

    The Free Haven Project aims to deploy a system for distributed data storage robust against attempts by powerful adversaries to find and destroy stored data. Free Haven uses a secure mixnet for communication, and it emphasizes distributed, reliable, and anonymous storage over efficient retrieval. Some of the problems Free Haven addresses include providing sufficient accountability without sacrificing anonymity, building trust between servers based entirely on their observed behavior, and providing user interfaces that make the system easy for end-users to use.

    Project Description

    The Free Haven Project intends to deploy a system that provides a good infrastructure for anonymous publication. Specifically, this means that the publisher of a given document should not be known; that clients requesting the document should not have to identify themselves to anyone; and that the current location of the document should not be known. Additionally, it would be preferable to limit the number of opportunities where an outsider can show that a given document passed through a given computer. We present a more thorough examination of our requirements and notions of anonymity, and compare them to the anonymity requirements of a number of related works.

    The overall design is based on a community of servers (which as a whole is termed the 'servnet') where each server hosts data from the other servers in exchange for the opportunity to store data of its own in the servnet. When an author wishes to publish a document, she breaks the document into shares, where a subset (any k of n) is sufficient to reconstruct the document, and then for each share, negotiates for some server to publish that share on the servnet. The servers then trade shares around behind the scenes. When a reader wishes to retrieve a document from the servnet, she requests it from any server, including a location and key which can be used to deliver the document in a private manner. This server broadcasts the request to all other servers, and those which are holding shares for that document encrypt them and deliver them to the reader's location. Also behind the scenes, the shares employ what is essentially the 'buddy system' to maintain some accountability: servers which drop shares or are otherwise unreliable get noticed after a while, and are trusted less. A trust module on each server maintains a database of each other server, based on past direct experience and also what other servers have said. For communication both between servers and between the servnet and readers, we rely on an existing mixnet infrastructure to provide an anonymous channel.

    The system is designed to store data without concern for its popularity or controversial nature. Possible uses include storing source code or binaries for software which is currently under legal debate, such as the recent DeCSS controversy or other software with patent issues; publishing political speech in an anonymous fashion for people afraid that tying their speech to their public persona will damage their reputation; or even storing more normal-looking data like a set of public records from Kosovo.

    Free Haven is designed more for anonymity and persistence of documents than for frequent querying --- we expect that in many cases, interesting material will be retrieved from the system and published in a more available fashion (such as normal web pages) in a jurisdiction where such publishing is more reasonable. Then the document in the servnet would only need to be accessed if the other sources were shut down.

    The potential adversaries are many and diverse: governments, corporations, and individuals all have reason to oppose the system. There will be social attacks from citizens and countries trying to undermine the trust in the security of the system, as well as attacking the motivation for servnet node operators to continue running nodes. There will be political attacks, using the influence of a country's leaders to discourage use of the servnet. There will be government and legal attacks, where authorities attempt to shut down servnet nodes or arrest operators. Indeed, in many cases ordinary citizens can recruit the power of the government through lawsuits or subpoenas. Multinational corporations will hold sway over several countries, influencing them to pass similar laws against anonymous networks. There will be technical attacks, both from individuals and from corporations and national intelligence agencies, targeted either at the system as a whole or at particular documents or node operators, to reduce the quality of service or gain control of part of the network. Clearly the system needs to be designed with stability, security, and longevity in mind.

    Design Requirements

    More formally, requirements beyond anonymity for a stable and useful system fall into two categories:

    Required Operations:

    • The system must provide a mechanism for anonymously inserting a document into the servnet.
    • The system must provide a mechanism for anonymously retrieving a document from the servnet, including verifying that the retrieved document is identical to the original document.
    • The system must provide a mechanism for expiring documents: the duration of a document should be decided by the publisher when that document is published to the servnet, and the document should be available (and immutable) until that duration expires.
    • The system must provide a mechanism for smoothly adding servers to the servnet without impacting functionality.
    • The system must provide a mechanism for recognizing inactive or dead servers and eventually no longer using or querying them.

    Guiding Principles:

    • The system must be robust: loss of perhaps up to half of the participating servers should not imply loss of any documents. In addition, the amount of damage that compromised or otherwise 'evil' nodes can perform should be limited. This might be accomplished by a trust network, where each node actively maintains an opinion of other nodes, and nodes inform each other when they change an opinion.
    • The system must be simple: complex protocols and heuristics invite security weaknesses. It must be self-contained and based on realistic technological expectations. For instance, we cannot rely on a stable international electronic cash infrastructure.
    • The system must be modular enough that components can be upgraded in-place without impacting functionality.
    • The system must be decentralized: to maintain efficiency, security, and reliability, no single server or small subset of the servers should be a bottleneck anywhere in the protocol.
    • The system must provide flexibility on a per-server level: server operators should be able to decide how paranoid or trusting they are, how many resources to provide to the servnet, etc.
    • The components upon which the system relies must be free and open source, in the sense that modification and redistribution is explicitly permitted.
    • The system is content-neutral: popularity or popular opinion of a document should not influence its duration in the servnet.
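As an added illustration (not code from the Free Haven Project), the k-of-n share mechanism from the design overview, the integrity check required on retrieval, and the robustness goal of surviving the loss of half the servers, worked together: Shamir's secret sharing over GF(257) stands in for whatever dispersal scheme the servnet actually uses, and the SHA-256 digest, the function names and the k=5, n=10 parameters are assumptions made for the example.

```python
import hashlib
import secrets

P = 257  # smallest prime above 255, so each document byte is one field element

def split_document(data, k, n):
    """Split data into n shares (x, values); any k of them reconstruct it (Shamir, per byte)."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < P")
    shares = [(x, []) for x in range(1, n + 1)]
    for b in data:
        # Random polynomial of degree k-1 whose constant term is the secret byte.
        coeffs = [b] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x, values in shares:
            acc = 0
            for c in reversed(coeffs):  # Horner evaluation at x, mod P
                acc = (acc * x + c) % P
            values.append(acc)
    return shares

def reconstruct_document(shares, k):
    """Recover the data from any k shares by Lagrange interpolation at x = 0."""
    if len(shares) < k:
        raise ValueError("fewer than k shares: document cannot be reconstructed")
    subset = shares[:k]
    xs = [x for x, _ in subset]
    out = bytearray()
    for i in range(len(subset[0][1])):
        total = 0
        for j, (xj, values) in enumerate(subset):
            num, den = 1, 1
            for m, xm in enumerate(xs):
                if m != j:
                    num, den = num * (-xm) % P, den * (xj - xm) % P
            total = (total + values[i] * num * pow(den, P - 2, P)) % P
        out.append(total)  # a corrupt or mismatched share can yield 256 here, which raises
    return bytes(out)

def publish(data, k, n):
    """Publisher side: the n shares plus a digest that readers use to verify the retrieved copy."""
    return split_document(data, k, n), hashlib.sha256(data).hexdigest()

def retrieve(surviving_shares, k, digest):
    """Reader side: reconstruct from whatever shares came back, then check the digest."""
    doc = reconstruct_document(surviving_shares, k)
    if hashlib.sha256(doc).hexdigest() != digest:
        raise ValueError("retrieved document does not match the published digest")
    return doc
```

With n=10 and k=5, dropping every even-numbered share (half the servers) still lets `retrieve` rebuild the document, while four shares or a tampered share make it fail loudly instead of returning wrong data.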

    Our design goals and motivations are somewhat different from those of most related works. Notice that efficiency is not on the list -- we can afford to have more overhead (both in time and in bandwidth) if we get stronger anonymity and robustness. We assume that there will be some individuals who believe in the goals of the system, recognize its possible benefits, and will donate some services.

    By providing tools to enable safer and more reliable communication for organizations fighting for increased rights of individuals, as well as strengthening the capabilities of individuals to speak out anonymously about their situations, the members of the Free Haven Project hope to reinforce the rights of freedom of speech and freedom of information as integral parts of everyday life.

Site last updated on June 12th, 2009.