
[freehaven-dev] intro draft



rough proposal outline:

1. motivation/project goals
2. threats we expect
3. related works
4. some proposed mechanisms/implementations to meet our goals

this thing is still under construction (it's been a long evening). here's
a draft of the first section. section three will remain roughly the
same, section four i'll draft tomorrow sometime (heh), and section two
is under construction currently. i'll wake up in a few hours and take a
stab at fixing up some of my terminology. :) comments very much
appreciated.

\section{Motivation}

The internet is moving in the direction of increasing freedom
of information, and increasingly blurred national boundary lines.
At the same time as a strong sense of global community is growing,
technical advances have provided greatly increased bandwidth and
an enormous amount of computing power and well-connected storage.
However, the increases in speed and efficiency have not brought
comparable increases in privacy and anonymity on the internet -- indeed,
governments and especially corporations are beginning to realize that
they can leverage the internet to provide detailed information about the
interests and behaviors of existing or potential customers. Court cases,
such as the Church of Scientology's lawsuit against foo or the more recent
OpenDVD debate (and subsequent arrest of DeCSS author Jon Lech Johansen),
demonstrate that the internet does not currently have an
adequate infrastructure for truly anonymous publication or distribution
of documents or other data.

\section{Project Goals}

The Free Haven Project intends to deploy a system that provides a good
infrastructure for stronger anonymity. Specifically, this means that the
publisher of a given document should not be known; that clients requesting
the document should not have to identify themselves; and that the current
location of the document should not be known.

The design is based on a community of servers (which as a whole is termed
the `servnet') where each server hosts data from the other servers in exchange for
the opportunity to store data of its own in the servnet. Besides the above
anonymity requirement, there are a number of other requirements for a stable
and useful system:

\begin{itemize}
\item The system must be robust: loss of perhaps
up to half of the participating servers should not imply loss of any
documents.
\item The system must be simple: complex protocols and heuristics
invite security weaknesses. It must be self-contained and based on
realistic technological expectations.  For instance, we cannot rely on
a stable international electronic cash infrastructure.
\item The system must be decentralized: to maintain efficiency, security,
and reliability, no single server or small subset of
the servers should be a bottleneck anywhere in the protocol.
\item The system must support privacy of data [i need a better term]:
popularity of a document should not influence its duration in the servnet.
This decision should be left entirely to the publisher of the document;
by joining the system, servnet nodes agree to host data from other nodes
in a `content-blind' manner. [this description needs help]
\item The system must provide (accountability?): the amount of
damage that a compromised or otherwise `evil' node can perform should be
limited.
\item The system must provide flexibility on a per-server level: server
operators should be able to decide how paranoid or trusting they are, how
many resources to provide to the servnet, etc.
\item The components upon which the system relies must be free and open
source, in the sense that modification and redistribution are explicitly
permitted.
\item The system must provide a mechanism for anonymously inserting a
document into the servnet.
\item The system must provide a mechanism for anonymously retrieving
a document from the servnet, including verifying that the retrieved
document is identical to the original document.
\item The system must provide a mechanism for expiring documents:
the duration of a document should be decided by the publisher when that
document is published to the servnet, and the document should be
available until that duration expires.
\end{itemize}
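To make the requirements above concrete, here is an added toy model (written for this page, not code from the draft or from the Free Haven project, whose mechanisms section is not yet drafted) of a servnet that meets four of them at once: robustness against loss of half the servers, content-blind hosting, publisher-decided expiry, and verification on retrieval that the returned document is identical to the original. Everything in it is an assumption chosen for illustration: documents are identified by the SHA-256 of their bytes, each document is replicated to a strict majority of servers (so any half can vanish and a copy survives), and a tampered copy is rejected because its hash no longer matches the identifier the client asked for. Names such as \texttt{Servnet}, \texttt{publish} and \texttt{retrieve} are hypothetical.

```python
import hashlib
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Document:
    """A published document, identified by the hash of its bytes and carrying
    the publisher-chosen expiry time (seconds on whatever clock the net uses).
    Hash-as-identifier is an assumption made for this illustration."""
    data: bytes
    expires_at: float

    @property
    def ident(self) -> str:
        return hashlib.sha256(self.data).hexdigest()


@dataclass
class Server:
    """One servnet node: it hosts whatever it is handed, content-blind, and
    drops a document only once the publisher's expiry has passed."""
    name: str
    store: Dict[str, Document] = field(default_factory=dict)
    alive: bool = True

    def put(self, doc: Document) -> None:
        self.store[doc.ident] = doc

    def get(self, ident: str, now: float) -> Optional[Document]:
        if not self.alive:
            return None
        doc = self.store.get(ident)
        if doc is None:
            return None
        if doc.expires_at <= now:
            # Expiry is decided by the publisher alone; how often the document
            # was requested plays no part in whether it is kept.
            del self.store[ident]
            return None
        return doc


class Servnet:
    """Hypothetical community of servers (a toy, not Free Haven's design)."""

    def __init__(self, n_servers: int, seed: int = 0) -> None:
        self.servers: List[Server] = [Server(f"s{i}") for i in range(n_servers)]
        self.rng = random.Random(seed)  # seeded so runs are reproducible

    @staticmethod
    def verify(ident: str, data: bytes) -> bool:
        """Does the returned data hash to the identifier the client requested?"""
        return hashlib.sha256(data).hexdigest() == ident

    def publish(self, data: bytes, ttl: float, now: float) -> str:
        """Store the document on a strict majority of servers, so that losing
        any half of them still leaves at least one copy in the servnet."""
        doc = Document(data=data, expires_at=now + ttl)
        n_copies = len(self.servers) // 2 + 1
        for srv in self.rng.sample(self.servers, n_copies):
            srv.put(doc)
        return doc.ident

    def retrieve(self, ident: str, now: float) -> Optional[bytes]:
        """Ask every live server; accept only a copy whose hash matches."""
        for srv in self.servers:
            doc = srv.get(ident, now)
            if doc is not None and self.verify(ident, doc.data):
                return doc.data
        return None

    def fail(self, count: int) -> None:
        """Take the first `count` servers offline (simulated loss)."""
        for srv in self.servers[:count]:
            srv.alive = False

    def tamper(self, ident: str, bad: bytes) -> None:
        """Corrupt the copy on the first server holding it (a simulated
        `evil' node serving forged content under the original identifier)."""
        for srv in self.servers:
            if ident in srv.store:
                expiry = srv.store[ident].expires_at
                srv.store[ident] = Document(data=bad, expires_at=expiry)
                return


if __name__ == "__main__":
    net = Servnet(10, seed=1)
    ident = net.publish(b"constructed sample document", ttl=100, now=0)
    net.fail(5)                      # half the servnet disappears
    print(net.retrieve(ident, now=10))   # still served from a surviving copy
    print(net.retrieve(ident, now=100))  # None: the publisher's expiry passed
```

The two things worth noticing are that `retrieve` never trusts a server's answer without recomputing the hash, so a node returning altered bytes under a valid identifier is simply skipped, and that expiry is enforced by each server from the publisher's timestamp alone, which is what `content-blind' hosting with publisher-controlled duration amounts to in the simplest possible form.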

We assume that there will be some
generous individuals out there who believe in the goals of the system
and will donate some services.
Notice that efficiency isn't on the list -- we can afford to have more overhead
(both in time and in bandwidth) if we get stronger anonymity out of it.