
[freehaven-cvs] changes, some from alessandro



Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Log Message:
changes, some from alessandro


Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -d -r1.25 -r1.26
--- econymics.tex	16 Sep 2002 17:39:33 -0000	1.25
+++ econymics.tex	16 Sep 2002 21:12:21 -0000	1.26
@@ -145,6 +145,10 @@
 \section{The Economics of Anonymity}
 \label{sec:overview}
 
+Anonymity can be studied from an economic perspective. The actual
+protection of anonymity does not simply involve technical cleverness ---
+it also requires understanding the incentives of heterogeneous parties
+and solving the intricate web of their trade-offs.
 Single-hop web proxies like the Anonymizer can probably protect
 end users from simple threats like profile-creating websites.
 On the other hand, users of such commercial proxies are forced to
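Review bot: the new opening sentences run straight into "Single-hop web proxies like the Anonymizer ..." with no blank line, so LaTeX sets them as one paragraph and the general claim blurs into the specific example; add a blank line after "trade-offs." Also, "solving the intricate web of their trade-offs" is vague: say what is being solved for.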
@@ -156,7 +160,8 @@
 others to provide cover. Yet those others don't want to trust their
 traffic to a single entity either. The only viable solution is
 to distribute trust. Each organization or other entity runs
-a node in a shared \emph{strong anonymity} infrastructure. Users with
+a node in a shared \emph{strong anonymity} infrastructure, if its
+incentives are large enough to support the associated costs. Users with
 more modest budgets or shorter-term interest in the system also
 benefit from this decentralized model, because they can be confident
 that a few colluding nodes are unlikely to uncover their anonymity.
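Review bot: in the added clause "if its incentives are large enough to support the associated costs", incentives do not support costs; the condition the sentence needs is that the benefits of running a node outweigh its costs. Tacked on with a comma, the clause also turns "Each organization or other entity runs a node" from a description of the design into a conditional, which sits oddly right after "The only viable solution is to distribute trust". Suggest a separate sentence stating the condition.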
@@ -180,7 +185,9 @@
 creates anonymity for others. Thus users are always better off going
 where the noise is provided.
 
-High traffic is necessary for strong anonymity. High traffic and
+High traffic is necessary for strong anonymity, which means that the
+incentives of several agents must find a common equilibrium. High
+traffic and
 better performance complement each other: a system that processes
 only light traffic must delay messages to achieve adequately large
 anonymity sets. Thus better performance attracts users both for its
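Review bot: "which means that the incentives of several agents must find a common equilibrium" is presented as a consequence of "High traffic is necessary for strong anonymity", but the step connecting traffic to incentives is not stated; spell it out or drop "which means". Agents reach an equilibrium, incentives do not, so the wording needs adjusting too. The re-wrap also leaves "traffic and" as a stub line.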
@@ -254,7 +261,7 @@
 anonymity in the system, $p_{a}$ (the probability that sender and message
 will remain anonymous); and the perceived level of reliability in the
 system, $p_{r}$ (the probability that the message will be delivered). The
-subjective value of the information being sent anonymously can be related
+subjective value of the information being sent anonymously could be related
 to the profits the agent expects to make by keeping that information
 anonymous, or the losses the agents expects to avoid by keeping that
 information anonymous. We represent the level of anonymity in the system
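Review bot: two lines below the edited one the sentence still reads "the losses the agents expects to avoid"; since this sentence is being touched, fix the agreement to "the agent expects". Changing "can be related" to "could be related" also weakens the statement without saying what the alternative is; if the relation is a modelling assumption, say so.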
@@ -265,10 +272,10 @@
 space, $p$.\footnote{%
 Information theoretic anonymity metrics \cite{Diaz02,Serj02} probably
 provide better measures of anonymity: such work shows how the level
-of anonymity achieved by an agent in a mix-net system is associated to
-the particular structure of the system. But probabilities are simpler
-(and better than the common ``anonymity set'' representation), so we
-use them for now.} In particular:
+of anonymity achieved by an agent in a mix-net system is associated
+to the particular structure of the system. But probabilities are more
+tractable in our analysis, and better than the common ``anonymity set''
+representation.} In particular:
 
 \begin{itemize}
 \item  The number of users of the system is positively correlated to the
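Review bot: the rewritten footnote ends on "better than the common ``anonymity set'' representation" with no reason given, right after conceding that information theoretic metrics "probably provide better measures"; give the reason probabilities beat anonymity sets or drop the comparison. "associated to the particular structure" should be "associated with".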
@@ -277,20 +284,19 @@
 \item  Acting as a node (which we represent as $a_{i}^{h}=1$, under the
 assumption that the honest node is interested in its own anonymity) is
 strongly positively correlated to preserving the anonymity of one's
-information. For example, suppose agents send
-messages at regular intervals (no more than one message per agent is sent
-to any incoming node at a time), that the probability of any node being
-compromised is $0.1$, and that messages pass through three nodes before
-exiting the network. Assume that routes are chosen at random unless the
-sender owns a node, in which case the sender uses his own node first
-and chooses the next two at random. If an agent does not run a node,
-the probability that he will by identified with certainty as the sender
-of a message that exits the mix network is $.001$.  If an agent runs
-a mix node with batch threshold of $50$, then amongst messages leaving
-the mix-net a passive adversary can with certainty reduce the anonymity
-set (the set of possible messages that might be the sender's) only to
-$50$. And the probability of even doing that is the probability that all
-of the messages from the relevant batch pass only through bad nodes on
+information. For example, suppose agents send messages at regular intervals
+(no more than one message per agent is sent to any incoming node at a time),
+that the probability of any node being compromised is $0.1$, and that
+messages pass through three nodes before exiting the network. Assume that
+routes are chosen at random unless the sender owns a node, in which case the
+sender uses his own node first and chooses the next two at random. If an
+agent does not run a node, the probability that he will by identified with
+certainty as the sender of a message that exits the mix network is $.001$.
+If an agent runs a mix node with batch threshold of $50$, then amongst
+messages leaving the mix-net a passive adversary can with certainty reduce
+the anonymity set (the set of possible messages that might be the sender's)
+only to $50$. And the probability of even doing that is the probability that
+all of the messages from the relevant batch pass only through bad nodes on
 the remaining two hops: $10^{-100}$. If we pessimistically equate the
 probability of guessing a message with the probability of identifying it
 with certainty, then the increase in anonymity achieved by running one's own
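Review bot: the re-wrapped example still contains "the probability that he will by identified" (should be "be identified"); a pure reflow is a good moment to fix it. The same passage writes probabilities both as "$0.1$" and as "$.001$"; pick one style. Since this hunk only re-wraps lines, committing the reflow separately from the wording changes would keep the content diff readable.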
@@ -299,29 +305,29 @@
 of sending messages and adversary passivity. Nonetheless, it should be clear
 that there is a large potential gain from running one's own node.}
 
-\item  The relation between the number of (other) nodes and the
-probability of remaining anonymous might not be monotonic. At parity of
-traffic, sensitive agents might want fewer nodes in order to maintain high
-anonymity sets. In particular, if no dishonest nodes exist, everybody
-should prefer a small number of nodes. But if some nodes are dishonest,
-users may prefer more honest nodes (to increase the chance that messages
-go through honest nodes). Agents that act as nodes may have less desire
-for more nodes, because they want to maintain high anonymity sets at
-their particular node. Hence the probability of remaining anonymous is
-inversely related to the number of nodes but positively related to the
-ratio of honest/dishonest nodes.
+\item  The relation between the number of (other) nodes and the probability
+of remaining anonymous might not be monotonic. At parity of traffic,
+sensitive agents might want fewer nodes in order to maintain high anonymity
+sets. In particular, if no dishonest nodes exist, everybody should prefer a
+small number of nodes. But if some nodes are dishonest, users may prefer
+more honest nodes (to increase the chance that messages go through honest
+nodes). Agents that act as nodes may have less desire for more nodes,
+because they want to maintain high anonymity sets at their particular node.
+Hence the probability of remaining anonymous is inversely related to the
+number of nodes but positively related to the ratio of honest/dishonest
+nodes.
 \end{itemize}
 
-If we assume that honest nodes always deliver messages that go through
-them, the level of reliability in the system is then an inverse function
-of the share of dishonest nodes in the system, $n_{d}/n_{h}$.
+If we assume that honest nodes always deliver messages that go through them,
+the level of reliability in the system is then an inverse function of the
+share of dishonest nodes in the system, $n_{d}/n_{h}$.
 
 \item  Benefits of acting as a node (nodes might be retributed for
 forwarding traffic or for creating dummy traffic), $b_{h}$.
 
-\item  Benefits of acting as a dishonest node (dishonest nodes might
-benefit from disrupting service or might make use of the information
-that passes through them), $b_{d}$.
+\item  Benefits of acting as a dishonest node (dishonest nodes might benefit
+from disrupting service or might make use of the information that passes
+through them), $b_{d}$.
 \end{enumerate}
 
 The possible costs can be enumerated as follows:
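Review bot: in the re-wrapped sentence on reliability, "$n_{d}/n_{h}$" is called "the share of dishonest nodes in the system", but it is the ratio of dishonest to honest nodes; a share would be $n_{d}/(n_{h}+n_{d})$. Change either the word or the expression. In the same hunk the last \item of the itemize opens with "might not be monotonic" and closes with "Hence the probability of remaining anonymous is inversely related to the number of nodes", which reads as a contradiction unless the closing sentence is qualified.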
@@ -333,22 +339,22 @@
 \item  sending messages:
 
 \begin{itemize}
-\item  through the mix-net system, $c_{s}$. This cost includes both direct
-financial costs such as usage fees, as well as implicit costs such as the
-time to build an anonymous message, learning curve to get familiar with
-the system, and delays incurred when using the system. At first these
-delays seem positively correlated to the traffic $n_{s}$ and negatively
-correlated to the number of nodes $n_{h}$. But counterintuitively, more
-messages per node might instead \emph{decrease} latency because nodes can
-process batches more often; see Section \ref{sec:alternate-incentives}. In
-addition, when message delivery is guaranteed, a node might always
-choose a longer route to reduce risk. We could assign a higher $c_{s}$
-to longer routes to reflect the cost of additional delay.
+\item  through the mix-net system, $c_{s}$. This cost can include both
+direct financial costs such as usage fees, as well as implicit costs such as
+the time to build an anonymous message, learning curve to get familiar with
+the system, and delays incurred when using the system. At first these delays
+seem positively correlated to the traffic $n_{s}$ and negatively correlated
+to the number of nodes $n_{h}$. But counterintuitively, more messages per
+node might instead \emph{decrease} latency because nodes can process batches
+more often; see Section \ref{sec:alternate-incentives}. In addition, when
+message delivery is guaranteed, a node might always choose a longer route to
+reduce risk. We could assign a higher $c_{s}$ to longer routes to reflect
+the cost of additional delay.
 
 \item  or through a conventional non-anonymous system, $c_{n}$.
 
-(Perception of the delay caused by using the mix-net system can be
-reflected in the difference of $c_{s}$ and $c_{n}$.)
+Perception of the delay caused by using the mix-net system can be reflected
+in the difference of $c_{s}$ and $c_{n}$.
 \end{itemize}
 
 \item  receiving dummy traffic, $c_{r}$.
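Review bot: with the parentheses removed, "Perception of the delay caused by using the mix-net system can be reflected in the difference of $c_{s}$ and $c_{n}$." now reads as body text of the "\item or through a conventional non-anonymous system, $c_{n}$" entry, although it concerns both costs; move it after "\end{itemize}" or restore the parentheses. In the $c_{s}$ item, "a node might always choose a longer route" is ambiguous, since the item is about the cost of sending messages; say whether the sender is meant.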
@@ -356,10 +362,10 @@
 
 \item  Costs of acting as an honest node, $c_{h}$, by receiving and
 forwarding traffic, creating dummy traffic, and being an exit node (which
-involves potential exposure to liabilities or abuses). There are both
-fixed and variable costs of being a node. The fixed costs are related
-to the investments necessary to setup the software. The variable costs
-are dominated by the costs of traffic passing through the node.
+involves potential exposure to liabilities or abuses). There are both fixed
+and variable costs of being a node. The fixed costs are related to the
+investments necessary to setup the software. The variable costs are
+dominated by the costs of traffic passing through the node.
 
 \item  Costs of acting as dishonest node, $c_{d}$ (e.g., being exposed as a
 dishonest node carries a monetary penalty).
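Review bot: "the investments necessary to setup the software" uses the noun form; as a verb it is "set up". The hunk otherwise only re-wraps the paragraph, so this is the one wording fix it needs.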
@@ -375,13 +381,15 @@
 here will also be a function of the probability of being exposed as a bad
 node).
 
-These reputation costs and benefits can be considered ``internal'' to the
-system (for example, being perceived as a honest node brings that node more
-traffic, and therefore more possibilities to hide that node's messages;
-similarly, being perceived as a dishonest node might bring traffic away from
-that node). Thus they do not enter directly the utility functions of the
-agents, but rather enter indirectly through the changes they provoke in the
-behavior of the agents.
+Some of these reputation costs and benefits can be modeled endogenously (for
+example, being perceived as a honest node brings that node more traffic, and
+therefore more possibilities to hide that node's messages; similarly, being
+perceived as a dishonest node might bring traffic away from that node). This
+way they would not enter directly the utility functions of the agents, but
+rather enter indirectly through the changes they provoke in the behavior of
+the agents. In other cases, reputation costs and benefits might be valued
+per se. While we do not consider this option in the simplified model below,
+we later comment on the impact that reputation effects can have on the model.
 
 We assume that agents want to maximize their expected utility, which is a
 function of expected benefits minus expected costs. We represent the payoff
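Review bot: the new closing sentence promises "we later comment on the impact that reputation effects can have on the model" without a \ref; other forward references in this file name a section label (for example \ref{sec:alternate-incentives}), so cite the section here too. Smaller points in the added lines: "a honest node" should be "an honest node", and "would not enter directly the utility functions" reads better as "would not enter the utility functions directly".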
@@ -397,7 +405,7 @@
 a_{i}^{s}-c_{h}\left( n_{s},n_{h},n_{d}\right) a_{i}^{h}-c_{d}\left(
 ..\right) a_{i}^{d}-c_{r}\left( ..\right) a_{i}^{r}-c_{n}
 \end{array}
-\right) 
+\right)
 \end{equation*}
 
 where $u, \theta, \gamma$, and $\partial$ are unspecified functional forms.
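Review bot: this hunk only strips a trailing space after "\right)". In the context line below it, "$\partial$" is used as the name of an unspecified function alongside $u$, $\theta$ and $\gamma$; readers will take it for the partial-derivative sign, so a different letter would be safer.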
@@ -412,8 +420,8 @@
 message being delivered and a message remaining anonymous, respectively.
 These probabilities are weighted with the values $v_{r,a}$ because different
 agents might value anonymity and reliability differently, and because in
-different scenarios anonymity and reliability for the same agent might
-have different impacts on her payoff.
+different scenarios anonymity and reliability for the same agent might have
+different impacts on her payoff.
 
 While messages might be sent anonymously to avoid costs or to gain profits,
 the costs and benefits from sending the message might be distinct from the
@@ -421,7 +429,7 @@
 example, when Alice anonymously contacts a merchant to purchase a book, she
 will gain a profit equal to the difference between her valuation of the book
 and its price. But if her anonymity is compromised during the process, she
-will incur losses completely independent from the price of the book or her
+might incur losses completely independent from the price of the book or her
 valuation of it. The payoff function $u_{i}$ above allows us to represent
 the duality implicit in all privacy issues, as well as the distinction
 between the value of sending a message and the value of keeping it anonymous:
@@ -432,24 +440,24 @@
 \textit{Anonymity} & \textit{Reliability} \\ \hline
 {\tiny \ 
 \begin{tabular}{c}
-{\tiny Benefits from remaining anonymous /} \\ 
-{\tiny costs avoided remaining anonymous, or}
+Benefits from remaining anonymous / \\ 
+costs avoided remaining anonymous, or
 \end{tabular}
 } & {\tiny 
 \begin{tabular}{c}
-{\tiny Benefits from sending a message which will be received /} \\ 
-{\tiny costs avoided sending a message, or}
+Benefits from sending a message which will be received / \\ 
+costs avoided sending a message, or
 \end{tabular}
 } \\ \hline
 {\tiny \ 
 \begin{tabular}{c}
-{\tiny Costs due to losing anonymity /} \\ 
-{\tiny \ profits missed because of loss of anonymity}
+Costs due to losing anonymity / \\ 
+\ profits missed because of loss of anonymity
 \end{tabular}
 } & {\tiny 
 \begin{tabular}{c}
-{\tiny Costs due to not having sent a message /} \\ 
-{\tiny \ profits missed because of not having sent a message}
+Costs due to not having sent a message / \\ 
+\ profits missed because of not having sent a message
 \end{tabular}
 } \\ \hline
 \end{tabular}
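Review bot: dropping the inner {\tiny ...} wrappers is fine because each cell is already inside an outer {\tiny ...}, but the leading control spaces were kept in "\ profits missed because of loss of anonymity" and "\ profits missed because of not having sent a message" (and after each opening "{\tiny"); they nudge those lines off centre in a c column and can be removed as well.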
@@ -461,19 +469,20 @@
 their dual opportunity costs or avoided costs. Nevertheless, the above
 representation allows us to formalize the various possible combinations.
 
-For example, if the message is sent to gain some benefit but anonymity must
-be protected in order to avoid losses, then $v_{r}$ will be positive while $%
-v_{a}$ will be negative and $p_{a}$ will enter the payoff function as $%
-\left( 1-p_{a}\right) $.\footnote{%
-In such scenario, being certain of staying anonymous would therefore eliminate
-the risk of $v_{a}$, while being certain of losing anonymity would impose on
-the agent the full cost $v_{a}$.} On the other side, if the agent must send
-a certain message to avoid some losses but anonymity ensures her some
-benefits, then $v_{r}$ will be negative and $p_{r}$ will enter the payoff
-function as $\left( 1-p_{r}\right) $, while $v_{a}$ will be positive.%
-\footnote{Similarly, guaranteed delivery will eliminate the risk of
-losing $v_{r}$, while certainty of delivery failure would impose on the
-agent the full cost $v_{r}$.}
+For example, if a certain message is sent to gain some benefit, but
+anonymity must be protected in order to avoid losses, then $v_{r}$ will be
+positive while $v_{a}$ will be negative and $p_{a}$ will enter the payoff
+function as $\left( 1-p_{a}\right) $.\footnote{%
+In such scenario, being certain of staying anonymous would therefore
+eliminate the risk of $v_{a}$, while being certain of losing anonymity would
+impose on the agent the full cost $v_{a}$.} On the other side, if the agent
+must send a certain message to avoid some losses but anonymity ensures her
+some benefits, then $v_{r}$ will be negative and $p_{r}$ will enter the
+payoff function as $\left( 1-p_{r}\right) $, while $v_{a}$ will be positive.%
+\footnote{%
+Similarly, guaranteed delivery will eliminate the risk of losing $v_{r}$,
+while certainty of delivery failure would impose on the agent the full cost $%
+v_{r}$.}
 
 With this framework we are able to compare, for example, the losses due to
 compromised anonymity to the costs of protecting it. An agent will decide to
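Review bot: the reflow removes the "$%" line breaks inside math in the body text but introduces a new one at the end of the second footnote ("the full cost $%" followed by "v_{r}$.}"); keep "$v_{r}$" on one line. Also, "In such scenario" should be "In such a scenario", and "On the other side" should be "On the other hand".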
@@ -501,22 +510,25 @@
 without using the mix-net, or by not sending the message at all). Thus
 initially we do not consider the strategy of choosing to be a bad node, or
 additional honest strategies like creating and receiving dummy traffic. We
-represent the game as a simultaneous-move, repeated-game because of the large
-number of participants, plus the fact that earlier actions indicate only a
-weak commitment to future actions. With a large group size there might be no
-discernable nor agreeable order for the actions of all participants, so
-actions can be considered simultaneous. The limited commitment produced by
-earlier actions allow us to consider a repeated-game scenario.\footnote{%
+represent the game as a simultaneous-move, repeated-game because of the
+large number of participants, plus the fact that earlier actions indicate
+only a weak commitment to future actions. With a large group size there
+might be no discernable nor agreeable order for the actions of all
+participants, so actions can be considered simultaneous. The limited
+commitment produced by earlier actions allow us to consider a repeated-game
+scenario.\footnote{%
 In Section \ref{sec:model} we have highlighted that for both nodes and
-simpler users variable costs are more significant than fixed costs.} These
-two considerations suggest against using a sequential approach of the
-Stackelberg type.\cite[Ch. 3]{fudenberg-tirole-91}  For similar reasons we
+simpler users variable costs are more significant than fixed costs.} 
+%Roger, is this the case or not? ie are traffic related costs the highest ones? 
+These two considerations suggest against using a sequential approach of the
+Stackelberg type.\cite[Ch. 3]{fudenberg-tirole-91} For similar reasons we
 also avoid a ``war of attrition/bargaining model'' framework.\footnote{%
-Wars of attrition and bargaining games (see for example \cite{rubinstein-82})
-are timing games where the relative impatience of players plays an important
-role. We have seen in the previous Section and we will confirm again below
-that agents with high sensitivity to anonymity actually have an interest in
-being among the (first and few) nodes in the system. %Hence a timing game
+Wars of attrition and bargaining games (see for example \cite{rubinstein-82}%
+) are timing games where the relative impatience of players plays an
+important role. We have seen in the previous Section and we will confirm
+again below that agents with high sensitivity to anonymity actually have an
+interest in being among the (first and few) nodes in the system. 
+%Hence a timing game
 %approach does not seem appropriate in our scenario.
 }
 
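Review bot: the added comment "%Roger, is this the case or not? ..." questions the footnote directly above it, which states that variable costs are more significant than fixed costs for both nodes and simpler users; that footnote backs the repeated-game sentence, so resolve the question and delete the comment before this text is final. In the re-wrapped lines, "The limited commitment produced by earlier actions allow us" should be "allows us", and three of the added lines end in trailing spaces.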
@@ -547,20 +559,20 @@
 length free routes, so that we can write $c_{s}$ as a fixed value, the same
 for all agents. Users send messages at the same time, and only one message
 at a time. We also assume that routes are chosen randomly by users, so that
-traffic is uniformly distributed among the nodes. If a user decides to be a
-node, costs increase with the traffic; we focus here on the traffic-based
-variable costs. Given that there are no active bad nodes (our adversary is
-restricted to watching messages), reliability is deterministically complete (%
-$p_{r}=1$). We also assume that all agents know the number of agents using
-the system and the number of them acting as nodes, and that each specific
-agent's actions are observable. Furthermore, we initially assume that the
-type of an agent is publicly known (a high sensitivity type cannot pretend
-to be a low type). We later relax this assumption. We also assume that all
-agents perceive the level of anonymity in the system (based on traffic and
-number of nodes) the same way. Further, we imagine that both agent types use
-the system because they want to avoid potential losses from not being
-anonymous. This sensitivity to anonymity can be represented with the
-variable $v_{i}$, which we treat as uniformly distributed between 0 and 1.
+traffic is uniformly distributed among the nodes.\footnote{%
+Reputation considerations might alter this point. We comment on this in
+Section \ref{sec:alternate-incentives}.} If a user decides to be a node,
+costs increase with the traffic; we focus here on the traffic-based variable
+costs. We also assume that all agents know the number of agents using the
+system and the number of them acting as nodes, and that each specific
+agent's actions are observable. We also assume that all agents perceive the
+level of anonymity in the system (based on traffic and number of nodes) the
+same way. Further, we imagine that agents use the system because they want
+to avoid potential losses from not being anonymous. This sensitivity to
+anonymity can be represented with continuous variable $v_{i}=\left[ \text{\b{%
+v}},\bar{v}\right] $. In other words, we initially focus on the goal of
+remaning anonymous given an adversary that can control other nodes or snif
+all communications. We later comment on the addition reliability issues. 
 
 These assumptions let us reformulate the framework above in a simpler way.
 The utility function can be re-written as:
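Review bot: this rewrite deletes the sentence that fixed reliability ("Given that there are no active bad nodes (our adversary is restricted to watching messages), reliability is deterministically complete ($p_{r}=1$)") and replaces it with an adversary "that can control other nodes or snif all communications", without saying what now holds for $p_{r}$; state the reliability assumption explicitly rather than deferring it with "We later comment on". In the added lines, "$v_{i}=\left[ \text{\b{v}},\bar{v}\right]$" sets a variable equal to an interval (use $v_{i}\in[\underline{v},\bar{v}]$), and "remaning", "snif" and "the addition reliability issues" need fixing.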
@@ -570,14 +582,13 @@
 -c_{s}a_{i}^{s}-c_{h}\left( n_{s},n_{h},n_{d}\right) a_{i}^{h}-c_{n}
 \end{equation*}
 
-Thus each agent $i$ tries to \textit{minimize} the costs of sending messages
-and the risk of being tracked. $1-p_{a}\left(
+For Thus each agent $i$ tries to \textit{minimize} the costs of sending
+messages and the risk of being tracked. $1-p_{a}\left(
 n_{s},n_{h},n_{d},a_{i}^{h}\right) $ is the probability that anonymity will
 be lost given the number of agents sending messages, the number of them
 acting as honest and dishonest nodes, and the action $a$ of agent $i$
 itself. $v_{i}$ is the disutility an agent derives from its message being
-exposed, assumed to be a continuous variable $v_{i}=\left[ \text{\b{v}},\bar{%
-v}\right] $. $c_{s},c_{h}\left( n_{s},n_{h},n_d\right),$ and $c_{n}$ are the
+exposed. $c_{s},c_{h}\left( n_{s},n_{h},n_{d}\right) ,$ and $c_{n}$ are the
 costs of sending a message through the mix-net system, acting as a node when
 there are $n_{s}$ agents sending messages over $n_{h}$ and $n_{d}$ nodes,
 and sending messages through a non-anonymous system, respectively. Each
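Review bot: the first added line begins "For Thus each agent $i$ tries to"; the stray "For" looks like a leftover from an abandoned edit and should be deleted. With the interval moved out of this paragraph, $v_{i}$ is described here only as "the disutility an agent derives from its message being exposed", so make sure the earlier definition of its range stays in place.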
@@ -618,7 +629,9 @@
 %reference here]].} 
 %[[Go back to this in later sections, discuss the ``why bother having anonymity'' question.]]
 
-We now consider various versions of this model with increasing details.
+While this model is simple, it allows us to highlight some of the dynamics
+that might take place in the decision process of agents willing to use a
+mix-net. We now consider various versions of this\ model.
 
 \subsubsection{Myopic Agents}
 
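Review bot: "this\ model" in the last added line carries a stray control space; write "this model". "agents willing to use a mix-net" reads as though they have already decided; "agents deciding whether to use a mix-net" would match "the decision process" in the same sentence.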
@@ -686,17 +699,17 @@
 We start from a simplified scenario where we consider only one-on-one
 interactions. The interactions we have in mix-net systems obviously involve
 a much larger number of players, but the following analysis can give us a
-taste of the issues to be considered when strategic agents are interacting.
-Initially we study the case where each agent knows the other agent's type,
-but we then extend this case to study what happens when there is uncertainty
-about the other agents' types.
+starting point to consider the issues to be considered when strategic agents
+are interacting. Initially we study the case where each agent knows the
+other agent's type, but we then extend this case to study what happens when
+there is uncertainty about the other agents' types.
 
 We can consider agent $i$ and agent $j$. Each agent will have to consider
 the other agent's reaction function in her decision process. Let:
 
 \begin{equation*}
 A_{w}=-v_{w}\left( 1-p_{a}\left( \bar{n}_{s}+2,\bar{n}_{h}+2,n_{d},a_{w}^{h}%
-\right) \right) -c_{s}-c_{h}\left( \bar{n}_{s}+2,\bar{n}_{h}+2,n_{d}\right) 
+\right) \right) -c_{s}-c_{h}\left( \bar{n}_{s}+2,\bar{n}_{h}+2,n_{d}\right)
 \end{equation*}
 
 \begin{equation*}
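Review bot: the replacement "a starting point to consider the issues to be considered when strategic agents are interacting" repeats "consider"; something like "a starting point for the issues that arise when strategic agents interact" says the same thing. The equation line in this hunk changes only by a trailing space.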
@@ -710,12 +723,12 @@
 
 \begin{equation*}
 D_{w}=-v_{w}\left( 1-p_{a}\left( \bar{n}_{s}+2,\bar{n}_{h}+1,n_{d},a_{w}^{h}%
-\right) \right) -c_{s}-c_{h}\left( \bar{n}_{s}+2,\bar{n}_{h}+1,n_{d}\right) 
+\right) \right) -c_{s}-c_{h}\left( \bar{n}_{s}+2,\bar{n}_{h}+1,n_{d}\right)
 \end{equation*}
 
 \begin{equation*}
 E_{w}=-v_{w}\left( 1-p_{a}\left( \bar{n}_{s}+1,\bar{n}_{h}+1,n_{d},a_{w}^{h}%
-\right) \right) -c_{s}-c_{h}\left( \bar{n}_{s}+1,\bar{n}_{h}+1,n_{d}\right) 
+\right) \right) -c_{s}-c_{h}\left( \bar{n}_{s}+1,\bar{n}_{h}+1,n_{d}\right)
 \end{equation*}
 
 \begin{equation*}
@@ -776,57 +789,63 @@
 One of the interesting economic aspects of this scenario is that the highly
 sensitive agents \textit{do} want some level of free-riding, from the less
 sensitive types that will provide traffic and therefore noise. On the other
-side, they might not want too much free-riding if this involves too high
-traffic costs. This latter point however must be specified: highly privacy
-sensitive types, at parity of traffic, prefer to be a node (because
-anonymity and reliability will increase) and prefer to work in systems with
-fewer nodes (otherwise traffic gets too dispersed and the anonymity sets get
-too small). So, if $-v_{i}-c_{n}$ is particularly high, i.e. if the cost of
-not having anonymity is very high for each very privacy sensitive type, then
-each highly sensitive type might tend to act as node regardless of what the
-others do. %{extend}
-Also, if there are enough low types, again a high type might have an
-interest in acting alone if its costs of not having anonymity would be too
-high compared to the costs of handling the traffic of the less sensitive
-types. %{extend}
+side, they might not want too much free-riding - for example from highly
+sensitive type pretending to be agents with low sensitivity - if this
+involves too high traffic costs. This latter point however must be
+specified: highly anonymity sensitive types, at parity of traffic, prefer to
+be a node (because anonymity and reliability will increase) and prefer to
+work in systems with fewer nodes (otherwise traffic gets too dispersed and
+the anonymity sets get too small). So, if $-v_{i}-c_{n}$ is particularly
+high, i.e. if the cost of not having anonymity is very high for the most
+sensitive agents, then the latter might decide to act as node regardless of
+what the others do. %{extend}
+Also, if there are enough agents with lower $v_{i}$, again a ``high'' type
+might have an interest in acting alone if its costs of not having anonymity
+would be too high compared to the costs of handling the traffic of the less
+sensitive types. %{extend}
 In addition, certain nodes with higher sensitivity might indeed prefer to
 incur all the costs and be the only nodes in the system.
 
-When the valuations are continously distributed this is likely to create
-equilibria where the agents with the highest evaluations $v_{i}$ will become
-nodes, and the others, starting with the ``marginal'' type, will provide
-traffic (see also \cite{bergstrom-blume--varian-86}). At this point an
-equilibrium level of free-riding might be reached. This condition can be
-compared to \cite{grossman-stiglitz-80}, where the paradox of
-informationally efficient markets is described.\footnote{%
+In fact, when the valuations are continously distributed this is likely to
+create equilibria where the agents with the highest evaluations $v_{i}$ will
+become nodes, and the others, starting with the ``marginal'' type, will
+provide traffic. This problem can be mapped to the solution in \cite
+{bergstrom-blume--varian-86}. At that point an equilibrium level of
+free-riding might be reached. This condition can be also compared to \cite
+{grossman-stiglitz-80}, where the paradox of informationally efficient
+markets is described.\footnote{%
 The equilibrium in \cite{grossman-stiglitz-80} relies in fact on the
 ``marginal'' agent which is indifferent between getting more information
-about the market and not getting it.}
+about the market and not getting it. We are grateful to Hal Varian for
+highlighting this for us.}
 
-The problems however start if we consider now a different situation. Rather
-than having a continuous distribution of evaluations $v_{i}$, we consider
-two types of agents: the agent with a high valuation, $v_{H}$, and the agent
+The problems start if we consider now a different situation. Rather than
+having a continuous distribution of evaluations $v_{i}$, we consider two
+types of agents: the agent with a high valuation, $v_{H}$, and the agent
 with a low valuations, $v_{L}$. Fudenberg and Levine \cite{fudenberg88} have
 a model where each player plays a set of identical players, each of which is
 ``infinitesimal'', i.e. its actions cannot affect the payoff of the first
-player. In this setup what we want to study is, instead, the concatenated
-interactions in a large but finite set of players. The approach in this case
-is to define the payoff of each player as the average of his payoffs against
-the distribution of strategies played by the continuum of the other players.
-In other words, for each type, we will have: $u_{H}=\sum_{n_{s}}u_{H}\left(
-s_{H},s_{-H}\right) $ where the notation represents the comparison between
-one specific $H$ type and all the others. We can assume that the $v_{L}$
-agents will simply participate sending traffic if the system is cheap enough
-for them to use, and we can also assume that this will not pose any problem
-to the $v_{H}$ type, which in fact has an interest in having more traffic.
-This allows us to focus on the interaction between a subset of users: the
-identical high-types. Here the marginal argument discussed above will not
-work, and coordination might be costly especially when nodes do not trust
-each other. In this scenario where the mix-net system is self-sustaining and
-free and the agents are of high and low types, the actions of the agents
-must be visible and the agents themselves must agree on reacting together to
-respond to any deviation of a marginal player, thus re-establishing the
-trigger strategy of the 2-agents case. %{extend}
+player. The approach in this case is to define the payoff of each player as
+the average of his payoffs against the distribution of strategies played by
+the continuum of the other players. In other words, for each type, we will
+have: $u_{H}=\sum_{n_{s}}u_{H}\left( s_{H},s_{-H}\right) $ where the
+notation represents the comparison between one specific $H$ type and all the
+others. We can assume that the $v_{L}$ agents will simply participate
+sending traffic if the system is cheap enough for them to use,\footnote{%
+We will go back to this assumption when we will discuss the bootstraping of
+the system and the incentives of people with low sensitivity to anonymity.}
+and we can also assume that this will not pose any problem to the $v_{H}$
+type, which in fact has an interest in having more traffic. This allows us
+to focus on the interaction between a subset of users: the identical
+high-types. 
+
+Here the marginal argument discussed above will not work, and coordination
+might be costly especially when nodes do not trust each other. In this
+scenario where the mix-net system is self-sustaining and free and the agents
+are of high and low types, the actions of the agents must be visible and the
+agents themselves must agree on reacting together to respond to any
+deviation of a marginal player, thus re-establishing the trigger strategy of
+the 2-agents case. %{extend}
 In realistic scenarios, however, this will involve very high
 transaction/coordination costs, and will require an extreme (and possibly
 unlikely) level of rationality on the side of the agents. One option to help
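Review bot: In the rewritten paragraph the payoff is described as "the average of his payoffs against the distribution of strategies", but the formula that follows, $u_{H}=\sum_{n_{s}}u_{H}\left(s_{H},s_{-H}\right)$, is an unnormalised sum with $u_{H}$ on both sides, and $n_{s}$ is not defined anywhere in this hunk. Either normalise the sum or call it a sum, and give the aggregate payoff a different symbol from the pairwise one. The revision also deletes the sentence about studying "a large but finite set of players", so "the continuum of the other players" now reads as adopting the Fudenberg and Levine setup rather than departing from it; state which is intended. Small fixes while here: "a low valuations", and in the new footnote "bootstraping" and "when we will discuss".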
@@ -854,7 +873,7 @@
 introduction, see \cite{fudenberg-tirole-91}). The mechanism is designed to
 maximize the expected utility - for example of a ``principal'' agent.
 According to the revelation principle the principal can concentrate on
-mechanisms where all the agents truthfully reveal their types. } The
+mechanisms where all the agents truthfully reveal their types.} The
 Anonymizer offers basic service at low costs to low sensitivity types (there
 is a cost in the delay and the hassles of using the free service), and
 offers better service for money. With usage fees, the cost of being a node
@@ -869,8 +888,8 @@
 \item  ``Special'' agents. Imagine having a ``special agent'' whose utility
 function has been modified to consider the social value of having an
 anonymous system, or which is being paid for or supported to provide such
-service. The risks here are congestion and non-optimal use \cite
-{mackiemason-varian-95}.
+service. The risks here are congestion and non-optimal use of the resources 
+\cite{mackiemason-varian-95}.
 
 \item  Public rankings and reputation. The incentives regarding reputation
 can come in the form of wanting a higher reputation to get more cover
@@ -880,7 +899,11 @@
 incentive to participate. The incentives of public recognition and wanting
 to donate service for the public good are very important to consider, even
 if they don't fit in our model very well, because to date that's where most
-node operators come from.
+node operators come from. As discussed above, reputation can enter the
+utility function indirectly or directly (when agents value their reputation
+as a good itself). If we modify the function presented above to consider
+reputation, we will find an even higher incentive for certain agents to act
+as nodes.
 
 If we publish a list of mixes ordered by safety (based on number of messages
 each message is expected to be mixed with), the high sensitivity users will
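Review bot: The claim added after "node operators come from." is unsupported as written: it says that modifying "the function presented above" to include reputation gives "an even higher incentive for certain agents to act as nodes", but no modified function is shown, and the sentence just before it says these incentives "don't fit in our model very well". Either write out the reputation term in the utility function or soften the sentence to a conjecture. Both uses of "above" would be better as a \ref to the labelled section or equation, so the pointer survives reordering.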
@@ -930,16 +953,16 @@
 
 \subsection{Pseudospoofing and dishonest nodes}
 
-Our discussions so far indicate that it may in fact be plausible to build
-a strong anonymity infrastructure from a wide-spread group of independent
-nodes that each want good anonymity for their own purposes. In fact,
-the more jurisdictionally diverse this group of nodes, the more robust the
+Our discussions so far indicate that it may in fact be plausible to build a
+strong anonymity infrastructure from a wide-spread group of independent
+nodes that each want good anonymity for their own purposes. In fact, the
+more jurisdictionally diverse this group of nodes, the more robust the
 overall system.
 
 However, volunteers are problems: users don't know who they're dealing with.
-We have primarily focused on the strategic motivations of honest
-agents, but the motivations of dishonest agents are at least as important.
-An anonymity-breaking adversary with an adequate budget would do best to
+We have primarily focused on the strategic motivations of honest agents, but
+the motivations of dishonest agents are at least as important. An
+anonymity-breaking adversary with an adequate budget would do best to
 provide very good service, possibly also attempting DoS against other
 high-quality providers. None of the usual metrics of performance and
 efficiency will help tell who the bad guys are in this instance. Further,
@@ -966,64 +989,77 @@
 Another potential solution, a global PKI to ensure unique identities, is
 unlikely to emerge any time soon.
 
-\subsubsection{Why lazy nodes are more likely than flat-out dishonest
-nodes}
+\subsubsection{Why lazy nodes are more likely than flat-out dishonest nodes}
 
 On the other hand, when we consider strategic dishonest nodes we must also
 analyze their motivations as rational agents. A flat-out dishonest agent
 participates only to compromise anonymity or reliability. In doing so,
-however, a dishonest agent will have to consider the costs of reaching
-and maintaining a position from which those attacks are effective ---
-which will probably involve gaining reputation and acting as a node for
-an extended period of time. Such adversaries will be in an arms race with
-protocol developers to stay undetected despite their attacks
-\cite{casc-rep}. The benefits from successful attacks might be financial,
-as in the case of discovering and using sensitive information, or a
-competitor's service being disrupted; or they could be purely related
-to personal satisfaction. The costs following being discovered as a
-dishonest node include rebuilding a new node's worth of reputation;
-but being noticed and exposed as the adversary may have very serious
-negative consequences for the attacker itself. (Imagine the public
-response if the NSA were found running dishonest nodes.)
+however, a dishonest agent will have to consider the costs of reaching and
+maintaining a position from which those attacks are effective --- which will
+probably involve gaining reputation and acting as a node for an extended
+period of time. Such adversaries will be in an arms race with protocol
+developers to stay undetected despite their attacks \cite{casc-rep}. The
+benefits from successful attacks might be financial, as in the case of
+discovering and using sensitive information, or a competitor's service being
+disrupted; or they could be purely related to personal satisfaction. The
+costs following being discovered as a dishonest node include rebuilding a
+new node's worth of reputation; but being noticed and exposed as the
+adversary may have very serious negative consequences for the attacker
+itself. (Imagine the public response if the NSA were found running dishonest
+nodes.)
 
-All things considered, it might be that the law of economics works
-against the attacker as well.
+All things considered, it might be that the laws of economics work against
+the attacker as well.
 
-A ``lazy'' node wants to protect
-her own anonymity, but keeps her costs lower by not forwarding or
-accepting all of her incoming traffic. By doing so this node decreases
-the reliability of the system. While this strategy might be sounder than
-the one of the flat-out dishonest node, it also exposes again the lazy
-node to the risk of being recognized as a disruptor of the system. In
-addition, this tactic, by altering the flow of the traffic through her
-own node, might actually reduce the anonymity of that agent.
+A ``lazy'' node wants to protect her own anonymity, but keeps her costs
+lower by not forwarding or accepting all of her incoming traffic. By doing
+so this node decreases the reliability of the system. While this strategy
+might be sounder than the one of the flat-out dishonest node, it also
+exposes again the lazy node to the risk of being recognized as a disruptor
+of the system. In addition, this tactic, by altering the flow of the traffic
+through her own node, might actually reduce the anonymity of that agent.
 
-Surveys and analysis on actual attacks on actual systems (eg
-\cite{nymserver98}) can help determine which forms of attacks are
-frequent, how dangerous they are, and whether economic incentives
-or technical answers are the best way to counter them.
+Surveys and analysis on actual attacks on actual systems (eg \cite
+{nymserver98}) can help determine which forms of attacks are frequent, how
+dangerous they are, and whether economic incentives or technical answers are
+the best way to counter them.
 
 \subsection{Bootstrapping the system and perceived costs}
 
-Our models so far have considered the strategic choices of agents facing
-an already existing mix-net. We might even imagine that the system does
-not yet exist but that, before the first period of the repeated-game,
-all the players can somehow know each other and coordinate to start with
-one of the cooperative equilibria discussed above.
+Our models so far have considered the strategic choices of agents facing an
+already existing mix-net. We might even imagine that the system does not yet
+exist but that, before the first period of the repeated-game, all the
+players can somehow know each other and coordinate to start with one of the
+cooperative equilibria discussed above.
 
-As this might not be a realistic scenario, we must discuss how a
+But this does not sound as a realistic scenario. Hence we must discuss how a
 mix-net system with distributed trust can come to be. We face a paradox
-here: agents with high privacy sensitivity want lots of traffic in
-order to feel secure using the system. They need many participants with
-lower privacy sensitivities using the system first. The problem lies in
-the fact that there's no reason to believe the lower sensitivity types are
-more likely to be early adopters. In addition, their perceived costs of
-using the system might be higher than the real costs --- especially when
-the system is new and not well known --- so in the strategic decision
-process they will decide against using the mix-net at all.
-Correct marketing seems critical to gaining critical mass in an anonymity
-system: in hindsight, perhaps Zero-Knowledge Systems would have gotten
-farther had it emphasized usability rather than security.
+here: agents with high privacy sensitivity want lots of traffic in order to
+feel secure using the system. They need many participants with lower privacy
+sensitivities using the system first. The problem lies in the fact that
+there is no reason to believe the lower sensitivity types are more likely to
+be early adopters. In addition, their \textit{perceived} costs of using the
+system might be higher than the real costs\footnote{%
+Many individuals tend to be myopic in their attitude to privacy. They claim
+they want it but they are not willing to pay for it. While this might
+reflect a rational assestment of the trade-offs (that is, quite simply, the
+agents do not value their anonymity highly enough to justify the cost to
+protect it), it might also reflect ``myopic'' behavior such as the
+hyperbolic discounting of future costs associated to the loss of anonymity.
+See also \cite{acquisti-varian-02}.} --- especially when the system is new
+and not well known --- so in the strategic decision process they will decide
+against using the mix-net at all. Correct marketing seems critical to
+gaining critical mass in an anonymity system: in hindsight, perhaps
+Zero-Knowledge Systems would have gotten farther had it emphasized usability
+rather than security. Note that here again reliability becomes an issue,
+since we must consider both the benefits from sending a message \textit{and }%
+keeping it anonymous. If the benefits of sending the message are not that
+high in first instance, then the agents will have low sensitivity agent will
+have fewer incentives to spend anything to mantain the message itself
+anonymous. Given that in our model we consider the costs and benefits of
+using a certain system, we can of course extend the analysis to the
+comparison between different systems with different costs/benefit
+characteristics. We comment more on this in the conclusive Section.
 
 %Note in this case that the choice of agents with lower privacy sensitivity
 %between different anonymous systems with different levels of anonymity (and
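Review bot: The added sentence starting "If the benefits of sending the message are not that high in first instance" is garbled: "then the agents will have low sensitivity agent will have fewer incentives" has two subjects and needs to be rewritten, for example as "then low-sensitivity agents will have fewer incentives to spend anything to keep the message anonymous". In the same added text, fix "assestment", "mantain", "does not sound as a realistic scenario", and the space inside "\textit{and }%". The new footnote opens by calling individuals "myopic" and then gives a rational assessment as the first explanation, so it should be reordered or rephrased. The reflow of the nymserver98 citation also splits "\cite" from its argument across two lines, which is the pattern the mackiemason-varian-95 hunk just cleaned up; keep \cite{...} on one line.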
@@ -1033,6 +1069,8 @@
 %those individuals who claim to care about their privacy are unwilling to pay
 %even small amounts to defend it - or, viceversa, are ready to trade it for
 %small rewards. 
+%In light of the comments by jbash about comparing different systems, would you like to keep the previous comment in the text or not?
+%
 
 Difficulties in bootstrapping the system and the myopic behavior \cite
 {acquisti-varian-02} of some users might make the additional incentive
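Review bot: The added source comment asks whether to keep "the previous comment", but it sits after a block of commented-out lines and does not say which passage is meant or what the decision depends on, and it is followed by a stray empty "%" line. Name the passage explicitly or resolve the question before the next revision. The answer also affects the sentence added in the -966,64 +989,77 hunk, "We comment more on this in the conclusive Section", so the two should be settled together.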
@@ -1060,19 +1098,37 @@
 This need to pigeonhole users into a few behavior classes conflicts with the
 fact that real-world users have different interests and different
 approaches. Heterogeneity in its users is what makes the Internet so lively
-and successful. Reducing options can lead to reduced usability, scaring
-away the users and leaving a useless anonymity system.
+and successful. Reducing options can lead to reduced usability, scaring away
+the users and leaving a useless anonymity system.
 
 % It remains to be seen whether designs and
 %incentives, for both system users and system components, can be structured
 %to meet all of these objectives sufficiently to create viable systems.
 
-\section{Future Work}
+\section{Conclusions and Future Work}
 
 We have described a basic model for characterizing and analyzing the various
-incentives for participants to act either as senders or as nodes in
-strong anonymity infrastructures. There are a number of directions for
-future research:
+incentives for participants to act either as senders or as nodes in strong
+anonymity infrastructures. In particular, what we tried to achieve in this
+paper is a framework to interpret anonymity from an economic perspective. We
+have applied this framework to a number of simplified scenarios. The
+trade-off between simplicity and realism must be considered when evaluating
+our results, which consist in highlighting some trends in the dynamics of
+the decision process for agents interested in using anonymous systems. Some
+of these trends can be summarized as follows: there can be an optimal level
+of free-riding in anonymous mix-net systems, because there exist conditions
+under which agents with high sensitivity to anonymity will decide to incur
+the costs of offering the service to others in order to protect their own
+anonymity. However, we have discussed how the deployment of a completely
+distributed system might involve coordination costs which make it
+unfeasible. In addition, we have discussed how systems of this type rely on
+the presence of a vast amount of simple users (low sensitive types)
+producing traffic and noise. The analysis therefore highlights that
+attracting the types with low sensitivity is essential to the success of a
+mix system. This involves dealing with the possible myopism (or flat-out
+disinterest) of low sensitive types in the area of anonymity protection.
+
+There are a number of directions for future research:
 
 \begin{itemize}
 \item  Dummy traffic. Dummy traffic increases costs but it also increases
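Review bot: The new conclusions paragraph does not deliver what the bootstrapping text promises: that text says of comparing different systems "We comment more on this in the conclusive Section", but the summary added here never mentions it, and the only visible mention in this section is the one-line future-work item "Comparison between systems". Either add a sentence on it here or drop the forward reference. On wording: "unfeasible" should be "infeasible", "myopism" should be "myopia", "low sensitive types" should be "low-sensitivity types", and the paragraph would read better split at "Some of these trends can be summarized as follows".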
@@ -1083,30 +1139,30 @@
 its node, it will have to generate them as dummy traffic in order not to pay
 a penalty.
 
-\item  Reliability. Related to the above, we should add reliability issues to
-the model.
+\item  Reliability. Related to the above, we should add reliability issues
+to the model.
 
 \item  Strategic dishonest nodes. We have discussed above that it is
-probably more economically sound for an agent to be a lazy node than
-an anonymity-attacking node. Assuming that strategic bad nodes can exist, we
-should study the incentives to act honestly or dishonestly and the effect
-on reliability and anonymity.
+probably more economically sound for an agent to be a lazy node than an
+anonymity-attacking node. Assuming that strategic bad nodes can exist, we
+should study the incentives to act honestly or dishonestly and the effect on
+reliability and anonymity.
 
-\item  Unknown agent types. We should extend the above scenarios further
-to consider a probability distribution for an agent's guess about another
+\item  Unknown agent types. We should extend the above scenarios further to
+consider a probability distribution for an agent's guess about another
 agent's privacy sensitivity.
 
 \item  Comparison between systems. We should compare mix-net systems to
-other systems, as well as use the above framework to compare the adoption
-of systems with different characteristics.
+other systems, as well as use the above framework to compare the adoption of
+systems with different characteristics.
 
 \item  Exit nodes. We should extend the above analysis to consider specific
 costs such as the potential costs associated with acting as an exit node.
 
 \item  Reputation. Reputation can have a powerful impact on the framework
 above in that it changes the assumption that traffic will distribute
-uniformly across nodes. We should study this extension more formally
-along the lines described above.
+uniformly across nodes. We should study this extension more formally along
+the lines described above.
 
 \item  Information theoretic metric. We should extend the analysis of
 information theoretic metrics in order to formalize the functional forms in
@@ -1116,11 +1172,7 @@
 It is clear that, given their limited tractability in closed-form terms,
 some of the above extensions will need computational solutions.
 
-[Plus a brief summary here of what we've said in the paper that's neat.
-(What is that?)]
-
 \bibliographystyle{plain}
 \bibliography{econymics}
 
 \end{document}
-
