The Free Haven Project aims to deploy a system for
distributed, anonymous, persistent data storage which is robust
against attempts by powerful adversaries to find and destroy any
stored data. This model of decentralized system has been classified as
peer-to-peer by recent popular media.
Main research goals of the Free Haven Project:
- We try to provide anonymity for all parties: the publishers that insert
documents, the readers that retrieve documents, and the servers that
store documents. We are in the process of designing and developing a
free, low-latency, two-way mixnet for forward-anonymous communication.
- We consider methods for achieving accountability without sacrificing
anonymity. In particular, we're researching reputation and micropayment
schemes, which allow us to limit the damage done by servers that misbehave.
- The publisher of a document -- not the servers holding the
document -- determines its lifetime.
- The system functions smoothly as peers dynamically join or leave.
The Free Haven project began in December 1999 as a research
project, initially made up of several MIT students, to design, implement, and
deploy a functional data haven. We've put it on the back
burner for now because four main problems remain unsolved, and they must
be addressed before the system can be robust enough:
- The reputation system is tricky and won't work. We need to
replace the gossip/credibility system with a mechanism for verifiable
transactions. See this
draft paper for more details.
- Retrieval is currently broadcast, which is too inefficient. We're
letting other projects work on solutions here, and we'll pick our
favorite when the time comes. Notably, it would be nice to base an
addressing scheme on consistent hashing, so it's easy to know which
node is currently hosting a piece of data, but hard to find the actual
location of that node.
- There is no anonymous communications infrastructure. This is the
area we're focusing on currently. See the
Mixminion page for our current work in that direction. I'm also
working on second-generation Onion Routing
(TCP-level anonymous communications rather than message-based), which
will provide weaker anonymity but lower latency.
- The incentives need to be better aligned. See this paper by George
Danezis and Ross Anderson about how distributing files randomly over
the network may be the wrong approach.
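The retrieval bullet above suggests addressing stored data by consistent hashing, so that the node responsible for a piece of data is computable even as peers join and leave. As an added illustration (not Free Haven's code; names such as ConsistentHashRing, the 'node-NN' pseudonyms and the 'share-N' keys are constructed), this Python sketch places node pseudonyms and share keys on a hash ring and measures how many shares change owner when one node joins. It assumes node IDs are opaque pseudonyms; mapping a pseudonym to a network location, which is where the "hard to find the actual node" property would have to come from, is outside what the ring provides.

```python
import hashlib
from bisect import bisect_left

def ring_position(label: str) -> int:
    # Place a label on a 2^160-point ring; SHA-1 here only spreads
    # positions uniformly, no collision resistance is relied upon.
    return int(hashlib.sha1(label.encode()).hexdigest(), 16)

class ConsistentHashRing:
    """Node IDs are opaque pseudonyms (constructed, e.g. 'node-03').
    The ring answers 'which node is responsible for this share key';
    resolving a pseudonym to a network location is out of scope."""

    def __init__(self, node_ids, vnodes=64):
        self.vnodes = vnodes
        self.points = []          # sorted (position, node_id) pairs
        for node_id in node_ids:
            self.add_node(node_id)

    def add_node(self, node_id):
        # Several virtual points per node smooth out load on the ring.
        for i in range(self.vnodes):
            self.points.append((ring_position(f"{node_id}#{i}"), node_id))
        self.points.sort()

    def remove_node(self, node_id):
        self.points = [p for p in self.points if p[1] != node_id]

    def lookup(self, share_key):
        # Owner is the first virtual point clockwise from the key's
        # position, wrapping to the start of the ring past the end.
        if not self.points:
            raise LookupError("ring has no nodes")
        idx = bisect_left(self.points, (ring_position(share_key), ""))
        return self.points[idx % len(self.points)][1]

def moved_shares(before, after, share_keys):
    # Keys whose owner changed between two ring states: (key, old, new).
    return [(k, before.lookup(k), after.lookup(k))
            for k in share_keys if before.lookup(k) != after.lookup(k)]

def churn_demo():
    # Constructed sample: 10 nodes, 2000 share keys, then one node joins.
    keys = [f"share-{i}" for i in range(2000)]
    nodes = [f"node-{i:02d}" for i in range(10)]
    before = ConsistentHashRing(nodes)
    after = ConsistentHashRing(nodes + ["node-10"])
    moved = moved_shares(before, after, keys)
    return len(moved) / len(keys), moved
```

Only the shares that fall to the newcomer move (roughly 1/11 of them here); every other share keeps its owner, which is what lets a peer recompute responsibility locally without a global broadcast.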