Plausible deniability for node operators

I propose discussing and then implementing a number of measures that combined would help endow node operators with some form of plausible deniability.

What I mean here by plausible deniability is that node operators, to the furthest extent possible, will not be held responsible for the canisters that they host. This would hopefully simplify legal liability and compliance burdens of node operators, moving responsibility for removing or modifying offensive canisters to the canister author, the NNS, or enforcement outside of the protocol.

In the recent Super Mario 64 incident, apparently a DMCA takedown notice was served by Nintendo to a node operator. This is unfortunate, as the node operator was placed in an undesirable legal position, and the node operator could only practically comply by removing their node from the network. Also note that this would not have addressed Nintendo’s actual concern, which was the preservation of their IP. Removal of the canister would require consensus amongst a majority of the node operators in the subnet either through an NNS vote or through direct node operator manipulation of the state of their nodes.

I propose that plausible deniability might be practically achieved in the short-term through the following mechanisms:

  1. Node shuffling as discussed here
  2. Secure enclaves/trusted execution environments as discussed here

More difficult mechanisms may be as follows:

  1. Multi-party computation
  2. Homomorphic encryption
  3. Decentralized boundary nodes
  4. Shielded IP addresses (NAT, the IC could be a giant intranet shielded by boundary nodes, IP address of canister never leaked)

There may be more mechanisms, which should be discussed in this thread.

Basically the node operators should know as little as possible about the canisters they run and vice versa. We should also know as little as possible about subnet membership.

Not only should the implementation of plausible deniability help with legal concerns, but the security of canisters on the network should be greatly increased as well. We want to avoid node operator collusion and targeted attacks on node operators hosting specific canisters.


I’m curious how Nintendo even knew which node provider to send the DMCA takedown to? Did they look that up on


Many good points which you raised in the summer if I recall. If the data centre or node operator hosting the canister can be determined, an order to compel takedown could still be served and have to be executed by the node provider.


That’s a good question. From the canister id you can get the subnet, and from the subnet and that dashboard you can get the node operators.

1 Like
1 Like

OK I guess you can see it here:

Maybe we could just hide that? lol

Not sure why that’s public to begin with.

1 Like

It’s important to consider the possibility that by obscuring what content node providers are hosting (e.g. via node shuffling or encryption), regulators are more likely to implement blanket bans on ICP hosting within their jurisdictions.

Most regulators aren’t going to accept the “globally democratic” will of the NNS; they will want to enforce local laws. Therefore, perhaps a better approach is for the NNS to curate country-specific blacklists for canisters (establishing the precise mechanism requires further discussion). Node providers can choose to “subscribe” to the blacklist for their own country, but this wouldn’t censor content globally, because the NNS would just deploy a replica in another country where the content isn’t illegal. Content would only be unavailable if it were illegal in all jurisdictions on Earth. A global ban wouldn’t be a bad thing: it would probably only occur for material like child abuse. And of course, the NNS can always take action itself instead of waiting for regulators.

So in summary:

  • Regulators will demand authority over content hosted within their jurisdictions. This is unavoidable, and ICP should have a strategy for letting node providers opt-in to complying with local laws, to avoid persecution. Obscuring the content hosted by node providers is not a good idea, since regulators will likely respond by enacting blanket bans on ICP.
  • People seeking content that is banned in their jurisdiction can use a VPN, as always.
  • The NNS has a “higher-level”, jurisdiction-independent authority. This can be used to enact the will of ICP holders, as long as there are node providers somewhere on Earth who can legally comply with that will.

Why doesn’t this apply to Ethereum? It has to do none of these things.

There’s definitely ways. Like I mean TOR manages it.

This discussion doesn’t apply to Ethereum because Mario 64, which is 54 MB, would cost $18,900,000 to host on Ethereum, and so Ethereum doesn’t suffer from these kinds of IP violations. The IC is encountering new challenges because it has capabilities that no other blockchain has.


Sorry the size of a file and the costs of Ethereum have nothing to do with this point. Why do governments accept Ethereum’s global consensus mechanism and not enforce KYC on every account?

I literally just gave an important reason. Governments haven’t needed to take action on IP infringement on Ethereum, because Ethereum is incapable of storing IP. It can only store miniscule amounts of data (a few numbers), which is not enough to encode IP like images, video, or game files.


It can transfer 100s of millions in value to a terrorist organisation. That’s a much bigger deal than a wee copyright infringement. Yet somehow, the forces you suggest that will come for The IC, haven’t come for it. Why?

1 Like

Governments all over the world are discussing crypto regulations as we speak. The fact that governments haven’t taken stronger action as of today has nothing to do with the design of Ethereum; governments can easily make hosting Ethereum nodes and holding ETH illegal at a moment’s notice. They’ve simply chosen not to, because they’ve not had a strong enough reason. Intellectual property violation en-masse is a reason to ban a protocol. ICP is at risk of that, and Ethereum is not, for the reason I mentioned in my last post. The issue is purely the difference in capability between the protocols, not the difference in governance.


ICP’s current form of governance does present regulatory (and censorship) risks, but governance is not the root cause of this IP issue that has arisen.

It might, but that’s a problem way down the road.

All we want to do here is prevent companies (not regulators) from sending DMCA takedowns.

If it gets to the point that governments are getting involved, I’d say we did a really great job in protecting node providers, and we can cross that bridge when we get there

1 Like

Sure, I suppose we could rely on governments being exceedingly slow to respond, and focus on a short-term fix. But we need to avoid ICP from developing a reputation for hosting illegal content. We need to protect the network’s public image. Otherwise, politicians (who are narrow-sighted) will just see it as a platform for crime. An honest attempt at tackling IP violations will help ICP appear legitimate in the eyes of lawmakers.


I couldn’t disagree more. It’s everything to do with Ethereum’s governance-minimised design. Since there’s no locus of control, governments have pursued their policy goals above the protocol level.

There’s no reason that if The IC minimised governance a similar outcome wouldn’t occur.


That’s literally what politicians said about Bitcoin for years. Like it had no usage other than drugs for about 3 years. Chuck Schumer proposed it be banned in 2012. You’re acting like the whole blockchain industry hasn’t existed up until now.


Perhaps a good counter-argument against my original proposal is that we don’t want to give governments too many levers that they can pull to assert control over the ICP network. If we allow governments to make “official” blacklists, then they are far more likely to come up with excuses to ban things.

But ICP must offer some mechanism to uphold laws, including country-specific ones. If it doesn’t, I can predict with 100% certainty it will be banned in many jurisdictions.

Bringing things back to this thread’s topic: my main point is that obscuring what content node providers are hosting is not a sufficient solution to IP infringement in the long term. As long as this community accepts that, I’m happy.