen. Jurca and Faltings (2003) have proposed an incentive-compatible mechanism using a sidepayment scheme to encourage agents to report reputation information accurately. The side-payment scheme is organized through a set of agents that act as brokers to buy and sell reputation information. These broker agents are called R-agents. Agents can buy another agent's reputation information from an R-agent at a certain cost F1 and then sell reputation information to the same R-agent at another cost F2. The integrity of reputation information and its binding to its owner is protected using a cryptography mechanism. However, this approach is vulnerable to collusions even when only two agents are involved. Any agent can collude with an R-agent to provide fake reputation information to other agents. Furthermore, it is not useful for trading parties in ad hoc m-commerce trading systems to store their reputation information with a third party as the availability of such reputation information cannot be guaranteed every time it is required. This is because the party who stores the reputation information may not be participating in the trading system during the transaction period or may no longer be an active participant. It will take unpredictable periods of time for the requestor of the reputation information to get in contact with that party.
Another approach by Aberer and Despotovic (2001) is based on a binary valued concept of trust, where an agent can only be trustworthy or not. In their approach, only information on dishonest transactions is used to evaluate the trustworthiness of each agent. If an agent discovers that its counterpart is dishonest in their transaction, that agent can forward a complaint about its counterpart's misbehavior to other agents. To store the complaints in a P2P network, a decentralized storage method, called a P-Grid is used. To evaluate the trustworthiness of a particular agent, an agent will search the leaf level of the P-Grid for complaints on that agent. The main interest in this approach is that it does not require any centralized infrastructure for agents to assess the trustworthiness of other agents as well as to store complaints on each agent's misconduct. However, the use of complaints as the only relevant data to assess trustworthiness is not an adequate way of evaluating an agent's reputation. The absence of complaints is not positive evidence of an established reputation. Only a reasonable number of recently conducted mutually satisfactory trades are evidence of that. In addition to that, in this approach, no consideration is made of the possibility of an agent making an inaccurate complaint. It is important to consider this issue to ensure that there is little likelihood of a malicious agent undermining the purpose of the reputation system by compromising the reliability of a complaint.

Methods
This section presents the design of a distributed reputation system that aims at providing an effective way to facilitate trust development among traders in an ad hoc m-commerce trading system by addressing the three key design issues discussed in Section 1.4. To enable efficient retrieval as well as a high availability of reputation information, it is proposed that the reputation system for ad hoc m-commerce trading systems let traders maintain their own reputation information locally and share their knowledge about other traders' trading behavior in a totally P2P manner without having to rely on network services that are always available. It is also proposed that a sanction-backed mechanism be employed to encourage traders to provide truthful reputation reports in order to ensure the reliability of such information.

Reputation information
In many existing reputation systems, traders build their reputation by means of deal evaluations which are provided after the completion of each transaction that they participate in. Positive evaluations can be used as proof that a trader has engaged in transactions before in a proper manner whereas negative evaluations are evidence that a trader has misbehaved or at least failed to satisfy in his previous transaction agreements. To help traders make sensible trust decisions, the proposed reputation system for ad hoc m-commerce uses both positive and negative evaluations. However, the use of deal evaluations as the only relevant reputation information to evaluate a trader's trustworthiness will make it difficult for new members in a particular trading system to begin participating in transactions. They will struggle to get started as they can only build a reputation after they have participated in several transactions. A testimonial recommending that a trader is worth dealing with from a respected member of the forum could help them get started. Testimonials provide a secondary method for a trader's good faith and professionalism to be supported. Their worth depends on trusting the judgment of their provider and their provider's own reputation is a good basis for deciding on that.

Deal evaluation
In ad hoc m-commerce trading systems, traders are expected to generate a deal evaluation of their counterparty's trading conduct after the completion of each transaction, digitally sign it and then send it to their trading counterparties. This will enable the traders to store reputation information about their trading conduct on their mobile device, which will make such information readily accessible when it is required in their future transactions. A deal evaluation that is signed by its sender's digital signature before it is sent to its recipient will ensure that no other third party can alter it during transmission without the knowledge of both its sender and receiver. Any attempts by the recipient to modify it when it is stored on his mobile device will also be detectable. Thus its authenticity and integrity can be guaranteed. To prevent both parties from repudiating offers or bargain struck between them, the deal evaluation will also contain a transaction contract that is digitally signed by them (Osman and Taylor, 2010) as a proof that they have agreed to engage in the transaction. There are many ways in which traders can evaluate their trading counterpart's behavior in satisfying their trade.
A rather simple one would use a one dimensional evaluation parameter where 1 is used to indicate a good transaction, -1 to indicate a bad transaction and 0 to indicate neutral, as is used in eBay's reputation system. This approach, although simple to understand, is too unspecific and does not allow traders to clearly specify the variations in the quality of the items being traded or the quality of the behavior of a trader in fulfilling their transaction agreement. A reputation system with such a common or subjective evaluation parameter would blur pertinent detail into a rating that merely gives an overall impression, which could subsequently lead to ill-founded trust decisions.
A second approach adopted by some existing reputation systems evaluates trades by means of a rating using a single numerical value. For example, trader A gives a value 0.9 to trader B for satisfying their transaction agreement on a scale of 0 (bad) to 1 (good). However, single numerical measures like this misleadingly suggest that one dimension of valuation sums up all the key qualities at stake to quite a fine degree of precision.
A third approach is to use a scheme that differentiates out different quality aspects based on several parameters such as:  Honesty in describing what is traded-This expresses a trader's satisfaction as to the quality of the traded items being as described.  Conformity to agreement-This expresses a trader's satisfaction with how well the other party has fulfilled the transaction agreement, e.g. made payment or delivered the traded items as agreed.  Manner of dealing-This expresses a trader's satisfaction with how well the other party behaved in doing the deal. Did they act in good faith or did they try to take unfair advantage or cheat.
To express the amount of satisfaction for each parameter, a 4-category grading scheme as shown in Table 1 might be used to signify fully satisfied, satisfied, unsatisfied or wholly unsatisfied. Traders can also qualify their satisfaction by leaving short textual comments.
Consider for example, a scenario where trader A has bought a second hand bike from trader B in a selling or buying items trading forum. Trader B describes the bike as new and never been used but when trader A goes to collect the bike and pay for it, it is not exactly as described but is still in an acceptable condition. After the trade is completed, trader A might give the following evaluation to trader B, as shown in Table 2.  To aggregate such evaluations data, a simple summation scheme might be used by trading software to total up the number of reliable ratings received by a trader for each parameter. For example, a trader with 10 recent transactions in the past 6 months might have the following deal evaluations summary as depicted in Table 3. The third approach seems to be more suitable for an ad hoc m-commerce trading system as it enables the evaluation given by different parties to be comparable using several categories of degree as well as being simple for traders to understand and make fast trust decisions. Flea market traders using an ad hoc m-commerce application for low value trading might not be keen to use a more complex evaluation scheme as it might require them to spend a lengthy period of time in order to understand how it functions. If the traders fail to understand properly how the evaluation scheme works, there is a possibility that they might unintentionally give inappropriate or inaccurate evaluations to their trading partners. In addition to that, a reputation system with complex evaluation parameters would require participants to spend substantial amounts of time grading deals on all these parameters. Busy traders with no big ticket risks might be tempted to skip doing this thoroughly which could lead to incomplete or ill-considered evaluations that undermined its value.
However, as this paper only focuses on addressing three key design issues as discussed in Section 3, the suggested scheme for evaluating deals is not presented as preferable to use over any other scheme of evaluation. The key point is that whatever scheme is used to evaluate deals, it should clearly distinguish well from bad evaluations to suitable degrees so that software can summarize such data in a readily understood form. It should also suit the type of trading involved so that capturing deal evaluations after every trade or attempted trade is realistic to expect will happen. Ad hoc m-commerce trading forums might be expected to design their own deal evaluation templates to suit the stakes involved in trading, the manner in which exchanges take place and the norms of acceptable conduct in such trading.

Testimonials
One way for traders to share their expressions of trust about a particular trader's honesty in performing transactions is by providing trade worthiness recommendations in the form of a testimonial. Testimonials from respected and well known reputable traders can be an effective means for new comers in an ad hoc m-commerce trading system to build trust with future trading partners, which will then help them to get started and quickly participate actively in the trading system's activities. Recommendations of this kind would also help established traders be accepted as reputable in addition to favorable evaluations of their past deals. Testimonials have value as well in helping traders who have been unsatisfactorily evaluated in a few deals to have these evaluations put in a wider perspective of relevant evidence. One approach to capture such trade worthiness recommendations in an ad hoc m-commerce trading system is to use the testimonial template as shown in Fig. 1. Its structure helps elicit key aspects and makes comparisons easier to make. An alternative would be to use unstructured text of a certain maximum size. Either might be employed, or an ad hoc m-commerce trading forum might design their own testimonial template to reflect the norms and forms of the style of trading accomplished within.

Fig. 1: Testimonial template
To ensure that a testimonial is authentic and not a fake recommendation by an ill-intentioned party, it needs to be digitally signed by its sender before it is sent to its recipient.

Reputation information storage
As discussed above, the most appropriate and reliable way to store and manage reputation information in an ad hoc m-commerce trading system is to allow traders to maintain their own reputation information in their mobile device local repository. The benefits of allowing traders to store their own reputation information locally are:  The retrieval of such information will be more efficient as it can be accessed immediately by its owner when requested by others without having to rely on any third parties to supply it. This reduces communication overheads among traders.  It addresses the availability issue for much of the reputation information. If such information is stored on any other third party's mobile device, it might not be available when it is required because that third party may not be available or no longer participate in the trading system.  It simplifies the storage issue in an ad hoc mcommerce trading system and also reduces each trader's storage overheads.
However, if traders store their own reputation information locally, two issues need to be addressed. The first issue is the integrity of the reputation information as ill-intentioned traders might attempt to alter it while it is in their local repository in order to increase their reputation dishonestly. The other issue is that traders may refuse to supply or fail even to store negative evaluations about themselves. For the first issue, it will be difficult for the illintentioned traders to tamper with the reputation information in their local repository without being detected by other traders who receive their reputation reports. This is because these reports will be signed and so long as a checker has access to the public key in the signer's public key certificate, the checker will be able to detect any changes made to the document after it is signed and thus its authenticity and integrity will be guaranteed. It will also ensure that the evaluator cannot credibly deny having made that deal evaluation or testimonial. To guard against traders discarding or withholding poor evaluations of their trades, traders are expected to multicast markedly poor evaluations of trades within the trading community. Recipients would be expected to store such data but could condense or expire it as it ages or threatens to exceed allocated storage space. It is also recommended that trading software implementing this approach provide no software supported means for users to discard or alter out unwanted recent evaluations of their dealing behavior when sharing evaluation data. This would make it difficult for all but the most technically sophisticated to selectively edit the presentation of their trading history.

Sanction-backed mechanism
A sanction-backed mechanism is potentially useful in handling misbehavior among traders. One example type of misbehavior in online trading is where a buyer pays the seller for an item but the seller does not transfer the traded item at all to the buyer, or transfers an item to the buyer that is not as described or promised in their deal agreement or has undisclosed quality deficiencies. In this case, if the seller is not sanctioned after receiving a series of poor deal evaluations from his trading counterparts due to his misbehavior in several transactions, then he has no incentive beyond a poor reputation to behave properly and honestly in all of his transactions. This will subsequently affect other traders' confidence to participate in such trading system as there could be perceived to be insufficient disincentive to constrain traders from misbehaving or cheating in their transactions. Thus, it can be useful to employ a sanction mechanism in an ad hoc m-commerce trading system as an inducement to encourage traders to behave in a proper manner and comply with the rules and regulations of the trading system, especially when participating in a deal, or providing deal evaluations or testimonials to other traders, or attesting other traders' credentials. A sanction-backed mechanism can also be an effective way to restrict an ad hoc m-commerce trading system's membership to only parties that are regarded as reasonably trustworthy by other participating parties. Without a centralized authority and established network infrastructure, it can be a challenging task to administer sanctions in an ad hoc m-commerce trading system. The mechanism needs to be distributed and controlled by the traders themselves in a fully P2P manner. This paper advocates using exclusion from membership of a trading forum to sanction traders that misbehave or have a series of poor deal evaluations. This mechanism enables any trader who has evidence about a particular trader's misbehavior to multicast a proposal to exclude that trader from a trading forum's membership to other traders in the trading forum. The exclusion proposal will consist of the target party's trading pseudonym, brief reasons for the exclusion, relevant evidence and also the digital signature of the party who makes the proposal. To reduce the risk of traders being unfairly excluded from a particular trading forum's membership, traders are expected to verify the identity of the sender of the proposal exclusion is whom he claims to be by checking his PGP certificate through the certificate authentication process and check his credibility, whether poor evaluation reports have been broadcast about him or whether he himself is the subject of an exclusion proposal. As the decision for the exclusion will be based on collective decision making by any sufficiently large number of current forum members, depending on each trading forum's exclusion policy (Osman and Taylor, 2010), traders with views on the proposal will have the opportunity to give their vote. If they do not regard the sender of the exclusion proposal as a credible party, they can vote their disapproval. Having a vote based exclusion policy helps diminish the possibility of unfair exclusions due to collusion among ill-intentioned traders as they would need to have a substantial number of associates in order to obtain a quorate decision for the exclusion. The sender's digital signature on the exclusion proposal will ensure that he is accountable for any exclusion proposal that he has made. Any unfair exclusion proposal can be used as an evidence for other traders to exclude him in turn from a trading forum's membership for his misbehavior. Thus, a trader who makes a habit of providing unfair negative evaluations or colluding with accomplices to harm other traders' reputations or unfairly tries to exclude them, will also be open to the risk of being excluded from membership of a trading forum if other traders receive poor reputation reports and an exclusion proposal from one of his unsatisfied trading counterparties. Testimonials from respected reputable traders in the trading forum can be valuable evidence to rebut a trader's poor evaluation report if they can be obtained. The sanction mechanism will be a significant incentive for traders to desist from behavior that creates negative evidence that other traders can use as a basis for excluding them from a trading forum's membership. The proposed identity support scheme (Osman and Taylor, 2011) will also make it difficult for them to reenter with a whitewashed new identity once they are excluded.

Results and discussion
Misbehavior by ill-intentioned traders is a major threat to the effective operation of an online trading system. The existence of such traders may subvert the reliability of a reputation system and the functionality of a trading system, which will subsequently cause loss of trust among traders if the system fails to detect them in a timely way and constrain their misbehavior effectively. Generally, illintentioned traders can do such damage by working alone or in coalitions, such as by behaving dishonestly in their transactions or manipulating reputation information through collusion with associates or multiple identities in order to gain personal benefits, and so on. Thus, this section examines the means by which the ill-intentioned parties in an ad hoc m-commerce trading system can pose threats to compromise the reliability of its reputation system and discusses how the proposed design of a reputation system can detect and mitigate such threats to a sufficient degree.

Mitigating poor trading behavior
In an ad hoc m-commerce trading system, traders can act dishonestly in their transactions in many ways, which include the following:  Provide misleading information to their trading partners about the items to be traded in terms of their price, quality, originality, condition and so on. For instance, a seller can advertise a used computer as a brand new one, or a fake designer watch as a genuine one.  Deceive in their transactions. For instance, a seller does not provide the item that has been traded to the buyer or a buyer does not pay the seller for the item that has been traded between them and so on.
To mitigate such poor trading behavior in an ad hoc m-commerce trading system, traders are encouraged to multicast negative evaluations about a particular dishonest trader to the whole community of the trading system. By sharing such negative trading experience with other members of the trading system, the opportunities for the dishonest trader to participate in future transactions, especially the profitable ones are likely to be reduced. This is because when negative information about a trader is spread over the whole community, the other members who receive such information may refuse to deal with that trader to avoid from being exposed to significant risks of loss. Negative evaluations that a trader receives, even from a single transaction are likely to damage that trader's reputation, which will significantly diminish the other traders' confidence and trust to engage in a deal with that trader. Thus, the sharing of negative trading experience among members of a trading system helps to motivate traders to behave and fulfill each of their transactions honestly as the gain that they obtained from their misbehavior might be smaller if compared to their future losses due to their poor trading history. In addition to the sharing of negative trading experience among traders, a trader that receives a series of negative evaluations from his trading counterparts is open to the risk of being excluded from membership of the trading system. An exclusion mechanism is used as a means to encourage cooperative behavior among traders in an ad hoc m-commerce trading system by inflicting indirect punishment on the users who cheat or misbehave. Such a mechanism can assist in the establishment of trust among traders in such an ad hoc trading community by excluding traders that misbehave or have a history of poorly evaluated trading deals.
However, the sharing of negative evaluations among traders might create another risk for an ad hoc m-commerce trading system. An ill-intentioned trader might provide unfair negative evaluations about an honest trader with the intention of damaging that trader's reputation, through either slandering or badmouthing. The issues of slandering or badmouthing in an ad hoc m-commerce trading system are addressed using testimonials and an exclusion mechanism. Testimonials from trusted and well known reputable traders in the trading community can be used as relevant evidence to support a trader's explanation to other members that he has been evaluated unfairly by his trading counterpart(s). Another way to address the issues of slandering and badmouthing is to use an exclusion mechanism to sanction traders who provide unusually high numbers of negative evaluations. In this case, a trader can also include his testimonials as evidence to support his exclusion proposal to exclude ill-intentioned traders that have given him unfair negative evaluations from a trading system's membership.

Mitigating overstating and hyping
The issue of overstating and hyping is challenging to tackle. It requires a mechanism that provides significant incentives for traders to remain honest under any circumstances. Overstating and hyping are not necessarily harmful. They are only so if traders use artificially boosted reputations to defraud others. To boost their reputation through overstating or hyping, ill-intentioned traders may cooperate with their associates or use multiple identities to create bogus transactions and so provide good evaluations for those transactions. For this reason, it is important for traders when considering deal evaluations to take into account who they are from. If the evaluations are from known cronies of a dubious trader, then they can be accorded little weight however ecstatic they are. If they are from completely unknown parties with no other known participation in trading with parties the assessor is familiar with, then they should equally be accorded little weight. Only evaluations from parties the assessor has favorable knowledge of either directly or indirectly can be accorded credence. Traders can also be provided with a means to verify the authenticity of a transaction. This can be achieved by requiring participants to produce a transaction contract after both parties have agreed to engage in a deal. A trader needs to send the transaction contract that has been time stamped and digitally signed by both parties together with a deal evaluation to his trading counterpart after the completion of each transaction as a proof that the transaction is real and has occurred between them.

Mitigating Sybil collusions
Sybil collusion is a major collusion hazard that can occur in any reputation systems that has weak identification processes. Ill-intentioned traders in a trading community may exploit weak identification processes to generate multiple new identities. A study has shown that a user can then use these identities to collude to boost his own reputation or his associates' or damage another trader's reputation, which may subsequently lead other members of the trading system to making inaccurate trust decisions. In order to prevent Sybil collusions, a trading system needs to provide a means to constrain a trader from generating and also exploiting multiple identities, which can be achieved through the following approaches:  Restrict the generation of multiple identities in the identity establishment process.  Detect the presence of multiple identities within the identity verification processes.
In an ad hoc m-commerce trading system, it might be difficult to restrict the generation of multiple identities as ill-intentioned traders might compromise the digital certificates generation process. This is due to the fact that traders are allowed to create their own self-signed digital certificates and there is no centralize authority or a CA to control such process. Thus, the only way to mitigate Sybil collusions is by detecting the presence of Sybils through digital certificates verification processes. The use of a photograph in a trader's PGP certificate will make it difficult for traders to operate with multiple identities without this becoming apparent (Osman and Taylor, 2011).

Discussion
This section discusses the things that a trader in an ad hoc m-commerce trading system should do when dealing with reputation reports or testimonials in order to mitigate misbehaviorrelated threats. Before relying on any reputation reports or testimonials from other traders, traders of an ad hoc m-commerce are expected to do the following:  Perform a trading software check to ensure that nothing has changed since the last digital signature was applied to any of the deal evaluations in the reputation report or the testimonials. This is to ensure that the integrity of such documents has not been compromised when it is stored in its owner's local repository or during transmission.  Verify the validity of the digital certificate of each party that provides the deal evaluations or testimonials to ensure that there is no Sybil collusion attempt.  Check the credibility of the trader who sends a negative evaluation whether poor evaluation reports have been broadcast about him or whether he himself is the subject of an exclusion proposal.  Check the membership status of the parties that provide the deal evaluations or testimonials to ensure that they are not recorded as being excluded from membership or a subject of an exclusion proposal in their local membership list.

Conclusion
This paper has discussed three key design considerations in implementing a fully distributed reputation system that can provide effective ways to facilitate trust development among traders in ad hoc m-commerce trading systems namely reputation information storage, integrity maintenance and reliability assurance. It also has presented the approach to address the three key design issues in order to assist traders in making faster and more reliable trust decisions. To enable efficient retrieval and high availability of reputation information, the proposed approach lets traders maintain their own reputation information locally and share their knowledge about other traders' trading behavior in a totally P2P manner without having to rely on network services that are always available. It advocates reinforcing this with a sanction-backed mechanism that lets traders collaborate to exclude any member that has misbehaved unreasonably or has an overly poor trading history from a trading system's membership to encourage traders to provide truthful reputation reports.
This paper also has examined the means by which the ill-intentioned traders in an ad hoc mcommerce trading system can pose threats to subvert the reliability of its reputation system and discussed how the proposed design of a reputation system can detect and mitigate such threats to a sufficient degree. With support from the proposed group membership service and identity support scheme (Osman and Taylor, 2011), the aim is that this type of reputation system will make ad hoc mcommerce a viable means to conduct online trading via ad hoc networking.