Decentralization: Searching for the Soul of the IC

As many of you are aware, there has been a bit of soul-searching in the Dfinity community as of late, regarding moderation of content on the IC and the nature of decentralization.

To recap, a boundary node operator received a DMCA (US copyright) takedown notice from Nintendo after someone uploaded Super Mario 64. The Dfinity Foundation submitted a proposal to remove this canister, spurring a heated discussion with no clear consensus. Ultimately the canister owner removed it themselves and the proposal was rejected as it was no longer necessary.

In the wake of this we are left with many open questions on the future of the IC. I am going to attempt to lay out my understanding of this issue and a path forward within the ethos of decentralization.

Why Decentralize

Allow me to elucidate the “why” of decentralization to make our goals clear. Decentralization can refer to various properties of a system. In crypto, one could say it refers to how many independent nodes there are, or independent developers, or the lack of a loci of control. It is the latter that I think is most important. When there is no single person or group of people that control the destiny of a network, what emerges is a new form of agreement, a digital legal system, that enables people to form contracts they can rely upon, without depending on any particular nation state. Because if there is a single person or group that controls the network, then ultimately a nation state could compel them to alter the state of the network. Bitcoin is so interesting because it is a currency that does not have any dependency on a nation state. It transcends borders and enables people to conduct business, so long as the digital law is enforced. Where nation states use the negative incentives of fines and jail to enforce law, Bitcoin uses crypto-economic positive incentives to encourage honest nodes/miners to enforce the protocol law. The design space of crypto-economics has only begun to be explored, but already we have seen much innovation there, and we will continue to see more powerful mechanisms emerge.

The whole point of decentralization is to create the conditions in which people can form contractual agreements without relying on any particular nation state. These agreements, expressed in code as so-called smart contracts, form the backbone of crypto. Decentralized applications (dApps) are what we call these smart contract systems that facilitate agreements. Currencies, exchanges, lending markets, and even social media, are all constructed of agreements between parties. When you use Uniswap to exchange USDC to ETH, you are forming an agreement with the liquidity providers to do the swap at a certain rate. When you make a post on Distrikt, you are forming an agreement to store and broadcast your content.

Crypto Law

In traditional law, you can form contractual agreements with people because (generally) a nation state will enforce it in court. Its not perfect. It sometimes requires lengthy and expensive legal battles to enforce an agreement, and can be corrupted by politics, but it has worked pretty well to enable the huge economies of today. In crypto law, you can form contractual agreements because the crypto-economics of the network provides assurances the code (agreement) will be executed properly. Its not perfect. There can be hacks and bugs. But it offers orders of magnitude more efficiency of execution and cross-jurisdiction transactions. With the lower cost, it also brings this efficient legal system to the 3rd world, many of whom don’t have access to good court systems or lawyers.

Performance vs Decentralization

The way that most blockchains achieve crypto-economic guarantees of decentralization involves limiting the computation and data storage of smart contracts, such that in a worst case scenario the network can stay running on consumer-grade hardware, which makes it very difficult for any nation state to stamp out. This provides users with the assurance there is no reliance on a nation state. But many types of dApps require far more computing power and data storage than consumer hardware can provide. This is where the IC comes in.

What the IC brings to the table is highly performant smart contracts that open the door to new types of dApps. Decentralized social media is one such dApp that would be impossible anywhere else, due to cost. On Ethereum it would cost hundreds of millions of dollars per GB of data. On Solana, a respectably fast blockchain, it still costs hundreds of thousands per GB.

However, this performance comes at a cost- namely, decentralization, or the ability of a nation state to disrupt the network. As IC nodes run in data centers, a nation state can simply compel the data centers to evict the IC nodes. In a worst case scenario, all nodes in a country could be feasibly shut down by decree, as users cant stand up new nodes at home. IC nodes would of course remain running in other countries, but with a limited amount of boundary nodes, it would be easier to prevent access with IP address blocking, and bandwidth would be degraded. New boundary nodes would be stood up, but it may not happen fast enough before the new IPs are blocked. There are also VPNs, Tor etc that can get around firewalls, but this cat-and-mouse game is an order of magnitude more difficult for nation states if users can run nodes at home.

One counter to this threat model is of course to utilize more nodes per subnet, spanning different jurisdictions. How many is enough? 7? 30? 1000? The more nodes, the costlier and less performant the network is, so that decision is probably best left to the individual dApps.

Is the tradeoff worth it?

At the end of the day, the IC has a bigger risk of disruption by a nation state than less performant blockchains like Ethereum. While some purists would scoff at this very idea, I don’t think that makes the IC useless. I believe there is a market for high performance dApps, and if the IC is the best we can do at this time, the market will come to the IC.

For example, I believe there is a huge global interest in a decentralized version of YouTube, that gives users and content creators ownership of the platform. If you are a decentralization purist, would you rather no one bother to create a decentralized YouTube? Because if not on the IC, it won’t happen on any other chain. On the contrary, at this very moment I’m sure there are multiple teams working on this, and there is currently no better platform to build it on that offers any amount of decentralization than the IC. Decentralized YouTube will happen. The question is, do we want to be a part of it or let perfection be the enemy of progress?

Now say we get our “dTube.” People start uploading stolen videos from content creators and make way more money than the creators themselves. Worse, child pornography ends up on there. The vast majority of the IC community is against both those things. But how do we reconcile this in the spirit of decentralization?

The Problem of Content

I have seen arguments that Ethereum and Bitcoin don’t have this problem with content. That’s correct, they don’t, because no one has tried to host content due to the exorbitant cost to do so. If one could upload data on those chains for cheap, they would be going through the same soul searching as the IC. The crux of the issue is the target on node operators’ backs. If Super Mario 64 was on the Bitcoin chain, Nintendo could take a Bitcoin node operator to court. Whether they win or not has yet to be determined, but there have been alarming rulings in similar cases where a “service provider” who had no idea their server was being used in a certain way got taken to court and lost. With the DMCA, the law states “service providers” must make “reasonable” attempts to stop serving the content. For a blockchain, this could mean turning off your node. The laws on child pornography with respect to internet service providers are less tested in court AFAIK but given the public outrage associated with it, I expect courts to be brutal to nodes unintentionally hosting it.

So the IC is the first decentralized network to face this content moderation problem head on. We are breaking ground here and how we handle it is crucial to the future of the IC and crypto as a whole. Decisions have to be made on what legal risk to expose node operators to, and ultimately in what countries we want IC nodes to be able to run.

Morals vs Survival

Law enables us to form agreements, but in some sense it is an expression of the morals of a nation. While law is never perfectly aligned with morals, it is influenced by them. Traditional law won’t let you form agreements to assassinate someone, because that is counter to that society’s morals. Ideally, we want laws to follow commonly agreed morals as well as it can. When it comes to digital law on the IC, we can look to the morals of the IC community as a guide.

On the other hand, we all want the IC to survive, and minimize the chances of nodes being outlawed. So we must weigh survival and morality in the establishment of any content policy. When it came to Super Mario 64, I got the sense that the morals of the community was fine with it existing, but the survival instinct to protect nodes in the US/EU/JP was what swung people against it.

Let it burn?

Should we care about nodes in certain countries, or should we just let the strongest survive? While copyright disputes may only be a problem in some countries, I can assure you hosting child porn is illegal practically everywhere. And if the point of the IC is high performance dApps, we should enable dApps to be hosted on nodes in every country possible, to optimize bandwidth and network latency for users. This may mean dApps have to choose subnets based on content policy versus geographical locations of nodes, but letting the market decide that tradeoff is better than that decision being made by the NNS.

Plausible Deniability

Some discussion around engineering in plausible deniability for node operators has been going on. Sorry to say, I don’t think this resolves the issue. Even if data is encrypted on disk and node shuffling occurs, it is still possible for a node to know what publicly accessible data they are hosting by looking at network traffic. And whichever machine ends up sending the illegal data to clients will be on the hook in the eyes of the courts. For the IC, this means boundary nodes take all the heat. Even if we could somehow design perfect plausible deniability, that wouldn’t stop countries from simply banning all IC nodes in their borders, severely degrading the bandwidth and latency of IC dApps.

Decentralized Censorship

Some have argued that any censorship capability in a blockchain destroys its decentralization. As I stated earlier, I believe what matters with “decentralization” is the ability to facilitate agreements independent of any nation state, and the difficulty for any nation state to disrupt that ability.

For the sake of argument, imagine an Ethereum-like blockchain which had the sole purpose to host haikus. In lieu of an automated haiku filter, users perform a token vote on transactions that don’t include haikus to remove them from the chain. Is this network still decentralized, despite the censorship? I would say yes.

When it comes to the IC, I believe we could apply a limited amount of censorship in accordance with community morals and/or node survival without sacrificing its soul of decentralization. I do agree however, that if not done extremely carefully, censorship power will be ceded to nation states, which defeats the purpose of decentralization. Consider if the NNS voting power was majority owned by US citizens, and the US gov cracked down hard on ICP holders to compel them to vote in certain ways. Effectively the independence from nation states would be lost.

Scaling Moderation

Then there is the practical implementation of content policy. Too strict of rules can jam up the pipeline and fracture the community. Too many NNS votes will cause voter apathy. It is becoming clear that simply using the NNS remove canister proposal as enforcement is not going to scale.

Nation states today don’t vote on every enforcement of law. If every case of theft went to a democratic vote, no one would ever be convicted, because the system can’t scale to that many proposals per day. They use court systems.

Crypto Court

There is already an implementation of a court system on the Ethereum blockchain that has arbitrated over 1000 cases, Kleros. Because it is built on crypto law, it uses crypto-economics to provide assurance a case will be ruled on according to human-written agreements. The key piece is an incentive structure that enables anonymous jurors to come to a consensus despite the possibility of bribes. I will not go into details here but I encourage you to check out their white paper.

One way the IC could scale content moderation is to use a system like Kleros. First, the NNS would ratify a content policy, preferably on a per-subnet basis so there is diversity of moderation and lets node operators choose their legal risk. Then if someone believes a canister violates the policy, they open a dispute. The case makes it way through the court, potentially through multiple appeals. If the verdict is in favor of a violation, only then does the canister get removed.

To prevent frivolous cases, a deposit must be put down to open a case, which is forfeited if the case is lost. However, to incentivize participation, a bounty should be paid to successful cases. This can be thought of as crowdsourcing content disputes.

The IC could start using this system as a signaling mechanism with little to no code changes as a trial run before deeper integration. IE, if a dispute is successful on Kleros, that signals ICP holders to vote in favor of removing the canister. Eventually, the remove canister power can be entirely ceded to an on-chain court.

Market-based solution

There has also been discussion of a market-based solution that creates a market for node operators and canister deployers. In such a system, to deploy a canister you must go through an auction where node providers give a price to run your canister, presumably scaled based on legal risk and location. After some thought, I do not see this as a workable path for the IC, at least in the medium term. The main problem is that it turns the IC into a whitelisted network, as opposed to an open network like it is today. It creates a tedious process for both node operators and developers. It is too similar to other products like Akasha Network. It makes it more difficult for developers to estimate costs. I am open to ideas here but the sweeping changes needed for this as far as I can tell are going to be too much for this community to approve.

Next Steps

Clearly there is still a lot of work to be done in figuring out the direction to go. But something has to be done. As it stands, the IC is a hammer looking for a nail until it can provide clarity to node operators and app devs on what content is acceptable and how this process unfolds. Burying our heads in the sand will only lead to uncertainty and more trouble down the line. We have to anticipate these problems before they happen and design around them. I have proposed a path towards a solution in the spirit of crypto-economics that I believe provides a framework for the IC to establish itself as the premier high performance blockchain, as other blockchains at similar levels of performance will eventually face the same problem.

After further community discussion on this issue, we should put forward NNS proposals to determine the direction to go, similar to the R&D proposals. Whether it’s crypto-court, market-based, remain as-is, or disable canister removal ability, ultimately the NNS should decide. For those who vehemently disagree with whatever direction we go in, fortunately we live in the land of open source where you can fork the IC and run it your own way. May the best chain win.

wasn’t it a node provider, not a boundary node provider?

oh and very interesting summary, thanks for the writeup

Great write-up, thanks!

This is but the first drop of rain. This kind of issue will really become apparent as the storm gathers pace, as I’m sure it will.

Fascinated to see how the NNS copes, and also to see how it evolves as a result.

Great, summary and I’m in agreement with most points you make…

Bottomline I think people need to understand that there is a delicate line to balance between protecting creator’s IP and taking down canisters without due process.

Is it time for a mini-charter? minimum set of rules, then delegate

I mentioned this in the boundary thread proposal (and also referenced Kleros), but I think it needs to go one stage further. I don’t think it’s about creating a single set of governance rules that everyone must adhere to, I think it’s creating a framework on top of IC that provides the ability to create sets of governance rules and enabling nodes to subscribe to them, as well as rules to be administered on behalf of subscribers.

I would naturally start with a “common” default rule set that most node operators would be likely to want to adhere to, but I think node operators need to opt in to the rule sets they need/want (whether that be nodes in particular geographies or any other use case), and that should include opting in to none at all (but taking on 100% liability as a result).

IC protocols stay agnostic of it all, and are decentralised as the OP says. Tools that enable real community governance (and compliance with external jurisdictions where needed) over a single global rule set IMO.

Much of this debate hinges around the notion of censorship. It is important to underline that censorship-resistance is a question of degree. A sufficiently motivated state can censor anyone if they want to badly enough. It sometimes appears from the discussion in the other threads that this is not understood.

Given that it is a question of degree it is also worth discussing why it is seen to be valuable. For me, “censorship resistant” doesn’t mean a free-for-all, it simply means that something cannot be arbitrarily censored without due process. That is, there needs to be a reliable procedure in place to ensure just decisions are made. Many struggle with the censorship of Julian Assange and various people being removed from Twitter because we believe those decisions are made arbitrarily, without due process, by powerful state and non-state actors such as CEOs like Jack Dorsey.

Far fewer of us are concerned (though some still are) about what we consider just censorship, including respecting laws on pornography and IP. This is what the Nintendo case was centred on and it was seen by many as a no-brainer because everyone knows Nintendo holds the IP on that game.

My view then is this: if it is the case that censorship will occur one way or another, perhaps by states simply removing nodes or coercing node providers, does it not make sense to get ahead of this by creating a mechanism by which users can be assured of justice if censorship is to take place.

The answer, as @talkingant and @codi0 argue, is a transparent and just dispute resolution layer such as Kleros. This would not simply be useful for resolving disputes over questionable content, but also for resolving all kinds of disputes that will arise on Dapps and in DAOs. It is a justice layer that the IC needs one way or the other. Sadly, Kleros is currently unusable because of the gas fees, but on the IC I believe it would be as core to the proper functioning of the web3 as our justice systems are to our real nation-states.

Out of interest, because I’m not that familiar with the full IC ecosystem yet, has there been a community-initiated project that contributed to key infrastructure on top of the protocols?

A justice system/framework seems like a good candidate for that kind of thing to me. Lots of room for community debate on how it should work and be implemented, maybe backed by a DAO to fund it (or even competing prototype implementations), and a step towards community-led governance.

What if the content policy conflicts with the law of some nation-state? For example, let’s say the community votes to allow DMCA violations like the Super Mario 64 game here. Then, we’re back to the square one.

I guess the assumption is that we as a community need to ratify a content policy that prohibits most illegal content, especially the egregious ones like child porn. I’m not sure if we’d come to a consensus about Super Mario 64 though.

It may be the case the community decides not to honor US copyright law. It would mean there would be only a handful of countries where nodes could be hosted.

But I think we should provide both options and let the market decide. Want fast connections for US/EU users? Then you deploy in the DMCA-Takedown-compliant subnets, which are moderated by the on-chain court. Want less censorship risk, at the cost of more limited bandwidth/latency? Then you deploy to the non-DMCA subnets, mostly hosted in The Netherlands, Singapore, etc.

One way to think of the on-chain court system is like moderation-as-a-service for node providers, so they can focus on just running the nodes.

Here are some ways the IC can continue thriving even in the face of intimidation from litigious Fat Cats:

(1) Badlands network or even something running directly on end user devices would be much more difficult to control than a few dozen large node providers.

(2) An Anonymity/Mixnet/Onion Routing layer that nodes and canisters can opt-in to. This would make it much more difficult for litigious actors to discover who is serving up a piece of content.

(3) Option for homorphic/encrypted computation and storage on nodes. This makes for near perfect plausible deniability and makes it exceedingly difficult for copyright fat cats to prove anything.

(4) Allow anybody to run their own boundary nodes locally on devices, similarly to IPFS nodes. Then they can directly access anything on the IC without depending on public boundary nodes which can be attacked. There is no reason why this can’t be done now.

These would probably be sufficient to continue hosting content like Super Mario 64 without the IC suffering, however there are no doubt other ideas I haven’t thought of.

As for content and activity the IC community deems obsene, harmful, destructive, or otherwise intolerable, have a hierarchy of governance and moderation:

(1) At the top level of the entire IC, the community (through the NNS) decides what rules all dapps must follow and how to incentivize dapps and hold them accountable. The IC wide moderators don’t specify how each dapp should comply with the rules, only what the rules are.
Example: The IC community decides that child porn, drug sales, doxxing, etc. are not allowed and dapps violating these terms are removed. Violations can be reported at (SOME DAPP), and will be reviewed.

(2) Individual dapps or subnets would figure out (through SNSs) how to ensure they comply to IC wide rules and show IC wide moderators they are complying to the best of their ability.
Example: An ecommerce dapp uses a filter to prevent sales of drugs. IC wide moderators can view and test the code for this filter and see how well it’s performing and how often it fails to catch drug sales.

I think it’s a good point. dapps can choose whatever they agree on (SNS) beyond the basic set of rules the IC has.

Are canisters always stored as whole units on a single node? What happens if a file is fragmented amongst many nodes in different territories?

Not to get too philosophical, but with sufficient fragmentation the question becomes not “Where is the data stored?” but rather, “Where is the organizing principle located?”

And that question could have many possible answers.

Yes, canisters are fully replicated on every replica that’s part of the subnet the canister lives on.

this is useful information

The promise of Web 3.0 was autonomy, anonymity, and automation. The deeper we study this tech the more it seems to be snake oil, pipe dream, or both. This just ain’t going to work, we fear.

When you say “this tech”, are you talking about blockchain or ICP specifically?

I don’t think it’s snake oil but the concept of “Blockchain Singularity” is a pipe dream in my opinion. The IC also seems to be in a weird position, in order to achieve the “singularity” Dfinity had to compromise a lot on decentralization for scalability’s sake, which means we might end up with something that’s not scalable/economically viable enough to cause an axodus from legacy cloud provider and at the same time not decentralized enough to benefit from the perks of Web 3.

Of all the protocols we have investigated, ICP is the most promising, actually fell in love with it. “This tech” is blockchain and dapp/smart contracts in general. Without the 3 As it is much less interesting. Not that we want to sell heroin or porn of any kind, but if we can’t be anonymous then there really isn’t much point in jumping through the hoops. People want to be as anonymous as they are at a flea market. We have a right to Digital Anonymity.

But, like Eric Schmidt famously said (paraphrase) “if you aren’t doing anything wrong you have nothing to worry about.” And, by the way, why did you buy that pack of cigarettes at bigCo last week? We have notified healthcare.gov. Your rate will need to go up.

I think you hit the nail on the head here
The IC doesn’t have a niche (at least not yet) while all great businesses and products usually start off with carving out a niche and executing on it ruthlessly.