\documentclass[twoside,vi]{mitthesis}
\usepackage{fancyheadings}
\usepackage{doublespace}
\usepackage{fullpage}
\usepackage{epsf}
\usepackage{amsmath}
\usepackage{amssymb}   % provides \checkmark, used by \cm below
\usepackage{multicol}
\usepackage{simplemargins}

% Local macros: a check mark, a fourth-level sectioning command, a
% one-shot EPS figure, and the attributed chapter-opening quotation.
\newcommand{\cm}[0]{$\checkmark$}
\newcommand{\subsubsubsection}[1]{\paragraph{#1}}

\newcommand{\dofig}[3]{\begin{figure}
\epsfbox{#1}
\caption{#2}
\label{#3}
\end{figure}}

\newcommand\topquote[2]{\begin{quotation} \singlespace \em #1 \par \leftskip=0pt \hfill --- #2 \end{quotation}}

%setstretch{1.0}

\settopmargin{1in}
\setbottommargin{1in}
\setleftmargin{1.25in}
\setrightmargin{1.25in}

\headheight 32pt
\lhead{Trust Economies in the Free Haven Project}
\rhead{Brian Sniffen}
\begin{document}
\title{Trust Economies in the Free Haven Project}
\author{Brian T. Sniffen}
\department{Department of Electrical Engineering and Computer Science}
\degree{Bachelor of Science in Computer Science and Engineering}
\degreemonth{June}
\degreeyear{2000}
\thesisdate{May 22, 2000}
\supervisor{Ron Rivest}{Webster Professor of Computer Science and Engineering}
\chairman{Arthur C. Smith}{Chairman, Department Committee on Graduate Students}
\maketitle
\newpage~\thispagestyle{empty}~\newpage%\addtocounter{page}{-2}

%%%Abstract

\newpage
% Uncomment the next line if you do NOT want a page number on your
% abstract and acknowledgments pages.
\pagestyle{empty}
\setcounter{savepage}{\thepage}
\begin{abstractpage}
%\input{abstract}
The Free Haven Project aims to deploy a system for distributed data
storage which is robust against attempts by powerful adversaries to
find and destroy stored data. Free Haven uses a secure mixnet for
communication, and it emphasizes distributed, reliable, and anonymous
storage over efficient retrieval.  We provide a system for building
trust between pseudonymous entities, based entirely on records of
observed behavior.  Modelling these observed behaviors as an economy
allows us to draw heavily on previous economic theory, as well as on
existing data havens which base their accountability on financial
loss.  This trust system provides a means of enforcing accountability
without sacrificing anonymity.
\end{abstractpage}

% \pagenumbering{roman}
\setcounter{tocdepth}{2}
\tableofcontents

% \listoffigures
% \newpage

% \pagenumbering{arabic}

\chapter{Introduction}
\pagestyle{fancy}
\topquote{Just build the trust system.  It'll be easy.}{Roger Dingledine}
The intent of the Free Haven Project is to create a system for
anonymous publication and retrieval of information in such a way that
information, once injected into the system, is very difficult to
remove.  Unlike other anonymous publication systems, it focuses
primarily on anonymity, not on availability.  Further documentation on
the Free Haven Project itself is available at \cite{rogers-thesis} and
\cite{freehaven}.

\section{Motivation}
\begin{quotation}
\singlespace
The Internet is moving in the direction of increasing freedom
of information and increasingly blurred national boundary lines.
At the same time as a strong sense of global community is growing,
technical advances have provided greatly increased bandwidth and
an enormous amount of computing power and well-connected storage.
However, the increases in speed and efficiency have not brought
comparable increases in privacy and anonymity on the Internet -- indeed,
governments and especially corporations are beginning to realize that
they can leverage the Internet to provide detailed information about the
interests and behaviors of existing or potential customers.  Court cases,
such as the Church of Scientology's lawsuit against Johan
Helsingius\cite{helsingius}
or the more recent OpenDVD debate\cite{dvd}
(and subsequent arrest of DeCSS author Jon Lech Johansen),
demonstrate that the Internet currently lacks an
adequate infrastructure for truly anonymous publication or distribution
of documents or other data. \cite{rogers-thesis}
\end{quotation}

Any attempt to create such an infrastructure will, by the nature of its
anonymity, require various parties to perform services for people they
have never met, with no certainty that their work will ever be repaid.  A
formalized definition of trust is therefore required.  For the purposes of the
Free Haven Project, this definition leads us to a \emph{Trust
Economy}: a way of trading favors for trust.

An economic model of trust allows us to draw on previous work
regarding trust networks with actual financial penalties.  It also
gives us a tool to talk about net benefits and costs of various
security and trust policies.

\section{Free Haven Project Summary}
\emph{excerpted from \cite{rogers-thesis}}

The Free Haven Project intends to deploy a system that provides a good
infrastructure for anonymous publication. Specifically, this means that the
publisher of a given document should not be known; that clients requesting
the document should not have to identify themselves to anyone; and that
the current location of the document should not be known. Additionally,
it would be preferable to limit the number of opportunities where an
outsider can show that a given document passed through a given computer. A
more thorough examination of our requirements and notions of anonymity
can be found in \cite{rogers-thesis}.

The overall design is based on a community of servers (which as a whole is
termed the `servnet') where each server hosts data from the other servers
in exchange for the opportunity to store data of its own in the servnet.
When an author wishes to publish a document, she breaks the document into
shares, where a subset (any $k$ of $n$) is sufficient to reconstruct the
document, and then for each share, negotiates for some server to publish
that share on the servnet. The servers then trade shares around behind
the scenes. When a reader wishes to retrieve a document from the servnet,
she requests it from any server, including a location and key which can be
used to deliver the document in a private manner. This server broadcasts
the request to all other servers, and those which are holding shares for
that document encrypt them and deliver them to the reader's location. Also
behind the scenes, the shares employ what is essentially the `buddy
system' to maintain some accountability: servers which drop shares or are
otherwise unreliable get noticed after a while, and are trusted less. A
trust module on each server maintains a database on the behavior of
each other server, based on past direct experience and also what other
servers have said.  For communication both between servers and between
the servnet and readers, we rely on an existing mixnet infrastructure
to provide an anonymous channel.
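As an added illustration that is not part of this thesis or of the Free Haven code base, the following Python model walks through the servnet flow just described: a document is split into $n$ shares of which any $k$ reconstruct it, the shares are handed to servers, one server silently drops its share, the buddy system notices, every server's trust module records the drop both from direct experience and from what other servers report, and the document is still retrieved from the surviving shares. Shamir secret sharing over a prime field stands in for the project's own share scheme; the trust-scoring rule (direct observations at full weight, hearsay discounted by how much the hearer trusts the reporter) and the ring-shaped buddy pairing are hypothetical choices made for this example, and the server names, document bytes and dropping server are constructed.

```python
# Illustrative model of the servnet flow; example code written for this page,
# not Free Haven's own implementation. Assumptions: Shamir secret sharing over
# a prime field replaces the project's k-of-n scheme, and the trust-scoring and
# buddy-audit rules below are hypothetical.
import secrets
from dataclasses import dataclass, field
from itertools import combinations

P = (1 << 127) - 1  # Mersenne prime used as the field modulus (toy choice)


def _poly(coeffs, x):
    """Evaluate a polynomial with the given coefficients at x, mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_document(doc, k, n):
    """Return n shares (x, y); any k of them reconstruct doc. The toy treats the
    document as a single field element, so it must be shorter than 16 bytes."""
    secret = int.from_bytes(doc, "big")
    if secret >= P:
        raise ValueError("document too large for one field element; chunk it first")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct(shares, k, doc_len):
    """Lagrange-interpolate the sharing polynomial at 0 from any k shares."""
    if len(shares) < k:
        raise ValueError("fewer than k shares survive; the document is lost")
    pts = shares[:k]
    secret = 0
    for i, (xi, yi) in enumerate(pts):
        num = den = 1
        for j, (xj, _) in enumerate(pts):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(doc_len, "big")


def all_k_subsets_recover(doc, k, n):
    """Check the k-of-n property exhaustively for a small n."""
    shares = split_document(doc, k, n)
    return all(reconstruct(list(s), k, len(doc)) == doc for s in combinations(shares, k))


@dataclass
class TrustModule:
    """One server's database of how every other server has behaved."""
    direct: dict = field(default_factory=dict)   # server -> [kept, dropped], first-hand
    hearsay: dict = field(default_factory=dict)  # server -> [kept, dropped], weighted reports

    def observe(self, server, kept):
        self.direct.setdefault(server, [0, 0])[0 if kept else 1] += 1

    def hear(self, reporter, server, kept):
        # Discount a report by how much we currently trust the reporter (hypothetical rule).
        weight = self.trust(reporter)
        self.hearsay.setdefault(server, [0.0, 0.0])[0 if kept else 1] += weight

    def trust(self, server):
        """Score in (0, 1): direct experience at full weight, hearsay at half,
        with a neutral prior of one good and one bad event."""
        kept_d, dropped_d = self.direct.get(server, [0, 0])
        kept_h, dropped_h = self.hearsay.get(server, [0.0, 0.0])
        good = 1 + kept_d + 0.5 * kept_h
        bad = 1 + dropped_d + 0.5 * dropped_h
        return good / (good + bad)


def audit_buddies(holdings, ledgers):
    """Buddy system (ring pairing): each server checks that the next server still
    holds its share, records what it saw, and tells the remaining servers."""
    servers = list(holdings)
    for i, auditor in enumerate(servers):
        buddy = servers[(i + 1) % len(servers)]
        kept = holdings[buddy] is not None
        ledgers[auditor].observe(buddy, kept)
        for other in servers:
            if other not in (auditor, buddy):
                ledgers[other].hear(auditor, buddy, kept)


def run_scenario(doc=b"public-records", k=3, n=5, dropper="srv4", rounds=3):
    """Publish doc as k-of-n shares, let one server drop its share, run buddy
    audits, then retrieve. Returns (recovered bytes, srv0's trust in the
    dropper, srv0's trust in a reliable peer). All inputs are constructed."""
    servers = [f"srv{i}" for i in range(n)]
    holdings = dict(zip(servers, split_document(doc, k, n)))
    ledgers = {s: TrustModule() for s in servers}
    holdings[dropper] = None  # constructed failure: this server discards its share
    for _ in range(rounds):
        audit_buddies(holdings, ledgers)
    surviving = [sh for sh in holdings.values() if sh is not None]
    recovered = reconstruct(surviving, k, len(doc))
    observer = ledgers["srv0"]
    return recovered, observer.trust(dropper), observer.trust("srv1")


if __name__ == "__main__":
    doc, t_bad, t_good = run_scenario()
    print(doc, f"trust in dropper={t_bad:.2f}", f"trust in reliable peer={t_good:.2f}")
```

Two points the paragraph leaves implicit show up in the run: retrieval succeeds with only $k$ of the $n$ shares, so a single unreliable server costs nothing but its own reputation, and a server that never audited the dropper itself still ends up trusting it less than a peer it has watched directly, because the reports it hears are weighted by its trust in the reporters rather than taken at face value.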

The system is designed to store data without concern for its popularity
or controversial nature.  Possible uses include storing source code or
binaries for software which is currently under legal debate, such as the
recent DeCSS controversy or other software with patent issues; publishing
political speech in an anonymous fashion for people afraid that tying
their speech to their public persona will damage their reputation; or even
storing more normal-looking data like a set of public records from Kosovo.

Free Haven is designed more for anonymity and persistence of documents
than for frequent querying --- we expect that in many cases, interesting
material will be retrieved from the system and published in a more
available fashion (such as normal web pages) in a jurisdiction where
such publishing is more reasonable. Then the document in the servnet
would only need to be accessed if the other sources were shut down.

The potential adversaries are many and diverse: governments, corporations,
and individuals all have reason to oppose the system.  There will be
social attacks from citizens and countries trying to undermine the trust
in the security of the system, as well as attacking the motivation for
servnet node operators to continue running nodes. There will be political
attacks, using the influence of a country's leaders to discourage use of
the servnet. There will be government and legal attacks, where authorities
attempt to shut down servnet nodes or arrest operators. Indeed, in
many cases ordinary citizens can recruit the power of the government
through lawsuits or subpoenas. Multinational corporations will hold
sway over several countries, influencing them to pass similar laws
against anonymous networks. There will be technical attacks, both from
individuals and from corporations and national intelligence agencies,
targeted either at the system as a whole or at particular documents or
node operators, to reduce the quality of service or gain control of part
of the network. Clearly the system needs to be designed with stability,
security, and longevity in mind.

\input{./brians-related-trust.tex}
\input{./brians-design-trust.tex}
\input{./brians-impl-trust.tex}
\input{./brians-attacks-trust.tex}
\input{./brians-future-trust.tex}
\chapter{Conclusions}
\topquote{Wow.  Building trust systems is hard.}{Roger Dingledine}

I remain convinced that the economic model of trust offers valuable
insights and will eventually lead to a rigorous model of anonymous
trust.  What exists now is a framework for testing various assumptions
about trust and anonymity.  With the experience gained from an active
Free Haven deployment, this framework will be able to grow into a more
robust system.

For now, Free Haven relies in large part on the goodwill and
generosity of the community to provide the resources needed to ensure
sufficient protection against corrupt or malicious nodes.

\newpage
\appendix
\chapter{Acknowledgements}
This paper was written with the help and advice of several people to whom I am particularly grateful.  They include:
\begin{itemize}
\item Roger Dingledine provided the inspiration for the Free Haven Project and coordinated the efforts of all involved.  Late-night discussions with him on the nature of anonymity, trust and confidence inspired the trust economy concept.
\item Seph Sokol-Margolis, David Molnar, Michael Freedman, and the rest of the Free Haven Group provided many hours of valuable discussion on the merits and flaws of this system.
\item Susan Born caused this document to be readable by non-cryptographers and readers of formal English.
\item Professor Ron Rivest, as thesis supervisor to Roger, Michael, and myself, contributed greatly to our online discussions and provided a dose of political realism.
\end{itemize}

\bibliographystyle{alpha}
\bibliography{freehaven.bib}
\end{document}

