
Re: [freehaven-dev] Graduated Mirroring

On Thu, 27 Jan 2000, Roger Dingledine wrote:
> On the other hand, I have no real reason for having nodes not know
> the files that their fragments belong to, so I'm fine assuming that
> they have some way of figuring it out.

There might be a reason: plausible deniability. Someone operating
a server and caught with "evil data" may have an easier time with
authorities if they did not know the nature of the data they were
carrying. On the other hand, if the server operator screens data,
he may be more liable for possible consequences of having that data,
since he explicitly approved having it on his system. 

In this scenario, under Roger's proposal, the node may not want
to know which files it is holding. It will not try to find out. 
So the protocol need only avoid revealing what files are being stored.

There is another scenario I can imagine: one in which the owner's
knowledge is irrelevant; mere possession of the data will make him guilty.
Now the authority has taken control of the node, and is attempting 
to determine whether a specific, known, piece of evil data is present
anywhere on the node.

This seems much harder to protect against. The only possibility which
comes to my mind is forcing a query for the bad data to involve a set
of other nodes, some of whom have the data and some do not, but
all of whom respond to the query. Then use this somehow to build
uncertainty as to whether the targeted node actually has the data. You'd
have to ensure that the authority could not choose the set used, as well.

At that point, it may not be a problem worth solving, at least not in
a practical implementation. Unless there's a better way?

-David Molnar