Boundary Nodes as Censors

I’m thinking that in the future, if the IC becomes decentralized and millions of people adopt it, voting power will be so granular that it would be absurdly difficult to agree on things that aren’t obviously for the good of all parties, such as technical upgrades. So it would be technically possible but practically unlikely, which is virtually the same principle at play in BTC… it’s technically possible to exclude legitimate transactions from the ledger but practically unlikely.


I can confidently say that yes it is quite easy to deal with. We’ve been running an IPFS gateway for over 2 years that does 600TB of data transfer a month, and we’ve actually never received a DMCA.

DMCA arising from ordinary course of business or DMCA being filtered by apps might be manageable. Another vulnerability would be bad actors spamming network with DMCA content directly from canisters. In this situation how would a Boundary node be able to handle thousands of canisters with DMCA content constantly popping up?

Great initiative Harrison and Jordan - sounds like a pragmatic solution in the short term!
If the authorities target the gateway rather than the network we should be fine 90% of the time.

My question is about the other 10%. I believe the foundation KYC’s node operators, so ultimately if a company, say Nintendo, wanted some information taken down, could they not ask the foundation for the information relating to a node provider who is hosting the canister?

I feel like without the ability to run nodes anonymously, there will always be the threat of censorship. Whereas FileCoin is highly decentralised and it would be virtually impossible to stop the network from hosting content, not sure this is the case with small groups of nodes that form a consensus on a subnet.


Someone could do that on IPFS too. Hasn’t happened yet. And the DMCA would come with canister ID’s presumably in that scenario so would be easy to just blacklist those from the gateway. Plus it would be costly for an attacker to do that. So I just don’t see it as a high probability problem that’s worth factoring in


Given what you are talking about is messaging/culture/stance, I think the next step here would be for someone at Dfinity to opine on your proposal.


Yes I definitely agree that there should be a part 2 to this solution that involves node shuffling and other technical measures to take liability off node operators completely


I think this is a good compromise that will allow us to address an urgent need. I don’t believe this fully addresses the issues that some have raised regarding the potential pitfalls of on-chain governance but we need to move forward and improve as we go along. I see no reason why we need to address everything as one monolithic problem.


In 2016, Google reported receiving 2 million DMCA notices per day. If the IC is to scale to a global platform, whatever content management method we use must also scale.

1 Like

Another approach could be to separate the data layer from the compute layer, and distributing the data across many laptop-grade nodes.

I love this idea. This is definitely the way. Thanks Harrison and Jordan for keeping the discussion going!


I don’t think that is a good idea and potentially it may do more harm than good. You can not create digital laws, digital law enforcement, digital judges, and jury.
Laws are spider webs through which the big flies pass and the little ones get caught . Honore de Balzac
Solutions must be practical, can be implemented everywhere. Perhaps to hold the person(s) accountable in the event of foul play and after all whoever uploads stolen materials or child photography should be held accountable! To do so perhaps prior to uploading documents the person should sign a document digitally that the person is 100% responsible and in compliance with…This can be NFT and hidden from everyone and can be requested from courts or something like that!

Thank you for this. Here are my thoughts - not a legal opinion.

If a boundary node is going to be a “dumb router” then boundary node ownership and node ownership would have to be mutually exclusive so that in the event a boundary node operator were to be served with a takedown request they could certify they (as a corporate entity) do not have the offending content. The boundary node is basically a router with bits flowing through it. Hopefully, the content coming to the boundary is encrypted and not with a persistent cache.

If boundary node ownership is mutually exclusive to node ownership, I do not see how implementing a filtering policy would solve the issue of liability for node operators. The boundary operator does not have control of content. Node operators are still housing the canister with the offending intellectual property which may still be served to other canisters. A lawyer would likely file a takedown request with the boundary node provider, the node provider and the data centre operator.

Enabling the boundary operator to filter content still does not allow the boundary node operator to certify that the content is no longer accessible (i.e. inter canister communication). In some situations blocking a site may be sufficient but not in all cases (an old video game vs a blockbuster movie).

As long as the infringing content can be identified as being on node, it will be ripe for litigation.

With respect to boundary node operator’s responsibilities, I find it difficult to imagine a Boundary node operator who would wants to sign up for the responsibility of arbitrating DMCA requests and making them legally accountable for the content that they allow to be served. Presently, they risk being sued as part of a DMCA action and want to avoid this. I cannot imagine a boundary node operator signing up to be sued by the community for failure to take appropriate action.

Even if a person were to sign a document, the node operator serving the content remains legally exposed. Also, the anonymous nature of the platform would make certifying data difficult.

My understanding is that the filtering policy isn’t supposed to make storage node operators not liable, it’s supposed to make boundary node operators autonomous in their response to DMCAs, that is they can decide to comply or to ignore and that’s their own choice. Note that the Nintendo takedown notice was sent to a boundary node operator (here), not to a storage node.
The idea is to then use to be discussed technical solutions (node shuffling, secure enclaves, etc…) to make other types of nodes not liable.


I want to give a meta-comment on my personal silence on this thread:

  1. I do read closely all of these threads, and I know many at foundation do as well. Many times these threads influence thinking. We are listening.

  2. I am personally silent because I do not feel appropriately confident in my own expertise or thinking yet, so I am letting my own opinions brew based on the healthy conversation here and on other threads.

  3. Because of my role on the foundation (and especially in the developer forum), I am careful about how many questions, off-the-cuff proposals, or suggestions I pose without sufficient confidence to back them up. I would hate for people to read my ignorance or uncertainly as the Foundation’s ignorance or uncertainty. In the past, even when I caveat when I am speaking as an individual neuron holder/voter, I have found my own words copy/pasted as the foundation’s stance. I know other DFINITY members take similar care.

  4. The DFINITY foundation has been actively trying to give the community more breathing room to digest, debate, and express themselves. That is why I sometimes let threads get momentum before even jumping in.

Why did I write those 4 points? Because I want to signal that my silence does not mean I, Diego, am unengaged. I am as interested as all of you.

“Whereof one cannot speak thereof one must be silent”

  • that old dog Ludwig :wink:

Overall I like this Idea! Great job Harrison and Jordan! It does seem to be a good first start. Then maybe something like Node shuffling, as Jordan has discussed previously, can be added later to add plausible deniability correct? In my limited understanding, I am curious if it would be possible to have that same effect for the discussed boundary nodes? Something to reduce risk for all parties involved.

This is an excellent proposal which, in combination with node shuffling, should provide substantial censorship resistance while avoiding dangers inherent in having an active censor at core protocol level. In responding to these proposals, it is wise not to make the best the enemy of the good. There are no perfect solutions to these issues because, while there is unanimity on the need to weed out certain content, nobody has discovered a way to do so without also threatening legitimate content that might offend certain groups or be illegal in particular jurisdictions, just like nobody has found a way to kill all cancer cells without also damaging a few healthy ones. The point is to target as best we can, so that as much legitimate information as possible can flourish censorship-free on the Internet Computer blockchain.


Thank you, @harrison for proposing this solution.

IMO, the IC Community is exceptionally fortunate to have people with this level of practical experience who are also prepared to share those experiences. Again, thank you.

Thank you, @lastmjs from signposting the community to the proposal.

@diegop, thank you for describing your position in the post earlier; another great example of the honest responsibility you give to the fine line between Foundation, Community and Development.

@alexa.smith It appears Dfinity and the IC do not need to re-invent the wheel. If this requires a vote, let’s do it. If not, what is required for practical implementation?


This is the only path forward. The same thing happens in Bitcoin. There’s a US mining pool that won’t mine OFAC blacklisted addresses. Many other miners do but it’s the choice of the miners not the protocol which is neutral.


How does HTTP solve that problem? It doesn’t. Let app devs, browser devs, node providers, governments, police forces and any other number of people that almost unilaterally detest that content tackle that issue. Our job is to deliver a globally trusted Web 3.0 platform not to be the world’s police.