Tag: blog

  • On Trust

    There has been a fair amount of effort on UCAN (User Controlled Authorization Networks), and other types of ‘decentralized credentials’ over the last couple years. These efforts perpetuate the same control structures that exist today, with delegated trees of hierarchical control. This is in contrast to a personal or ‘decentralized’ trust we might hope for in peer to peer networks. It is difficult to use DIDs, UCANs, or other proposed mechanisms for reputation and network formation without finding ourselves back trusting an authority – they are both easily captured and naturally lend themselves to centralization of control. We need a fundamentally different trust infrastructure in order to build resilient, peer to peer networks.

    On non-hierarchical models for trust

    The main barrier is not a technical one – we have seen technical implementations (e.g. the GPG web of trust) for decades. There is an intuitive design for how a flat trust model can be implemented. The problem lies in dissatisfaction with the emergent properties of that naive network structure. This tension has been framed in a couple of different ways. One perspective is that the user experience in bootstrapping trust is overly cumbersome, and this friction leads to an insufficiently dense trust network. A different perspective on the same tension is that a user-driven trust system is at odds with transitive / automatic trust relations, and that actions to ‘ease’ the user experience are fundamentally reducing user control.

    We can find a space for exploration by calling out this tension as a false dichotomy. The choice is not between a single authority vs user-directed trust links, but about distributing trust structures. There is space for an organic / automatic way to generate trust, and to allow for its reflection and evolution, that is neither user-directed nor rooted in a single authority. The bit-torrent tit-for-tat mechanism is one form of this, where protocol-compliant behavior leads to an increasing buffer for data transfer within the protocol.

    Trust or Reputation

    There is a related notion that is more regularly referred to in protocols as a concept of ‘reputation’. Reputation can be viewed as a property of a node in a system rather than one of an edge. (e.g. reputation is often constructed as a metric that is transitive, or where a node has a single consensus value. This is different from how we normally think of our personal trust in another user.)

    What then exactly are we trying to capture in a measure for ‘Trust’? In the hierarchical systems of web 2, it’s meant to provide some assurance that “someone is who they say they are”. It isn’t an indication that there are ‘aligned beliefs’, but rather that the expected entity is behind a given identifier. The properties that come from systems like TLS / CAs look very similar to reputation in this sense. While each individual can override and manually configure which authorities to trust, that definition of trust means confidence in adherence to protocol and in coherence between expectation and reality.

    Scoping trust

    A challenge we sometimes run into when talking about trust as it relates to technical networks is that our expectation of scope is typically much more limited in digital or transactional contexts than it is in real life. When you refer to a person as a “trusted individual”, the implication is not only that this is not an ‘imposter’, but also that the person has some level of altruism or aligned / positive motivations. While some formulations use reputation as a stand-in for this additional notion of trust, I would argue that it is perhaps better thought of as an understanding of motivations. The trust is that it is understandable what game someone is playing, what their motivations are, and thus what their rational behavior will be.

    Narrow interactions, like those scoped in technical protocols, are intentionally limited to exclude externalities, but this also makes it difficult to understand if other nodes have ulterior motives in participating in the protocol. What can be learned by a participant, and the other uses that can be derived from participation, is not always easy to analyze, and the lack of completeness is unsatisfying. In contrast, the design of protocols to not leak information is difficult-to-impossible, and difficult to justify. Even the determination and understanding of risk present in a system is an expensive proposition.

    Categorizing mechanisms

    How do we build distributed notions that reflect this notion of confidence that another participant is also playing the same game as us?

    If we take the narrower view of actions within the protocol, we can get to a somewhat useful taxonomy of work in this space.

    • The bit-torrent tit-for-tat algorithm uses the demonstration from the other participant that they’re following the protocol as a signal to continue the conversation.
    • A set of protocols use a proof of work, or computational puzzle as a way for participants to demonstrate that it is worth something to them to participate.
    • Protocols like TLS have added revocation lists, and things shaped like “proofs of bad behavior” as ways to share knowledge of identities that have misbehaved. If the cost of creating an identity is high, and your misbehavior causes “reputational damage”, your rational behavior becomes more incentivized to follow the protocol.
    • Finally, there is emerging growth of validation-based protocols. Cryptographic proofs are increasingly able to provide an assertion that computation has been performed per the expected protocol, and reduce the space of valid-but-not-compliant actions that can be taken.

    The complement to this category is the set of protocols that make use of external costs. In many cases the cost is difficult to quantify, which leaves modeling of the strength of the protocol trust levels equally difficult to pin down. At the same time, it means that there is the ability for costs to be higher relative to what could be built into a protocol in isolation.

    • Protocols which involve a validation of ‘real name’ (linking an ID, bank account, cell phone, etc) are able to retaliate for misbehavior using the legal system.
    • Protocols involving social graphs use the potential of negative impact to your standing with your friends.
    • Protocols requiring registration with a phone number, or that distribute their app only for mobile devices, are leveraging the cost of those assets as part of the account cost.

    Increasing trust

    From the previous categories we can see that there are two approaches these mechanisms end up leaning on to increase this notion of trust.

    The first is increasing the cost of defection. Increasing the costs tied to creating or re-creating an account increases this cost. Impacting a reputation or decreasing utility are likewise ways to increase the cost of not following a protocol.

    The second way that trust is increased is by increasing a user’s confidence that they will be able to succeed in getting resolution when another user defects. In most of the ‘in protocol’ cost models, resolution occurs as part of the protocol itself. Bit-torrent won’t continue rewarding peers that aren’t honoring the tit-for-tat agreement. A computation submitted without a valid proof transcript will be ignored. It is the out of protocol actions where this subjective confidence is most at issue. Actions like Facebook suspending Cambridge Analytica (and publicized moderation actions more generally) demonstrate to users that enforcement is taking place.
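    To make the in-protocol case concrete, here is an added example (not from the original post, and a simplified credit-window model rather than BitTorrent's actual choking algorithm) in which each trust link is a local, per-edge ledger: reciprocation widens the window, and what a defector can take is bounded by the window at the moment they stop cooperating. The names `Edge`, `simulate`, `INITIAL_WINDOW` and `MAX_WINDOW`, and the doubling rule, are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed parameters for this illustration (not taken from any real protocol).
INITIAL_WINDOW = 1   # blocks we are willing to risk on a brand-new identity
MAX_WINDOW = 64      # upper bound on how far ahead we will ever send


@dataclass
class Edge:
    """Our local view of one remote peer: trust lives on the edge, not the node."""
    window: int = INITIAL_WINDOW
    sent: int = 0
    received: int = 0

    @property
    def debt(self) -> int:
        # Blocks we have sent that the peer has not yet matched.
        return self.sent - self.received

    def allowance(self) -> int:
        # How many more blocks we will send before the peer must reciprocate.
        return max(0, self.window - self.debt)

    def record_sent(self, n: int) -> None:
        self.sent += n

    def record_received(self, n: int) -> None:
        self.received += n
        # Compliant behaviour (debt fully repaid) doubles the window, capped.
        if n > 0 and self.debt <= 0:
            self.window = min(MAX_WINDOW, self.window * 2)


def simulate(rounds: int, reciprocate_rounds: int) -> Edge:
    """Run `rounds` exchanges with a peer that reciprocates only during the
    first `reciprocate_rounds` rounds and free-rides afterwards."""
    edge = Edge()
    for r in range(rounds):
        n = edge.allowance()
        edge.record_sent(n)
        if r < reciprocate_rounds:
            edge.record_received(n)   # peer returns as much as it was given
        # otherwise the peer defects: nothing comes back, debt accumulates
    return edge


if __name__ == "__main__":
    cases = [("always reciprocates", 8),
             ("never reciprocates", 0),
             ("defects after 3 rounds", 3)]
    for label, k in cases:
        e = simulate(8, k)
        print(f"{label:24s} sent={e.sent:3d} received={e.received:3d} "
              f"unreciprocated={e.debt:2d} window={e.window}")
```

    The punishment here is automatic (the allowance drops to zero), so the only lever left to a defector is the window itself: a fresh identity gains `INITIAL_WINDOW` blocks, and a patient defector gains at most the window they had earned.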

    Full circle

    How do we provide decentralized notions of trust that can be dense and mesh with protocol needs for automatic establishment?

    By ensuring that the risk associated with a trust link is less than what can be mitigated when trust is broken. This can be done in one of three ways:

    1. The benefit of breaking trust can be reduced
    2. The cost associated with punishment can be increased
    3. Regularity (or user perception) of breaking trust leading to punishment can be increased

    Concretely, the hesitancy to form a mesh network comes most often from the lack of a concretely defined threat model. When a protocol comes with a well scoped definition of misbehavior, it is typically much easier to enforce compliance and to frame the protocol in a way that provides comfort to participants.

    It’s worth noting that we are often concerned with one of the hardest forms of this scenario – which is balancing the ease of participation in a system with the indirect and difficult to identify surveillance risks. Concrete examples of this tension are nation-state identification of Tor users, RIAA identification of bit-torrent users, or IRS identification of cryptocurrency users. In all of these cases, a user joining the protocol may behave as normal, but may also record network identifiers of other participants they encounter. An unaccountable out-of-protocol leaking of these known identifiers then leads to repercussions to other participants. I don’t know if the preceding discussion is the best framing in this specific case. I think it can be used as a lens still, but the interesting question here is mostly around the first point of reducing the benefits around breaking trust, and in reducing the signal that such an attack gets in the initial level of participation in the protocol.

  • The City

    Earlier this week I visited The City with a group of friends. It’s an interesting place, and I’m glad I took the time to experience it, as it provided a unique context to reflect on a set of more abstract ideas.

    The claim to fame of the city is that it is the largest art installation on earth – a mile by 1.5 miles of terrain sculpted over something like 50 years into an aesthetically pleasing ‘city’ – a series of gravel mounds and hollows each curbed and delineated by gravel roads. There are a couple of distinct sculptures within the space – brutalist/minimalist concrete structures, a series of triangles on one end of the city and a deconstructed, cantilevered cube on the other.

    The city is as much the experience as it is the physical art itself – each day one group of 6 people is allowed to visit by the foundation set up to administrate the exhibit. The visit typically involves a 2.5hr pilgrimage from the antithetical Las Vegas up to the city, itself near Area 51 in the high Nevada desert. The city as a place is meant to be timeless – which is effected with a permanent crew to rebuild after storms lead to erosion, and to sweep the paths each day to erase the footprints from previous visitors.

    There were a few primary ideas I took away from the piece while walking through it for the 3 allotted hours. I’m sure much of this is a reflection of the head space I was in, and isn’t intentional on the part of Heizer as an artist.

    • Insignificance – The scale of the piece, while vast, remains dwarfed by the surrounding Nevada mountains and what nature has created.
    • Illusory – The artifacts which appear as coherent monuments from afar break apart into much more fragile and hard-to-interpret components as one gets closer to inspect them.
    • Permanence – Despite all efforts, any attempt at permanence is doomed to fail, but that can’t and shouldn’t discourage the attempt to fight against entropy. I think there’s an argument for a preference for growth/evolution over permanence, but I think that’s beyond the experience I took away from this piece.
    • The essence of urban life – what is the emergent behavior between the individual participants and the overall experience of a city?

    The city, along with its other restrictive policies, requires visitors to agree not to take photos. There are enough photos online to get a reasonable approximation of the experience despite this. It perhaps indicates this policy has been effective in limiting the use of the city as a canvas for selfies / other subjects, and maintaining its position as a sole protagonist.

  • Tibet 2018

    In the second half of August, 2018, I biked from Golmud in Qinghai to Lhasa. The road, the G109, is a lifeline for Tibet, with 85% of supplies for Tibet imported along this route. It parallels the primary train line into the region, and was one of the first paved routes on the plateau.

    It’s also 1000+km above 4,500m.

    My original motivation for the trip was a similar but different route, the G318 road connecting Chengdu in Sichuan to Lhasa. This route is one of the most popular long distance cycling routes in China, and there are a number of posts I found when looking for bicycling adventures in China that were simply incredible. The 318 wasn’t fully paved until 2013, and it wasn’t uncommon to see posts where groups were fording stretches of waist-deep mud. While this adventure lacks some of the romanticism, it approximates what for me is at the heart of the pilgrimage.

    We started by flying to Xining, with a layover in Beijing where I redeemed online train reservations for tickets. After a short connection to a night train to Golmud, we got our bikes assembled, and I navigated the kuaidi system to ship the extra luggage to a hotel in Lhasa.

    The first adventure occurred 30km outside of town. After passing signs warning us we’d already entered Tibet (we were still 100’s of km from the official boundary of the TAR, but the G109 road is managed by the Tibetan authority from Golmud), we encountered a road checkpoint that wanted foreigners to be accompanied by a guide, and to have a valid permit for entering the region. I had worked with Extravagant Yak to secure a guide from TuoTuoHe, a town before the first such checkpoint that either of us was aware of. After a couple rounds of discussions between the officers, us, and the tour guides, we were allowed to continue unaccompanied on the first leg, as initially planned. The hesitation and negotiation reminded me of how rare it is for foreigners to be in this area.

    The first week was the highlight of the trip for me. A series of low-mileage but strenuous days brought us to the plateau, and the direct, spontaneous interactions we were able to have each day were fantastic. We got water from a local spring, received a warm welcome from returning military convoys, and learned how to operate a coal stove.

    Tibet was interesting to finally see as well. I’ve hesitated to travel or interact with the region because of the political sensitivities. I don’t feel that I was missing too much – my general impression of Tibetan culture and lifestyle has not dramatically changed as a result of the trip, though I do appreciate the direct experience confirming what I had suspected. In broad strokes, the situation of the Tibetan minority does not seem abnormal compared to that of other Chinese minorities. Like Xinjiang, there are restrictions on movement, a different predominant language, and different cultural norms. The underlying tensions are not unique: increased Chinese-driven development is modernizing the society, but there is concern that the uplift is not equitable, and that improvements may mute traditional cultural values.

    Regardless, Tibet-the-location is beautiful, and was fantastic to explore.

  • NextGen Scholar

    Excited to be included in the 2018 class of CSIS NextGen Scholars.

  • Scalable Remote Measurement of Application-Layer Censorship

    Quite exciting to see another step in remote measurement systems at USENIX Security in August. This particular piece is on how to recover DPI policies at scale.

  • Open Letter to the Cuba Internet Task Force

    The following is a response to an invitation to participate in the recently formed Cuba Internet Task Force.

    Task Force Representatives:
    I will not be joining the Cuba Internet Task Force, or Subcommittees, because I believe the harm done by the existence of these committees outweighs any potential benefit of the recommendations that can come from them.

    In recent years, Cuba has increasingly normalized Internet usage, through expansion and cost reduction of WiFi, through the advent of AirBNB as a major source of tourism revenue, and through growing traffic capacity.

    In the scope of my work, I have documented the flourishing community wireless networks operating in tandem with official Internet service from ETECSA. These community efforts already address the “last mile” problem, and it is not hard to imagine the future where they are consolidated or integrated to provide Internet-to-the-home for many more Cubans.

    These efforts are hindered by the perception by the Cuban government that the Internet and its associated ‘freedom’ are being forced upon them by the United States. In the wake of the creation of this task force, Cuban media has focused on the implied pressure, and private individuals in the Cuban technology sector have come under increased scrutiny.

    Instead of attempting to influence the policies of another sovereign nation, I encourage us to reflect more on our internal policies. US government sanctions currently require a wide range of US-based education and reference sites to block Cuban traffic. Likewise, limitations preventing Cubans from connecting to US-invested undersea cables are partially responsible for the scarcity and cost of Cuban Internet connections. Reducing these sanctions can allow Cubans to become a market for US companies, and will provide additional incentives for widespread connectivity across the country.

  • A whirlwind trip to Beirut

    Through a series of unlikely events, I found myself with the opportunity to visit Beirut for a week in early March of 2018. It was a great experience, and challenged many of the stereotypes I had developed about the realities of both the Middle East and proximity to conflict zones.

    The most impressive aspect of Lebanon to me was the handling and presence of the refugee situation in the area. Lebanon has had a significant southern area of refugee camps for those moving away from conflict in Palestine. More recently, a sizable refugee population has entered the country leaving the Syrian conflict. Today, there are more refugees in Lebanon than citizens, which is a source of conflict and tension in many parts of the country.

    Camps, at least the impressive images of dense clusters of refugees we see in western news, do not reflect the reality I found in Lebanon. At least from the portion of the eastern countryside I saw, refugees are situated in small clusters of a few families at edges of existing towns and cities. While shelter construction is rushed, as families arrive and quickly need places to stay, there’s a significant local variability in how much local time and resources are available to construct more livable dwellings. On the ground, the competence and overloaded-ness of the local NGOs and community members is probably the biggest factor in outcome. The structures I saw had power, TVs, and charging android phones.

    I was caught off guard in a good way by the urban population center of Beirut. First, Beirut continues to exist as a melting pot of a bunch of different ethnicities and cultures. Second, there was both a general tolerance and liberalism that exceeded what I’ve seen in UAE or Pakistan. Third, that liberalism translated into a much less pervasive security apparatus than I was expecting given the location and strife in the region. I needed to provide a passport as identification for hotels, but did not need it for travel in the country, and did not need to show ID for access to school campuses or businesses. Part of that is white privilege, but in general there was not infrastructure to support any meaningful restrictions of movement or exclusion of groups from public areas.

    I was likewise surprised by the seeming ease with which people were able to travel between Lebanon and Syria. For the demo day of a Syrian entrepreneurship bootcamp, a number of spectators traveled to Beirut for the day from Damascus. The general sentiment I heard from several Lebanese was that the country is generally safe, but that as you get towards the edges, it’s preferable to travel with someone from the area who knows people. It’s often non-obvious, but traveling with someone who already has relationships built with those in the region seems to be the accepted way of keeping situations defused.

    In terms of connectivity, much of the stress of the country is that the conflict surrounding it has meant that there are not solid landline connections to the rest of the world. This means most Internet traffic is routed through an undersea cable to Cyprus, which limits the overall capacity for the country. In turn, this leads to relatively expensive fixed-line Internet pricing, with many people opting for mobile Internet. Mobile connections can often be cheaper and faster than the DSL providers. In rural areas, it was noted that there are some cases of communities sharing mobile connections, through hotspots or tethering to a connected phone.

    One of the signs I found heartening was that at the makerspace in Beirut, there were members with Tor project and Internet activism stickers on their laptops. The ability to openly express support for those causes is a great sign that civil society is able to function without significant pressure on that front.

  • DPRK Consumer Technology

    The video from the talk I gave on how to get more public visibility into DPRK consumer technology is now online.

    Slides for the talk are available here.

  • 34C3

    I’m very excited to have two talks at CCC at the end of the month. The bulk of accepted talks can be seen and voted on at the CCC “halfnarp”.

    The first talk is on the Internet in Cuba. It expands upon the recent talk I presented at IMC last month, to provide additional color on what Internet access is really like in Cuba, and what the community there is doing to create LANs and other alternatives to the official but expensive ETECSA service.

    The second talk looks again at technology in Pyongyang. Since 2014, there have been a number of talks about the totally closed off tech ecosystem there, but as it ramps up we continue to only get a few glimpses into what’s going on, and it’s getting only harder as the broader tensions ramp up. My goal is to propose a path for getting more rather than less transparency into the picture, because it is a really fascinating place.

    The talks should both be recorded, and might even be streamed. If you’re one of the (I hear it could be up to 16,000) participants, I hope to see you in Leipzig!

  • China in 2017

    I had the chance to visit China last week and tag along with the tail-end of a longer trip organized around various Makerspaces around the region. This is the first time in several years that I’ve spent a prolonged amount of time in the dense population areas of Beijing and Shanghai, and it was fascinating to watch the evolution that continues in this majority of Chinese life.

    The most noticeable change from my perspective is that Beijing and Shanghai are effectively almost cashless. The use of Alipay and WeChat Pay is ubiquitous, to the point that you feel that you are creating an imposition to shopkeepers by paying with cash. While funding your account on either of these services requires a Chinese bank account (which itself requires a mainland cellphone number), the process can be short-circuited by making an unofficial exchange with someone willing to send you a personal transfer within the systems. It remains easy enough to find people at hostels (as well as localbitcoins, I hear) who are willing to trade.

    The systems themselves are fascinating to use. Payment to a merchant will automatically cause you to follow the merchant’s account, typically leading to messages about member cards and discounts. These messages seemed to only be pushed directly in response to a purchase, and weren’t overly intrusive. It seems to be the realization of the business-to-consumer engagement systems Facebook and Google have been struggling and so far failing to build in the US. Smaller vendors often operate directly as individuals – you type in how much money the bill is, and send it as a direct transfer to an account specified by the waiter or merchant.

    This payment structure has resulted in a secondary industry of android-based devices dedicated to sales and scanning QR codes for these systems, as well as receipt printers that turn app orders into printed requests for food or similar.

    Apart from the payment evolution, it is really interesting to watch China modernize. Life there now is much more comfortable from a western perspective than it has been in the past, with both a larger presence of foreigners visible and more English available to help navigate. Some distinctive characteristics remain, including a self-interested approach to queuing and different expectations of personal space. Prices in Shanghai have reached parity with those in the west, although cheaper options remain if you look for them.

    In terms of Internet connectivity, I was surprised to find that connectivity remained quite similar to what I had experienced in the past. An SSH tunnel to a foreign server was sufficient to maintain email access while I was there, and disruptions I experienced seemed to be much more a function of over-loaded local networks than of more restrictions for international traffic. I talked with a couple different people who mentioned that Astrill continues to not be blocked, and seemed surprised that something so well known continues to operate without disruption.