next up previous
Next: The threat model Up: The Eternity Service Previous: The Eternity Service

What it does

The Eternity Service will be simple to use. Say you want to store a 1MB file for 50 years; there will be a tariff of (say) $99.95. You upload a digital coin for this, together with the file; no proof of identity or other formality is needed. After a while you get an ack, and for the next 50 years your file will be there for anyone to get by anonymous file transfer.

Copies of the file will be stored on a number of servers round the world. Like the Internet, this service will depend on the cooperation of a large number of systems whose only common element will be a protocol; there will be no head office which could be coerced or corrupted, and the diversity of ownership and implementation will provide resilience against both error and attack.

The net effect will be that your file, once posted on the eternity service, cannot be deleted. As you cannot delete it yourself, you cannot be forced to delete it, either by abuse of process or by a gun at your wife's head.

External attacks will be made expensive by arranging things so that a file will survive the physical destruction of most of the participating file servers, as well as a malicious conspiracy by the system administrators of quite a few of them. If the servers are dispersed in many jurisdictions, with the service perhaps even becoming an integral part of the Internet, then a successful attack could be very expensive indeed -- hopefully beyond even the resources of governments.

The detailed design will utilise the well known principles of fragmentation, redundancy and scattering. But before we start to consider the details, let us first consider the threat model.

Ross Anderson
Tue Jun 17 15:08:09 BST 1997