[Freedombox-discuss] Establishing Communication between Freedomboxes

ian at churchkey.org ian at churchkey.org
Mon Jul 4 19:52:05 UTC 2011
On 07/04/2011 01:02 PM, Daniel Kahn Gillmor wrote:
> On 07/02/2011 02:24 PM, ian at churchkey.org wrote:
>> I think the best way to do this is through something like a dynamicDNS
>> centralized service.
> 
> Can you explain why a centralized service is the right way to go here?

It may not be, but it addresses three problems: 1) how to find other
people without a face-to-face meeting, 2) how to enforce community rules
for SPAM and abuse, 3) how to map someone's identity (real, pseudo, etc.)
to a machine address for their FreedomBox.

bertagaz's proposal, and the one from this weekend about distributed
hash tables as a DNS-free locator mechanism, are both interesting
proposals for how to resolve #1 above, and perhaps they are two halves of
the same solution, since I am unclear how bertagaz's keyserver model will
map to physical freedombox locations without an intermediary when those
locations change as often as residential IP addresses, and I am not sure
how a machine with physical addresses of other machines stored in a
DHT converts newly discovered addresses to particular identities.

> In contrast, a centralized service puts a level of power in the hands of
> the maintainers of that service -- something that we're actively trying
> to avoid, if i understand the goals of the project correctly.

Indeed. I tried to explain the purpose and limit of that power in
context, but you are quite right that it should be explicitly discussed
in light of our shared project goals.

> For example, in your blog post, you explicitly outline a way that such a
> service could effectively ostracize a spammer or advertiser (albeit
> without outlining what the policy should be in a contested case).  This
> same mechanism could be used by a powerful adversary to de-voice and
> isolate a dissenter or whistleblower.

For those who did not read the piece, the basic idea is a dynamic DNS
server with additional capabilities to handle searching for friends and
making an initial "friend request". You find me on the site, you go
through whatever vetting mechanism we want on the site, which could be
nothing or having a verified OpenID address, or whatever else we want,
and the server gives you my most recent dynamic address plus a little
crypto token so that when your freedombox sends a "friend me" ping to my
freedombox's address, I can know how you got that address and deal with
your request accordingly by sorting it into the right profile or
dropping it if you don't have the right token and are just a SPAMer,
etc. From there our servers talk to each other directly and have no need
to involve the dynamic DNS server again unless my address changes and I
have not communicated a new one to you directly.

I think it is important to consider that people want a mechanism for
enforcing community standards of SPAM and abuse. Everything from forums
to online dating sites relies on having a mechanism for filtering out
communications and members that push against the community norms. Even
bittorrent trackers establish rules about the kind of materials that can
be posted and shared on the system. If we do not want an intermediary
with power to enforce some of these community norms, we need to think
very carefully about how to accomplish the same thing at the distributed
ends of our network, because those kinds of social norms are at the center
of how people communicate.

As to the specific example of a whistleblower or political dissenter, I
don't think the dynamic DNS system would have the kind of power
necessary to isolate such an individual. The centralized server's only
utility lies in making initial contact with a person and, potentially,
in updating directions to that person when all other forms of addressing
have failed. Once you make a connection between boxes, you are free to
establish whatever other channels you wish for maintaining contact,
whether that is routine pings with new IP address information, or a
hidden Tor service for requesting address changes. If a powerful
opponent were to get an individual's account dropped from one of these
dynamic DNS servers, that should have no impact on the communications of
anyone who had previously made contact, or with anyone who was simply
given the new address information after the account deletion. This is
just a white pages with a privacy screen, not your ISP.

Since this is just a white pages, there is also nothing stopping
multiple such sites from operating, just as we currently have social
networks, online dating, professional connection sites, and personal
blogs. A politically powerful opponent might be able to stop one of
these organizations from distributing your contact info, but if we
design them well enough from a legal and political position, as say
non-profits operated from multiple countries, it should be exceedingly
difficult to stop them all.

By the same token, an opponent politically powerful enough to subvert
that kind of distributed naming system could just as conceivably subvert
the existing DNS hierarchy or that of the gpg keyservers.

> When in doubt, we should avoid infrastructure with this kind of
> centralized leverage.  too much centralized power already exists in the
> non-freedombox world.  Let's not replicate those mistakes.

Agreed, but let's also not overlook the problems solved by a centralized
architecture as we move away from that centralization. I would love to
hear some more about how we can publish identity and machine contact
information through either the keyservers or the DHT, and particularly about
how to protect such contact routes from abuse by SPAMers and other forms
of contact abuse.

-Ian
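The "friend me" token step described in this post, as an added example that is not part of the original message or of any FreedomBox code: the directory issues a token under a key the target box registered with it, binding the requester, the target and the vetting level to an expiry, and the receiving box uses that token to file the ping under a profile or drop it. The HMAC construction, the field names and the vetting labels are assumptions, not something the post specifies.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(box_key: bytes, requester: str, target: str, vetting: str,
                ttl: int = 3600, now: Optional[int] = None) -> str:
    """Directory side (assumed design): bind requester, target, vetting level
    and expiry under the key the target box registered with the directory."""
    issued = int(time.time()) if now is None else now
    payload = json.dumps({"sub": requester, "aud": target, "vet": vetting,
                          "exp": issued + ttl}, sort_keys=True).encode()
    mac = hmac.new(box_key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)

def sort_friend_request(box_key: bytes, my_id: str, token: Optional[str],
                        now: Optional[int] = None) -> str:
    """Receiving box side: return the profile the request is filed under,
    or "drop" for a ping that carries no valid introduction."""
    if not token or "." not in token:
        return "drop"                      # unsolicited: no introduction at all
    payload_b64, mac_b64 = token.split(".", 1)
    try:
        payload, mac = _unb64(payload_b64), _unb64(mac_b64)
    except ValueError:
        return "drop"                      # malformed encoding
    expected = hmac.new(box_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return "drop"                      # not issued under our registered key
    claims = json.loads(payload)           # only parsed after authentication
    current = int(time.time()) if now is None else now
    if claims.get("aud") != my_id or claims.get("exp", 0) < current:
        return "drop"                      # meant for another box, or stale
    # Map the directory's vetting level to a local profile (labels assumed).
    return {"openid": "verified", "none": "unvetted"}.get(claims.get("vet"), "unvetted")
```

A token is only as strong as the key the box shares with the directory, so the box can register a distinct key with each directory it lists itself on and revoke one without affecting contacts already made.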