\chapter{Introduction and Requirements}

\section{Motivation}

The internet is moving in the direction of increasing freedom
of information. National boundary lines are growing increasingly blurred.
At the same time as a strong sense of global community is growing,
technical advances have provided greatly increased bandwidth and
an enormous amount of computing power and well-connected storage.
However, the increases in speed and efficiency have not brought
comparable increases in privacy and anonymity on the internet -- indeed,
governments and especially corporations are beginning to realize that
they can leverage the internet to provide detailed information about the
interests and behaviors of existing or potential customers.  Court cases,
such as the Church of Scientology's lawsuit against Johan
Helsingius \cite{helsingius}
or the more recent OpenDVD debate \cite{dvd}
(and subsequent arrest of DeCSS author Jon Lech Johansen),
demonstrate that the internet currently lacks an
adequate infrastructure for truly anonymous publication or distribution
of documents or other data.

There are also deeper motivations for the deployment
of an anonymous publishing service such as Free Haven. Not only do we hope to assist those like
Helsingius and Johansen, but we have the wider goals of pushing the
world a few more steps in the direction of free and open information
and communication.  In Germany, Internet Service Providers such as AOL
are liable for the content that passes across their systems
\cite{liable-isp}. Recent British legislation threatens to make citizens
responsible for the content of encrypted documents that they're holding,
even if they don't possess the ability to read these documents
\cite{brit-RIP}.  Such
restrictions on the free flow of information, however, are already
being attacked: for example, American hackers are attempting to break
holes in China's ``Great Firewall'' to allow Chinese citizens access to
Western media \cite{wiredchina}.

In addition to such revolutionary actions, there is a wide
range of activist projects which employ the internet for publicity but focus on
helping real people in the real world.
Such projects include Pirate Radio \cite{pirate}, a
%BroncBuster's
%defacing of the website of the China Society for Human Rights Studies
% need better example
%(an organization backed by the Chinese government) 
%are centered around the Internet,
%\cite{bronc}
% {\tt http://www.infoshop.org/pirate\_links.html},
% {\tt http://www.beatworld.com/fcc.html},
loose confederation of radio operators joined in the belief that
ordinary citizens can regulate the airwaves more efficiently and more
responsibly than a government organization; as well as mutual aid
societies such as Food Not Bombs! \cite{food}, an organization which
``serves free food in public places to dramatise the plight of the
homeless, the callousness of the system and our capacity to solve social
problems through our own actions without government or capitalism.'' 

% Bad example -- introduces way too many new issues / arguable points
% such as the recent protests{\footnote {\tt
% http://www.washingtonpost.com/wp-srv/business/feed/a29574-2000jan26.htm}}
% in Seattle and Washington DC against global capitalism and corporate
% oppression.

By providing tools to enable safer and more reliable communication for
organizations fighting for increased rights of individuals rather than
nations or corporations, as well as strengthening the capabilities of
political dissidents and other individuals to speak out anonymously
about their situations, the members of the Free Haven Project hope to
help pave the way to a modern society where freedom of speech and freedom
of information are integral parts of everyday life.

\section{Project Summary}

The Free Haven Project intends to deploy a system which provides a good
infrastructure for anonymous publication. Specifically, this means that the
publisher of a given document should not be known; that clients requesting
the document should not have to identify themselves to anyone; and that
the current location of the document should not be known. Additionally,
it would be preferable to limit the number of opportunities where an
outsider can show that a given document passed through a given computer. A
more thorough examination of our requirements and notions of anonymity
can be found in Chapter \ref{chap:anon}.

The overall design is based on a community of servers (which as a whole is
termed the `servnet') where each server hosts data from the other servers
in exchange for the opportunity to store data of its own in the servnet.
When an author wishes to publish a document, she breaks the document into
shares, where a subset (any $k$ of $n$) is sufficient to reconstruct the
document. Then for each share, she negotiates for some server to publish
that share on the servnet. The servers then trade shares around behind
the scenes. When a reader wishes to retrieve a document from the servnet,
she requests it from any server, providing a location and key which can be
used to deliver the document in a private manner. This server broadcasts
the request to all other servers, and those which are holding shares for
that document encrypt them and deliver them to the reader's location. Also
behind the scenes, the shares employ what is essentially the `buddy
system' to maintain some accountability: servers which drop shares or are
otherwise unreliable get noticed after a while, and are trusted less. A
trust module on each server maintains a database on the behavior of
each other server, based on past direct experience and also what other
servers have said.  For communication both between servers and between
the servnet and readers, we rely on an existing mixnet infrastructure
to provide an anonymous channel.

The system is designed to store data without concern for its popularity
or controversial nature.  Possible uses include storing source code or
binaries for software which is currently under legal debate, such as the
recent DeCSS controversy or other software with patent issues; publishing
political speech in an anonymous fashion for people afraid that tying
their speech to their public persona will damage their reputation; or even
storing more normal-looking data like a set of public records from Kosovo.

Free Haven is designed more for anonymity and persistence of documents
than for frequent querying --- we expect that in many cases, interesting
material will be retrieved from the system and published in a more
available fashion (such as normal web pages) in a jurisdiction where
such publishing is more reasonable. Then the document in the servnet
would only need to be accessed if the other sources were shut down.

The potential adversaries are many and diverse: governments, corporations,
and individuals all have reason to oppose the system.  There will be
social attacks from citizens and countries trying to undermine the trust
in the security of the system, as well as attacking the motivation for
servnet node operators to continue running nodes. There will be political
attacks, using the influence of a country's leaders to discourage use of
the servnet. There will be government and legal attacks, where authorities
attempt to shut down servnet nodes or arrest operators. Indeed, in
many cases ordinary citizens can recruit the power of the government
through lawsuits or subpoenas. Multinational corporations will hold
sway over several countries, influencing them to pass similar laws
against anonymous networks. There will be technical attacks, both from
individuals and from corporations and national intelligence agencies,
targeted either at the system as a whole or at particular documents or
node operators, to reduce the quality of service or gain control of part
of the network. Clearly the system needs to be designed with stability,
security, and longevity in mind.

\section{Design Requirements}

More formally, requirements beyond anonymity for a stable and useful system
fall into two categories:

\begin{itemize}
\item Required Operations:

\begin{itemize}
\item The system must provide a mechanism for anonymously {\bf inserting} a
document into the servnet.
\item The system must provide a mechanism for anonymously {\bf retrieving}
a document from the servnet, including verifying that the retrieved
document is identical to the original document.
\item The system must provide a mechanism for {\bf expiring} documents:
the duration of a document should be decided by the publisher when that
document is published to the servnet, and the document should be
available (and immutable) until that duration expires.
\item The system must provide a mechanism for smoothly {\bf adding servers}
to the servnet without impacting functionality.
\item The system must provide a mechanism for {\bf recognizing inactive or
dead servers}; it should consequently cease to use or query them.
\end{itemize}

\item Guiding Principles:

\begin{itemize}
\item The system must be {\bf robust}: loss of perhaps
up to half of the participating servers should not imply loss of any
documents. In addition, the amount of damage that compromised or
otherwise `evil' servers can perform should be limited. This might be
accomplished by a trust network, where each node actively maintains an
opinion of other nodes, and nodes inform each other when they change
an opinion.
\item The system must be {\bf simple}: complex protocols and heuristics
invite security weaknesses. It must be self-contained and based on
realistic technological expectations.  For instance, we cannot rely on
a stable international electronic cash infrastructure.
\item The system must be {\bf modular} enough that components can be upgraded
in-place without impacting functionality.
\item The system must be {\bf decentralized}: to maintain efficiency, security,
and reliability, no single server or small subset of
the servers should be a bottleneck anywhere in the protocol.
\item The system must provide {\bf flexibility} on a per-server level: server
operators should be able to decide how paranoid or trusting they are, how
many resources to provide to the servnet, etc.
\item The components upon which the system relies must be {\bf free and open
source}, in the sense that modification and redistribution are explicitly
permitted.
\item The system is {\bf content-neutral}: popularity or popular opinion of a
document should not influence its duration in the servnet.
% This decision should be left entirely to the publisher of the document;
% by joining the system, servnet nodes agree to host data from other nodes
\end{itemize}
\end{itemize}
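As an added worked example (not part of this thesis or of the Free Haven code), the following Python splits a document into $n$ shares of which any $k$ suffice to rebuild it, and checks the retrieved document against a digest, as the project summary and the robustness and retrieval requirements above describe. It assumes a Shamir-style polynomial sharing over GF(257) and a SHA-256 digest known to the reader; both are choices of this example, not a description of the thesis's own scheme.

```python
import hashlib
import secrets

P = 257  # smallest prime above 255, so every document byte is a field element

def _eval_poly(coeffs: list, x: int) -> int:
    """Evaluate the polynomial with the given coefficients at x, modulo P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def split_document(doc: bytes, k: int, n: int) -> dict:
    """Split doc into n shares (keyed 1..n, one per server); any k of them rebuild it."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < 257")
    shares = {i: [] for i in range(1, n + 1)}
    for byte in doc:
        # Random degree-(k-1) polynomial whose constant term is the document byte.
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for i in range(1, n + 1):
            shares[i].append(_eval_poly(coeffs, i))
    return shares

def reconstruct(shares: dict, k: int) -> bytes:
    """Recover the document from any k shares by Lagrange interpolation at x = 0."""
    if len(shares) < k:
        raise ValueError("fewer than k shares: the document cannot be recovered")
    xs = sorted(shares)[:k]
    out = bytearray()
    for pos in range(len(shares[xs[0]])):
        total = 0
        for i in xs:
            num = den = 1
            for j in xs:
                if j != i:
                    num = num * (-j) % P
                    den = den * (i - j) % P
            total = (total + shares[i][pos] * num * pow(den, P - 2, P)) % P
        if total > 255:  # only reachable if a server handed back a corrupted share
            raise ValueError("corrupt share at byte %d" % pos)
        out.append(total)
    return bytes(out)

def retrieve_verified(shares: dict, k: int, expected_sha256: str) -> bytes:
    """Reconstruct and confirm the result matches the digest the reader already holds."""
    doc = reconstruct(shares, k)
    if hashlib.sha256(doc).hexdigest() != expected_sha256:
        raise ValueError("reconstructed document does not match the published digest")
    return doc
```

With $n = 6$ and $k = 3$, any three surviving servers suffice, so losing half of them costs no document, while two shares alone reveal nothing and are rejected.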

We assume that there will be some
generous individuals out there who believe in the goals of the system
and will donate some services.  
Notice that efficiency isn't on the list -- we can afford to have more overhead
(both in time and in bandwidth) if we get stronger anonymity out of it.

\newpage

\section{About this document}

This paper was written as a joint effort by the members of the
Free Haven project, a group of students led by Roger Dingledine
(primary author). The other project members contributing to this document are
Michael Freedman (Sections \ref{sec:related-comm}, \ref{sec:attacks-comm},
\ref{sec:future-comm}, all of Chapter \ref{chap:impl-comm}, and part of
Appendix \ref{app:related-comm-appendix}), David
Molnar (Section \ref{sec:related-comm} and Appendix \ref{app:related-comm-appendix}), Brian
Sniffen (Sections \ref{sec:related-trust}, part of \ref{sec:design-trust},
\ref{sec:attacks-trust}, and \ref{sec:future-trust}), and Todd Kamin
(Section \ref{sec:design-ui}).

