
[freehaven-cvs] rearranged section 4; much shorter conclusion



Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03

Modified Files:
	econymics.tex 
Log Message:
rearranged section 4; much shorter conclusion


Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -d -r1.30 -r1.31
--- econymics.tex	16 Sep 2002 23:40:49 -0000	1.30
+++ econymics.tex	17 Sep 2002 00:48:02 -0000	1.31
@@ -212,7 +212,7 @@
 analysis. In the next section we consider various applications of our
 framework. After that we will examine alternate incentive mechanisms.
 
-We begin with the assumption that individuals, or \it{agents}, value
+We begin with the assumption that agents value
 their privacy. This value might be related to profits they will make
 by keeping their messages anonymous, or to losses they will avoid by
 not having their messages tracked. Different agents might value
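Review bot: On the changed line "We begin with the assumption that agents value", the term "agents" loses the only gloss visible in this hunk ("individuals, or agents"). If the term is not defined earlier in the section, keep the gloss and fix only the markup, for example "individuals, or \textit{agents}, value". The markup was the real defect: \it is a declaration, not a command that takes an argument.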
@@ -503,8 +503,12 @@
 In Section \ref{sec:model} we have highlighted that for both nodes and
 simpler users variable costs are more significant than fixed costs.} 
 %Roger, is this the case or not? ie are traffic related costs the highest ones? 
-These two considerations suggest against using a sequential approach of the
-Stackelberg type.\cite[Ch. 3]{fudenberg-tirole-91} For similar reasons we
+These two considerations suggest against using a sequential approach
+of the Stackelberg type \cite[Ch. 3]{fudenberg-tirole-91}. For similar
+reasons we also avoid a ``war of attrition/bargaining model'' framework
+(see for example \cite{rubinstein-82}) where the relative impatience of
+players plays an important role.
+
 also avoid a ``war of attrition/bargaining model'' framework (timing games
 (see for example \cite{rubinstein-82}) where the relative impatience
 of players plays an important role).
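Review bot: The old tail of this sentence is still present as context after the new blank line. The three lines from "also avoid a ``war of attrition/bargaining model'' framework (timing games" through "of players plays an important role)." now form a separate paragraph that starts mid-sentence and repeats the text just added. Delete those three lines, and if the "timing games" qualifier is still wanted, fold it into the new sentence.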
@@ -537,16 +541,15 @@
 simple, we assume that all messages pass through the mix-net in fixed-length
 free routes, so that we can write $c_{s}$ as a fixed value, the same
 for all agents. Users send messages at the same time, and only one message
-at a time. (We also assume that routes are chosen randomly by users, so that
+at a time. We also assume that routes are chosen randomly by users, so that
 traffic is uniformly distributed among the nodes.\footnote{%
-Reputation considerations might alter this point. We comment on this in
+The consideration of reputation might alter this point. We comment on this in
 Section \ref{sec:alternate-incentives}.}
 
 If a user decides to be a node, her costs increase with the volume of
 traffic (we focus here on the traffic-based variable costs). We also
 assume that all agents know the number of agents using the
-system and the number of them acting as nodes, and that each specific
-agent's actions are observable. We also assume that all agents perceive the same
+system and which of them are acting as nodes. We also assume that all agents perceive the same
 level of anonymity in the system based on traffic and number of nodes.
 Finally, we imagine that agents use the system because they want
 to avoid potential losses from not being anonymous. This sensitivity to
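Review bot: The rewrite of "and that each specific agent's actions are observable" drops the observability assumption entirely. The multi-player discussion later in this diff still argues from the case "when the actions of other agents are not observable", so state explicitly here whether actions are assumed observable in the basic model. Separately, three sentences in a row now begin "We also assume"; merging the last two would read better.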
@@ -588,9 +591,9 @@
 Also, we do not explicitly report the value of sending a successful message.
 Both are simplifications that do not alter the rest of the analysis.
 %FIXME following sentence is huge
-We could in fact have inserted an action $a^{0}$ with a certain disutility from
+\footnote{We could insert an action $a^{0}$ with a certain disutility from
 not sending any message, and solve the problem of minimizing the expected
-losses; or, we could have inserted in the payoff function for actions $%
+losses. Or, we could have inserted in the payoff function for actions $%
 a^{s,h,n}$ also the utility of sending a successful message compared to not
 sending it (which could be interpreted also as an opportunity cost), and
 solve the dual problem of maximizing the expected utility. Either way, the
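Review bot: The new \footnote{ starts on its own line after "Both are simplifications that do not alter the rest of the analysis.", so the line break becomes a space in front of the footnote mark; attach it directly to "analysis." or end that line with %. The footnote also mixes tenses ("We could insert" followed by "Or, we could have inserted"), and the "%FIXME following sentence is huge" comment can go now that the sentence has been split.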
@@ -598,7 +601,7 @@
 non-anonymously, or not sending it at all, depending on which option
 maximizes the expected benefits or minimizes the expected losses.
 Thereafter, we can simply compare the two other actions (being a user, or
-being also a node) to the locally optimal exit strategy.
+being also a node) to the locally optimal exit strategy.}
 
 While this model is simple, it allows us to highlight some of the dynamics
 that might take place in the decision process of agents willing to use a
@@ -642,32 +645,27 @@
 then agent $i$ will choose to be an user of the system. Otherwise, $i$ will
 simply not use the system.
 
-Of course, for a formal solution we need an explicit functional form of the
-probability function. We have seen above, however, that privacy metrics
-(like \cite{Diaz02,Serj02}) do not directly translate into monotonic
-probability functions of the type traditionally used in game theory.
-Furthermore, the actual level of anonymity will depend on the mix-net
-protocol and topology (cascade-based or synchronous networks will provide
-larger anonymity sets than asynchronous networks where traffic is divided
-among the nodes).
-
-Nevertheless we can highlight the economic rationale
-implicit in the above equation. In the first comparison agent $i$ is
+Our goal is to highlight the economic rationale
+implicit in the above inequalities. In the first case agent $i$ is
 comparing the contribution to her own anonymity of acting as a node to the
-costs of doing so. Acting as a node dramatically increases anonymity, but it
+costs. Acting as a node dramatically increases anonymity, but it
 will also bring more traffic-related costs to the agent. Agents with high
-privacy sensitivity (high $v_{i}$) will clearly be more likely to accept the
-trade-off and become nodes.
-%FIXME emphasize this more
+privacy sensitivity (high $v_{i}$) will be more likely to accept the
+trade-off and become nodes because they risk a lot by losing
+their anonymity, and because acting as nodes significantly increases their
+probabilities of remaining anonymous. On the other side, agents with a
+lower sensitivity to anonymity might decide that the costs or hassle
+of using the system are too high, and would not send the message (or
+would use non-anonymous channels).
 
-\subsubsection{Strategic Agents: Simple Case}
+\subsubsection{Strategic Agents: Simple Case.}
 
 Strategic agents take into consideration the fact that their actions will
 trigger responses from the other agents.
 
 We start by considering only one-on-one
-interactions. First we study the case where each agent knows the
-other agent's type, but we then extend this case to study what happens when
+interactions. First we present the case where each agent knows the
+other agent's type, but we then discuss what happens when
 there is uncertainty about the other agents' types.
 
 Suppose that each of agent $i$ and agent $j$ considers the other agent's
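Review bot: In the text added after "trade-off and become nodes", "On the other side" should be "On the other hand". That sentence also jumps from agents who become nodes straight to agents who "would not send the message", skipping the middle outcome the context above still describes ("agent $i$ will choose to be an user of the system"); one clause on the user-only case would complete the comparison. The "Simple Case." heading gains a trailing period here and "Multi-player Case." does the same later, so check any remaining \subsubsection titles for consistency.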
@@ -695,7 +693,8 @@
 Then we can represent the payoff matrix as:
 \begin{equation*}
 \begin{tabular}{cccc}
-{\tiny Player i / Player j} & $a_{j}^{h}$ & $a_{j}^{s}$ & $a_{j}^{n}$ \\
+{\tiny Agent i / Agent j} & $a_{j}^{h}$ & $a_{j}^{s}$ & $a_{j}^{n}$ \\
+other agent's type, but we then extend this case to study what happens when
 $a_{i}^{h}$ & $A_{i},A_{j}$ & $D_{i},B_{j}$ & $E_{i},C_{j}$ \\
 $a_{i}^{s}$ & $B_{i},D_{j}$ & $F_{i},F_{j}$ & $G_{i},C_{j}$ \\
 $a_{i}^{n}$ & $C_{i},E_{j}$ & $C_{i},G_{j}$ & $C_{i},C_{j}$%
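Review bot: The added line "other agent's type, but we then extend this case to study what happens when" sits inside the tabular, between the header row and the $a_{i}^{h}$ row. It has no & separators or \\ and duplicates, in its pre-change wording, a sentence from the "Strategic Agents: Simple Case" paragraph, so it looks like a stray paste and will break the payoff matrix. Remove it and keep only the "Agent i / Agent j" header change.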
@@ -704,22 +703,44 @@
 As before, each agent has a trade-off between the cost of traffic and the
 benefit of traffic when being a node, and a trade-off between having more
 nodes and less nodes. In addition to the previous analysis, now the final
-outcome also depends on how much each player knows about whether the
-other is honest or not, and how much she knows about the other player's
-sensitivity to privacy. %extend
-When $v_{i} \gg v_{j}$ then equilibrium with free-riding can be sustained: the
-problem can be mapped to \cite{palfrey-rosenthal-89}. 
-%show proof with prob. distribition here, simplygfiy
-The system can have equilibria with free-riding even when the other
-agent's type is unknown, under certain probability distributions
-over the other player's type. This can be proved again following
-\cite{palfrey-rosenthal-89}.
-% FIXME which probability distributions? are they easy or hard,
-% likely or unlikely?
+outcome also depends on how much each agent knows about whether the
+other is honest, and how much she knows about the other agent's
+sensitivity to privacy.
 
-\subsubsection{Strategic Agents: Multi-player Case}
+Of course, for an explicit solution we need a specific functional form for the
+probability function.\footnote{We have seen above, however, that privacy metrics
+like \cite{Diaz02,Serj02} do not directly translate into monotonic
+probability functions of the type traditionally used in game theory.
+Furthermore, the actual level of anonymity will depend on the mix-net
+protocol and topology (cascade-based or synchronous networks will provide
+larger anonymity sets than asynchronous networks where traffic is divided
+among the nodes).} Nevertheless, this framework can be mapped into the
+model analyzed \cite{palfrey-rosenthal-89} where two players decide
+simultaneously whether to contribute to a public good.
 
-Traditionally, cooperative solutions with a finite horizon are not
+In our model, when for example $v_{i} \gg v_{j}$ and $v_{i}$ is large,
+the disutility to player $i$ from not using the system or not being
+a node will be so high that she will decide to be a node even if $j$
+might free ride on her. Hence if $j$ values her anonymity, but not that
+much, the strategies $a_{i}^{h}$,$a_{j}^{s}$ can be an equilibrium of
+the repeated game.
+
+In fact, this model might have equilibria with free-riding even when
+the other agent's type is unknown. Let's imagine that both agents know
+that the evaluations $v_{i}$ are drawn independently from a continuous,
+monotonic probability distribution. Again, when one agent cares about
+her privacy enough, and/or believes that there is a high probability
+that the opponent would act as a dishonest node, then the agent will
+be better off protecting her own interests by becoming a node (again
+see \cite{palfrey-rosenthal-89}). Of course the more interesting cases
+are those when these clear-cut scenarios do not arise, which we
+consider next.
+
+\subsubsection{Strategic Agents: Multi-player Case.}
+
+Each player now considers the strategic decisions of a vast number of
+other players. Traditionally, cooperative solutions with a finite horizon
+are not
 sustainable because, by backward induction, each agent will have an
 incentive to deviate when the actions of other agents are not observable. As
 compared to the analysis above with only two agents, now a defection of one
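Review bot: Terminology is inconsistent in the added paragraphs: the sentence ending "sensitivity to privacy." is changed from "player" to "agent", but the new text goes back to "player" ("the disutility to player $i$", "two players decide", "Each player now considers"); pick one term. In "the model analyzed \cite{palfrey-rosenthal-89}" the word "in" is missing. Also, "an equilibrium of the repeated game" introduces repetition that nothing in the visible text sets up (the cited model is described as one where players "decide simultaneously"), so either say where the game becomes repeated or drop "repeated". The stranded "are not" line in the multi-player paragraph should be rewrapped.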
@@ -911,7 +932,7 @@
 more jurisdictionally diverse this group of nodes, the more robust the
 overall system.
 
-However, volunteers are problems: users don't know who they're dealing with.
+However, volunteers are problems: users don't know whom they're dealing with.
 We have primarily focused on the strategic motivations of honest agents, but
 the motivations of dishonest agents are at least as important. An
 anonymity-breaking adversary with an adequate budget would do best to
@@ -952,18 +973,19 @@
 period of time. Such adversaries will be in an arms race with protocol
 developers to stay undetected despite their attacks \cite{casc-rep}. The
 benefits from successful attacks might be financial, as in the case of
-discovering and using sensitive information, or a competitor's service being
+discovering and using sensitive information or a competitor's service being
 disrupted; or they could be purely related to personal satisfaction. The
-costs following being discovered as a dishonest node include rebuilding a
+costs of being discovered as a dishonest node include rebuilding a
 new node's worth of reputation; but being noticed and exposed as the
 adversary may have very serious negative consequences for the attacker
-itself. (Imagine the public response if the NSA were found running dishonest
-nodes.)
+itself. (Imagine the public response if an Internet provider were found
+running dishonest nodes.)
 
-All things considered, it might be that the laws of economics work against
-the attacker as well.
+Thus, all things considered, it might be that the laws of economics work
+against the attacker as well.
 
-A ``lazy'' node wants to protect her own anonymity, but keeps her costs
+A ``lazy'' node, on the other hand, wants to protect her own anonymity,
+but keeps her costs
 lower by not forwarding or accepting all of her incoming traffic. By doing
 so this node decreases the reliability of the system. While this strategy
 might be sounder than the one of the flat-out dishonest node, it also
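Review bot: Dropping the comma in "discovering and using sensitive information or a competitor's service being disrupted" makes "discovering and using" appear to govern "a competitor's service being disrupted" as well. Making the two items parallel fixes it, for example "as in the case of discovering and using sensitive information or disrupting a competitor's service". The short line "but keeps her costs" added in the lazy-node paragraph should also be rewrapped with the lines around it.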
@@ -1002,7 +1024,8 @@
 and not well known --- so in the strategic decision process they will decide
 against using the mix-net at all. Correct marketing seems critical to
 gaining critical mass in an anonymity system: in hindsight, perhaps
-Zero-Knowledge Systems would have gotten farther had it emphasized usability
+Zero-Knowledge Systems would have gotten farther had it placed initial
+emphasis on usability
 rather than security. Note that here again reliability becomes an issue,
 since we must consider both the benefits from sending a message \textit{and }%
 keeping it anonymous. If the benefits of sending the message are not that
@@ -1031,99 +1054,32 @@
 
 \subsection{Customization and preferential service are risky too}
 
-Leaving security decisions up to the user is traditionally a way to foist
+Leaving security decisions up to the user is traditionally a way to transfer
 cost or liability from the vendor to the customer; but in strong anonymity
 systems it may be unavoidable. For example, the sender might choose how many
 nodes to use, whether to use mostly nodes run by her friends, whether to
 send in the morning or evening, etc. After all, only she knows the value of
-the transaction. But these parameters can affect anonymity --- different
+her anonymity. But this choice also threatens anonymity --- different
 usage patterns can help distinguish and track users.
 
-Choosing one or a few sets of system-wide security parameters can help
-protect users by keeping the noise fairly uniform, but again we're
-introducing inefficiencies; users that don't need as much protection may
+Limiting choice of system-wide security parameters can
+protect users by keeping the noise fairly uniform, but
+introduces inefficiencies; users that don't need as much protection may
 feel they're wasting resources. Yet we risk anonymity if we let users
-customize or optimize their client's behavior. We can't even let users pay
+optimize their behavior. We can't even let users pay
 for better service or preferential treatment --- the hordes in the coach
-seats are probably better off anonymity-wise than those in first class.
+seats are more anonymous than the few in first class.
 
-This need to pigeonhole users into a few behavior classes conflicts with the
-fact that real-world users have different interests and different
-approaches. Heterogeneity in its users is what makes the Internet so lively
-and successful. Reducing options can lead to reduced usability, scaring away
+This need to pigeonhole users into a few behavior classes conflicts
+with the fact that real-world users have a continuum of interests and
+approaches. Reducing options can lead to reduced usability, scaring away
 the users and leaving a useless anonymity system.
 
 % It remains to be seen whether designs and
 %incentives, for both system users and system components, can be structured
 %to meet all of these objectives sufficiently to create viable systems.
 
-\section{Conclusions and Future Work}
-
-We have described a basic model for characterizing and analyzing the
-various incentives for participants to act either as senders or as
-nodes in strong anonymity infrastructures. In particular, what we
-tried to achieve in this paper is a framework to interpret anonymity
-from an economic perspective. We have applied this framework to a
-number of simplified scenarios. The trade-off between simplicity and
-realism must be considered when evaluating our results, which consist
-in highlighting some trends in the dynamics of the decision process
-for agents interested in using anonymous systems. Some of these trends
-can be summarized as follows: there can be an optimal level of
-free-riding in anonymous mix-net systems, because there exist
-conditions under which agents with high sensitivity to anonymity will
-decide to incur the costs of offering the service to others in order
-to protect their own anonymity. However, we have discussed how the
-deployment of a completely distributed system might involve
-coordination costs which make it unfeasible. In addition, we have
-discussed how systems of this type rely on the presence of a vast
-amount of simple users (low sensitive types) producing traffic and
-noise. The analysis therefore highlights that attracting the types
-with low sensitivity is essential to the success of a mix system. This
-involves dealing with the possible myopism (or flat-out disinterest)
-of low sensitive types in the area of anonymity protection. It appears
-therefore that a hybrid solution involving distributed trusted mixes,
-supported through entry-fees paid to a central authority and
-redistributed to the nodes, could be among the most interesting
-options. If certain nodes could be trusted thanks to their reputation,
-highly sensitive agents might will have an interest in supporting
-them. We can note here that the benefit discussed above coming from
-being a node could be transferred to another entity the agent trust,
-discounted by the trust level the agent places in that entity. Agents
-with lower sensitivity would be allowed to use the system for free.
-s mechanism should be implemented either but controlling the use by
-each agent of the system, so that for example free users might not
-send more than certain messages during a certain span of time, or by
-inserting masked costs such as delays for the free users (see, again,
-Anonymizer.com).
-In other words, what we have highlighted is that there are economic
-reasons for distributed trust and, under certain conditions,
-distributed trust could be an equilibrium in the system. In real life
-applications, however, it is likely that coordination costs will be so
-high that an hybrid solution like the one discussed above will be the
-best way to obtain the benefits agents want from the system.
-
-Alternate conclusion paragraph:
-
-We have described a basic model for characterizing and analyzing the various
-incentives for participants to act either as senders or as nodes in strong
-anonymity infrastructures. In particular, what we tried to achieve in this
-paper is a framework to interpret anonymity from an economic perspective. We
-have applied this framework to a number of simplified scenarios. The
-trade-off between simplicity and realism must be considered when evaluating
-our results, which consist in highlighting some trends in the dynamics of
-the decision process for agents interested in using anonymous systems. Some
-of these trends can be summarized as follows: there can be an optimal level
-of free-riding in anonymous mix-net systems, because there exist conditions
-under which agents with high sensitivity to anonymity will decide to incur
-the costs of offering the service to others in order to protect their own
-anonymity. However, we have discussed how the deployment of a completely
-distributed system might involve coordination costs which make it
-unfeasible. In addition, we have discussed how systems of this type rely on
-the presence of a vast amount of simple users (low sensitive types)
-producing traffic and noise. The analysis therefore highlights that
-attracting the types with low sensitivity is essential to the success of a
-mix system. This involves dealing with the possible myopism (or flat-out
-disinterest) of low sensitive types in the area of anonymity protection.
+\section{Future Work}
 
 There are a number of directions for future research:
 
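Review bot: "Limiting choice of system-wide security parameters" is ambiguous where it replaces "Choosing one or a few sets of system-wide security parameters": it can be read as restricting what the designers choose rather than offering users only a few fixed settings. Something like "Limiting users to a few system-wide parameter sets" keeps the original meaning. In the same paragraph, "the hordes in the coach seats are more anonymous than the few in first class" now states as fact what the old text hedged with "probably"; confirm that the stronger claim is intended.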
@@ -1166,8 +1122,36 @@
 the agent payoff function.
 \end{itemize}
 
-It is clear that, given their limited tractability in closed-form terms,
-some of the above extensions will need computational solutions.
+%It is clear that, given their limited tractability in closed-form terms,
+%some of the above extensions will need computational solutions.
+
+\section{Conclusions}
+
+We have described a basic model for characterizing and analyzing the
+various incentives for participants to act as senders and nodes in
+strong anonymity infrastructures. Our model does not solve the problem of
+building a more successful system --- but it does provide some guidelines
+for how to think about solving that problem. Much research remains for
+a more realistic model, but we can already draw some conclusions:
+
+\begin{itemize}
+\item Systems must attract cover traffic (many low-sensitivity users)
+before they can attract the high-sensitivity users. To attract this
+cover traffic, they may well have to address the fact that most users
+do not want (or do not realize they want) anonymity protection.
+\item Reputation has a complex but critical influence on node
+participation. We must investigate its role more thoroughly.
+\item High-sensitivity users have incentive to run nodes, so they can
+be certain their first hop is honest.
+\item There can be an optimal level of free-riding in decentralized
+anonymity systems, because there exist conditions under which
+high-sensitivity agents will opt to accept the cost of offering service
+to others in order to gain cover traffic.
+\item While there are economic reasons for distributed trust,
+the deployment of a completely decentralized system might involve
+coordination costs which make it unfeasible. A central coordination
+authority to redistribute payments may be more practical.
+\end{itemize}
 
 \bibliographystyle{plain}
 \bibliography{econymics}
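Review bot: The last conclusion bullet refers to "A central coordination authority to redistribute payments", but the text that introduced payments ("entry-fees paid to a central authority and redistributed to the nodes") was deleted with the old conclusion in the previous hunk, so "payments" is unexplained here unless an earlier section covers it. Name the entry fees in the bullet or point to the section that does. The two lines starting "It is clear that" are commented out rather than removed; since CVS keeps the history, delete them. With this change "Future Work" precedes "Conclusions", which is worth a second look.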
