SECURING USER REPUTATIONS IN AN ONLINE MARKETPLACE

CROSS-REFERENCE TO RELATED PATENT APPLICATIONS

[0001] This application claims priority from Provisional U.S. Patent Application 61/610,213, filed March 13, 2012, incorporated herein by reference in its entirety.

BACKGROUND OF THE DISCLOSURE

[0002] Online marketplaces allow users to buy and sell goods over the Internet. Websites associated with online marketplaces can use user reputations to distinguish between malicious users and non-malicious users. The user reputation can consist of feedback from other users concerning prior transactions. Malicious users may manipulate their reputation by, e.g., white-washing their reputation by creating a new account with a blank reputation, colluding with other malicious users to provide good feedback on each other's transactions, and/or conducting Sybil attacks where users create and use fake identities to provide positive feedback on fictitious transactions. This manipulation can lead to wasted time and monetary losses for defrauded users, and can undermine the usefulness of the online marketplace.

SUMMARY OF THE DISCLOSURE

[0003] The present disclosure describes systems and methods for securing user reputations in an online marketplace by preventing malicious users from manipulating their reputations by, e.g., white-washing, colluding, and conducting Sybil attacks. In some aspects, the present disclosure uses risk networks to maintain and judge user reputations. The risk networks are stored as multi-graph, which can improve the reputation calculation time. More specifically, in some implementations, when a buyer is about to purchase an item, the system calculates a max-flow in a risk network between the buyer and the seller. If the max-flow is below the amount of the transaction (e.g., purchase price) that the buyer is about to engage in, the system may provide a warning to the buyer that the transaction may be fraudulent.

[0004] At least one aspect of the present disclosure is directed to a method for securing user reputations in an online marketplace where at least some users conducting transactions have no previous relationship and obtaining user accounts is free. In one implementation, the method includes receiving a request to conduct a transaction with a second user. The transaction can be associated with a transaction amount, and the request can be received by a data processing system from a first user. The method can include obtaining, by the data processing system, a series of risk networks that include the first user and the second user. Each risk network of the series of risk networks can include a plurality of automatically generated weighted links between pairs of users who successfully completed a transaction. Furthermore, each subsequent risk network of the series of risk networks can be a subgraph of the previous risk network containing only those links with an exponentially higher weight. The method can include determining, for at least a highest weighted risk network of the series of risk networks, a max-flow between the first user and the second user. The method can determine this max-flow responsive to the request. The method can compare a first collective weight of the determined max-flow with the transaction amount. The method can generate, based on the comparison, an indication of a level of risk associated with the transaction.

[0005] In some implementations, the first collective weight can be greater than the transaction amount, and the method can include indicating a low level of risk. The method can also include conducting the transaction.

[0006] In some implementations, the method includes temporarily lowering the collective weight of the weighted links associated with the max-flow upon conducting the transaction. The method can temporarily lower the weights based on the transaction amount.

[0007] In some implementations, the method includes restoring, by the data processing system, the temporarily lowered weights responsive to receiving neutral feedback for the transaction.

[0008] In some implementations, the method includes restoring the temporarily lowered weights responsive to receiving positive feedback for the transaction. The method can also include automatically generating, by the data processing system, a new weighted link between the first user and the second user, the new weighted link having a new weight based on the transaction amount. [0009] In some implementations, the method includes responsive to receiving negative feedback associated with the transaction, automatically setting, by the data processing system, the temporarily lowered weights to be permanent.

[0010] In some implementations, the method includes receiving, by the data processing system from a third user, a second request to conduct a second transaction with the second user. The second transaction can be associated with a second transaction amount. The method can also include determining that a collective weight of a max-flow between the third user and the second user is below the second transaction amount. The max-flow between the third user and the second user can include at least one of the temporarily lowered weighted links. The method can also include generating, based on the determination, an indication of a high level of risk associated with the second transaction.

[0011] In some implementations, the highest risk network is at least one subsequent risk network. In these implementations, the method can include identifying that the first collective weight is less than the transaction amount. The method can also include determining, responsive to the identification, a max-flow for at least one previous risk network of the series of risk networks. The at least one previous risk network can include at least some weighted links with weights that are exponentially lower than the at least one subsequent risk network.

[0012] In some implementations, the at least one previous risk network is a lowest weighted risk network of the series of risk networks. In these implementations, the method can include identifying that a second collective weight of the max-flow of the lowest weighted risk network is less than the transaction amount. The method can also include determining, based on the identification of the second collective weight being lower than the transaction amount, that the level of risk associated with the transaction is high. The method can also include transmitting, by the data processing system, an alert that includes the indication of the level of risk.

[0013] In some implementations, the method can include determining the max-flow by applying a Ford-Fulkerson algorithm. [0014] At least one aspect of the present disclosure is directed to a system for securing user reputations in an online marketplace where at least some users conducting transactions have no previous relationship and user accounts are free to obtain. In some implementations, the system includes a data processing system. The data processing system can be configured to receive, from a first user, a request to conduct a transaction with a second user. The transaction can be associated with a transaction amount. The data processing system can be further configured to obtain a series of risk networks that includes the first user and the second user. Each risk network of the series of risk networks can include a plurality of automatically generated weighted links between pairs of users who successfully completed a transaction. Furthermore, each subsequent risk network of the series of risk networks can be a subgraph of the previous risk network containing only those links with an exponentially higher weight. The data processing system can be further configured to determine a max- flow between the first user and the second user. The data processing system can determine the max-flow responsive to the request and for at least a highest weighted risk network of the series of risk networks. The data processing system can be further configured to compare a first collective weight of the determined max-flow with the transaction amount. The data processing system can be further configured to generate, based on the comparison, an indication of a level of risk associated with the transaction.

[0015] In some implementations, the first collective weight is greater than the transaction amount, and the data processing system is further configured to indicate a low level of risk. The data processing system is configured to conduct the transaction.

[0016] In some implementations, the data processing system is configured to temporarily lower the collective weight of the weighted links associated with the max-flow. The data processing system can temporarily lower the collective weight upon conducting the transaction. The data processing system can also temporarily lower the collective weight based on the transaction amount.

[0017] In some implementations, the data processing system is configured to restore the temporarily lowered weights responsive to receiving neutral feedback for the transaction. [0018] In some implementations, the data processing system is configured to restore the temporarily lowered weights responsive to receiving positive feedback for the transaction. The data processing system can further be configured to automatically generate a new weighted link between the first user and the second user. The new weighted link can include a new weight based on the transaction amount.

[0019] In some implementations, the data processing system is configured to automatically set the temporarily lowered weights to be permanent. The data processing system can set the temporarily lowered weights to be permanent responsive to receiving negative feedback associated with the transaction.

[0020] In some implementations, the data processing system is configured to receive, from a third user, a second request to conduct a second transaction with the second user. The second transaction can be associated with a second transaction amount. The data processing can determine that a collective weight of a max-flow between the third user and the second user is below the second transaction amount. The max-flow between the third user and the second user can include at least one of the temporarily lowered weighted links. The data processing system can further generate, based on the determination, an indication of a high level of risk associated with the second transaction.

[0021] At least one aspect is directed to a computer readable storage device having instructions that are executable to cause one or more processors to perform operations. In some implementations, the instructions include instructions to receive, from a first user, a request to conduct a transaction with a second user. The transaction can be associated with a transaction amount. The instructions can further include instructions to obtain a series of risk networks comprising the first user and the second user. Each risk network of the series of risk networks can include a plurality of automatically generated weighted links between pairs of users who successfully completed a transaction. Each subsequent risk network of the series of risk networks can be a subgraph of the previous risk network containing only those links with an exponentially higher weight. The instructions can further include instructions to determine for at least a highest weighted risk network of the series of risk networks, a max- flow between the first user and the second user. This determination can be made responsive to the request. The instructions can further include instructions to compare a first collective weight of the determined max-flow with the transaction amount. The instructions can further include instructions to generate an indication of a level of risk associated with the transaction based on the comparison.

[0022] In some implementations, where the first collective weight is greater than the transaction amount, the instructions include instructions to indicate a low level of risk and conduct the transaction.

[0023] In some implementations, the instructions include instructions to temporarily lower the collective weight of the weighted links associated with the max-flow. The weights can be temporarily lowered upon conducting the transaction and based on the transaction amount.

BRIEF DESCRIPTION OF THE DRAWINGS

[0024] The skilled artisan will understand that the figures, described herein, are for illustration purposes only. It is to be understood that in some instances various aspects of the described implementations may be shown exaggerated or enlarged to facilitate an

understanding of the described implementations. In the drawings, like reference characters generally refer to like features, functionally similar and/or structurally similar elements throughout the various drawings. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the teachings. The drawings are not intended to limit the scope of the present teachings in any way. The system and method may be better understood from the following illustrative description with reference to the following drawings in which:

[0025] FIG. 1 is an illustration of an example system for providing content for display on a computing device via a computer network in accordance with an implementation.

[0026] FIGs. 2A-2D are illustrations of the life cycle of a transaction in accordance with an implementation.

[0027] FIG. 3 is an illustration of a risk network in accordance with an implementation.

[0028] FIG. 4 is a flow chart illustrating an example method for securing online user reputations in accordance with an implementation. [0029] FIG. 5 shows an illustration of an example network environment comprising client machines in communication with remote machines in accordance with an implementation.

[0030] FIG. 6 is a block diagram illustrating a general architecture for a computer system that may be employed to implement various elements of the system shown in FIG. 1 and the method shown in FIG. 4, in accordance with an implementation.

[0031] Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION

[0032] The following description in conjunction with the above-reference drawings sets forth a variety of implementations for exemplary purposes, which are in no way intended to limit the scope of the described methods or systems. Those having skill in the relevant art can modify the described methods and systems in various ways without departing from the broadest scope of the described methods and systems. Thus, the scope of the methods and systems described herein should not be limited by any of the exemplary implementations and should be defined in accordance with the accompanying claims and their equivalents.

[0033] The present disclosure describes systems and methods for securing user reputations in an online marketplace by preventing malicious users from manipulating their reputations by, e.g., white-washing, colluding, and conducting Sybil attacks. For example, systems and methods of the present disclosure can addresses at least these types of manipulation by (a) considering outstanding auctions, (b) taking into account the value of transactions with positive and negative feedback, and (c) discriminating between feedback provided by different users, in order to prevent malicious users from artificially inflating their reputation.

[0034] In some aspects, the present disclosure can augment an online marketplace where sellers and buyers may have no previous relationship, and accounts are free to obtain. Since buyers in these situations may have to rely on the seller's reputation, which is represented by feedback from other buyers, the present disclosure uses risk networks to maintain and judge user reputations in order to predict whether potential transactions are likely to be fraudulent. The risk networks are stored as multi-graph, which can improve the reputation calculation time. More specifically, in some implementations, when a buyer is about to purchase an item, the system calculates a max-flow in a risk network between the buyer and the seller. If the max-flow is below the amount of the transaction (e.g., purchase price) that the buyer is about to engage in, the system may provide a warning to the buyer that the transaction may be fraudulent.

[0035] In some implementations, the risk network includes weighted links between pairs of users who have successfully conducted transactions, where the weights are automatically generated. Since it may be computationally expensive to compute max-flow for the entire risk network (e.g., using an algorithm like Ford-Fulkerson), the system generates a multi- graph which contains a series of risk networks, where each subsequent network is a subgraph of the previous network containing only those links with an exponentially higher weight.

[0036] In an illustrative example, a buyer/seller pair intend to complete a transaction for $50. The system may proceed by finding the highest- weight network where both the seller and the buyer are present, and then run an algorithm, such as a Ford-Fulkerson algorithm, to identify a set of paths of collective weight w (e.g., $50). If such a set is found, then the system is finished; otherwise, the system repeats the process with the next lowest graph, thereby identifying the max-flow in the original risk network. If no set of paths are identified with a collective weight of at least $50, then the system may flag the transaction as being potentially fraudulent. The system may generate an alert to the user, prevent the user from conducting the transaction, or offer additional services to the user such as escrow services, insurance, etc.

[0037] If the transaction is completed, the system may temporarily lower the weights on these links (in aggregate) by the transaction amount (e.g., $50) until the system receives feedback about the success or failure of the transaction. Upon receiving positive feedback, the system may restore the temporarily lowered weights and additionally generate a new link directly between the buyer and seller weighted by the transaction amount. If the system receives neutral feedback, the system may only restore the temporarily lowered weights without creating a new link, while negative feedback may result in the temporary lowering becoming permanent.

[0038] In some implementations, systems and methods of the present disclosure can prevent malicious users from conducting more fraud together than they could separately, which may reduce or eliminate their incentive to collude. In another example, the amount of potential damage may be bounded because each user may be able to defraud others only by up to the amount of valid transactions the user has participated in, regardless of the number of identities the user possesses.

[0039] To participate in the online marketplace, an online marketplace operator may require participates to create a user account or identity (e.g., unique user name). In some

implementations, the user account may be free to create and a user may be permitted to create multiple user accounts. In other implementations, there can be a fee to create a user account or the number of user accounts per user may be limited. In some implementations, each user account may be linked with a payment method or a financial institution. For example, a user account can be linked with a traditional checking account at a bank, an online payment system, or a credit card. In some implementations, the user account may not be linked with a financial account; rather, the user may pay by cash, in-person, or mail a check. In yet another implementation, the online marketplace may include other types of instruments that can facilitate a transaction, such as a points system. For example, users may exchange points for goods or services, where the points were acquired by, e.g., playing an online game, or performing some task.

[0040] FIG. 1 illustrates an example system 100 for securing user reputations in an online marketplace. In brief overview, the network 105 can include computer networks such as the Internet, local, wide, metro, or other area networks, intranets, satellite networks, and other communication networks such as voice or data mobile telephone networks. The network 105 can be used to access information resources such as web pages, web sites, domain names, or uniform resource locators that can be displayed on at least one first user device 110 or second user device 125, such as a laptop, desktop, tablet, personal digital assistant, smart phone, or portable computers. For example, via the network 105 a user of the user device 110 or 125 can access information provided by at least one online marketplace operator 115. In this example, a web browser of the first user device 110 can access a web server of the online marketplace operator 115 to purchase an item provided for sale by a user of the second user device 125. For example, the first user device 110 can retrieve a web page for display on a monitor of the user device 110, where the web page corresponds to an item for sale by a user of the second user device 125. The online marketplace operator 115 generally includes an entity that operates at least an aspect of the online marketplace. In one implementation, the online marketplace operator 115 includes at least one web page server that communicates with the network 105 to make a web page of the online marketplace available to the user device 110 or 125.

[0001] The system 100 can include at least one data processing system 120. The data processing system 120 can include at least one logic device such as a computing device having a processor to communicate via the network 105, for example with the user device 110 or 125 and the online marketplace operator 115. The data processing system 120 can include at least one server. For example, the data processing system 120 can include a plurality of servers located in at least one data center. In one implementation, the data processing system 120 includes having at least one online marketplace server, such as a web server, application server, search server or data server. The data processing system 120 can also include at least one risk network manager 130, risk level identifier 135 and database 140. The risk network manager 130 and risk level identifier 135 can each include at least one processing unit or other logic device such as programmable logic array engine, or module configured to communicate with the database 140. The risk network manager 130 and risk level identifier 135 can be separate components, a single component, or part of the data processing system 120.

[0041] Still referring to FIG. 1, and in further detail, the data processing system 120 can receive a request from a first user 110 to conduct a transaction with a second user 125 via an online marketplace 115. In some embodiments, the data processing system 120 receives the request to conduct the transaction from the first user, while in other embodiments the online market place operator 115 receives the request to conduct the transaction and transmits an indication regarding the request to the data processing system 120 via network 105.

[0042] The transaction can be for any type of goods or services including, e.g., clothes, music, books, food, electronics, gift cards, repair services, carpentry services, financial services, or legal services. In some implementations, the first and second users have not previously conducted a transaction with each other. The transaction can include exchanging the goods or services for value, e.g, a transaction amount. For example, the second user may be selling a used book for $15. In another example, the transaction amount can be a number of points. In yet another example, the transaction can be for financial services and the transaction amount may be on an hourly rate, e.g., $50 per hour. In some implementations, the first user and the second user correspond to different identities that are associated with different people. In other implementations, the first user and the second user can correspond to different identities that are associated with the same person.

[0043] In some implementations, the request to conduct a transaction may be interpreted as the first user or buyer accepting the seller's offer to purchase a good or service at a set price. In other implementations, the online marketplace may be an online auction where multiple buyers can bid on items and the seller can select the highest bid, or some other bid based on various factors.

[0044] In some implementations, the data processing system 120 obtains a series of risk networks that includes the first user and the second user. In some embodiments, the data processing system 120 obtains the risk network from database 140 or another source via network 105. In some embodiments, the data processing system 120 creates and maintains the risk network. The risk network refers to a link between two identities in an undirected fashion, which is formed upon a successful transaction between the two identities. In some implementations, the weight of the link corresponds to the transaction amounts of the total amount of successful transactions between the two identities. For example, if the first user ("A") and the second user ("B") participated in two successful transactions for $5 and $10, there would be a weighted link from A to B with a weight of $15. The transitive closure of these links results in an undirected network such as the risk network, which will be described further in Figs. 2A-2B. In some implementations, there is an explicit weight that can represent the total transaction value associated with each link, and the data processing system 120 can automatically generate the weights based on the users' actions.

[0045] In some implementations, the data processing system 120 can maintain a plurality of risk networks as a series of risk networks or multi-graphs: [0046] For example, a multi-graph M can be a set of graphs where each graph d = (Vj, Ei). These graphs are related. For example, Go can be defined to be the entire risk network. Second, Gj can be defined to be a subgraph of G i defined by:

[0047] In this example, w(e) can represent the weight of edge e and k can be a configurable system parameter (e.g., 2, 3, 4 or 10). Accordingly, the multi-graph can contain a series of risk networks where each subsequent network is a subgraph of the previous network containing only those links with an exponentially higher weight, where the highest weighted risk network of the series of risk networks may be G„. For example, if the entire risk network included links with weights 4, 6, 9, 10, 16, 18, 20, 32, 36, 38, 45, 60 a series of risk networks can be broken down into the following subgraphs, where each subsequent subgraph of the previous network contains only those links with an exponentially higher weight:

..: ? f i.i.^ : — { L 2, -1. 4 0, 8. 10, 14 10 l

1 - _: ;4θ ·: > [ .. S siitip- i h -i ·.-■ ^■ ( 2 4140 4 1 4 1 4 15 )

W tr ^' is„o („5πΙ>φ ϊ. Η- i 10. _: 12, 1 5 ]

10 f ^* : ^' ? :· . .···„ : ,· _{' ·} ^c " · ^* Ϊ · ; :.™ { 0 , 10. 1 2. ! 0}

[0048] As shown above, graphs at higher levels in the multi-graph include only links with exponentially increasing weights (e.g., with k = 2, the four levels of the multi-graph would represent all links, links with weight $2 and higher, links with weight $4 and higher, and links with weight $8 and higher).

[0049] The multi-graph can contain multiple copies of a given link, the weights of which should be kept consistent. The consistency should be maintained during link addition, link weight change, and link weight temporary adjustments. For example, when the data processing system 120 adds a new link, the data processing system 120 can add the link to all of the subgraphs to which the link belongs (e.g., if the link weight is w, the link is added to {Gj : w > k ¹ }). When the weight of a link is changed, the data processing system 120 can add or remove the link from the appropriate graphs. Further to the example above, if the weight of a link changes from $10 to $2, the link may be removed from subgraph three. In some implementations, the weight of a link can be temporarily adjusted such as when there is an ongoing transaction where the data processing system 120 has conducted the transaction but not yet received feedback. In this example, the data processing system 120 can change the weight of the link upon initiating the transaction, and then accordingly change the weight of the link again upon receiving feedback.

[0050] In some implementations, the data processing system 120 determines the path between two users that includes the maximum weight, which can be referred to as the max- flow between two users. In some implementations, the data processing system 120 does not to identify the actual maximum weight (or max-flow) between two users, but whether there is a set of paths between two users that is equal to or exceeds the transaction amount. For example, the data processing system 120 can calculate whether a flow of weight w exists between a first user and a second user (e.g., a buyer and a seller). In some implementations, the data processing system 120 can apply an algorithm such as Ford-Fulkerson, which iteratively finds paths and removes them, until the sum of the removed paths is greater than w. For example, the data processing system 120 can apply Ford-Fulkerson to the entire risk network in Go.

[0051] In some implementations, the data processing system 120 can identify the highest- weight network G _m where both the first user and the second user are present. The data processing system 120 can then run an algorithm like Ford-Fulkerson on G _m , looking for a set of paths of collective weight w. In some implementations, other algorithms may be used to compute the max-flow such as the Edmonds-Karp algorithm or Dinitz blocking flow algorithm. If the data processing system 120 identifies a set with a collective weight, and then compares the collective weight with a transaction amount w to determine whether the collective weight is equal to or greater than w in G _m . Upon comparing the identified maximum collective weight with the transaction amount, the data processing system 120 may determine that the transaction amount for proposed transaction is greater than or equal to the weight w between the first user and the second user, and thus predict that there is relatively low risk in conducting the proposed transaction between the first user and the second user.

[0052] If, on the other hand, the data processing system 120 does not identify a set of paths with collective weight w in G _m , the data processing system 120 can repeat the process with the next-lowest graph G _m .i. The data processing system 120 can continue this process until either a set of paths of weight w is found, or the data processing system 120 cannot find such a set of paths in the lowest graph Go. If the data processing system 120 cannot find a set of paths in the original risk network (e.g., Go), then there may not be a set of paths in the entire risk network with collective weight w.

[0053] In some implementations, the data processing system 120 generates an indication of a level of risk associated with the transaction based on comparing the determined max-flow with the transaction amount. For example, if the data processing system 120 determines that the risk network includes a set of paths with a collective weight greater than or equal to the transaction amount, the data processing system 120 may indicate that there is relatively little or no risk in conducting the proposed transaction with the second user or seller. In some implementations, the data processing system 120 may transmit an indication regarding risk to the online marketplace operator 1 15. In some implementations, the data processing system 120 or online marketplace operator 1 15 may receive an indication from the first user device 1 10 to conduct the transaction.

[0054] In some implementations, the data processing system 120 temporarily lowers the collective weights of the weighted links of the set of paths associated with the identified max- flow. For example, the data processing system 120 can lower the weights on these links in the aggregate by the transaction amount. This results in the weight on these links being "on hold" until feedback concerning the success or failure of the transaction is received. The weight that is "on hold" cannot be used by any other potential transaction until feedback on this transaction is received.

[0055] While the weight of a set of paths of a risk is temporarily lowered, the data processing system 120 may receive a second request to conduct a second transaction. The second request can be from the first user to conduct a transaction with the second user, or a third user requesting to conduct the transaction with the second user, or two completely different users. If the data processing system 120 obtains a series of risk networks comprising a set of paths with temporarily lowered weights, the data processing system 120 can use the temporarily lowered weights to determine the set of paths between the buyer and seller with the max- flow. In some implementations, the data processing system 120 may determine that at a given time the potential transaction is a high risk transaction because the transaction amount is greater than the collective weight of the max-flow set of paths. However, the data processing system 120 may determine, at a later time, that due to changes in the risk network (e.g., the seller receiving positive or neutral feedback, or the creation of new links between the buyer and seller), there exists a max-flow between the buyer and seller that indicates that the transaction would no longer be risky. In this implementation, the data processing system 120 may alert the buyer (e.g., electronic mail, pop-up notification, prompt, text message, or in-app message) that the transaction is no longer risky. In yet another implementation, the buyer may indicate to the data processing system 120 to automatically conduct the transaction upon the data processing system 120 identifying a set of paths with a collective weight greater than or equal to the transaction amount, where the instruction to automatically conduct the transaction can terminate within a given time period (e.g., 12 hours, 24 hours, 48 hours, 1 week, 30 days, 3 months, or 6 months).

[0056] In some implementations, the data processing system 120 receives feedback about the transaction and can makes changes to the risk network depending on the type of feedback. For example, the data processing system 120 can receive feedback from the first user or the buyer that indicates whether the results of the transaction were positive, neutral or negative. In some implementations, the feedback can be a numerical score and range between negative and positive (e.g., 0 being the most negative and 10 being the most positive). The data processing system 120 can receive feedback in a plurality of ways including, e.g., via a user interface of the online marketplace, an electronic mail from a user of the first device 115, via network 105, by automatically tracking a shipping.

[0057] If the buyer reports a successful transaction, indicated by positive feedback, the data processing can restore the temporarily lowered weights. If it doesn't already exist, the data processing system 120 can also create a new link in the risk network directly between buyer and the seller that has a weight based on the transaction amount. Thus, positive feedback can both restore the network to its previous state and also create a new risk link between the buyer and the seller, which may indicate that the buyer and seller are more likely to enter into a future transaction together.

[0058] If the buyer reports a partially successful transaction, indicated by neutral feedback, the data processing system 120 can restore the temporarily lowered flow. However, the data processing system 120 may not create a new link. Accordingly, neutral feedback can result in restoring the network to its previous state, but with no changes. Neutral feedback may indicate that the auction was not fraudulent, but the users are nevertheless not completely satisfied. Thus, the buyer is not likely to enter into a future transaction with the seller, but does not wish to punish the seller by providing negative feedback.

[0059] If the first user or buyer reports an unsuccessful transaction, indicated by negative feedback, the data processing system 120 can make the temporary lowering of the weights permanent and not create any new links. This has the effect of reducing weight on the links of the seller, thereby decreasing the seller's ability to conduct transactions in the future without having them flagged. In particular, if the seller conducts many transactions that end up with negative feedback, eventually, all of the seller's links will be exhausted, and the seller may be unable to conduct any nonflagged transactions.

[0060] In some implementations, the risk network may not include a set of paths between a first user and a second user that has a collective weight greater than or equal to the transaction amount. In the event that the data processing system 120 does not identify a set of paths in the entire risk network with a collective weight greater than or equal to the transaction amount, the data processing system 120 may indicate that there is a relatively high level of risk. In some implementations, the data processing system 120 provides a warning to the first user or the online marketplace operator 115 before the user commits to a transaction or the online marketplace operator 115 conducts the transaction. In some implementations, the online marketplace can also provide better fraud guarantees by requiring users to abide by the warning. In some implementations, the marketplace could use this as an indicator to require an escrow service or insurance service, or more closely scrutinize the transaction. [0061] In some implementations, the data processing system 120 may not identify a set of paths in the entire risk network with a collective weight greater than or equal to the transaction amount because the buyer or seller are new users. For example, new users of the online marketplace may not have previously conducted any transaction, and thus may not be associated with a risk network. Therefore, these users would have a max-flow of 0 to all other users. To allow new users to still conduct transaction in the online marketplace, in some implementations, the data processing system 120 can provide users with a few "starter" links by allowing users to create virtual links to their real-world friends (in the same manner as malicious users can create links in the risk network between themselves by conducting fictitious transactions). Such a mechanism may allow users to join the marketplace without opening a new security vulnerability. In this example, since the user's friends are, in effect, vouching for the new user, the friends are putting their existing links on-the-line. If the new user begins to defraud others, not only would the new user's links be penalized, but the links of the friends would as well.

[0062] In another implementation, the data processing system 120 can allow new users to conduct transaction in the online market place by requiring new users to provide the online marketplace operator 115 with a certain amount of money to hold in escrow. In return, the data processing system 120 can create a link between the new user and some other, random user. At some later time, the new user could request this starter money back (and the data processing system 120 can remove the created link). However, if the link represented weight on hold, or if the link had been lost (due to a fraudulent transaction), the data processing system 120 can refuse to return the starter credit. This would not open up a new vector for attack, as (a) the most the new user could defraud others with is the amount of starter credit, and (b) if the user does commit such a fraud, the malicious user would not receive the starter credit back. In essence, such an attack would not allow a malicious new user to gain any money.

[0063] Referring to Figs. 2A-2D, illustrations of the state of the risk network while a first user 202 conducts a $10 transaction with a second user 206, in accordance with an implementation. In brief overview, 200A represents the state of the risk network before the transaction occurs, 200B represents the state of the risk network after conducting the transaction but before receiving feedback, 200C represents the state of the risk network if buyer 202 reports negative feedback for the transaction, and 200D represents the state of the risk network if the buyer 202 reports positive feedback. If the buyer 202 reports neutral feedback, the risk network would return to its initial state 200A.

[0064] In further detail, the nodes 205, 210, 215, and 220 of the risk networks 200A-D represent users of the online market place that are members of the risk network 200A. The buyer 205 and the seller 215 are both members of this risk network and have both conducted two transactions with other users (e.g., user 210 and user 220). As shown in Fig. 2A, the initial weights of the links between the members of the risk network are represented by 232, 234, 236 and 238. For example, the weight of the link between buyer 205 and user 210 is $10 (232), and the weight of the link between buyer 205 and user 220 is $8 (236). The weight of the link between seller 215 and user 210 is $5 (234), and the weight of the link between buyer 215 and user 220 is $10 (238). The weights can be any other units that can represent a weight of a link of a risk network and facilitate securing user reputations in an online marketplace.

[0065] In this example, user 205 intends to conduct a transaction with user 215 with a transaction amount of $10. Upon receiving the request to conduct the transaction, the data processing system can identify risk network 200A where each user has conducted

transactions with two other users (e.g., 210 and 220). Then, responsive to receiving a request to conduct the transaction, the data processing system can determine that the max-flow between user 205 and user 215 is greater than $10, and may allow the transaction to go through without a warning. In this example, there is no direct link between buyer 205 and seller 215 for at least $10. Furthermore, there is no single path between buyer 205 and seller 215 for at least $10. Rather, in this example, there are two paths with a max-flow of $5 each, which results in a set of paths having a collective weight of $10. For example, the max-flow between A^-- B^-- D is $5 as shown by link 234; and the max flow between

A<--»C<"»D is $8, as shown by link 236.

[0066] Upon conducting the transaction, the data processing system can temporarily lower the weights of the links along the max-flow paths by a total of $10. As shown in Fig. 2B, $5 is reduced from the set of paths going from the buyer 205 to the seller 215. For example, weights 232 and 234, which correspond to the set of paths from buyer 205 user 210 seller 215 are each reduced by $5, resulting in temporarily lowered weights 242 and 244, which, in this example, is $5 and $0, respectively. Similarly, weights 246 and 248, which correspond to the set of paths from buyer 205 user 220 seller 215 are each reduced by $5, resulting in temporarily lowered weights 246 and 248, which, in this example, is $3 and $5, respectively.

[0067] Once the feedback is received from one or both parties, the data processing system 120 can permanently change the risk network. For example, if the buyer reports negative feedback, the data processing system can make these weight reductions permanent. As shown in Fig. 2C, making these weight reductions permanent results in the risk network 200C eliminating the link 254 that was between user 210 and seller 215, and setting permanent weights 252, 256 and 258 to correspond to the temporarily lowered weights.

[0068] If the data processing receives positive feedback, the temporarily lowered weights can be restored to their initial values. As shown in Fig. 2D, the state of the risk network 200D reflects the restored weights 262, 264, 266, and 268, which corresponds to initial weights 232, 234, 236 and 238. Moreover, the data processing system can create a new link 270 directly from buyer 205 to seller 215 with a weight corresponding to the transaction amount, which is $10 in this example.

[0069] Finally, if the buyer 205 reports neutral feedback, the data processing system can simply restore the initial weights from prior to conducting the transaction, without creating the new link. Accordingly, Fig. 2A may reflect the state of the risk network 200A upon receiving neutral feedback.

[0070] Fig. 3 is an illustration of the risk network 300 where a malicious user is attempting to conduct a fraudulent transaction, in accordance with an implementation. In brief overview, buyer 305 is attempting to conduct a transaction with malicious user 315. Malicious user 315 has created a number of user identities 320, 325, 330 and 335, all of which are controlled or otherwise associated with malicious user 315. The single line links represent true

transactions (e.g., 340 and 345), and the double line links represent fictitious transactions (350, 355, 360 and 365). [0071] In further detail, malicious user 315 has conducted one legitimate transaction and four fictitious transactions. The legitimate transaction is with user 310, and the current weight of the link between user 310 and malicious user 315 is $5. The weight of the links between malicious user 315 and fake IDs 320, 325, 330, and 335 can be arbitrarily set by malicious user 315. For example, user 315 may have conducted fictitious transactions with fake IDs to result in a weight of $500 for a link between user ID 320; a weight of $100 for a link between user ID 325; a weight of $10 for a link between user ID 330; and a weight of $250 for a link between user ID 335. In each of these fictitious transaction, the malicious user may have actually made a payment via an online payment system. Furthermore, each user ID could be associated with a unique checking account or even mailing address.

[0072] Further to this example, buyer 305 may intend to conduct a transaction with malicious user 315. Rather than be fooled by user 315 's fictitious feedback, the data processing system can alert user 315. For example, the data processing system can secure user reputations because the fictitious transactions (350, 355, 360 and 365) do not increase the max-flow ($5) between buyer 305 and seller 315 of $5 (345), thereby preventing the reputation

manipulation. Since the fictitious transactions do not contribute to the max-flow between buyer 305 and seller 315, the data processing system can provide a warning to the user 305 even though the data processing system had no a priori knowledge that all user IDs 320, 325, 330 and 335 belong to malicious user 315.

[0073] Moreover, even if user 315 attempts to use one of the fake user IDs 320, 325, 330 and 335 to sell a product, the max-flow is still bound at $5 (345) by the real transaction with user 310. Accordingly, the data processing system can flag any transaction with a transaction amount greater than $5 as being potentially fraudulent. Furthermore, if the buyer 305 conducts a $5 transaction, the data processing system can temporarily lower the weight of link 345 to $0. If buyer 305 then provides negative feedback, the data processing system can permanently lower the weight of link 345 to $0, or eliminate the link. Thus, regardless of the number of accounts user 315 creates or the technique used to create fictitious transactions between, the data processing system can secure user reputations to prevent malicious attacks. In effect, the data processing system can require malicious user 315 to participate in successful transactions with other non-malicious users (e.g., 310) in order to increase user 315's max-flow, and penalizes these successful links whenever user 315 conducts fraud.

[0074] Fig. 4 is a flow chart illustrating an example method 400 for securing online user reputations in accordance with an implementation. In brief overview, the method 400 includes receiving a request to conduct a transaction (405). At step 410, the method 400 can include obtaining a series of risk networks. The method 400 can include determining a max- flow between the first user and the second user, where the first user transmitted the request to conduct the transaction (415). At step 420, the method 400 can include comparing the first collective weight of the set of paths corresponding to the max-flow with the transaction amount. At step 425, the method 400 can include generating an indication of a risk level associated with the transaction.

[0075] In further detail, method 400 can include receiving a request to conduct a transaction (405). The request can be received from a first user or a buyer via a network. The transaction can be for any type of goods or services in exchange for value, such as monetary value or points. In some implementations, the transaction occurs via an online marketplace, and the online marketplace indicates to a data processing system that a seller intends to conduct a transaction with a buyer. In some embodiments, the request can include information about the transaction, such as the buyer or seller's user identity (e.g., unique username), transaction amount, duration of the offer, quantity of goods being purchased, shipping information, or payment information.

[0076] In some embodiments, the method 400 includes obtaining a series of risk networks that include the buyer and the seller. The risk network can include a number of links with automatically generated weights between pairs of users who successfully completed a transaction. The entire risk network may be broken down into subgraphs where each subsequent risk network of the series of risk networks is a subgraph of the previous risk network containing only those links with an exponentially higher weight. In some embodiments, the buyer and seller are members of the same risk network if there is a direct or indirect path from the buyer to the seller; e.g., buyer directly conducted a transaction with seller, or buyer conducted a transaction with user 1, who conducted a transaction with user 2, who conducted a transaction with the seller. [0077] In some embodiments, the method 400 includes determining a max-flow between the first user (e.g., buyer) and the second user (e.g., seller). In some embodiments, the max-flow is dependent on the lowest weighted link of a path between the buyer and the seller. In some embodiments, the method 400 includes applying an algorithm, such as a Ford-Fulkerson algorithm, a subset of the entire risk network, where the subset includes only those links with at least a certain wait. This way, rather than apply the max-flow algorithm to the entire network, the method 400 can apply the max-flow algorithm to a subset of the entire network.

[0078] In some embodiment, if the method 400 identifies a max-flow in the first subset of the risk network, the method 400 can compare the first collective weight of the max-flow with the transaction amount. If the max-flow is not greater than or equal to the transaction amount, the method 400 can then apply the max-flow algorithm on the next subset of the risk network to identify a second max-flow. The method 400 can repeat this process until a max- flow with a weight greater than or equal to the transaction amount is found, or the entire risk network has been searched.

[0079] In some embodiments, if the method 400 identifies a set of paths where the collective weight is greater than or equal to the transaction amount, then the method can generate an indication of a relatively low or no risk level associated with the transaction 425. If, on the other hand, the method 400 does not identify a set of paths in the entire risk network with a collective weight greater than or equal to the transaction amount (e.g., after analyzing each subgraph of the series of risk networks), the method 400 can include generating an indication of a relatively high level of risk associated with the transaction.

[0080] In some embodiments, the method 400 can include transmitting the indication of the level of risk to the online marketplace operator 115, or the first user 110. In some embodiments, the data processing system 120 or the online marketplace operator 115 can prohibit the first user from following through with the transaction, or offer the first user additional services such as escrow or insurance.

[0081] In some embodiments, the method 400 includes temporarily lowering the weights of the links between the buyer and the seller until receiving feedback. If positive or neutral feedback is received from the buyer, the weights may be restored, while if negative feedback is received, the lowered weights can become permanent. Additionally, if positive feedback is received, the method 400 can include creating a new link between the buyer and the seller that reflects the transaction amount.

[0082] In some embodiments, the feedback can include a numerical range, e.g., 0 to 10, where 0 is negative (or positive), 5 is neutral, and 10 is positive (or negative). In this example, the method 400 can modify the risk network as explained above with respect to positive, negative and neutral feedback. In some embodiments, the method 400 can include adjusting the weights based on the degree of feedback. For example, if the feedback is positive, the method 400 can include creating a new direct link between the buyer and the seller. Further to this example, the weight of the new link can be based on the degree of positive feedback. For example, if the feedback includes a 7 out of 10, then the method 400 can include restoring the previous weights, but creating a new direct link between the seller and the buyer where the weight is a fraction of the transaction amount, e.g., 60%. In another example, if the buyer provides negative feedback in the form of a 3, the method 400 can include lowering the weights by 60% of the transaction amount rather than leaving them at their temporarily lowered value (which may represent lowering the weights by 100% of the transaction amount).

[0083] The system 100 and its components, such as a data processing system, may include hardware elements, such as one or more processors, logic devices, or circuits. FIG. 5 is an example implementation of a network environment 500. The system 100 and method 400 can operate in the network environment 500 depicted in FIG. 5. In brief overview, the network environment 500 includes one or more clients 505 that can be referred to as local machine(s) 505, client(s) 505, client node(s) 505, client machine(s) 505, client computer(s) 505, client device(s) 505, endpoint(s) 505, or endpoint node(s) 505) in communication with one or more servers 515 that can be referred to as server(s) 515, node 515, or remote machine(s) 515) via one or more networks 105. In some implementations, a client 505 has the capacity to function as both a client node seeking access to resources provided by a server and as a server providing access to hosted resources for other clients 505.

[0084] Although FIG. 5 shows a network 105 between the clients 505 and the servers 515, the clients 505 and the servers 515 may be on the same network 105. The network 105 can be a local-area network (LAN), such as a company Intranet, a metropolitan area network (MAN), or a wide area network (WAN), such as the Internet or the World Wide Web. In some implementations, there are multiple networks 105 between the clients 505 and the servers 515. In one of these implementations, the network 105 may be a public network, a private network, or may include combinations of public and private networks.

[0085] The network 105 may be any type or form of network and may include any of the following: a point-to-point network, a broadcast network, a wide area network, a local area network, a telecommunications network, a data communication network, a computer network, an ATM (Asynchronous Transfer Mode) network, a SONET (Synchronous Optical Network) network, a SDH (Synchronous Digital Hierarchy) network, a wireless network and a wireline network. In some implementations, the network 105 may include a wireless link, such as an infrared channel or satellite band. The topology of the network 105 may include a bus, star, or ring network topology. The network may include mobile telephone networks utilizing any protocol or protocols used to communicate among mobile devices, including advanced mobile phone protocol ("AMPS"), time division multiple access ("TDMA"), code- division multiple access ("CDMA"), global system for mobile communication ("GSM"), general packet radio services ("GPRS") or universal mobile telecommunications system ("UMTS"). In some implementations, different types of data may be transmitted via different protocols. In other implementations, the same types of data may be transmitted via different protocols.

[0086] In some implementations, the system 100 may include multiple, logically-grouped servers 515. In one of these implementations, the logical group of servers may be referred to as a server farm 520 or a machine farm 520. In another of these implementations, the servers 515 may be geographically dispersed. In other implementations, a machine farm 520 may be administered as a single entity. In still other implementations, the machine farm 520 includes a plurality of machine farms 520. The servers 515 within each machine farm 520 can be heterogeneous - one or more of the servers 515 or machines 515 can operate according to one type of operating system platform.

[0087] In one implementation, servers 515 in the machine farm 520 may be stored in high- density rack systems, along with associated storage systems, and located in an enterprise data center. In this implementation, consolidating the servers 515 in this way may improve system manageability, data security, the physical security of the system, and system performance by locating servers 515 and high performance storage systems on localized high performance networks. Centralizing the servers 515 and storage systems and coupling them with advanced system management tools allows more efficient use of server resources.

[0088] The servers 515 of each machine farm 520 do not need to be physically proximate to another server 515 in the same machine farm 520. Thus, the group of servers 515 logically grouped as a machine farm 520 may be interconnected using a wide-area network (WAN) connection or a metropolitan-area network (MAN) connection. For example, a machine farm 520 may include servers 515 physically located in different continents or different regions of a continent, country, state, city, campus, or room. Data transmission speeds between servers 515 in the machine farm 520 can be increased if the servers 515 are connected using a local- area network (LAN) connection or some form of direct connection. Additionally, a heterogeneous machine farm 520 may include one or more servers 515 operating according to a type of operating system, while one or more other servers 515 execute one or more types of hypervisors rather than operating systems. In these implementations, hypervisors may be used to emulate virtual hardware, partition physical hardware, virtualize physical hardware, and execute virtual machines that provide access to computing environments.

[0089] Management of the machine farm 520 may be de-centralized. For example, one or more servers 515 may comprise components, subsystems and circuits to support one or more management services for the machine farm 520. In one of these implementations, one or more servers 515 provide functionality for management of dynamic data, including techniques for handling failover, data replication, and increasing the robustness of the machine farm 520. Each server 515 may communicate with a persistent store and, in some implementations, with a dynamic store.

[0090] Server 515 may include a file server, application server, web server, proxy server, appliance, network appliance, gateway, gateway, gateway server, virtualization server, deployment server, secure sockets layer virtual private network ("SSL VPN") server, or firewall. In one implementation, the server 515 may be referred to as a remote machine or a node. [0091] The client 505 and server 515 may be deployed as or executed on any type and form of computing device, such as a computer, network device or appliance capable of

communicating on any type and form of network and performing the operations described herein.

[0092] FIG. 6 is a block diagram of a computer system 600 in accordance with an illustrative implementation. The computer system or computing device 600 can be used to implement the system 100, risk network manager 130, risk level identifier 135 and database 140. The computing system 600 includes a bus 605 or other communication component for

communicating information and a processor 610 or processing circuit coupled to the bus 605 for processing information. The computing system 600 can also include one or more processors 610 or processing circuits coupled to the bus for processing information. The computing system 600 also includes main memory 615, such as a random access memory (RAM) or other dynamic storage device, coupled to the bus 605 for storing information, and instructions to be executed by the processor 610. Main memory 615 can also be used for storing position information, temporary variables, or other intermediate information during execution of instructions by the processor 610. The computing system 600 may further include a read only memory (ROM) 620 or other static storage device coupled to the bus 605 for storing static information and instructions for the processor 610. A storage device 625, such as a solid state device, magnetic disk or optical disk, is coupled to the bus 605 for persistently storing information and instructions.

[0093] The computing system 600 may be coupled via the bus 605 to a display 635, such as a liquid crystal display, or active matrix display, for displaying information to a user. An input device 630, such as a keyboard including alphanumeric and other keys, may be coupled to the bus 605 for communicating information and command selections to the processor 610. In another implementation, the input device 630 has a touch screen display 635. The input device 630 can include a cursor control, such as a mouse, a trackball, or cursor direction keys, for communicating direction information and command selections to the processor 610 and for controlling cursor movement on the display 635.

[0094] According to various implementations, the processes described herein can be implemented by the computing system 600 in response to the processor 610 executing an arrangement of instructions contained in main memory 615. Such instructions can be read into main memory 615 from another computer-readable medium, such as the storage device 625. Execution of the arrangement of instructions contained in main memory 615 causes the computing system 600 to perform the illustrative processes described herein. One or more processors in a multi-processing arrangement may also be employed to execute the instructions contained in main memory 615. In alternative implementations, hard- wired circuitry may be used in place of or in combination with software instructions to effect illustrative implementations. Thus, implementations are not limited to any specific combination of hardware circuitry and software.

[0095] Although an example computing system has been described in FIG. 6,

implementations of the subject matter and the functional operations described in this specification can be implemented in other types of digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them.

[0096] Implementations of the subject matter and the operations described in this specification can be implemented in digital electronic circuitry, or in computer software, firmware, or hardware, including the structures disclosed in this specification and their structural equivalents, or in combinations of one or more of them. The subject matter described in this specification can be implemented as one or more computer programs, i.e., one or more circuits of computer program instructions, encoded on one or more computer storage media for execution by, or to control the operation of, data processing apparatus. Alternatively or in addition, the program instructions can be encoded on an artificially generated propagated signal, e.g., a machine-generated electrical, optical, or electromagnetic signal that is generated to encode information for transmission to suitable receiver apparatus for execution by a data processing apparatus. A computer storage medium can be, or be included in, a computer-readable storage device, a computer-readable storage substrate, a random or serial access memory array or device, or a combination of one or more of them. Moreover, while a computer storage medium is not a propagated signal, a computer storage medium can be a source or destination of computer program instructions encoded in an artificially generated propagated signal. The computer storage medium can also be, or be included in, one or more separate components or media (e.g., multiple CDs, disks, or other storage devices).

[0097] The operations described in this specification can be performed by a data processing apparatus on data stored on one or more computer-readable storage devices or received from other sources.

[0098] The term "data processing apparatus" or "computing device" encompasses various apparatuses, devices, and machines for processing data, including by way of example a programmable processor, a computer, a system on a chip, or multiple ones, or combinations of the foregoing. The apparatus can include special purpose logic circuitry, e.g., an FPGA (field programmable gate array) or an ASIC (application specific integrated circuit). The apparatus can also include, in addition to hardware, code that creates an execution

environment for the computer program in question, e.g., code that constitutes processor firmware, a protocol stack, a database management system, an operating system, a cross- platform runtime environment, a virtual machine, or a combination of one or more of them. The apparatus and execution environment can realize various different computing model infrastructures, such as web services, distributed computing and grid computing

infrastructures.

[0099] A computer program (also known as a program, software, software application, script, or code) can be written in any form of programming language, including compiled or interpreted languages, declarative or procedural languages, and it can be deployed in any form, including as a stand alone program or as a circuit, component, subroutine, object, or other unit suitable for use in a computing environment. A computer program may, but need not, correspond to a file in a file system. A program can be stored in a portion of a file that holds other programs or data (e.g., one or more scripts stored in a markup language document), in a single file dedicated to the program in question, or in multiple coordinated files (e.g., files that store one or more circuits, sub programs, or portions of code). A computer program can be deployed to be executed on one computer or on multiple computers that are located at one site or distributed across multiple sites and interconnected by a communication network. [00100] Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor will receive instructions and data from a read only memory or a random access memory or both. The essential elements of a computer are a processor for performing actions in accordance with instructions and one or more memory devices for storing instructions and data. Generally, a computer will also include, or be operatively coupled to receive data from or transfer data to, or both, one or more mass storage devices for storing data, e.g., magnetic, magneto optical disks, or optical disks. However, a computer need not have such devices. Moreover, a computer can be embedded in another device, e.g., a mobile telephone, a personal digital assistant (PDA), a mobile audio or video player, a game console, a Global Positioning System (GPS) receiver, or a portable storage device (e.g., a universal serial bus (USB) flash drive), to name just a few. Devices suitable for storing computer program instructions and data include all forms of non volatile memory, media and memory devices, including by way of example

semiconductor memory devices, e.g., EPROM, EEPROM, and flash memory devices;

magnetic disks, e.g., internal hard disks or removable disks; magneto optical disks; and CD ROM and DVD-ROM disks. The processor and the memory can be supplemented by, or incorporated in, special purpose logic circuitry.

[00101] To provide for interaction with a user, implementations of the subject matter described in this specification can be implemented on a computer having a display device, e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor, for displaying information to the user and a keyboard and a pointing device, e.g., a mouse or a trackball, by which the user can provide input to the computer. Other kinds of devices can be used to provide for interaction with a user as well; for example, feedback provided to the user can be any form of sensory feedback, e.g., visual feedback, auditory feedback, or tactile feedback; and input from the user can be received in any form, including acoustic, speech, or tactile input.

[00102] While this specification contains many specific implementation details, these should not be construed as limitations on the scope of any inventions or of what may be claimed, but rather as descriptions of features specific to particular implementations of particular inventions. Certain features described in this specification in the context of separate implementations can also be implemented in combination in a single

implementation. Conversely, various features described in the context of a single

implementation can also be implemented in multiple implementations separately or in any suitable subcombination. Moreover, although features may be described above as acting in certain combinations and even initially claimed as such, one or more features from a claimed combination can in some cases be excised from the combination, and the claimed

combination may be directed to a subcombination or variation of a subcombination.

[00103] Similarly, while operations are depicted in the drawings in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In certain circumstances, multitasking and parallel processing may be advantageous. Moreover, the separation of various system components in the

implementations described above should not be understood as requiring such separation in all implementations, and it should be understood that the described program components and systems can generally be integrated in a single software product or packaged into multiple software products.

[00104] References to "or" may be construed as inclusive so that any terms described using "or" may indicate any of a single, more than one, and all of the described terms.

[00105] Thus, particular implementations of the subject matter have been described.

Other implementations are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking and parallel processing may be advantageous.

[00106] What is claimed is: