next up previous
Next: A simple design Up: The Eternity Service Previous: What it does

The threat model

Perhaps the most high level threat is that governments might ban the service outright. Might this be done by all governments, or at least by enough to marginalise the service?

The political arguments are quite predictable. Governments will object that child pornographers, Anabaptists and Persian spies will use the service, while libertarians will point out that the enemies of the state also use telephones, faxes, email, video and every other medium ever invented. Software publishers will be afraid that a pirate will Eternally publish their latest release, and ask for an `escrow' facility that lets a judge have offending matter destroyed; libertarians will object that no judge today can destroy the information contained in a personal advertisement published in `The Times' at the cost of a few pounds.

But law tends to lag technology by a decade or more; it is be hard to get all governments to agree on anything; and some countries, such as the USA, have free speech enshrined in their constitutions. So an effective worldwide ban is unlikely. There might always be local bans: Israeli agents might put up a file containing derogatory statements about the Prophet Mohammed, and thus get eternity servers banned in much of the Muslim world. If it led to a rejection of the Internet, this might provide an effective attack on Muslim countries' ability to develop; but it would not be an effective attack on the Eternity Service itself, any more than the Australian government's ban on sex newsgroups has any effect on the US campuses where many of the more outré postings originate.

Most non-legislative global attacks can be blocked by technical means. Network flooding can never be completely ruled out, but can be made very expensive and unreliable by providing many access points, ensuring that the location of individual files remains a secret and integrating the service with the Internet.

So in what follows, we will focus on the mechanisms necessary to prevent selective service denials at finer levels of granularity. We will imagine that an ignorant or corrupt judge has issued an injunction that a given file be deleted, and we wish the design of our system to frustrate the plaintiff's solicitors in their efforts to seize it. We will also imagine that a military intelligence agency or criminal organistion is prepared to use bribery, intimidation, kidnapping and murder in order to remove a file; our system should resist them too. The basic idea will be to explore the tradeoffs between redundancy and anonymity.


next up previous
Next: A simple design Up: The Eternity Service Previous: What it does

Ross Anderson
Tue Jun 17 15:08:09 BST 1997