\newcommand{\dofig}[3]{\begin{figure}
\epsfbox{#1}
\caption{#2}
\label{#3}
\end{figure}}

\documentstyle[twoside,fancyheadings,doublespace,fullpage,epsf,amssymbols]{article}
\setstretch{1.0}

\headheight 32pt
\lhead{Free Haven Project Abstract}
\rhead{Roger Dingledine}

\begin{document}
\pagestyle{fancy}
\pagenumbering{arabic}

\section{Overview}

The Free Haven Project aims to deploy a system for distributed data
storage robust against attempts by powerful adversaries to find and
destroy stored data. Free Haven uses a secure mixnet for communication,
and it emphasizes distributed, reliable, and anonymous storage over
efficient retrieval. Some of the problems Free Haven addresses include
providing sufficient accountability without sacrificing anonymity,
building trust between servers based entirely on their observed
behavior, and providing user interfaces that will make the system easy
for end-users to use.

\section{Project Description}

The Free Haven Project intends to deploy a system that provides a good
infrastructure for anonymous publication. Specifically, this means that the
publisher of a given document should not be known; that clients requesting
the document should not have to identify themselves to anyone; and that
the current location of the document should not be known. Additionally,
it would be preferable to limit the number of opportunities where an
outsider can show that a given document passed through a given computer. We
present a more thorough examination of our requirements and notions of
anonymity, and compare them to the anonymity requirements of a number of
related works. 

The overall design is based on a community of servers (which as a whole is
termed the `servnet') where each server hosts data from the other servers
in exchange for the opportunity to store data of its own in the servnet.
When an author wishes to publish a document, she breaks the document into
shares, where a subset (any $k$ of $n$) is sufficient to reconstruct the
document, and then for each share, negotiates for some server to publish
that share on the servnet. The servers then trade shares around behind
the scenes. When a reader wishes to retrieve a document from the servnet,
she requests it from any server, including a location and key which can be
used to deliver the document in a private manner. This server broadcasts
the request to all other servers, and those which are holding shares for
that document encrypt them and deliver them to the reader's location. Also
behind the scenes, the shares employ what is essentially the `buddy
system' to maintain some accountability: servers which drop shares or are
otherwise unreliable get noticed after a while, and are trusted less. A
trust module on each server maintains a database of each other server,
based on past direct experience and also what other servers have said.
For communication both between servers and between the servnet and
readers, we rely on an existing mixnet infrastructure to provide an
anonymous channel.

The system is designed to store data without concern for its popularity
or controversial nature.  Possible uses include storing source code or
binaries for software which is currently under legal debate, such as the
recent DeCSS controversy or other software with patent issues; publishing
political speech in an anonymous fashion for people afraid that tying
their speech to their public persona will damage their reputation; or even
storing more normal-looking data like a set of public records from Kosovo.

Free Haven is designed more for anonymity and persistence of documents
than for frequent querying --- we expect that in many cases, interesting
material will be retrieved from the system and published in a more
available fashion (such as normal web pages) in a jurisdiction where
such publishing is more reasonable. Then the document in the servnet
would only need to be accessed if the other sources were shut down.

The potential adversaries are many and diverse: governments, corporations,
and individuals all have reason to oppose the system.  There will be
social attacks from citizens and countries trying to undermine the trust
in the security of the system, as well as attacking the motivation for
servnet node operators to continue running nodes. There will be political
attacks, using the influence of a country's leaders to discourage use of
the servnet. There will be government and legal attacks, where authorities
attempt to shut down servnet nodes or arrest operators. Indeed, in
many cases ordinary citizens can recruit the power of the government
through lawsuits or subpoenas. Multinational corporations will hold
sway over several countries, influencing them to pass similar laws
against anonymous networks. There will be technical attacks, both from
individuals and from corporations and national intelligence agencies,
targeted either at the system as a whole or at particular documents or
node operators, to reduce the quality of service or gain control of part
of the network. Clearly the system needs to be designed with stability,
security, and longevity in mind.

\section{Design Requirements}

More formally, requirements beyond anonymity for a stable and useful system
fall into two categories:

Required Operations:

\begin{itemize}
\item The system must provide a mechanism for anonymously {\bf inserting} a
document into the servnet.
\item The system must provide a mechanism for anonymously {\bf retrieving}
a document from the servnet, including verifying that the retrieved
document is identical to the original document.
\item The system must provide a mechanism for {\bf expiring} documents:
the duration of a document should be decided by the publisher when that
document is published to the servnet, and the document should be
available (and immutable) until that duration expires.
\item The system must provide a mechanism for smoothly {\bf adding servers}
to the servnet without impacting functionality.
\item The system must provide a mechanism for {\bf recognizing inactive or
dead servers} and eventually no longer using or querying them.
\end{itemize}
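The $k$-of-$n$ sharing in the Project Description and the retrieval-and-verify requirement above, as an added example that is not Free Haven's own code. The page does not state which sharing scheme the servnet uses; byte-wise Shamir secret sharing over GF(257) and a SHA-256 digest advertised by the publisher are assumed here purely to illustrate the properties described.

```python
"""Added example (not Free Haven code): k-of-n document shares plus verification.

Assumption: Shamir sharing over GF(257), one polynomial per byte. Any k of
the n shares rebuild the document; fewer than k reveal nothing about it.
"""
import hashlib
import secrets

P = 257  # prime field large enough to hold any byte value (0..255)


def split_document(data: bytes, k: int, n: int) -> list[tuple[int, list[int]]]:
    """Return n shares; each share is (x, [y for each byte]) with x in 1..n."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < 257")
    shares = [(x, []) for x in range(1, n + 1)]
    for byte in data:
        # Random degree-(k-1) polynomial whose constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x, ys in shares:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation mod P
                y = (y * x + c) % P
            ys.append(y)
    return shares


def reconstruct_document(shares: list[tuple[int, list[int]]], k: int) -> bytes:
    """Lagrange-interpolate each byte at x=0 from any k distinct shares."""
    if len(shares) < k:
        raise ValueError("too few shares to reconstruct")
    subset = shares[:k]
    out = bytearray()
    for i in range(len(subset[0][1])):
        total = 0
        for j, (xj, ys) in enumerate(subset):
            num = den = 1
            for m, (xm, _) in enumerate(subset):
                if m != j:
                    num = (num * -xm) % P
                    den = (den * (xj - xm)) % P
            total = (total + ys[i] * num * pow(den, -1, P)) % P
        if total > 255:  # only reachable with corrupted or mismatched shares
            raise ValueError("inconsistent shares")
        out.append(total)
    return bytes(out)


def digest(data: bytes) -> str:
    """Digest the publisher advertises and the reader checks after rebuilding."""
    return hashlib.sha256(data).hexdigest()


def retrieve_and_verify(shares, k: int, expected_digest: str):
    """Reader side: rebuild from k shares, return the document only if it verifies."""
    try:
        doc = reconstruct_document(shares, k)
    except ValueError:
        return None
    return doc if digest(doc) == expected_digest else None
```

A corrupted or dropped share surfaces as a digest mismatch or a reconstruction error rather than as a silently altered document, which is the check the retrieval requirement calls for.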

Guiding Principles:

\begin{itemize}
\item The system must be {\bf robust}: loss of perhaps
up to half of the participating servers should not imply loss of any
documents. In addition, the amount of damage that compromised or
otherwise `evil' nodes can perform should be limited. This might be
accomplished by a trust network, where each node actively maintains an
opinion of other nodes, and nodes inform each other when they change
an opinion.
\item The system must be {\bf simple}: complex protocols and heuristics
invite security weaknesses. It must be self-contained and based on
realistic technological expectations.  For instance, we cannot rely on
a stable international electronic cash infrastructure.
\item The system must be {\bf modular} enough that components can be upgraded
in-place without impacting functionality.
\item The system must be {\bf decentralized}: to maintain efficiency, security,
and reliability, no single server or small subset of
the servers should be a bottleneck anywhere in the protocol.
\item The system must provide {\bf flexibility} on a per-server level: server
operators should be able to decide how paranoid or trusting they are, how
many resources to provide to the servnet, etc.
\item The components upon which the system relies must be {\bf free and open
source}, in the sense that modification and redistribution are explicitly
permitted.
\item The system is {\bf content-neutral}: popularity or popular opinion of a
document should not influence its duration in the servnet.
% This decision should be left entirely to the publisher of the document;
% by joining the system, servnet nodes agree to host data from other nodes
\end{itemize}

%We assume that there will be some generous individuals out there who
%believe in the goals of the system and will donate some services.
%Notice that efficiency isn't on the list -- we can afford to have more
%overhead (both in time and in bandwidth) if we get stronger anonymity
%out of it. 

Our design goals and motivations are somewhat different from those of most
related works.  Notice that efficiency is not on the list -- we can
afford to have more overhead (both in time and in bandwidth) if we get 
stronger anonymity and robustness.  We assume that there will be some
individuals who believe in the goals of the system, recognize its
possible benefits, and will donate some services.  

By providing tools to enable safer and more reliable communication for
organizations fighting for increased rights of individuals, as well as
strengthening the capabilities of individuals to speak out anonymously 
about their situations, the members of the Free Haven Project hope to
reinforce the rights of freedom of speech and freedom of information
as integral parts of everyday life.

\end{document}

