Censorship resistance is a problem for the IC, as the government of any country can take down a replica node by force if they host a canister that they do not like.
Has anyone considered a new I2P network for the IC? With all the replicas running on the I2P network instead of the Internet, it would be impossible to distinguish which replicas are hosting which canisters, and boundary nodes can act as bridges from the I2P network to the Internet
Acting as devil’s advocate here, it would also make it impossible to distinguish how many replicas are controlled by a single entity.
One of the core assumptions behind the IC protocol is deterministic decentralization, i.e. deterministically being able to select a comparatively small number of replicas with a wide set of controllers and widely distributed across geographies and jurisdictions. In the absence of that, one must fall back on anonymous decentralization and huge numbers of replicas in order to ensure all of the above.
Note that with either approach, it is merely highly unlikely for a single party (whether node operator or government) to control a majority of replicas. There always exists a non-zero probability that one party (or multiple colluding parties) may take control over a blockchain (whether through coercion or sheer financial power).
Not the primary concern, if the average government KNOWS that a certain node is hosting an illegal canister (lets say a casino), they may try to coerce the node to shutdown. If the government does not know about the contents of the canisters the node is running, they have no reason to crackdown on that particular node.
Despite a government only having influence on the nodes in that particular country, eventually, as nodes start getting shutdown in countries with stronger gambling laws, there will only be nodes in countries with free gambling. Now lets say countries with strong IP laws start cracking down on nodes, now theres only replicas in countries where gambling is legal, and IP laws are not respected. This is pretty much exclusively corrupt governments (not to mention even if they werent corrupt, lowering the number of countries where nodes exist to such a small subset is dangerous)
I doubt the community would just let this happen, which means pretty much any canister which is illegal in a few countries may end up getting voted out (see mario incident), this is obviously not ideal.
I dont think so, im not sure what the exact method the NNS uses currently to onboard nodes is, but im sure it could be retrofitted with ZK proofs to prove approval via NNS without revealing much more.
IE, lets say theres 100 nodes in the entirety of ICP, that have been approved by the NNS. The 101st validator gets approved by the NNS, via KYC or whatever they are verified to not be any of the previous 100, if theres a list of 100 public keys associated with every node, simply have the new node generate a new Keypair, and add the public key to the list. Now the node can generate a ZK proof to prove that they own a private key of one of the 101 public keys, without revealing which public key
A canister is just software. A node is a physical machine. You can move software to a different physical machine, there is no need to shutdown the node. All that’s needed is the node operator flagging that canister. Better yet, the node operator could set an attribute on their node preventing any gambling (or IP infringing, or porn, or any combination thereof) canisters from being deployed on their nodes. This would indeed limit deployment of e.g. gambling canisters to jurisdictions where gambling is legal (although I suspect gambling laws mostly constrain their citizens from gambling as opposed to servers under their jurisdiction running software owned by someone not under their jurisdiction offering gambling to people also not under their jurisdiction).
This works quite well if every node operator is limited to running a single node. But how does this prevent a node operator running tens (or in the future, hundreds) of nodes from running the majority of the 13 nodes making up a subnet?
It is also difficult (or very much impossible) to hide from a node what software is running on it. What’s to stop a government from ordering a node operator to list all the canisters running on their nodes?
Furthermore, this is the first time I hear of I2P, but I have a very strong suspicion that it adds significant latency to network communication. Unless network traffic goes through at least a few other nodes on its way from A to B, it’s going to be pretty easy to figure out who’s talking to who. Network latency is critical to the ICs speed. Doubling it would result in doubling the latency of the protocol.
Something like this might be useful for a handful of highly censorship resistant subnets (that would most likely end up hosting a lot of highly questionable content alongside a handful of useful applications), but (i) it would not be as simple as it may appear at first sight, (ii) possibly impose additional constraints on who can run how many nodes; and (iii) it would definitely provide subpar performance. Plus the honeypot aspect for unsavory apps.
How can a single node just decide this? Wont the whole subnet need to come to consensus on that? Even so, can a subnet just decide to kick out a canister like that? Dont you need a NNS vote for that?
(although I suspect gambling laws mostly constrain their citizens from gambling as opposed to servers under their jurisdiction running software owned by someone not under their jurisdiction offering gambling to people also not under their jurisdiction).
Gambling is just one of the potential things a government may want to censor, theres IP infringement, which I think most governments will try to stop regardless of whether or not its being served to its citizens, or maybe anti-propoganda like in Russia, or “blasphemous” information in religious authoritarian states (But apart from that, citizens of a certain place being stopped from interacting with canisters is something we should try to avoid anyway right? So ideally those citizens would be interacting with the canisters too, if they wanted to anyway)
This works quite well if every node operator is limited to running a single node. But how does this prevent a node operator running tens (or in the future, hundreds) of nodes from running the majority of the 13 nodes making up a subnet?
Again, im not entirely sure how the actual process works practically, but I dont see why you cant just have a Keypair for every node operator, or multiple keypairs for every node the operator is allowed to run
What’s to stop a government from ordering a node operator to list all the canisters running on their nodes?
Privacy laws, obviously wont stop an authoritarian government, but thats an upgrade from the current situation
Furthermore, this is the first time I hear of I2P, but I have a very strong suspicion that it adds significant latency to network communication. Unless network traffic goes through at least a few other nodes on its way from A to B, it’s going to be pretty easy to figure out who’s talking to who. Network latency is critical to the ICs speed. Doubling it would result in doubling the latency of the protocol.
Yes thats definitely true, latency and bandwidth will take a big hit, about 8x or so, which means video streaming will basically be impossible. So one of the nefarious activities you may be imagining will be unviable (but Im pretty sure if theres something particularly heinous the NNS would vote to remove it)
Something like this might be useful for a handful of highly censorship resistant subnets
Would be useful for the NNS, and also a DeFi subnet which I think the community has been asking for for a long time
The application would still work even the government manages to take down the replica or nodes as there would still be many nodes left in the subnet, at least enough to still reach consensus. No?
Reducing the number of countries where nodes can safely exist is bad for decentralisation. Further its highly likely that the community would rather vote out canisters VIA the NNS than have nodes be taken down, as proven by the nintendo incident (and that wasnt even from a government request, simple request from nintendo themselves)
If you look at something like Kubernetes you’ll likely find a mechanism along these lines: machines can be assigned arbitrary attributes (“AMD”/“Intel”, “US”/“EU”, “HDD storage”, whatever); jobs can also specify filters (e.g. require: "AMD", "EU", exclude: "HDD storage"); Kubernetes will then schedule your job accordingly, on a machine that respects your filters.
You could do something similar for the IC, with the only difference being that ALL replicas on the subnet would need to have the required properties (e.g. all allowing gambling, not in the EU, 30+ replicas). If no such subnet exists already, the NNS could (potentially for a bump in cost) put together a subnet with those properties for you. Only the respective canister (and others with similar requirements) would then have to deal with the resulting reduction in censorship resistance or whatever.
I seriously doubt that privacy laws apply to computers. Even if we’re talking a canister that is directly linked to someone’s identity, you can already query the IC directly about its existence. Asking a node operator to show whether the respective canister is running on their machines or not does not reveal any private information. They wouldn’t be asking for any of the data inside the canister, only for whether the canister is there or not. Similar to a court asking Amazon whether any Ethereum validators are running on AWS (assuming e.g. that Ethereum gets banned in the US).
As said, there is no need for a jurisdiction to ban IC nodes altogether, if there are ways of keeping certain content off of said nodes. E.g. if there are no canisters hosting pirated movies running on US nodes, there is no need for the US government to ban IC nodes (not on account of piracy, at least).
Such an approach might indeed severely limit the censorship and tamper resistance of a subnet that can host an IP infringing, anti-propaganda gambling canister, but maybe we should not be prioritizing for that content. It would also make an NNS takedown vote unnecessary in all but the most extreme cases (e.g. child porn): if a handful of nodes running on an island in the middle of the Pacific are happy to host your highly questionable canister in exchange for 10x the price, then so be it.