
[freehaven-cvs] overhaul of sections 1 and 2 and part of 3



Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Log Message:
overhaul of sections 1 and 2 and part of 3


Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -d -r1.26 -r1.27
--- econymics.tex	16 Sep 2002 21:12:21 -0000	1.26
+++ econymics.tex	16 Sep 2002 21:23:35 -0000	1.27
@@ -85,16 +85,16 @@
 \begin{abstract}
 
 Decentralized anonymity infrastructures are still not in wide use today.
-We (the community) must figure out how to change our approaches and
-designs in order to build systems with a better chance of success. Here
-we present some new insights about how to align incentives to create
-an economically workable system for both users and infrastructure
-operators. We explore some reasons why anonymity systems are particularly
-hard to deploy, enumerate the incentives to participate either as senders
-or also as nodes, and build a general model to take into account these
-incentives. We then describe and justify some simplifying assumptions to
-make the model manageable, and compare optimal strategies for participants
-based on a variety of scenarios.
+While there are still technical barriers to a secure robust design, our
+lack of understanding of the incentives to participate in such sytsems
+remains a major roadblock. Here we present some new insights about how
+to align incentives to create an economically workable system for both
+users and infrastructure operators. We explore some reasons why anonymity
+systems are particularly hard to deploy, enumerate the incentives to
+participate either as senders or also as nodes, and build a general model
+to describe the effects of these incentives. We then describe and justify
+some simplifying assumptions to make the model manageable, and compare
+optimal strategies for participants based on a variety of scenarios.
 
 \end{abstract}
 
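Review bot: "sytsems" in the new second sentence of the abstract ("incentives to participate in such sytsems") is a typo for "systems". In the same sentence, "a secure robust design" reads better with a comma or "and" between the two adjectives.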
@@ -105,107 +105,97 @@
 \section{Introduction}
 \label{sec:intro}
 
-Individuals and organizations need and desire
-anonymity on public networks like the Internet. People want to be able
-to surf the Web, purchase online, and send email without revealing
-their identities, interests, and activities to others. Corporate and
-military entities must negotiate and communicate with other organizations
-without revealing the existence of their interactions to competitors and
-enemies. Firewalls, VPNs, and encrypted communication do not provide this
-protection --- indeed, Whit Diffie has remarked that traffic analysis
-is the backbone of communications intelligence, not cryptanalysis
-\cite{diffiebook}.
+Individuals and organizations need anonymity on the Internet. People
+want to surf the Web, purchase online, and send email without exposing
+their identities, interests, and activities to others. Corporate
+and military organizations must communicate with other organizations
+without revealing the existence of such communications to competitors and
+enemies. Firewalls, VPNs, and encryption cannot provide this protection
+--- indeed, Diffie has remarked that traffic analysis is the backbone
+of communications intelligence, not cryptanalysis \cite{diffiebook}.
 
-With all these interested users,
-it might seem that there is a ready market for services in this area ---
-that is, it should be possible to offer such services and develop a
-paying customer base. However, with one notable exception (the
-Anonymizer \cite{anonymizer}) commercial offerings in this area have
-not met with sustained success. We can attribute these failures to
-the fact that commercial online services are still relatively new and
-uncharted, and we can also point to the current economic environment in
+With so many interested users, it might seem that there is a ready market
+for anonymity services --- that is, it should be possible to offer such
+services and develop a paying customer base. However, with one notable
+exception (the Anonymizer \cite{anonymizer}) commercial offerings in
+this area have not met with sustained success. We could attribute these
+failures to market immaturity, and to the current economic climate in
 general. However, this is not the whole story.
 
-Here we explore the incentives of participants to both offer and use
-anonymity services. We set a foundation for understanding and clarifying
-our speculations about the influences and interactions based on these
-incentives. Ultimately we aim to uncover some new insights about how
-to align incentives to create an economically workable system for both
-users and infrastructure operators.
+In this paper we explore the incentives of participants to offer
+and use anonymity services. We set a foundation for understanding and
+clarifying our speculations about the influences and interactions of these
+incentives. Ultimately we aim to learn how to align incentives to create
+an economically workable system for users and infrastructure operators.
 
-Section \ref{sec:overview} gives an overview of the
-ideas behind our model, and Section \ref{sec:model} goes on to describe
-a variety of (often conflicting) incentives and build a general model
-to incorporate many of them. We then bring to light some simplifying
-assumptions in Section \ref{sec:application} and draw conclusions
-about certain scenarios. Sections \ref{sec:alternate-incentives} and
-\ref{sec:roadblocks} describe some alternate approaches to incentives and
-problems we encounter in designing and deploying strong anonymity systems.
+Section \ref{sec:overview} gives an overview of the ideas behind our
+model, and Section \ref{sec:model} goes on to describe the variety of
+(often conflicting) incentives and build a general model to incorporate
+many of them. In Section \ref{sec:application} we give some simplifying
+assumptions and draw conclusions about certain scenarios. Sections
+\ref{sec:alternate-incentives} and \ref{sec:roadblocks} describe some
+alternate approaches to incentives, and problems we encounter in designing
+and deploying strong anonymity systems.
 
 \section{The Economics of Anonymity}
 \label{sec:overview}
 
-Anonymity can be studied from an economic perspective. The actual
-protection of anonymity does not simply involve technical cleverness ---
-it also requires understanding the incentives of heterogeneous parties
-and solving the intricate web of their trade-offs.
-Single-hop web proxies like the Anonymizer can probably protect
-end users from simple threats like profile-creating websites.
-On the other hand, users of such commercial proxies are forced to
-trust them to protect traffic information.
-Many users, particularly large organizations, are rightly
-hesitant to use an anonymity infrastructure they do not control.
-However, a system that carries traffic for only one organization does
-not provide much protection at all --- it must carry traffic from
-others to provide cover. Yet those others don't want to trust their
-traffic to a single entity either. The only viable solution is
-to distribute trust. Each organization or other entity runs
-a node in a shared \emph{strong anonymity} infrastructure, if its
-incentives are large enough to support the associated costs. Users with
-more modest budgets or shorter-term interest in the system also
-benefit from this decentralized model, because they can be confident
-that a few colluding nodes are unlikely to uncover their anonymity.
+%Anonymity can be studied from an economic perspective. The actual
+%protection of anonymity does not simply involve technical cleverness ---
+%it also requires understanding the incentives of heterogeneous parties
+%and solving the intricate web of their trade-offs.
+Single-hop web proxies like the Anonymizer protect end users from simple
+threats like profile-creating websites.  On the other hand, users of
+such commercial proxies are forced to trust them to protect traffic
+information.  Many users, particularly large organizations, are rightly
+hesitant to use an anonymity infrastructure they do not control.  However,
+running one's own system won't work: a system that carries traffic for
+only one organization provides little protection --- it must carry traffic
+from others to provide cover. %Yet those others don't want to trust their
+%traffic to a single entity either.
+The only viable solution is to distribute trust. Each party runs a node
+in a shared \emph{strong anonymity} infrastructure, if its incentives
+are large enough to support the associated costs. Users with more modest
+budgets or shorter-term interest in the system also benefit from this
+decentralized model, because they can be confident that a few colluding
+nodes are unlikely to uncover their anonymity.
 
-However, so far few people or organizations are willing to run these
+Today, however, few people or organizations are willing to run these
 nodes. In addition to the complexities of configuring current anonymity
-software like Mixmaster, providing a node costs significant amounts of
-bandwidth and processing power, most of which will be used by `freeloading'
-users who do not themselves run nodes. Furthermore, when administrators
-are faced with abuse complaints concerning illegal or antisocial use of
-their systems, the very anonymity that they're providing prevents
-the usual solutions of suspending users or otherwise
-holding them accountable.
+software, running a node costs a significant amount of bandwidth and
+processing power, most of which is used by `freeloading' users who do
+not themselves run nodes. Furthermore, when administrators are faced with
+abuse complaints concerning illegal or antisocial use of their systems,
+the very anonymity that they're providing precludes the usual solution
+of suspending users or otherwise holding them accountable.
 
-Unlike with encryption, it's not enough for the communicating
-end parties to cooperate on anonymity simply using whatever communications
-infrastructure is available. Alice cannot decide by herself that she
-wants her message to be anonymous --- the infrastructure itself must
-cooperate. Anonymity systems use messages to hide messages: senders
-are consumers of anonymity and also providers of the cover traffic that
-creates anonymity for others. Thus users are always better off going
-where the noise is provided.
+Unlike confidentiality (encryption), anonymity cannot be created by the
+sender or receiver. Alice cannot decide by herself to send anonymous
+messages --- she must trust the infrastructure to provide protection, and
+others must use the same infrastructure. Anonymity systems use messages
+to hide messages: senders are consumers of anonymity and also providers
+of the cover traffic that creates anonymity for others. Thus users are
+always better off on crowded systems because of the noise they provide.
 
 High traffic is necessary for strong anonymity, which means that the
-incentives of several agents must find a common equilibrium. High
-traffic and
-better performance complement each other: a system that processes
-only light traffic must delay messages to achieve adequately large
-anonymity sets. Thus better performance attracts users both for its
-convenience value and the better potential anonymity protection. But
-systems processing the most traffic do not necessarily provide the best
-hiding. If trust is not well distributed, a high volume system is
-vulnerable both to insiders and to attackers who try to bridge the
-trust bottlenecks.
+incentives of several agents must find a common equilibrium. High traffic
+also enables better performance: a system that processes only light
+traffic must delay messages to achieve adequately large anonymity sets.
+%Thus better performance attracts users both for its
+%convenience value and the better potential anonymity protection.
+But systems that process the most traffic do not necessarily provide the
+best hiding: if trust is not well distributed, a high volume system is
+vulnerable to insiders and attackers who target the trust bottlenecks.
 
-Anonymity systems must be robust against a surprisingly wide variety
-of attacks to break anonymity \cite{back01,raymond00}. Adversaries
-can also attack to reduce the efficiency or reliability of nodes, or
-to increase the cost to operators of running nodes. All
-of these factors combine to threaten the \emph{anonymity} of the system.
-As Back et al point out, ``in anonymity systems usability,
-efficiency, reliability and cost become \emph{security} objectives because
-they affect the size of the user base which in turn affects the degree
-of anonymity it is possible to achieve'' \cite{back01}.
+Anonymity systems face a surprisingly wide variety of direct
+anonymity-breaking attacks \cite{back01,raymond00}. Additionally,
+adversaries can also attack the efficiency or reliability of nodes, or
+try to increase the cost of running nodes. All of these factors combine
+to threaten the \emph{anonymity} of the system.  As Back et al point
+out, ``in anonymity systems usability, efficiency, reliability and cost
+become \emph{security} objectives because they affect the size of the
+user base which in turn affects the degree of anonymity it is possible
+to achieve.'' \cite{back01}
 
 We must balance all of these tradeoffs while we examine the incentives
 for users and node operators to participate in the system.
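Review bot: "Additionally, adversaries can also attack" in the rewritten attacks paragraph doubles the connective; drop either "Additionally," or "also". In the same paragraph the Back et al quotation now ends with the period inside the closing quotes and \cite{back01} after it, which strands the citation outside the sentence; keep the period after the \cite as the removed version did, and write "et al." with its period. Three passages are commented out with % instead of deleted (the opening of Section 2, "Yet those others...", and "Thus better performance..."); CVS already keeps the old revision, so deleting them leaves the source cleaner, and the mid-line % after "to provide cover." is easy to break when the paragraph is refilled. In "better off on crowded systems because of the noise they provide", "they" can refer to the users or the systems; name which.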
@@ -214,54 +204,53 @@
 
 \label{sec:model}
 
-In this section and the following we formalize the economic analysis of why
-people might want to send messages through mix-nets. Here we discuss the
-incentives for the agents to participate either as senders or also as nodes,
-and we start proposing a general framework for the analysis. In the next
-section we consider various applications of our framework.
+In this section and those that follow, we formalize the economic analysis
+of why people might choose to send messages through mix-nets. Here we
+discuss the incentives for the agents to participate either as senders
+or also as nodes, and we start proposing a general framework for the
+analysis. In the next section we consider various applications of our
+framework.
 
-We start from the assumption that agents value their privacy, hence they
-have an interest in using a mix-net system. This interest might be related
-to profits they will make by keeping their messages anonymous or losses they
-will avoid by not having their messages tracked. Different agents might
-value anonymity differently.
+We begin with the assumption that agents value their privacy. This value
+might be related to profits they will make by keeping their messages
+anonymous, or to losses they will avoid by not having their messages
+tracked. Different agents might value anonymity differently.
 
-The strategy space $S$ for each agent $i \in I$ (where $I=\left\{
-1 \dots n\right\}$) willing to use the mix-net is the set of strategies
-$s$ based on the following feasible actions $a$:
+Each agent $i$ (where $i \in \left\{1 \dots n\right\}$) has a strategy
+$s$ based on the following possible actions:
 
 \begin{enumerate}
-\item  Act simply as a user of the system, $a^s$, specifically by sending
-(and receiving) her own traffic over the system; and/or agreeing to
+\item  Act as a user of the system, specifically by sending (and
+receiving) her own traffic over the system, $a^s$; and/or agreeing to
 receive dummy traffic through the system, $a^r$.
 
-\item  Act as an honest node, $a^{h}$, which can involve receiving
-and forwarding traffic (and possibly acting as an exit node), keeping
-messages secret, and possibly creating dummy traffic.
+\item  Act as an honest node, $a^{h}$, by receiving and forwarding
+traffic (and possibly acting as an exit node), keeping messages secret,
+and possibly creating dummy traffic.
 
-\item  Act as dishonest node, $a^{d}$, which can involve pretending to
-forward traffic but not doing so, pretending to create dummy traffic but
-not doing so (or sending dummy traffic easily recognizable as such), or
-using the traffic which passes to compromise the anonymity of the system.
+\item  Act as dishonest node, $a^{d}$, by pretending to forward traffic
+but not doing so, by pretending to create dummy traffic but not doing
+so (or sending dummy traffic easily recognizable as such), or by
+eavesdropping traffic to compromise the anonymity of the system.
 
-\item  Send messages through conventional non-anonymous channels, $a_{n}$
-(or send no messages at all).
+\item  Send messages through conventional non-anonymous channels, $a_{n}$,
+or send no messages at all.
 \end{enumerate}
 
-For each complete strategy profile $s=\left( s_{1},...,s_{n}\right) $, each
-player receives a von Neumann-Morgenstern utility $u_{i}\left( s\right) $.
+For each complete strategy profile $s=\left(s_{1},...,s_{n}\right)$, each
+agent receives a \\von Neumann-Morgenstern utility $u_{i}(s)$.
 The payoff function $u_{i}$ is based on a variety of benefits and costs. The
 benefits include:
 
 \begin{enumerate}
-\item  Benefits of sending messages anonymously. We model them as a function
+\item  Benefits from sending messages anonymously. We model them as a function
 of the subjective evaluation the agent places on the information
 successfully arriving at its destination, $v_{r}$; the subjective value of
-the information remaining anonymous, $v_{a}$; the perceived level of
-anonymity in the system, $p_{a}$ (the probability that sender and message
+keeping her identity anonymous, $v_{a}$; the perceived level of
+anonymity in the system, $p_{a}$ (the probability that the sender and message
 will remain anonymous); and the perceived level of reliability in the
 system, $p_{r}$ (the probability that the message will be delivered). The
-subjective value of the information being sent anonymously could be related
+subjective value of maintaining anonymity could be related
 to the profits the agent expects to make by keeping that information
 anonymous, or the losses the agents expects to avoid by keeping that
 information anonymous. We represent the level of anonymity in the system
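Review bot: The first benefit item now defines $v_{a}$ as "the subjective value of keeping her identity anonymous", but the unchanged clauses that follow still say "keeping that information anonymous" twice, so the definition and its explanation disagree about what is being kept anonymous; update those clauses to match (and fix "the agents expects" while there). The forced "\\" before "von Neumann-Morgenstern" hard-codes a line break in running text and will land in the wrong place once the paragraph reflows; prefer rewording the sentence or an unbreakable "von~Neumann-Morgenstern". The new agent sentence no longer introduces $S$, $I$ or the action symbol $a$, so any later use of those symbols needs checking. Smaller points in the action list: "Act as dishonest node" is missing "a", "eavesdropping traffic" should be "eavesdropping on traffic", and $a_{n}$ uses a subscript where the other actions ($a^s$, $a^r$, $a^{h}$, $a^{d}$) use superscripts.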
@@ -274,8 +263,8 @@
 provide better measures of anonymity: such work shows how the level
 of anonymity achieved by an agent in a mix-net system is associated
 to the particular structure of the system. But probabilities are more
-tractable in our analysis, and better than the common ``anonymity set''
-representation.} In particular:
+tractable in our analysis, as well as better than the common ``anonymity
+set'' representation.} In particular:
 
 \begin{itemize}
 \item  The number of users of the system is positively correlated to the
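Review bot: "as well as better than the common ``anonymity set'' representation" in the footnote asserts that probabilities are better without saying in what respect, right after the footnote concedes that other work provides "better measures of anonymity". State the reason in a clause or cut the comparison; the reworded "as well as" is also wordier than the "and" it replaces.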
