
\documentclass{llncs}

\textwidth16cm
\textheight21cm
\topmargin0mm
\oddsidemargin2.5mm
\evensidemargin2.5mm

%\textwidth=7in
%\textheight=10in
%\topmargin=-1.2in
%\oddsidemargin .35in
%\evensidemargin .35in 

\begin{document}

%\newcounter{axiomctr}
%\newcounter{axiomctrx}
%\newenvironment{observation}{
%\begin{list}
%{{\addtocounter{axiomctrx}{1}} Observation \arabic{axiomctr}.}
%{\usecounter{axiomctr}} {\setcounter{axiomctr}{\arabic{axiomctrx}}}}
%{\end{list}}

\newcommand{\workingnote}[1]{}        % The version that hides the note.
%\newcommand{\workingnote}[1]{(**#1)}   % The version that makes the note visible.

\title{Open Issues in the Economics of Anonymity}
%\title{Issues in the Economics of Anonymity}
%\title{Topics in the Economics of Anonymity}
%\title{The Economics of Anonymity}
%\title{On the Economics of Anonymity}
\author{Roger Dingledine\inst{1} \and Paul Syverson\inst{2}}
\institute{The Free Haven Project
\email{(arma@mit.edu)}
\and
Naval Research Lab
\email{(syverson@itd.nrl.navy.mil)}}
\maketitle

Recent work tying together security and economics has indicated
that the hard problems are not the technical issues, such as designing
stronger cryptography and making policies easier to understand and
enforce. Rather, the world of economics often has significant sway,
with influences such as network externalities and asymmetric incentives
\cite{anderson01why}.

These same influences play an important part in the success and security
of anonymity systems --- systems which attempt to protect the identities
of their users. Indeed, this user privacy requirement makes the process of
designing, observing, and analyzing these systems much more complex.
Here we present some of the issues that arise in considering and applying
economic structures and techniques to decentralized anonymity systems.

\subsubsection{The need for such systems may actually be broader than expected.}

At first glance, it seems that only paranoid users and people
with extremely valuable or dangerous information need these strong
anonymity systems. After all, single-hop web proxies like the Anonymizer
\cite{anonymizer} seem sufficient to protect users from simple threats
like profile-creating websites.

On the other hand, censorship-resistant publishing systems, and to
some extent any Internet sites that aim to be resistant to DDoS, can
benefit from \emph{location protection} of their servers ---
effectively hiding them behind several levels of indirection so the
location or IP is hidden from direct attack. Indeed, for companies that
\emph{are} protecting high-value corporate information, relying on
firewalls, VPNs, and encrypted communication may not be quite the
right approach. Whit Diffie has remarked that traffic analysis is the
backbone of communications intelligence, not cryptanalysis.

\workingnote{
%Also, the perspective that minimal protection is needed may be
%reasonable in a relatively open democratic society; however, not all
%the world is like that, and systems that protect users and publishers
%in such environments are all the more important. Such ``democratizing''
%technology can also help continuation and development of freedom and
%openness in a society.

%Providing good location anonymity seems to require an anonymous
%pipe without a single point of failure for communicating with those
%servers. There must be some way to manage the incentives and
%security in the maintenance and use of that pipe.
}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%Outline of the remaining points of the paper from here:
%
%* Volunteer-based systems build the biggest anonymity sets
%* But scaling by volunteers risks anonymity
%* Very hard to give (economic) incentives to volunteer
%* customization, heterogeneity, other incentives also dangerous

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\subsubsection{Good anonymity design inherently requires an economic
perspective.}

Most security issues in communication involve preventing disclosure
or compromise of specific message content. DoS/QoS is
an area where there has been much economic activity, but most
of the work has to do with figuring out how self-interested principals
(nodes) will provide or pay for resources such as storage/bandwidth.
Anderson \cite{anderson01why} has indicated ways that economic issues
are more central to information security than has previously been
acknowledged. For publishing and communication anonymity, however,
the economic connection is especially strong. Most of our remaining
observations will illustrate this in various ways.

It has long been lamented that people will not pay for security or
assurance. That observation is all the more pointed for anonymity.
Anonymity requires introducing ``inefficiencies'' in computation,
bandwidth, and storage. Even assuming people will live with that,
somebody has to pay for it.
Unlike confidentiality, it's also not enough for the communicating
end parties to cooperate on encryption simply using whatever communications
infrastructure is available.

In anonymity systems the resource people provide is anonymity (noise). The
more noise, the more anonymous something hiding in that noise is. But
mixes \cite{chaum-mix}, onion routers \cite{onion-cacm}, etc., even the
Anonymizer, actually use the messages to hide among each other. So from
an anonymity perspective, you're always better off going where the noise
is provided. Further, when you send a message you are both a consumer
and provider of anonymity. It's the ability to facilitate this growth of
anonymity capital that is provided by mixes and other anonymity service
providers. This is good news for the confluence of network efficiency
incentives and anonymity service, but of course it's not that simple.

\subsubsection{Higher traffic and better performance may not imply stronger anonymity.} 

High traffic is necessary for strong anonymity. High traffic and better
performance complement each other: a system that processes only a
few messages at a time must delay service to achieve adequately large
anonymity sets. Better performance attracts users both for its
convenience value and the better potential anonymity protection. But
this does not simply mean that systems processing the most traffic
provide the best hiding. If trust is not well distributed, a high
volume system is a point of vulnerability, from insiders and attackers who
try to bridge the trust bottlenecks. Systems must also be robust
against active attacks, e.g., trickle attacks in which known
traffic is mixed with targeted traffic.

The most insidious issue here is that an anonymity-breaking adversary with an
adequate budget would do best to provide very good service, 
possibly also attempting DoS against other high-quality providers. None of the
usual metrics of performance and efficiency will help tell who the
bad guys are in this instance. Further, who assigns those metrics and how?
If they depend on a centralized trusted authority, the advantages
of diffusion are lost. We must design metrics that limit the damage
adversaries can do from manipulating their reputations. For example, if we
can bound the fraction of compromised nodes in the system,
we can design incentives and protocols that tolerate them \cite{casc-rep}.
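The following is an added illustration, not code from the paper, of why performance metrics cannot expose a well-funded adversary and of what ``bounding the fraction of compromised nodes'' buys. It assumes (constructed) that a client picks each hop of an $l$-hop path independently, weighting nodes by advertised performance, and that each adversary node advertises \texttt{weight} times the performance of an honest node; the function names are the example's own.

```python
"""Path-compromise probability when an adversary buys reputation with good service.

Constructed model (not from the paper): adversary nodes are a fraction `frac`
of all nodes, each advertises `weight` times the performance of an honest
node, and a client chooses every hop independently, with replacement,
proportionally to advertised performance.
"""


def adversary_share(frac: float, weight: float = 1.0) -> float:
    """Probability that one performance-weighted choice lands on an adversary node.

    With weight == 1.0 (uniform selection) this is simply `frac`.
    """
    if not 0.0 <= frac <= 1.0:
        raise ValueError("frac must be a probability")
    if weight <= 0.0:
        raise ValueError("weight must be positive")
    return frac * weight / (frac * weight + (1.0 - frac))


def compromise_probability(frac: float, hops: int, weight: float = 1.0) -> float:
    """Probability that every hop of an independently chosen path is adversary-run."""
    if hops < 1:
        raise ValueError("a path needs at least one hop")
    return adversary_share(frac, weight) ** hops


def max_tolerable_fraction(target: float, hops: int, weight: float = 1.0) -> float:
    """Largest adversary fraction keeping compromise_probability() at or below `target`.

    This is the bound the text refers to: if the deployment can keep the
    adversary below this fraction, paths of length `hops` meet `target`.
    Inverts share = f*w / (f*w + 1 - f) for f, where share = target**(1/hops).
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    share = target ** (1.0 / hops)
    return share / (weight * (1.0 - share) + share)


if __name__ == "__main__":
    # Constructed scenario: 10% adversary nodes, 3-hop paths, rising advertised performance.
    for w in (1.0, 5.0, 10.0):
        p = compromise_probability(0.1, 3, w)
        f_max = max_tolerable_fraction(0.001, 3, w)
        print(f"weight={w:>4}: P(path compromised)={p:.4f}, "
              f"max adversary fraction for P<=0.001: {f_max:.4f}")
```

With uniform selection a 10\% adversary compromises a 3-hop path with probability 0.001; once its nodes advertise tenfold performance the same adversary reaches about 0.146, and staying at 0.001 would require keeping it below about 1.1\% of nodes.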

\subsubsection{Strong anonymity favors a volunteer economy.}

An anonymizing infrastructure cannot simply carry the traffic of one
entity, even if that entity is a large corporation or government. If
it did, any traffic entering or leaving the infrastructure would be
linked to that entity. Thus traffic must be carried for others to
protect oneself. Since those others similarly will not trust a single
administrative entity to protect their anonymity, the anonymity
infrastructure must consist of multiple independent elements. To date,
attempts have found end users inadequately interested in paying for
strong anonymity services --- thus we cannot use straightforward
compensation as incentive for these independent elements to offer
their services. %However, %corporations, universities, government
%entities, etc.\ 
But while they probably won't get paid, large organizations may still be
motivated either by a desire to hide their own activity within that of
others or to provide a public service. %they may perceive an overriding
%public good, e.g., 
For example, an anonymous tip line which is perceived to genuinely
provide anonymity is more likely to be used.
%This may prompt them to volunteer services. Of course, on an individual
%level, censorship-resistant publishing is a natural improvement on
%existing peer-to-peer file sharing systems.

%So while they probably won't get paid, they still have motivation to
%include a wide variety of users.
On the other hand, there are direct economic disincentives to
providing anonymity service, most notably legal liability or DoS
threats. Anonymity systems allow users to connect,
post, send messages, etc.\ indirectly through the system. Those
unhappy to receive or see these connections and posts may attempt
legal or other redress. By their very nature, anonymity systems will
be the publicly visible ``source'' and thus the target of any
reprisal. Good design, including structuring costs and incentives, can
counter some of the attacks \cite{nymserver98}, but the liability
question is still unresolved.\footnote{We know of a Crowds
  \cite{crowds-cacm} participant who reset the probability of
  forwarding on his jondo to one for this reason. Interestingly, this
  seems not to directly affect anonymity, only load distribution and
  system performance.}  The issue has different implications based on
whether the volunteers are individuals or large entities, 
where they are jurisdictionally, and what they are
volunteering.  Large corporate or governmental entities are more
likely to be concerned about liability and public perception. Indeed,
even \emph{individuals} with access to spare resources at
corporations, universities, or other organizations may be
dissuaded from volunteering them if the parent
organization disapproves. More independent individuals are often
still subject to ISP policies.

One approach to the exit point liability problem is to build the
system from volunteer nodes (individual or organizationally sponsored)
and accept that exit points will be limited to locations that have
decided (or been paid) to accept that liability, e.g., the Anonymizer,
or that are in more tolerant jurisdictions. More generally, nodes can
set individual exit policies to declare which traffic they will let
exit from them, such as traffic for local users or other authenticated
traffic \cite{onion-discex00}. Extending to wide-scale dynamic
peer-to-peer systems would diffuse liability more widely and provide a
much larger anonymity infrastructure; but if a few node operators are
publicly punished for running nodes, the remaining operators may stop
out of fear.
% Liability concerns may also push toward
%large dynamic peer-to-peer systems since total liability is more diffused
%by such a system, and the individuals participating may simply be less
%aware or concerned than large organizations would be. In any case,
Because the key to scaling these systems to large anonymity sets is
attracting as many users as possible to join the infrastructure, this
liability problem remains a roadblock.


\workingnote{
Strong anonymity systems generally protect their users by dividing
transactions over several trust domains and jurisdictions. The
idea is to distribute trust among many different service providers,
so the transaction is protected even if some of them are trying to
compromise anonymity. Because the key to good anonymity is getting a big
\emph{anonymity set} by hiding in traffic from as many users as possible,
this model of anonymity system seems well-suited to a decentralized
peer-to-peer design \cite{p2p-book} where volunteers from around the
%should we remove this cite? is it actually meaningful?
world sign up their computers to use and provide service to the system.
}

\subsubsection{Authentication in a volunteer economy.}

Volunteers are problems: users don't know who they're dealing with.  A
disruptive bad guy can do whatever he wants.  We can try to monitor
system components, but this is harder to do in a decentralized dynamic
system.  It is possible to structure system protocols to create better
incentives for honest principals and to catch bad performance by
others \cite{mix-acc,casc-rep}.  But even when this is feasible,
identifying individuals is a problem. Classic authentication considers
whether it's the right entity, but not whether the authenticated
parties are distinct from one another.
%
\workingnote{.
alone
won't cut it. Usually authentication is focussed on making sure that
the right entity is authenticated.  It is usually not focussed on
making sure that authenticated parties are distinct from one another.
Similarly for authorization. There are some exceptions: separation of
duties in various authorizations, e.g., using threshold schemes.  But,
in an online world this can become complicated. For example,
auction designs may use thresholds so that a high percentage of
compromised auctioneers is necessary to violate the assumed trust. As
noted in \cite{KF98}, this approach is not applicable unless the
auction is run by a large organization.  ``In simplistic terms, it is
reasonable to expect that, say three out of five employees (servers or
server administrators) in a government organization or {\em
  xyz\_megacorp\/} will be honest. But it is different to assume that
three out of five servers deployed by the relatively small {\em
  xyz\_little\_corp\/} will not collude.''  More generally,
}
%
One person may create and control several distinct online identities.
This problem is a nightmare when an anonymity infrastructure is scaled
to a large, diffuse, peer-to-peer design; it remains one of the main
open problems in the design of any decentralized anonymity service.
The Advogato trust metric \cite{advogato} and similar techniques rely on
humans to make initial trust decisions, and then bound trust flow over a
certification graph. However, so far none of these trust flow approaches
have provided a clear solution to the problem. Another potential solution,
a global PKI to ensure unique identities, is unlikely to emerge anytime
soon.

%\subsubsection{Decentralized means the users must make security decisions.}
\subsubsection{Customization and preferential service are risky too.}

Leaving security decisions up to the user is traditionally a way to
foist cost or liability from the vendor to the customer; but in decentralized
dynamic anonymity systems it may be unavoidable.
For example, a publisher in an anonymous publishing network might
choose how many times to replicate her file, or thresholds for how many
pieces are needed to reconstruct her file in some secret sharing
scheme. After all, only she knows the value of the transaction. But these
parameters can affect anonymity --- a file replicated many times
stands out.

%Standards making security parameters uniform across the entire
%system will help protect each user and guidelines for use will no doubt
%be quite helpful, but the usual cries to hold the software vendors and
%service providers liable simply won't apply here.

Choosing one or a few sets of system-wide security parameters can help
protect users by keeping the noise fairly uniform, but again we're
introducing inefficiencies. Further, we risk anonymity if we let users
customize their client's behavior, for instance to let the client
barter better in systems where nodes trade microcurrency for service.
We can't even let users pay for better service or preferential
treatment: the hordes in the coach seats are probably better off
anonymity-wise than those in first class.
% This may be a good
%thing to the extent that ``turning down quality'' simply to cause the
%right payment incentives is abhorred.
However, ``in anonymity systems
usability, efficiency, reliability and cost become \emph{security}
objectives because they affect the size of the user base which in turn
affects the degree of anonymity it is possible to achieve''
\cite{back01}. It remains to be seen whether designs and
incentives, for both system users and system components, can be
structured to meet all of these objectives sufficiently to
create viable systems.
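The following is an added illustration, not code from the paper, of the point made twice above: a user's individually chosen parameters (replication count, reconstruction threshold, a paid service class) partition the user base into smaller anonymity sets, so a file replicated many times, or a ``first class'' user, stands out. The users, their settings and the function names are constructed for the example; it assumes an observer sees each transaction's settings but nothing else.

```python
"""Observable customization partitions the anonymity set (constructed example)."""
from collections import Counter
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Settings:
    replicas: int          # how many copies the publisher stores
    threshold: int         # shares needed to reconstruct the file
    service_class: str     # "standard" or "priority" (paid preferential service)


# Constructed users: most accept defaults, one over-replicates, two pay for priority.
USERS = {
    "u1": Settings(3, 2, "standard"), "u2": Settings(3, 2, "standard"),
    "u3": Settings(3, 2, "standard"), "u4": Settings(3, 2, "standard"),
    "u5": Settings(3, 2, "standard"), "u6": Settings(3, 2, "standard"),
    "u7": Settings(20, 5, "standard"),   # replicated "many times"
    "u8": Settings(3, 2, "priority"),
    "u9": Settings(3, 2, "priority"),
}


def anonymity_set_sizes(users: dict[str, Settings]) -> dict[str, int]:
    """For each user, how many users an observer cannot distinguish from them."""
    counts = Counter(users.values())
    return {name: counts[s] for name, s in users.items()}


def entropy_bits(users: dict[str, Settings]) -> float:
    """Observer's average uncertainty (bits) about who made a transaction.

    Every user transacts equally often and the observer learns only the
    settings, so the average is over transactions of log2(set size).  It equals
    log2(N) only when all users share the same settings.
    """
    n = len(users)
    counts = Counter(users.values())
    return sum(c / n * math.log2(c) for c in counts.values())


def uniform_settings(users: dict[str, Settings], default: Settings) -> dict[str, Settings]:
    """System-wide parameters: everyone gets `default`, hence one big anonymity set."""
    return {name: default for name in users}


if __name__ == "__main__":
    for name, size in anonymity_set_sizes(USERS).items():
        print(f"{name}: anonymity set of {size}")
    uniform = uniform_settings(USERS, Settings(3, 2, "standard"))
    print(f"customized: {entropy_bits(USERS):.2f} bits; uniform: {entropy_bits(uniform):.2f} bits")
```

In this data the over-replicating publisher is alone in a set of one and the two priority users hide only among each other, so the observer's uncertainty drops from log2(9) to about 1.95 bits.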

% It remains to be seen whether the process of
% shoe-horning all users into the same behavior profile can still
% respect these objectives or whether we are forced to make systems so
% inconvenient, slow, or just downright unusable that nothing is
% workable.




\bibliographystyle{plain} \bibliography{econws02}

\end{document}

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%



\workingnote{
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
  I think I am now covering most of this section in what is said
  above, but you may want to check.
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

\subsubsection{Incentives for participating in the anonymity service}

...since the volunteers are so scary, we need *really* good reasons for
them (or a good majority of them) to play nice.

incentives for volunteers:
* so if corporations do it, they're doing it either to protect themselves,
  or by principle or whatever
* you can't actually pay nodes 'enough' to make liability issues worthwhile
* but doing an exit node is not done for money

The biggest scaling limitation in the remailer network is operator liability,
  particularly for exit nodes.
Talk about little volunteers vs. big companies and/or universities and
the way the incentives might change.


%\subsubsection{Decentralized means the users must make security decisions}
\subsubsection{Customization, heterogeneity, and preferential service risk anonymity.}

Handling heterogeneity of nodes is a common and hard problem in p2p
systems. Some nodes will have lots of bandwidth and processing power,
some much less. If we set the bar for new nodes too high or too low,
we throw away resources we could have used. Since in these anonymity
systems it's really all about big anonymity sets and the resulting
economies of scale, we want to get as many users as possible.

These design goals conflict not just in terms of efficiently using
node resources, but also in terms of allowing users to decide how much
security they need. From one perspective, a decentralized hard-to-monitor
system means the \emph{users} must make security decisions. In the case
of anonymous communications, these decisions may correspond to how many
and what kinds of nodes to use. In anonymous publishing, the
user might choose how many times to replicate the file, or thresholds
for how many pieces must be retrieved to reconstruct the file in some
secret sharing scheme. After all, only they know the value of the
transaction. But these parameters can affect anonymity as well ---
a file replicated many times stands out.

Making security parameters uniform across the entire system increases
the protection for each user.

but it also means that users can't pay for preferential ("better")
service, and can't even pick which service they get. they can't tweak
and customize their settings so they're 'efficient'. will this make
them unhappy?

will this make the systems less convenient to use? compare paper by
adam back and co from infohiding, "convenience is a security parameter"

possibly leading into conclusion: "because it's all about convenience,
right?"
}



%\subsubsection{Can we make a rational exchange system work?}
%
%Can we make a rational exchange system work? Can we structure
%incentives so that it doesn't make sense to cheat. E.g., in censorship
%resistant storage, possibilities would be a ripping coins model or
%where I give you a ``shudder'' micropayment if you download OK to
%me. You need to have enough of these for credit. Alternatively, we
%could have a set of witnesses that tests you (they might be assigned
%using the tsbc mechanism, itself a mechanism in which it doesn't make
%sense to cheat but also I guess you can't in a harmful way) via an
%anonymous channel. If enough of them give you a thumbs up you get
%credit. Otherwise no. What if I flood the network with potential
%witnesses in order to discredit the good guys so that everyone stores
%at the bad guys and they can then control what is where?


\subsubsection{Anonymity is (not) fundamentally at odds with bandwidth-efficiency}

In one perspective, the more noise you add, the better the anonymity. On
the other hand, in many cases this noise is really the signal of
others. Efficient high volume aggregations thus increase both anonymity
and efficiency.



look at security not in terms of compromising individual components,
but rather goals of competing networks of nodes

\begin{observation}

\item Anonymity: is it a stock or a commodity?

\end{observation}

The more people buy the stock of one anonymity provider, the better
the anonymity that it provides. But ultimately you can't get more
anonymity than the messages that others are willing to put into the
system.


Now suppose that someone is trying to break anonymity. Here it is
perhaps reverted to a two player game where the players are competing
populations (of nodes, users?) one trying to get anonymous, the other
trying to break anonymity \cite{syverson97}.

Lots of spinoff issues: need the populations be partitions. Some nodes
might try to maintain their own anonymity while trying to break that
of others \cite{machiavelli}.


What can we say if we start with the most simple: you're either an
anonymity maker or attacker. We probably need to bound things a little.
I won't spend arbitrary bandwidth and/or storage to protect your anonymity.
But can we minimize that concern? Can we give an economic model of a
roving adversary trying to break anonymity.

This allows us to maintain a two-person case, but with population
strategies.  Can we find ESSs for something like this? How about if we
make some simple assumptions about the nodes (e.g., they are
partitioned at any one time but can be shifted at intervals, they have
a specific amount of bandwidth/storage/computation that they will
spend to do the job (this might vary from being a good guy to being a
bad guy). They




Reference the Papadimitriou paper on valuing private information
in TARK 2001.

Most of the work in the privacy/anonymity area is focused on trading
away personal information etc.\ P3P and so on. But, censorship resistant
storage, etc.\ still require an anonymous pipe of some kind
or they are pointless (unless retrieval itself is rendered very diffuse
redundant and efficient a la chord). And location protection of servers
in a differentiated price structure might be crucial. During Internet
war time, you have a way to sidestep the riffraff.



