[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[freehaven-cvs] added a key point to the conclusion
Update of /home/freehaven/cvsroot/doc/fc03
In directory moria.seul.org:/home/arma/work/freehaven/doc/fc03
Modified Files:
econymics.tex
Log Message:
added a key point to the conclusion
Index: econymics.tex
===================================================================
RCS file: /home/freehaven/cvsroot/doc/fc03/econymics.tex,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -d -r1.38 -r1.39
--- econymics.tex 17 Sep 2002 02:56:49 -0000 1.38
+++ econymics.tex 17 Sep 2002 03:33:28 -0000 1.39
@@ -115,7 +115,7 @@
--- indeed, Diffie has remarked that traffic analysis is the backbone
of communications intelligence, not cryptanalysis \cite{diffiebook}.
-With so many interested users, it might seem that there is a ready market
+With so many potential users, it might seem that there is a ready market
for anonymity services --- that is, it should be possible to offer such
services and develop a paying customer base. However, with one notable
exception (the Anonymizer \cite{anonymizer}) commercial offerings in
@@ -155,7 +155,8 @@
identified. Nodes must carry traffic from others to provide cover.
%Yet those others don't want to trust their
%traffic to a single entity either.
-The only viable solution is to distribute trust. Each party runs a node
+The only viable solution is to distribute trust. Each party can choose
+to run a node
in a shared \emph{strong anonymity} infrastructure, if its incentives
are large enough to support the associated costs. Users with more modest
budgets or shorter-term interest in the system also benefit from this
@@ -211,7 +212,8 @@
discuss the incentives for the agents to participate either as senders
or also as nodes, and we propose a general framework for their
analysis. In the next section we consider various applications of our
-framework. After that we will examine alternate incentive mechanisms.
+framework, and then in Section \ref{sec:alternate-incentives} we
+examine alternate incentive mechanisms.
We begin with the assumption that agents value
their privacy. This value might be related to profits they will make
@@ -257,7 +259,7 @@
anonymous, or the losses the agents expects to avoid by keeping that
information anonymous. We represent the level of anonymity in the system
as a function of the traffic (number of agents sending messages in the
-system, $n_{s}$), the number of mixes (number of agents acting as honest
+system, $n_{s}$), the number of nodes (number of agents acting as honest
nodes, $n_{h}$ and as dishonest nodes, $n_{d}$), and the decisions of the
agent. We assume that this function maps these factors into a probability
space, $p$.\footnote{%
@@ -276,7 +278,7 @@
run a node may accidentally choose a dishonest node as their first hop,
significantly decreasing their anonymity (especially in low-latency
anonymity systems where end-to-end timing attacks are very hard to
-prevent). Further, agents who run a
+prevent \cite{back01}). Further, agents who run a
node can undetectably blend their message into their node's traffic,
so an observer cannot know even when the message is sent.
@@ -507,7 +509,7 @@
\subsection{Honest agents}
If a user only sends messages, the cost of using the anonymous service
-is $c_{s}$. This cost might be higher than using the non anonymous channel, $%
+is $c_{s}$. This cost might be higher than using the non-anonymous channel, $%
c_{n}$, because of usage fees, usage hassles, or delays. To keep things
simple, we assume that all messages pass through the mix-net in fixed-length
free routes, so that we can write $c_{s}$ as a fixed value, the same
@@ -612,7 +614,7 @@
-c_{s}<-v_{i}-c_{n}$%
\end{tabular}
\end{equation*}
-then agent $i$ will choose to be an user of the system. Otherwise, $i$ will
+then agent $i$ will choose to be a user of the system. Otherwise, $i$ will
simply not use the system.
Our goal is to highlight the economic rationale
@@ -728,7 +730,7 @@
be a node when the agent starts realizing that there is enough anonymity in the
system and she no longer needs to be a node. But if too many agents
act this way, the system might break down for lack of nodes, after which
-everybody would have to resort to non anonymous channels.
+everybody would have to resort to non-anonymous channels.
We can consider this to be a ``public good with free-riding'' type
of problem \cite{cornes-sandler-86}.
@@ -832,7 +834,7 @@
is a cost in the delay and the hassles of using the free service), and
offers better service for money. With usage fees, the cost of being a node
is externalized. A hybrid solution involves
-distributed trusted mixes, supported through entry fees paid to a central
+distributed trusted nodes, supported through entry fees paid to a central
authority and redistributed to the nodes.
%\item \emph{Bilateral contracts}. Bilateral or multilateral contracts between
@@ -855,14 +857,15 @@
Just as the statistics pages for seti@home \cite{seti-stats} encourage
participation, publically ranking generosity creates an incentive to
participate. Although the incentives of public recognition and public
-good don't fit in our model very well, they explain most actual current
+good don't fit in our model very well, we emphasize them because they
+explain most actual current
node operators. As discussed above, reputation can enter the utility
function indirectly or directly (when agents value their reputation as
a good itself).
-If we publish a list of mixes ordered by safety (based on number of messages
+If we publish a list of nodes ordered by safety (based on number of messages
passing through the node), the high-sensitivity agents will
-gravitate to safe mixes, causing more traffic and improving their safety
+gravitate to safe nodes, causing more traffic and improving their safety
further (and lowering the safety of other nodes). In our model the
system will stabilize with one or a few remailers. In reality, though,
$p_a$ is influenced not just by $n_h$ but
@@ -1022,7 +1025,7 @@
%Note in this case that the choice of agents with lower privacy sensitivity
%between different anonymous systems with different levels of anonymity (and
%monotonically associated costs) can be represented in our model as the
-%choice between being a node or only an user of the system. But anedoctal
+%choice between being a node or only a user of the system. But anedoctal
%evidence as well as surverys and experimental results have shown how even
%those individuals who claim to care about their privacy are unwilling to pay
%even small amounts to defend it - or, viceversa, are ready to trade it for
@@ -1120,9 +1123,11 @@
\begin{itemize}
\item Systems must attract cover traffic (many low-sensitivity users)
-before they can attract the high-sensitivity users. To attract this
-cover traffic, they may well have to address the fact that most users
-do not want (or do not realize they want) anonymity protection.
+before they can attract the high-sensitivity users. Weak security
+parameters (e.g. smaller batches) may produce \emph{stronger} anonymity
+by bringing more users. But to attract this cover traffic, they may well
+have to address the fact that most users do not want (or do not realize
+they want) anonymity protection.
%\item Reputation has a complex but critical influence on node
%participation. We must investigate its role more thoroughly.
\item High-sensitivity agents have incentive to run nodes, so they can
***********************************************************************
To unsubscribe, send an e-mail to majordomo@seul.org with
unsubscribe freehaven-cvs in the body. http://freehaven.net/