Security Considerations

Adversarial thinking or “red team” assessment has been an essential component in the process of building Open Index Protocol (OIP). This overview summarizes the questions, solutions & security considerations that have been analyzed. Can’t find an answer to your question or concern? Email it to ae@alexandria.io

2018

Assumptions

  • A sufficiently diverse marketplace will include rational actors acting in their own best interest who understand it will benefit them to use standards & obey the law
  • A proof-of-work blockchain-based shared data layer is the most efficient technology available to protect information freedom and resist entropy of information access
  • Incentive structures influence outcomes. A trust-minimized, permissionless system with a sustainable market-based incentive structure fosters cooperation, competition, and iteration; continuously improving product-market-fit
  • At present, some human governance is necessary. Open Index Protocol Working Group is a potential central point of failure, vulnerable to social attack. This risk is minimized with a transparent governance structure, weighing feedback from all system participants: Publishers, Platforms, Influencers and miners

Legal Compliance

Filtering lists are used to address issues of law (see definitions in OIP Specification, “Platforms”). Code is indifferent to legal considerations. As demonstrated by p2p distribution, illegal use cannot be restricted at the protocol layer and code cannot be responsible for the content it distributes. OIP benefits from clear differentiation between the protocol and application layers because legal compliance is required at the application layer, where it can be effectively enforced. Rather than failed negative deterrents like Digital Rights Management, compliance with content rights is positively incentivized; OIP offers pirate sites strong financial incentive toward compliance.

DMCA & Piracy

As required for the index to be trustworthy and transparent, OIP does not filter content during the publishing process. Instead, the content index is filtered by Platforms when their front ends display content to users and by payment processors when payment is sent from user to Publisher. Platforms and payment processors must enforce filters established by the OIPWG. Payment addresses for Platforms and payment processors who do not comply will be blacklisted.

Piracy of professional / entertainment industry content

What happens if a registered Publisher attempts to publish content it does not have rights for?

  1. Platforms and payment processors are generally expected to follow their applicable local laws. In jurisdictions where Digital Millennium Copyright Act (DMCA) and other content protection laws exist, pirated content is filtered out by Platforms and payment processors. IMDB, MusicBrainz and other open industry databases will be used to determine if a Publisher holds the rights to the content, resulting in a filter between the entire Florincoin blockchain and the content supported by Platforms and payment processors.
  2. When professional entertainment industry content in databases like IMDB, MusicBrainz, etc. is published by an anonymous Publisher, Platforms will be encouraged to provide a “request Publisher verification” process. Using this process, they send a request to the rights holder found in these public databases asking them to verify their Publisher account. Platforms will already be using various protocol and application layer services to optimize the meta-data associated with artifacts to make content easier for their audiences to find, so it does not add significant time, work or code to find contact information for the rights holders in public databases. The “request Publisher verification” process will encourage rights-holders who are not yet aware of OIP to learn about its benefits because of demonstrated audience demand.
  3. To receive revenue through OIP, Platforms and payment processors must comply with the OIP specification, including the requirement that they abide by the laws of their local jurisdiction and provide an easy method for users to report DMCA violations. Thus, it is in the best interest of Platforms and payment processors to proactively filter content that is likely to be pirated. If a Platform displays/sells pirated versions of content that is published to OIP, it will be added to the distribution violations blacklist maintained by the OIPWG. By using entertainment industry databases and comparing them with Publisher data, content that is likely to be pirated is identified. Registering a Publisher name is optional, but without doing so, a Publisher will show up as “anonymous” to the OIP Daemon API. To improve their piracy filters, Platforms can filter out content listed in industry databases unless it has a Verified Publisher.

What happens if a pirate registers an unclaimed Publisher Name to falsely appear as a rights holder of the content the pirate wants to publish/distribute/sell?

  1. As described above, if Platforms or payment processors are not compliant, they are added to a blacklist and will not receive the Platform cut of any transactions processed by compliant payment processors. To ensure compliance and continued revenues, these businesses may choose to include additional filters such as Verified Publisher (see OIP Standards, section A, “Publishers”). Some pirates may seek out unregistered names of high profile content rights holders and attempt to register these names to appear as a rights holder of the pirated content they want to distribute. However, unless the name is verified on a supported social media platform, the Publisher account is considered unverified. To mitigate blacklist risk, Platforms and payment processors can choose to not display content that is listed in professional databases like IMDB and MusicBrainz unless it has a Verified Publisher.
  • What happens if a piracy site does not honor Publisher terms of use and distributes content for free or a reduced price? (Example: Popcorn Time, shaolinfriedrice.com)
  1. Although piracy sites are driven by multiple overlapping motivations, many profess idealism about information freedom and access to content as their core purpose. By using OIP to make content available to anyone, content rights holders remove this reason for piracy; OIP is fully decentralized, meaning it cannot be censored through central points of failure, which results in global freedom of information and access to content. It will become culturally understood that pirates distributing content that is available in OIP are intentionally circumventing the rights holder, making both pirate and potential audience unable to justify the theft as an issue of information freedom/access.
  2. According to researchers, on aggregate audiences prefer to legally access and pay for content if it meets two fundamental criteria: 1) easy to access and 2) affordably priced. To solve the access issue OIP is fully decentralized and the transport protocols are interoperable; this means it can be used by any front end service including social media. A shared data layer increases efficiency and decreases infrastructure costs. The efficiency increase is so remarkable it is possible to significantly reduce the price for the audience, and also significantly increase revenue for the rights holders.
  3. Borg the pirates, resistance is futile with OIP’s assimilation incentive. Piracy sites receive an enormous amount of user traffic, but have very limited revenue opportunity. Piracy sites incur costs for server fees and development and typically attempt to capture revenue with click-ads, pop-ups and spyware. However, most end users protect themselves by using ad blockers, VPNs and malware detectors which prevent the piracy sites from capturing this potential advertising revenue. Therefore, pirates need to reach larger and larger daily user rates to cover their costs, which in turn makes it easier for law-enforcement to disrupt their operations; even if law enforcement is unable to block DNS addresses of piracy sites, they can conduct server farm raids and spend years in court. The OIP assimilation incentive encourages piracy sites to migrate from being entirely black-hat distribution platforms to grey or even white-hat platforms by offering them an automatic cut of any revenues they generate distributing content published with OIP according to the rights holder’s terms of use. The carrot/stick incentive structure entices them to begin reaping revenues from their traffic via legitimate content distribution and terminates this revenue if they continue to offer a pirated version of the same content; by ignoring pirated content that is not published to OIP, the assimilation incentive converts these sites and their users incrementally.
Example: If Taylor Swift publishes "reputation" using OIP at a price of $1.29 per track or $13.99 for the album and a 15% Platform cut, The Pirate Bay can remove the pirated version from its search index and instead link users to the OIP version. If a user buys one track for $1.29, The Pirate Bay will receive $0.19. To increase their earning potential, piracy sites can identify demand for popular content with their own analytics and replace the popular content with OIP versions. If the piracy site continues to offer the pirated copy of the content in addition to the OIP copy, the OIPWG will add them to a blacklist, and the piracy site revenues are terminated.

User-generated / New Media Content

Since an open database of rights holders for user-generated content does not yet exist, content creators are encouraged to use OIP to claim the rights to their content with the blockchain, an open database for all content rights holders to define their unique distribution terms. If user-generated content ownership is questioned, the OIPWG will act as an arbiter.

  • What happens if a pirate publishes user generated content it does not have rights for?
  1. Platforms are encouraged to provide easy methods to report claims of pirated content. Piracy claims will be verified by OIPWG which will review evidence of ownership (example: verification of the content creator’s ownership of a YouTube, Instagram, etc account from which the content was pirated). If the piracy claim is valid, the pirated Artifact-ID will be added to a blacklist and if the legitimate rights holder publishes the content to OIP, they will then control the distribution terms and revenue.

Child Pornography & other Universally Abhorrent Content

The OIPWG is in favor of freedom of information and open access to content with one exception - it prohibits profiting from illegal or universally abhorrent content such as child pornography, snuff pornography and hunting/torturing/murdering humans for sport.

What happens with abhorrent content like child pornography?

Algorithms and agencies like Net Nanny will be used to identify Publishers, Platforms and payment processors who do not comply with this standard, and these payment addresses will be blacklisted. Censorship via blacklist must be judicious & transparent so that OIPWG is trustworthy. In many countries storing and viewing this kind of universally abhorrent content is illegal; the OIPWG will work with authorities to conduct this process in a safe and legal manner.

Market Vulnerabilities

Trust-minimized processes establish a free and transparent marketplace where the incentives of Publishers, Autominers and optional middlemen (Platforms & Influencers) are aligned. Designed as an antifragile interdependent system, the OIPWG governs formulae that align these incentives. (See definitions in OIP specification, section E, “autominers”)

The commercial value of content published with OIP is connected to the mining incentive. For commercial content to be validly published, a protocol-calculated amount must be paid as a tx fee at the time of publishing. The OIP standard defines a formula to determine this amount with two variables: 1) the retail price of the content being published and 2) the current mean average retail price of all commercial content in the index.

Although there are no requirements regarding how the Publisher obtains the tokens to pay this fee, to increase ease of use, the OIP specification defines a set of optional automated processes (Historian, Tradebot, Autominer, Autotrader). These processes increase ease of access to tokens for Publishers and ease of maintaining a consistent profit margin for Miners and traders.

Miners who use these automated processes are required to contribute to the transparent, cooperative and decentralized work of recording market conditions. When a participating pool wins a block, they include the OIP specified historian data in the transaction message space of the block reward. (see more in OIP Specification historian section). The Historian data is then used by the automated processes Autominer & Autotrader.

The specifications that govern these automated processes create an equal opportunity marketplace that benefits from both cooperation and competition and a system that grows stronger through chaotic expression of individual self interest as Miners compete to maximize their margin.

Normal market conditions create a bell curve of margins captured by miners, with outliers (zero or extremely high margin) caused by market stressor events.

Blockreward Emission Schedule

Current estimates project that all Florincoin block rewards will be released by 2027; at that time tx-fees will drive the security incentive.

What happens to the incentive structure when all new Florincoin block rewards have been released and the miner incentive is driven by tx-fees only?

OIP's incentive structure is an interdependent ecosystem. The publish fee, sent as a tx-fee, is calculated by OIP, not the Florincoin consensus rules, and will supplement the block rewards over time. The publish fee for free content is limited to the cost of entering the index data into the blockchain, whereas the publish fee for commercial content corresponds with its retail price. The retail value of commercial content drives the security incentive; a significant tx-fee incentive will be present as long as there is commercial publishing activity. Driven by publishing demand, the Florincoin token supply will be constantly recycled through pools as tx-fees. It's likely that over time some tokens will be destroyed, reducing the overall supply of tokens and causing an increase in token value, especially if OIP user demand grows while overall token supply declines.

Token value volatility

[Figures: Offer Price vs Conditions, Segments 1, 2 and 3]

A wide variety of issues can trigger a rapid change in mining and trading markets, especially during rapid growth. Regardless of the reason for a market stressor, the results of a stressor distill to two fundamental issues: 1) incentive alignment (market price of token) and 2) index security (hash rate). The OIP specification defines formulae to address each of these issues; they are designed to incentivize enough cooperation to keep the ecosystem in balance while allowing plenty of room for thriving free market competition.

What happens if there is a dramatic change in the market price of the token?

The offer price allowed by the automated process will be affected by dramatic change in the market price of the token. If the market price decreases significantly, and the cost of mining does not decrease proportionately, the margin allowed by the automated trading process may fall, possibly to zero. If the market price increases significantly, the automated process offer price will allow a higher margin, likely the full target margin set by the pool.

To encourage the offer price for tokens in the automated process to align with the market price of the token, the following formula is used to determine the Offer Price per Florincoin token, in US Dollars:

[math]O = \mathcal{f} \times ( 1 + ( \frac {\mathcal{g}}{100} \times \Omega _\mathcal{W} \times \Omega _\mathcal{M} ) ) \div \mathcal{U} \times \mathcal{X} [/math]

where:

  • [math]\mathcal{f}[/math] is the rental cost (in BTC) to rent enough hashes per second of sCrypt mining to mine 1 Florincoin token,
  • [math]\mathcal{g} [/math] is the given Autominer pool's target margin,
  • [math]\Omega _\mathcal{W}[/math] is the "pool weight" margin multiplier,
  • [math]\Omega _\mathcal{M}[/math] is the "market conditions" margin multiplier,
  • [math]\mathcal{U}[/math] is the weighted exchange value of 1 Florincoin token, in US Dollars, and
  • [math]\mathcal{X}[/math] is the weighted exchange value of 1 Florincoin token, in Bitcoins.

This formula is influenced primarily by two conditions-based multipliers, "pool weight" and "market conditions", both controlled by OIPWG-governed thresholds. As a result, autominers can earn their full target margin under normal conditions, but if their pool's weight on the network rises above the given threshold (currently 30%), the resulting margin will reduce toward zero. Likewise, if the cost to mine tokens gets out of alignment with the current market price for tokens (currently the threshold is 1.25x the market price), their Offer Price margin will start reducing toward zero.

What happens if the market price is higher than the automated process offer price?

The incentive structure for this formula relies on its alignment with the market price. Certain market stressors will result in market prices for the token being higher than those offered by the automated process. When this happens there are three potential outcomes: 1) miners leave tokens inside the autominer automated process; 2) move tokens to the open market; 3) a second automated process is used to connect Publishers to traders in the event that all tokens are moved and no tokens are available in the automated process between Publishers and Miners.

Some miners will value ease, consistency and automation more than the risk and management necessary to capture the maximum possible margin by manually trading their tokens. This group will likely choose to leave a portion or all of their mined tokens inside the automated process that connects miners to Publishers. Some miners will value capturing the maximum margin possible more than the ease and consistency of the automated process. This group is likely to move a portion or all of their mined tokens out of the automated process and onto the open market. Once tokens have been moved from the automated process onto the open market, they are no longer eligible for use in the automated process.

Conditions for an Antifragile Market

Assuming diversity of miner behavior, it is likely some tokens will remain in the automated process and some will move to the open market. The tokens moved to the open market reduce the number of potential trades in the automated process, resulting in the first group of miners closing their trades sooner. The incentive for the first group is a steady and reliable margin without actively monitoring markets; the incentive for the second group is the opportunity to get a better market price and capture more revenue. The competition between miners to maximize their individual gain functions as a kind of positive stress that benefits the whole market.

The automated process connecting miners and Publishers is first come, first served, using historian messages in the blockchain to identify the chronological order of open trades based on when they were mined. If all miners remove their tokens from the automated process, or whenever there are not enough tokens available in the autominer process to fulfill a Publisher request, a secondary automated process called autotrader is used to connect Publishers to traders.

Each tradebot node will have preferences for the length of time it waits for autominer before switching to autotrader. Once initiated, autotrader will offer a trade at the current spot price. If there is no response to a request to trade at spot, then a new request is made at some percent above spot. Autotrader will repeat this process until it finds a percent above spot that is accepted. The autominer & autotrader automated processes make access to publishing tokens as frictionless as possible for both the Publisher and the Platform.

Automated arbitrage

Assuming diversity of trader behavior, it is likely some traders will be willing to sell at the average spot price. If there is enough volume and volatility between the exchanges it is likely at least one exchange is trading below the market average spot price. If the trader is able to leverage the difference immediately, they extract an arbitrage gain for facilitating liquidity. However, if the market is narrow (all exchanges trading at prices too close to each other), it is possible that no traders will accept the spot price and a percent above spot will be necessary. Various front ends will handle the additional percent charge differently; they may absorb the added fee as a cost of doing business, pass it on to the Publisher as an expedience fee, or perhaps offer the option to avoid the additional percentage charge by waiting for their content to be published at some later time when an autotrader user is willing to trade at spot.

  • What happens if the token price is sabotaged by token holder(s) dumping significant volume onto the trading market? (Price crash/lower 51% attack resistance)

This type of attack is impossible to completely ward off, but also an expensive/difficult attack to maintain long term. If a Florincoin whale (or group of them) dumped tokens onto the market at a sufficiently high volume, the market price could fall enough to weaken the incentive to mine, and thus lower resistance to a 51% or long-range attack.

The suppressed market price and mining level would pull the automated process margin down; unable to receive their target margin, many autominers would likely stop new rentals. With fewer autominers competing over a lower hash rate, some autominers may capture their target margin, but if the price is suppressed enough it's possible autominers would be unable to capture any margin above their overhead costs.

However, no matter how low the market price of the token falls, retail service providers and content rights holders will have incentive to protect the index. The automated mining margin is not the primary motivation for these businesses; instead they depend on the accuracy of the Open Index. This group will work together to protect the index by participating in Collaborative Defense mode. No matter how low the token price falls, they will not lose money because they will trade their tokens at their actual cost.

Between the demonstrated resilience of the system against the attack, the artificially suppressed (and thus more accessible) price of tokens and any newfound awareness of the project from the Streisand Effect, eventually the market value will revive and the attacker will lose the ability to continue suppressing the price.

Malicious Acts

The incentive structure of OIP is designed to encourage compliance by offering positive rewards, and deter noncompliance by eliminating potential rewards and enforcing blacklists. OIP is fully decentralized, uses interoperable transport layers, and information in the index blockchain is human readable; this combination offers the highest level of transparency possible. Sunshine is the best disinfectant.

The OIP specification requires registration of Publishers, Platforms, Influencers and Autominers; this registration information is the Open Index. Reputation is transparently available because these users are required to register. Application layer services using OIP can use this information in their reputation management services, optionally combining this transparently available information for both user identity & transaction history to optimize their offering.

The index blockchain average block time is 40 seconds. When a mining pool using the automated mining margin process wins a block, the OIP standard requires the pool log specific information into the blockchain, called historian data (defined in OIP Standards, section Miners, historian). Selection for data input is determined by the index blockchain’s proof of work security; the winner of the block inputs the historian data.

A 24 hour moving average of the historian data is used to calculate the protocol offer price and to verify the correct publish fee was paid. The time delay between mining the block reward/inputting historian data and the token sale to the Publisher increases the opportunity to identify network attacks. If the network is attacked, historian data input during the attack is excluded from the moving average calculation.

Proof-of-work governed historian data input combined with the rapid 40 second block time results in diverse and abundant market information that can be averaged to assess the accuracy of the historian data.

What happens if there is a 51% attack?

Stick: The processes that automate mining margins include a formula designed to deter mining pools from attempting to control too much of the network by reducing or eliminating the automated mining margin if the pool controls too much of the network. It includes two variables: the first variable initiates the margin reduction, and the second variable is the number at which the margin reaches zero. The margin deceleration increases as the pool hash rate approaches the second variable. Currently these variables are set at 30% and 45%; they are governed by OIPWG.

Furthermore, if a pool wins 10 blocks in a row, it is defined as a malicious attack, and the associated tokens are not eligible for trade within the automated system.

Carrot: The process that automates mining margins also includes a mechanism designed to incentivize miners to participate in defensive mining in the event of a 51% attack. The Collaborative Defense operation ensures miners do not lose money even if the cost to mine during the attack is greater than the current market value of the token. The tokens won during collaborative defense are automatically sold to Publishers at a price that covers the miner’s actual cost, no matter how far it is from the market price.

Platforms, artists, labels, studios and other content rights holders who have published content with OIP or depend on it for their business revenue have a vested stake in the security of the Open Index; assuming diversity of behavior, some of these players will see it as in their best interest to participate in collaborative defense mining, especially because it will not affect their profits.

The automated system works to ensure that the token value is aligned with the hash rate; and that these are aligned with the value of the data contained in the shared data layer. If a miner is motivated only by the desire to overwhelm the network or acquire tokens and is not participating in the automated system, the cost to mine can be driven up by the Collaborative Defense of the miners using the automated system to increase the network hash rate and make the attack more expensive.
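The two deterrents described above (margin reduction between the 30% and 45% pool-weight thresholds, and the 10-blocks-in-a-row rule) can be checked over a window of block winners. The following is an added example, not code from the OIP project; the quadratic reduction curve, the pool names, the block window and treating every block of a flagged run as ineligible are assumptions, since the page gives only the two thresholds and says the reduction accelerates toward the second.

```python
from collections import Counter

# Thresholds stated on the page (governed by OIPWG).
REDUCE_AT = 0.30   # pool weight at which margin reduction starts
ZERO_AT = 0.45     # pool weight at which the margin reaches zero
MAX_STREAK = 10    # 10 blocks in a row is defined as a malicious attack


def pool_weights(winners):
    """Share of blocks won by each pool over the observed window."""
    total = len(winners)
    return {pool: n / total for pool, n in Counter(winners).items()}


def pool_weight_multiplier(weight):
    """Pool-weight margin multiplier: 1.0 up to REDUCE_AT, 0.0 from ZERO_AT.

    ASSUMPTION: 1 - t**2 is one curve whose reduction accelerates toward
    ZERO_AT, as the page describes; it is not the OIP-specified formula.
    """
    if weight <= REDUCE_AT:
        return 1.0
    if weight >= ZERO_AT:
        return 0.0
    t = (weight - REDUCE_AT) / (ZERO_AT - REDUCE_AT)
    return 1.0 - t * t


def streak_violations(winners, limit=MAX_STREAK):
    """Return (pool, first_index, last_index) for each run of >= limit wins."""
    runs = []
    start = 0
    for i in range(1, len(winners) + 1):
        # A run ends at the end of the window or when the winner changes.
        if i == len(winners) or winners[i] != winners[start]:
            if i - start >= limit:
                runs.append((winners[start], start, i - 1))
            start = i
    return runs


def assess(winners, target_margin_pct, market_multiplier=1.0):
    """Per-pool effective margin (g * pool weight * market conditions
    multipliers) and the number of blocks whose tokens are excluded from
    automated trading because they belong to a flagged run."""
    ineligible = Counter()
    for pool, first, last in streak_violations(winners):
        ineligible[pool] += last - first + 1
    report = {}
    for pool, weight in pool_weights(winners).items():
        omega_w = pool_weight_multiplier(weight)
        report[pool] = {
            "weight": round(weight, 3),
            "omega_w": round(omega_w, 3),
            "effective_margin_pct": round(
                target_margin_pct * omega_w * market_multiplier, 2),
            "ineligible_blocks": ineligible[pool],
        }
    return report


# Constructed sample: 100 consecutive block winners (hypothetical pool names).
SAMPLE_WINNERS = (
    ["pool_a", "pool_b", "pool_c", "pool_d"] * 10      # even competition
    + ["pool_b"] * 12                                  # 12 wins in a row
    + ["pool_a", "pool_c", "pool_a", "pool_d"] * 12    # pool_a reaches 34%
)

if __name__ == "__main__":
    for pool, row in sorted(assess(SAMPLE_WINNERS, 20.0).items()):
        print(pool, row)
```

In the sample, pool_a keeps most of a 20% target margin at a 34% weight, while pool_b stays under the weight threshold but has 12 blocks excluded by the run rule, which shows that the two checks catch different behavior.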

What happens if a mining pool attempts to manipulate historian data?

Overall, OIP's incentive structure is slanted toward compliance because mining pool participants with correct data and trade execution will make more money.

Historian data (defined in OIP Standards, section Miners, historian) is used in the automated mining/trade process to determine the offer price at which the tokens will be sold. To increase the alignment of the protocol offer price with current market conditions, historian data is calculated as a moving average of historian data points from the previous 24 hour time period.

Selection for historian data input is random; it is determined by the Florincoin blockchain’s proof of work security. To input historian data, a mining pool must win the block. Because of the 51% attack deterrents described above, each mining pool is limited to providing less than 45% of the historian data in any given period of time. Additionally, OIPWG will monitor historian data and flag any data points with a spread of more than 10% and investigate accuracy of outlier data points. The time between when the tokens are mined and sold is enough for OIPWG to monitor and react to issues.

Pool miners do not receive any financial benefit if a pool falsifies historian data. If the manipulated historian data falsifies the information such that the protocol offer price is calculated lower than it should be, the pool miners make less money than they would if the data was correct. If the manipulated historian data falsifies the information such that the protocol offer price is calculated higher than it should be, any artifacts with publish fees calculated on incorrect information will not resolve in the Open Index. This externalizes the issue to the Platform.

Miners using the automated mining/trade process sell their tokens to Platforms. If miners input incorrect historian data and the fraudulent data is identified, it will be omitted from all future protocol calculations. Any publish fees that were paid based on the fraudulent data will not resolve the artifact, creating customer service issues for the Platform used by the Publisher. Because historian data is used to determine the validity of publish fees, it’s likely that Platforms will prefer to work with mining pools with excellent reputations, because correct historian data and trade execution reduces the Platform’s customer service burden.

Furthermore, if a mining pool is consistently inputting incorrect historian data, the pool is added to an OIPWG blacklist. If blacklisted, the pool’s tokens are not eligible for trade within the automated system, and the incorrect historian data points are omitted when calculating the automated system offer price and validating publish fees.

There is insufficient incentive for mining pools to input incorrect historian data. If pools attempt to game historian data to increase the offer price and get more money than they should, the manipulated data would be quickly noticed & blacklisted; this manipulation would not result in increased money to the miners. If mining pools attempt to game historian data to incite fear or sabotage the protocol because the falsified data is decreasing the offer price and miners are not recouping their costs, they would also be blacklisted and falsified historian data points would be omitted from protocol calculations.
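The historian safeguards described above (a 24 hour moving average, exclusion of data input during an attack, flagging of data points with a spread of more than 10%, and omission of blacklisted pools) are sketched below as an added example that is not part of the OIP code base. The tuple layout, the unit of the reported value, the pool names and the reading of "spread" as deviation from the window median are assumptions.

```python
from statistics import mean, median

WINDOW_SECONDS = 24 * 60 * 60   # 24 hour moving average (from the page)
MAX_SPREAD = 0.10               # flag points with a spread of more than 10%


def usable_points(points, now, blacklist=(), attack_windows=()):
    """Points from the last 24 hours, minus blacklisted pools and any
    point input during a period identified as a network attack."""
    kept = []
    for ts, pool, value in points:
        if not (now - WINDOW_SECONDS < ts <= now):
            continue
        if pool in blacklist:
            continue
        if any(start <= ts <= end for start, end in attack_windows):
            continue
        kept.append((ts, pool, value))
    return kept


def flag_outliers(points, max_spread=MAX_SPREAD):
    """Points deviating from the window median by more than max_spread.

    ASSUMPTION: the page does not define how the spread is measured;
    relative deviation from the median is used here because the median
    is not dragged toward the manipulated values themselves.
    """
    if not points:
        return []
    mid = median(v for _, _, v in points)
    return [p for p in points if abs(p[2] - mid) / mid > max_spread]


def historian_average(points, now, blacklist=(), attack_windows=()):
    """Return (moving average, points flagged for investigation)."""
    kept = usable_points(points, now, blacklist, attack_windows)
    if not kept:
        return None, []
    return mean(v for _, _, v in kept), flag_outliers(kept)


# Constructed sample: (unix time, pool, reported value in hypothetical units).
NOW = 1_000_000
ATTACK = (NOW - 12_000, NOW - 8_000)   # period identified as an attack
SAMPLE_POINTS = [
    (NOW - 90_000, "pool_a", 500),   # older than 24 hours
    (NOW - 80_000, "pool_a", 500),
    (NOW - 70_000, "pool_b", 510),
    (NOW - 60_000, "pool_c", 490),
    (NOW - 50_000, "pool_x", 700),   # inflated value
    (NOW - 40_000, "pool_a", 520),
    (NOW - 30_000, "pool_x", 720),   # inflated value
    (NOW - 20_000, "pool_b", 500),
    (NOW - 10_000, "pool_c", 200),   # input during the attack period
    (NOW - 5_000, "pool_c", 480),
]

if __name__ == "__main__":
    avg, flagged = historian_average(SAMPLE_POINTS, NOW,
                                     attack_windows=[ATTACK])
    print("average before blacklisting:", avg, "flagged:", flagged)
    avg, flagged = historian_average(SAMPLE_POINTS, NOW,
                                     blacklist={"pool_x"},
                                     attack_windows=[ATTACK])
    print("average after blacklisting pool_x:", avg, "flagged:", flagged)
```

Two inflated points out of eight move the constructed average from 500 to 552.5 until the pool is blacklisted, which is why the delay between mining and sale matters for review.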

What happens if miners or traders fail to complete trades and steal tokens? (Theft of flo for btc trades)

Service providers like Platforms, miners & traders who use the automated system must register in the Open Index. Service provider registration is a necessary component of the system being transparent; the trustworthiness of service provider reputations can be automatically tracked, which allows trades to happen with increased speed and decreased error and fraud.

Similar to the way mining rental services rate the reliability of hardware providers and allow end users to evaluate their reputation when choosing rentals, various tradebot deployments will rate the reliability and trust of autominer pools & autotrader nodes based on what percent of their past trades were correctly completed. Those who fail to complete a trade and steal tokens will fail to continue receiving trade requests. Positive reputation history increases trust.

Namespace

From concert tickets and domain names to blockchain tokens and namespace, any free market faces the problem of second market speculators if product demand outpaces a limited supply. The risk taken by early speculators to acquire the limited supply can be seen as a necessary step in the process of a product that increases in value.

What happens with name squatting?

In a free market with limited namespace, squatting is essentially unavoidable and expected market behavior. Early speculators choose to assume more risk because of the possibility of increased reward; their activity serves to grow the overall marketplace.

On the other hand, unintentional squatting, or “burned” names, may eventually be addressed. This process will be formalized by the OIPWG in the future; the following example illustrates the idea.

Example: A desired name is not in active use and believed to be squatted. Evidence of squatting is collected from the OIPWG’s Platform reports to demonstrate that the name has not been resolved to find any content, nor has any content published by it received any comments. In order to be considered "in use", a name must receive at least 1 interaction with a non-sock-puppet user per year to mitigate the risk of squatters idly publishing throw-away content to falsify use. Usage requirements like these are easy for a normal content creator to meet, but increase the chances of recovering forgotten or burned names.

Censorship Threats

Permissionless publishing, full global state replication of index data, transparency of all publish attempts including fails, and human readable index data ensure Open Index is transparent and resists censorship. The index can be permissionlessly audited to evaluate if content is missing and if so, the reason it is absent. Additionally, automated systems for mining and trading protect the blockchain from attack or alteration (detailed in market vulnerabilities above).

Transparent Open Jungle

Convenience and existing user behavior patterns will lead most early OIP Publishers and end users to access content via a centralized web-host. All aspects of the OIP specification are decentralized: the index layer, the file storage/transport layer, and the payments layer. The convenient web-hosts mirror the information protected in the decentralized components of OIP.

What happens with a DDoS, DNS, or other centralized service attack?

Any individual artifact in the Open Index can be reached by one of two means: directly via decentralized networks, or via a hosted service on the World Wide Web. Retail services with web-clients must use a standard URI format - hostname/playername/artifact or hostname/playername/publisher/artifact.

If an attacker attempts to block the distribution of an artifact by targeting a web-client with a DDoS attack on their server or a DNS-based attack on their domain name, 3rd party payment processors (browsers, browser extensions, OS-level background applications) will look up a fail-over host which is not currently under attack to serve the content.

In the event of a coordinated denial-of-service attack on the websites of all registered Platforms, users will have the option to enable fully-decentralized mode, which will sync the blockchain using the p2p consensus system. Although these users will incur the bandwidth and storage costs associated with syncing these networks, they will ultimately defeat any effort to fully censor an artifact from being distributed.

Attempted censorship like this can have a ricochet effect, whereby the size of the effort to censor information is proportional to the counter-effort to spread it (the Streisand Effect).
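The fail-over lookup and the fall-back to fully-decentralized mode described above can be sketched as follows. This is an added example, not code from the OIP project; the host names, the `is_reachable` probe, and the assumption that the same path is valid on every registered Platform are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed registry of Platform hosts (placeholder names, not real Platforms).
REGISTERED_PLATFORMS = ["platform-a.example", "platform-b.example", "platform-c.example"]


def parse_artifact_uri(uri):
    """Split hostname/playername[/publisher]/artifact into its parts."""
    parts = urlsplit(uri if "://" in uri else "https://" + uri)
    segments = [s for s in parts.path.split("/") if s]
    if not parts.hostname or len(segments) not in (2, 3):
        raise ValueError(f"not a standard artifact URI: {uri!r}")
    publisher = segments[1] if len(segments) == 3 else None
    return {"host": parts.hostname, "player": segments[0],
            "publisher": publisher, "artifact": segments[-1]}


def resolve_with_failover(uri, platforms, is_reachable):
    """Return ("web", url) for the first reachable host, else ("p2p", artifact).

    `is_reachable` is a caller-supplied health probe (hypothetical here).
    Assumes the path after the hostname is valid on every registered Platform.
    """
    ref = parse_artifact_uri(uri)
    path = "/".join(p for p in (ref["player"], ref["publisher"], ref["artifact"]) if p)
    # Requested host first, then only hosts from the registered list, so a
    # fail-over can never redirect the user to an unregistered server.
    candidates = [ref["host"]] + [h for h in platforms if h != ref["host"]]
    for host in candidates:
        if is_reachable(host):
            return ("web", f"https://{host}/{path}")
    # Every hosted front end is down: signal fully-decentralized mode.
    return ("p2p", ref["artifact"])
```

Restricting fail-over candidates to the registered list matters for integrity as well as availability: an attacker who takes one host down should not be able to steer the client to a server of their choosing.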

What happens if the OIP Working Group attempts censorship by abusing blacklist filters?

Transparency is the antidote to censorship and is the reason OIP uses a blockchain which has 1) proof-of-work security, 2) full global state replication and 3) zero filtering as content is published to the blockchain, including incorrect/failed publish attempts; this combination permits anyone to audit the index and identify if content is missing from hosted front ends. If the OIPWG uses its power over blacklist filters as a means of censorship, the market will likely respond to this violation of trust by reducing financial & community support. OIPWG’s transparent and distributed governance structure will mitigate this threat.

What happens if incumbent studios, labels or other rights holders resist?

Just as the early World Wide Web was called a passing fad and companies struggled to adopt it, resistance to OIP from incumbent walled-garden services is likely in the beginning. But the tide of technology cannot be stopped. As World Wide Web inventor Sir Tim Berners-Lee said, "You can make the walled garden very very sweet, but the jungle outside is always more appealing in the long term."

Furthermore, the incentives of OIP will positively drive user acquisition:

  • More money - Creators/rights holders gain new revenue channels and control of their terms of use and pricing. Platform overhead costs decrease and distribution performance increases. Social media influencers receive direct payments for sharing. Audiences pay less and get bespoke access.
  • Less piracy - Platforms cannot display pirated versions of media that is published to OIP by the creator/rights holder; this ‘registration’ in OIP reduces access to pirated versions of media. Piracy sites are financially incentivized to display/sell OIP content, monetizing their user base while continuing to provide open access.
  • More accurate - Public awareness that current services are insecure and opaque is increasing (Equifax, censorship); see https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do and http://www.zerohedge.com/news/2017-11-17/demise-dissent-why-web-becoming-homogenized. Culture will shift toward transparency as blockchain and decentralized technology offer more trustworthy solutions. OIP is a transparent ledger of media and decentralized distribution and payments, offering permissionless auditing of the system and increased accuracy of attribution and payments.

Collaborative Defense

Proof of work security diversifies network stakeholders, guarding against the kind of social attack vectors seen in federated systems and proof of stake security. OIP automated systems for mining and trading further increase the antifragility and scalability of this network.

What happens when an outside attacker attempts to change the contents of the Open Index, or interrupt the auto-miner, auto-trader or Publisher operations? (long-range PoW attack, 51% PoW denial-of-service attack)

The value of the content in the index is directly tied to the incentive to secure it. The business models of certain OIP stakeholders will incentivize their participation in Collaborative Defense (explained in detail in sections XX).

Furthermore, the OIPWG will release checkpoints for the blockchain on a periodic basis, limiting how far back in time any attacker could reasonably attempt to change blockchain contents.
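How a node can enforce published checkpoints when it is offered a competing chain is shown below. This is an added example, not code from the OIP project or its blockchain client; the toy chain, the checkpoint height, and the use of chain length as a stand-in for cumulative proof-of-work are assumptions.

```python
import hashlib


def extend(chain, payloads):
    """Return chain plus one block hash per payload; each hash commits to its parent."""
    out = list(chain)
    for payload in payloads:
        parent = out[-1] if out else "0" * 64
        out.append(hashlib.sha256((parent + payload).encode()).hexdigest())
    return out


def fork_height(active, candidate):
    """Height of the last block both chains share, or -1 if they share none."""
    shared = -1
    for height, (a, c) in enumerate(zip(active, candidate)):
        if a != c:
            break
        shared = height
    return shared


def accept_reorg(active, candidate, checkpoints):
    """Decide whether a node should switch from `active` to `candidate`.

    Chains are lists of block hashes indexed by height; `checkpoints` maps
    height -> expected hash. Chain length stands in for cumulative work.
    """
    for height, expected in checkpoints.items():
        if height < len(candidate) and candidate[height] != expected:
            return False, f"conflicts with checkpoint at height {height}"
    # A candidate too short to reach the checkpoint must still not fork below it.
    pinned = max((h for h in checkpoints if h < len(active)), default=-1)
    if fork_height(active, candidate) < pinned:
        return False, f"forks below checkpoint at height {pinned}"
    if len(candidate) <= len(active):
        return False, "not longer than the active chain"
    return True, "accepted"


# Constructed toy data: ten honest blocks, checkpoint published at height 5.
HONEST = extend([], [f"block-{i}" for i in range(10)])
CHECKPOINTS = {5: HONEST[5]}
# A long-range rewrite from height 2 versus a shallow reorg from height 7.
DEEP_REWRITE = extend(HONEST[:3], [f"evil-{i}" for i in range(12)])
SHALLOW_REORG = extend(HONEST[:8], [f"alt-{i}" for i in range(4)])
```

The deep rewrite is refused even though it is the longer chain, while the shallow reorg above the checkpoint is still accepted: checkpoints bound how far back history can be changed, they do not replace ongoing proof-of-work security for recent blocks.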