Boundary Nodes as Censors

I proposed something very similar in your previous thread @lastmjs, I think this is a promising approach. This would really help with “canister x is legal in country A but not country B” type of cases.

And I think the NNS should still have the power to remove canisters, which could be used for cases where the entire IC community agrees that it should be removed.


Hey man. If you still support the NNS being able to censor, how do you envisage the network will deal with this situation?


I like the reasoning behind it (separating the boundary nodes out because they are not part of consensus)
Issues I see:
There would have to be way more boundary nodes, otherwise it becomes too easy to mess with.
There should have to be some help from the wider community (Dfinity/ICA) if boundary nodes have to be on the forefront of legal defense, they’ll think twice about the hassle signing up/staying.
This seems to work for general censorship (legal in country A, illegal in country B) but might be difficult for things like IP, where essentially all countries where boundary nodes are (rn) would agree end they’ll all have to block it anyway.

Still the NNS should retain the power to remove canisters, imo. What about people stealing content within the IC, might be early now but might come up in the future.

1 Like

Not clear on what is being achieved here by the boundary node proposal.
a - the content gets taken down
b - is the access blocked from a particular a geography.

I think there is a misconception that ALL requests from a geography absolutely must be routed via a particular boundary node. It’s definitely not the case. it is trivial and possible to route US traffic via a European boundary node. This routinely happens when boundary nodes are being updated/offline.

I am pretty sure it is not that easy to circumvent DCMA by “fixing” DNS records. DNS fudging might put domain at risk !

1 Like

Well one proposal should be able to remove any amount of canisters, so uploaded 1000 times does not necessarily mean 1000 different proposals.

That being said, it’s a bit of an odd question: the problem you’re sketching is a difficult case whether the NNS can remove canisters or not, so it’s not very related. How would you propose to solve that problem?

I don’t have a solution and I don’t think there is one that doesn’t involve centralisation and capture TBH.

If you have a rule that you can still censor at protocol level - even with a really high bar - it will result in an amount of decision-making for the NNS that would be completely impractical to execute without extremely short vote times and extremely low participation or devolution to an authority accountable to the NNS. Both those paths lead to centralisation.

1 Like

@faraz I think you may have missed this part

For example, DFINITY may continue running the small number of boundary nodes that they currently run at . But we may also see other boundary nodes at , , or any other domain name. Those running the boundary nodes will need to interface with the centralized world to provide their services. If DFINITY doesn’t do a good job, then other interested parties may spin up boundary nodes. We may see multiple boundary node operators competing to offer the best gateways into the network.

So there are different boundary nodes with different domains that can make personal choices about what content they want to serve, which may also help them comply with the law applicable to that boundary node, and prevent take downs.


If boundary nodes operators have the power to decide what’s blacklisted and what not, couldn’t this end up opening a new can of worms? Considering the path of least resistance would be: if in doubt, blacklist.
They would become something like gate-keepers, right?
IMHO this works only if we try getting boundary nodes up in a big scale and geographically spread out enough to stand a chance.


Hi everyone,

I will give you another perspective from the point of view of tokens and NFTs which is really important to this discussion.

The only reason that ETH or ICPunks have value is that we are certain that it cannot be stolen or switched offline. If there is a possibility that any people by voting can switch of canister then it means that any assets on the IC are NOT SAFE and should not be TRUSTED as a value storage.

Any solution that enables people to store value (DEFI, NFTs, Lending and such) cannot really operate in an environment that poses a risk of “loosing” all stored funds. Even if they are not lost and just “offline” it still means they are no better than any centralized solution and people that stored their assets have no longer access to them (welcome to CEX world).

The proposal to separate the boundary nodes and protocol itself makes a lot of sense, as we know in the future IC should exist independently from the DFINITY foundation, furthermore most of the voting power should also be distributed among network participants. If the option to switch canisters off remains we risk creating “centralized blockchain” that tries to mask itself as the decentralized. Any party that is able to get more than 50% votes can (and will if possible) switch off canisters arbitrarily, for any “valid” reason. It would be similar to amazon switching off competition just because it can.


Agreed, native BTC and ETH integration will make this issue even worse.

But can’t 51% of validators “censor” in any other blockchain aswell?

1 Like

They can censor transactions, or make a hardfork. However the value still remains.

Yes this is absolutely spot on.

but does the value really remain? if the whole network updates, and you don’t? like the “value” of ETC compared to ETH ?

I disagree pretty strongly. On ETH, the miners can do whatever they want. If they agree that something should be rolled back or be removed or so, they can do that. An example is the ETH-ETC hardfork, where they just chose to change the rules.

In the internet computer, the community holds this power, via the NNS. I think that’s better than just the miners having this power. And if the community does not want to remove canisters, then they can just vote “no” on all removal proposals, and nothing will ever be removed from the internet computer.

Giving boundary nodes additionally the option to maintain a blocklist does not mean that people “lose funds”. It just means that this specific boundary does not serve certain things, but you can try a different boundary node.


We have a great example in Bitcoin and Bitcoin Classic and Bitcoin Cash. As the whole blockchain is available for everyone when fork happens all the data remains. Of course given time forks lost its value in comparison to original Bitcoin. However they had a possibility to choose to separate from main network and create their own, which retains all data previous to the fork (like in Futurama with blackjack and hookers ;)). On IC we have no option to do so.

but this data is simply a transaction ledger, right?

Don’t get me wrong I’m all for Badlands, everyone running nodes in their basement, private subnets, node shuffling aso.
Just thinking of ways to deal with this at infant stage, and I think we are all worrying how dealing with this will set a precedent for how to deal with issues in the future.

Really important discussion to have, imho.


How does it not mean 1000 different proposals?
Either you always need a proposal to remove a canister or canisters can be removed without NNS deliberation. We are assuming that people reupload the same content after a proposal has been approved to remove that content, it’s supposed to illustrate the futility of content moderation at the protocol level as opposed to the application level, where arbitrariness is allowed.

1 Like

Yes, it is just transaction ledger