[freehaven-dev] section 1.2: project summary
The Free Haven Project intends to deploy a system that provides a good
infrastructure for stronger anonymity. Specifically, this means that the
publisher of a given document should not be known; that clients requesting
the document should not have to identify themselves to anyone; and that
the current location of the document should not be known. Additionally,
it would be preferable to limit the number of opportunities where an
outsider can show that a given document passed through a given computer. A
more thorough examination of our requirements and notions of anonymity
can be found in Subsection \ref{anon}.

The overall design is based on a community of servers (which as a whole is
termed the `servnet') where each server hosts data from the other servers
in exchange for the opportunity to store data of its own in the servnet.
When an author wishes to publish a document, she breaks the document into
shares, where a subset (any $k$ of $n$) is sufficient to reconstruct the
document, and then for each share, negotiates for some server to publish
that share on the servnet. The servers then trade shares around behind
the scenes. When a reader wishes to retrieve a document from the servnet,
she requests it from any server, including a location and key which can be
used to deliver the document in a private manner. This server broadcasts
the request to all other servers, and those which are holding shares for
that document encrypt them and deliver them to the reader's location. Also
behind the scenes, the shares employ what is essentially the `buddy
system' to maintain some accountability: servers which drop shares or are
otherwise unreliable get noticed after a while, and are trusted less. A
trust module on each server maintains a database of each other server,
based on past direct experience and also what other servers have said.
For communication both between servers and between the servnet and
readers, we rely on an existing mixnet infrastructure to provide an
anonymous channel.
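As an added illustration of the any-$k$-of-$n$ share property described above (example code, not the Free Haven project's own; the message does not say which splitting algorithm the project uses), here is one way to realise it: Shamir's threshold scheme over GF(257), applied one document byte at a time, so that any $k$ of the $n$ shares reconstruct the document and fewer than $k$ reveal nothing about it.

```python
import secrets

PRIME = 257  # smallest prime above 255, so every byte value is a field element


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner), mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_document(data: bytes, k: int, n: int):
    """Split data into n shares such that any k of them reconstruct it.

    Each share is (x, values): the share index x in 1..n and one field
    element per document byte. Shares are meant to go to different servers.
    """
    if not 1 <= k <= n < PRIME:
        raise ValueError("need 1 <= k <= n < 257")
    shares = {x: [] for x in range(1, n + 1)}
    for byte in data:
        # Random polynomial of degree k-1 whose constant term is the byte;
        # k points determine it, k-1 points leave the constant term uniform.
        coeffs = [byte] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
        for x in shares:
            shares[x].append(_eval_poly(coeffs, x))
    return [(x, vals) for x, vals in shares.items()]


def reconstruct_document(shares, k: int) -> bytes:
    """Recover the document from any k distinct shares (Lagrange interpolation at x=0)."""
    if len(shares) < k:
        raise ValueError("not enough shares to reconstruct")
    shares = shares[:k]
    xs = [x for x, _ in shares]
    if len(set(xs)) != k:
        raise ValueError("duplicate share index")
    out = bytearray()
    for i in range(len(shares[0][1])):
        total = 0
        for j, (xj, vals) in enumerate(shares):
            num, den = 1, 1
            for m, xm in enumerate(xs):
                if m != j:
                    num = (num * (-xm)) % PRIME          # factor (0 - x_m)
                    den = (den * (xj - xm)) % PRIME      # factor (x_j - x_m)
            basis = num * pow(den, PRIME - 2, PRIME) % PRIME
            total = (total + vals[i] * basis) % PRIME
        out.append(total)  # exact recovery of the byte, so always < 256
    return bytes(out)
```

With $k$ correct shares the interpolated constant term is exactly the original byte; a reader holding shares from only $k-1$ servers sees values that are uniformly distributed and learns nothing about the document.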

The system is designed to store data without concern for its popularity
or controversial nature.  Possible uses include storing source code or
binaries for software which is currently under legal debate, such as the
recent DeCSS controversy or other software with patent issues; publishing
political speech in an anonymous fashion for people afraid that tying
their speech to their public persona will damage their reputation; or even
storing more normal-looking data like a set of public records from Kosovo.

Free Haven is designed more for anonymity and persistence of documents
than for frequent querying --- we expect that in many cases, interesting
material will be retrieved from the system and published in a more
available fashion (such as normal web pages) in a jurisdiction where
such publishing is more reasonable. Then the document in the servnet
would only need to be accessed if the other sources were shut down.

The potential adversaries are many and diverse: governments, corporations,
and individuals all have reason to oppose the system.  There will be
social attacks from citizens and countries trying to undermine the trust
in the security of the system, as well as attacking the motivation for
servnet node operators to continue running nodes. There will be political
attacks, using the influence of a country's leaders to discourage use of
the servnet. There will be government and legal attacks, where authorities
attempt to shut down servnet nodes or arrest operators. Indeed, in
many cases ordinary citizens can recruit the power of the government
through lawsuits or subpoenas. Multinational corporations will hold
sway over several countries, influencing them to pass similar laws
against anonymous networks. There will be technical attacks, both from
individuals and from corporations and national intelligence agencies,
targeted either at the system as a whole or at particular documents or
node operators, to reduce the quality of service or gain control of part
of the network. Clearly the system needs to be designed with stability,
security, and longevity in mind.