Security Considerations

From OIP Wiki
Revision as of 23:56, 19 November 2017 by Devon (talk | contribs) (Created page with "== Security Considerations == '''Adversarial thinking''' or “red team” assessment has been an essential component in the process of building Open Index Protocol. This over...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Security Considerations

Adversarial thinking or “red team” assessment has been an essential component in the process of building Open Index Protocol. This overview summarizes the questions, solutions & security considerations that have been analysed. Can’t find an answer to your question or concern? Email it to ae@alexandria.io

Assumptions

  • The marketplace will include rational actors who see it as in their best interest to use standards & obey the law.
  • A unified data layer is necessary to protect freedom of information and entropy resistant access to content
  • Entropy resistant?) and the most efficient technology available.
  • Incentive structures influence outcomes. A trust-minimized, permissionless standard with a market-based, sustainable incentive structure fosters cooperation, competition and iteration; continuously improving product market fit.
  • At present, some human governance is necessary. Although the Open Index Protocol Working Group is a potential social central point of failure, this risk is minimized by a distributed, transparent governance structure.

Legal Considerations

Protocol Compliance and filtering lists are used to address issues of law (see definitions in Open Index Protocol Standards, section C, “retailers”).

protocol/app layer differentiation

possibly add intro (parity with incentive structure) here that discusses the protocol/app layer differentiation & how the smarter approach to piracy is to incentivize compliance (not drm).

DMCA & piracy

As required for the index to be trustworthy and transparent, OIP does not filter content during the publishing process. However, the content index is filtered by retailers when their front ends display content to users and by payment processors when payment is sent from user to publisher. Retailers and payment processors must enforce protocol compliance filters established by the Open Index Protocol Working Group. Payment addresses for retailers and payment processors who do not comply with protocol compliance standards will be blacklisted.

Piracy of professional / entertainment industry content

  • What happens if a registered publisher attempts to publish content it does not have rights for?
  1. The protocol compliance standard requires retailers and payment processors follow their local laws. In jurisdictions where DMCA and other content protection laws exist, pirated content is therefore included in the protocol compliance standard. IMDB, MusicBrainz and other open databases will be used to determine if a publisher holds the rights to the content, resulting in a filter between the entire index blockchain and the content supported by retailers and payment processors.
  2. When professional entertainment industry content in databases like IMBD, Music Brainz, etc is published by an anonymous publisher, retailers will be encouraged to provide a “request publisher verification” process. Using this process, they send a request to the rights-holder found in these public databases asking them to verify their publisher account. Retailers will already be using various protocol and application level services to optimize the meta-data associated with artifacts to make content easier for their audiences to find, so it does not add significant time, work or code to find contact information for the rights holders in public databases. The “request publisher verification” process will encourage rights-holders who are not yet aware of OIP with incentive to learn about it’s benefits because of demonstrated audience demand.
  3. To receive revenue through OIP, retailers and payment processors must comply with OIP standards, including the requirement that they abide by the laws of their country and provide an easy method of reporting DMCA violations. Thus, it is in the best interest of retailers and payment processors to proactively maintain protocol compliance by filtering content that is likely to be pirated. The protocol compliance standard is enforced by a blacklist; if a retailer is not protocol compliant, it will be added to the “distribution violations” blacklist maintained the Open Index Protocol Working Group. By using entertainment industry databases and comparing them with publisher data, content that is likely to be pirated is identified. Registering a publisher name is optional, but without doing so, a publisher will show up as “anonymous” to the OIP Daemon API. Retailers can use this information to filter out content published by an anonymous publisher that is listed in industry databases unless it has a verified publisher.
  • What happens if a pirate registers an unclaimed publisher account name to falsely appear as a rights holder of the content the pirate wants to publish/distribute/sell?
  1. As described above, if retailers or payment processors are not protocol compliant, their revenues are terminated. To ensure compliance and continued revenues, these businesses may choose to include additional filters such as Verified Publisher (see Open Index Protocol Standards, section A, “publishers”). Some pirates may seek out unregistered names of high profile content rights holders and attempt to register these names to appear as a rights holder of the pirated content they want to distribute. However, unless the name is verified on a supported social media platform, the publisher account is considered unverified. To mitigate blacklist risk, retailers and payment processors can choose to not display content that is listed in professional databases like IMDB and MusicBrainz unless it has a Verified Publisher.
  • What happens if a piracy site does not honor publisher terms of use and distributes content for free or a reduced price? (Example: Popcorn Time, shaolinfriedrice.com)
  1. Although piracy sites are driven by multiple overlapping motivations, many profess idealism about information freedom and access to content as their core purpose. By using OIP to make content available to anyone, content rights holders remove this reason for piracy; OIP is fully decentralized, meaning it cannot be censored with central points of failure, this results in global freedom of information and access to content. It will become culturally understood that pirates distributing content that is available in OIP are intentionally circumventing the rights holder, making both pirate and potential audience unable to justify the theft as an issue of information freedom/access.
  2. According to researchers, on aggregate audiences prefer to legally access and pay for content if it meets two fundamental criteria: 1) easy to access and 2) affordably priced. To solve the access issue OIP is fully decentralized and the transport layers are interoperable; this means it can be used by any front end service including social media. A shared data layer increases efficiency and decreases infrastructure costs. The efficiency increase is so remarkable it is possible to significantly reduce the price for the audience, and also significantly increase revenue for the rights holders.
  3. Borg the pirates, resistance is futile with OIP’s assimilation incentive. Piracy sites receive an enormous amount of user traffic, but have very limited revenue opportunity. Piracy sites incur costs for server fees and development and typically attempt to capture revenue with click-ads, pop-ups and spyware. However, most end users protect themselves by using ad blockers, VPNs and malware detectors which prevent the piracy sites from capturing this potential advertising revenue. Therefore, pirates need to reach larger and larger daily user rates to cover their costs, which in turn makes it easier for law-enforcement to disrupt their operations; even if law enforcement is unable to block DNS addresses of piracy sites, they can conduct server farm raids and spend years in court. The OIP assimilation incentive encourages piracy sites to migrate from being entirely black-hat distribution platforms to grey or even white-hat platforms by offering them an automatic cut of any revenues they generate distributing content published with OIP according to the rights holder’s terms of use. The carrot/stick incentive structure entices them to begin reaping revenues from their traffic via legitimate content distribution and terminates this revenue if they continue to offer a pirated version of the same content; by ignoring pirated content that is not published to OIP, the assimilation incentive converts these sites and their users incrementally.
Example: If the rights holder of XX publishes the film using OIP at a price of $1 to watch, $10 to buy and a 15% retailer cut, YY can remove the pirated version from its search index and instead link its users to the OIP version and if a user sends $1 of bitcoin to watch it, the pirate platform will receive $0.15. To increase their earning potential, piracy sites can recognize demand for popular content based on its bittorrent tracker statistics and swap them out for OIP versions. If the piracy site continues to offer the pirated copy of the content in addition to the OIP copy, the OIPWG will add them to the “rights-holder violators” blacklist, and the piracy site will not receive the retailer cut of any transactions processed by protocol compliant payment processors.

User-generated / New Media Content

Since an open database of rights holders for user-generated content does not yet exist, content creators are encouraged to use OIP to claim the rights to their content with the blockchain, an open database for all content rights holders to define their unique distribution terms. If user-generated content ownership is questioned, the Open Index Protocol Working Group will act as an arbiter.

  • What happens if a pirate publishes user generated content it does not have rights for?
  1. Retailers are encouraged to provide easy methods to report claims of pirated content. Piracy claims will be verified by Open Index Protocol Working Group which will review evidence of ownership (example: verification of the content creator’s ownership of a YouTube, Instagram, etc account from which the content was pirated). If the piracy claim is valid, the pirate artifact-id will be added to the “distribution violations” blacklist and if the legitimate rights holder publishes the content to OIP, they will then control the distribution terms and revenue.

Universally Abhorrent Content & Child Pornography

The Open Index Protocol Working Group is in favor of freedom of information and open access to content with one exception - it prohibits profiting from illegal or universally abhorrent content such as child pornography, snuff pornography and hunting/torturing/murdering humans for sport.

  • What happens with abhorrent content like child pornography?
  1. Algorithms and agencies like Net Nanny will be used to identify publishers, retailers and payment processors who do not comply with this standard, and these payment addresses will be blacklisted. Censorship via blacklist must be judicious & transparent so that Open Index is trustworthy.
  2. In many countries storing and viewing this kind of universally abhorrent content is illegal; the OIPWG will work with authorities to conduct this process in a safe and legal manner.

market vulnerabilities

Trust-minimized processes establish a free and transparent marketplace where incentives of publishers, miners and optional middlemen (retailers & promoters) are aligned. Designed as an interdependent, yet antifragile system, the OIPWG governs formulae that align incentive structures. (See definitions in Open Index Protocol Standards, section E, “miners” incentive structure The commercial value of content published with OIP is connected to the mining incentive. For commercial content to be validly published, a specific amount must be paid as a tx fee at the time of publishing. The OIP standard defines a formula to determine this amount with two variables: 1) the retail price of the content being published and 2) the current average retail price of all commercial content in the index.

Although there are no requirements regarding how the publisher obtains the tokens to pay this fee, to increase ease of use, the OIP standard defines a set of optional automated processes (historian, tradebot, autominer, autotrader). These processes increase ease of access to tokens for publishers and ease of maintaining a consistant profit margin for miners and traders.

Miners who use these automated processes are required to contribute to the transparent, cooperative and decentralized/distributed work of recording market conditions. When a participating pool wins a block, they include the OIP specified historian data in the transaction message space of the block reward. (see more in OIP Standards historian section). The historian data is then used by the automated processes autominer & autotrader.

The standards that govern these automated processes create an equal opportunity marketplace that benefits from both cooperation and competition and a system that grows stronger through chaotic expression of individual self interest as miners compete to maximize their margin.

Normal market conditions creates bell curve of margins captured by miners; outliers caused by market stressor events.

Blockreward Emission Schedule

Current estimates project that all Florincoin block rewards will be released by 2027, at that time tx-fees will drive the security incentive.

  • What happens to the incentive structure when all new Florincoin block rewards have been released and the miner incentive is driven by tx-fees only?

OIP standards create an incentive structure that fosters an interdependent ecosystem. The tx-fee for free content is limited to the cost of entering the data into the blockchain, where as the tx-fee for commercial content corresponds with it’s retail price. The retail value of commercial content drives the security incentive; a significant tx-fee incentive will be present as long as there is commercial publishing activity. Driven by publishing demand, the florincoin token supply will be constantly recycled through pools as tx-fees. Its likely that over time some tokens will be destroyed, reducing the overall supply of tokens and causing an increase in token value, especially if OIP user demand grows while overall token supply declines.

The publish fee which is calculated by the OIP standard, not the Florincoin consensus rules, will supplement the block rewards over time. As applications using OIP get more end users, there will be more incentive to publish content to it, resulting in more net publishing fees. These fees will quickly grow to be larger than the block reward native to Florincoin, and they will be received by miners just like the block reward is. This allows the total supply of florincoin to have a hard cap at 160M tokens, while allowing the incentive to mine the blockchain to continue to grow as long as there is publishing activity to the index.

Token value volatility

A wide variety of issues can trigger a rapid change in mining and trading markets, especially during rapid growth. Regardless of the reason for a market stressor, the results of a stressor distill to two fundamental issues: 1) incentive alignment (market price of token) and 2) index security (hash rate). The OIP standard defines formulae to address each of these issues; they are designed to incentivize enough cooperation to keep the ecosystem in balance while allowing plenty of room for thriving free market competition.

  • What happens if there is a dramatic change in the market price of the token?
  1. The offer price allowed by the automated process will be affected by dramatic change in the market price of the token. If the market price decreases significantly, and the cost of mining does not decrease proportionately, the margin allowed by the automated trading process may fall, possibly to zero. If the market price increases significantly, the automated process offer price will allow a higher margin, likely the full target margin set by the pool.
Formula

To encourage the offer price for tokens in the automated process to align with the market price of the token, the following formula is used:

The variable in the formula is used as a multiplier of margin, the OIPWG sets this variable. Currently it is set at 2, therefore, the automated process offer price must be less than 2x the average market price. At the current variable, when the offer price is 1x the market price and below, the winning pool captures its full target margin. As the offer price approaches 2x the market price, the margin calculated in the offer price reduces,with the decrease accelerating to zero margin as it reaches the threshold.

  • What happens if the market price is higher than the automated process offer price?
  1. The incentive structure for this formula relies on its alignment with the market price. Certain market stressors will result in market prices for the token being higher than those offered by the automated process. When this happens there are three potential outcomes: 1) miners leave tokens inside the autominer automated process; 2) move tokens to the open market; 3) a second automated process is used to connect publishers to traders in the event that all tokens are moved and no tokens are available in the automated process between publishers and miners.

Some miners will value ease, consistency and automation more than the risk and management necessary to capture the maximum possible margin by manually trading their tokens. This group will likely choose to leave a portion or all of their mined tokens inside the automated process that connects miners to publishers. Some miners will value capturing the maximum margin possible more than the ease and consistency of the automated process. This group is likely to move a portion or all of their mined tokens out of the automated process and onto the open market. Once tokens have been moved from the automated process onto the open market, they are no longer eligible for use in the automated process.

Conditions for an Antifragile Market Assuming diversity of miner behavior, it is likely some tokens will remain in the automated process and some will move to the open market. The tokens moved to the open market reduces the number of potential trades in the automated process, resulting in the first group of miners closing their trades sooner. The incentive for the first group is a steady and reliable margin without actively monitoring markets, the incentive for the second group is the opportunity to get a better market price and capture more revenue. The competition between miners to maximize their individual gain functions as a kind of positive stress that benefits the whole market.

The automated process connecting miners and publishers is first come first serve, using historian messages in the blockchain to identify the chronological order of open trades based on when they were mined. If all miners remove their tokens from the automated process, or whenever there are not enough tokens available in the autominer process to fulfill a publisher request, a secondary automated process is used to connect publishers to traders called autotrader.

Each tradebot node will have preferences for the length of time it waits for autominer before switching to autotrader. Once initiated, autotrader will offer a trade at the current spot price. If there is no response to a request to trade at spot, then a new request is made at some percent above spot. Autotrader will repeat this process until it finds a percent above spot that is accepted. The autominer & autotrader automated processes make access to publishing tokens as frictionless as possible for both the publisher and the retailer.

Automated arbitrage Assuming diversity of trader behavior, it is likely some traders will be willing to sell at the average spot price. If there is enough volume and volatility between the exchanges it is likely at least one exchange is trading below the market average spot price. If the trader is able to leverage the difference immediately, they extract an arbitrage gain for facilitating liquidity. However, if the market is narrow (all exchanges trading at prices too close to each other), it is possible that no traders will accept the spot price and a percent above spot will be necessary. This additional percent will not be taken into account in the flow-btc exchange price in the tx-fee required for valid publishing. Various front ends will handle the additional percent charge differently; they may absorb the added fee as a cost of doing business, pass it on to the publisher as an expedience fee, or perhaps offer the option to avoid the additional percentage charge by waiting for their content to be published at some later time when an autotrader user is willing to trade at spot.

  • What happens if a the token price is sabatoged by token holder(s) dumping significant volume onto the trading market? (Price crash/lower 51% attack resistance)

This type of attack is impossible to completely ward off, but also an expensive/difficult attack to maintain long term. If a florincoin whale (or group of them) dumped tokens onto the market at a sufficiently high volume, the market price could fall enough to weaken the incentive to mine the index blockchain, and thus lower its resistance to a 51% or long-range attack.

The suppressed market price and mining level would pull the automated process margin down; unable to receive their target margin, many autominers would likely stop new rentals. With fewer autominers competing over a lower hash rate, some autominers may capture their target margin, but if the price is suppressed enough it's possible autominers would be unable to capture a margin above their overhead costs.

However, no matter how low the token market price temporarily falls, retail service providers and content rights holders will have incentive to protect the index. The automated mining margin is not the primary motivation for these businesses, instead they depend on the accuracy of the content index. This group can work together to protect the index by participating in Collaborative Defense mode as described above. No matter how low the token price falls, they will not lose money because they will trade their tokens at their actual cost.

Between the demonstrated resilience of the system against the attack, the artificially suppressed (and thus more accessible) price of tokens and any newfound awareness of the project from the Streisand Effect, eventually the market value will revive and the attacker will lose the ability to continue suppressing the price.

Malicious Acts

  • Network Attack, Data Manipulation, Exchange Fraud

The incentive structure of OIP is designed to encourage compliance by offering positive rewards, and deter noncompliance by eliminating potential rewards and enforcing blacklists. OIP is fully decentralized, uses interoperable transport layers, and information in the index blockchain is human readable; this combination offers the highest level of transparency possible. Sunshine is the best disinfectant.

The OIP standard requires registration of publishers, retailers, promoters and miners; this information is logged in the index blockchain. Reputation is transparently available because these users are required to register. Application layer services using OIP can use this information in their reputation management services, optionally combining this transparently available information for both user identity & transaction history to optimize their offering.

The index blockchain average block time is 40 seconds. When a mining pool using the automated mining margin process wins a block, the OIP standard requires the pool log specific information into the blockchain, called historian data (defined in OIP Standards, section Miners, historian). Selection for data input is determined by the index blockchain’s proof of work security; the winner of the block inputs the historian data.

A 24 hour moving average of the historian data is used to calculate the protocol offer price and to verify the correct publish fee was paid. The time delay between mining the block reward/inputting historian data and the token sale to the publisher increases the opportunity to identify network attacks. If the network is attacked, historian data input during the attack is excluded from the moving average calculation.

Proof-of-work governed historian data input combined with the rapid 40 second block time results in diverse and abundant market information that can be averaged to assess the accuracy of the historian data.

  • What happens if there is a 51% attack?
  1. Deterrent

The processes that automate mining margins includes a formula designed to deter mining pools from attempting to control too much of the network by reducing or eliminating the automated mining margin if the pool controls too much of the network. It includes two variables - the first variable initiates the margin reduction, the second variable is the number at which the margin reaches zero. The margin deceleration increases as the pool hash rate approaches the second variable; currently these variables are set at XX and 50%, these variables are governed by OIPWG.

Furthermore, if a pool wins XX blocks in a row is defined as a malicious attack, and the associated tokens are not eligible for trade within the automated system.

  1. Incentive

The process that automates mining margins also includes a mechanism designed to incentivize miners to participate in defensive mining in the event of a 51% attack. The Collaborative defense operation ensures miners do not lose money even if the cost to mine during the attack is greater than the current market value of the token. The tokens won during collaborative defense are automatically sold to publishers at a price that covers the miner’s actual cost, no matter how far it is from the market price.

Retailers, artists, labels, studios and other content rights holders who have published content with OIP or depend on it for their business revenue have a vested stake in the security of the index; assuming diversity of behavior, some of these players will see it as in their best interest to participate in collaborative defense mining, especially because it will not affect their profits.

The automated system works to ensure that the token value is aligned with the hash rate; and that these are aligned with the value of the data contained in the shared data layer. If a miner is motivated only by the desire overwhelm the network or acquire tokens and is not participating in the automated system, the cost to mine can be driven up by the Collaborative Defense of the miners using the automated system to increase the network hash rate and make the attack more expensive.

  • What happens if a mining pool attempts to manipulate historian data?

Historian data (defined in OIP Standards, section Miners, historian) is used in the automated mining/trade process to determine the offer price at which the tokens will be sold. To increase the alignment of the protocol offer price with current market conditions, historian data is calculated as a moving average of historian data points from the previous 24 hour time period.

Selection for historian data input is random; it is determined by the index blockchain’s proof of work security. To input historian data, a mining pool must win the block. Because of the 51% attack deterrents described above, each mining pool is limited to providing less than XX% of the historian data in a given period of time. Additionally, OIPWG will monitor historian data with a simple script that will flag any data points with a spread of more than X% and investigate accuracy of outlier data points. The time between when the tokens are mined and sold is enough for OIPWG to monitor and react to issues.

Pool miners do not receive any financial incentive if a pool falsifies historian data. If the manipulated historian data falsifies the information such that the protocol offer price is calculated lower than it should be the pool miners make less money than they would if the data was correct. If the manipulated historian data falsfies the information such taht the protocol offer price is calculated hither than it should be, any artifacts with publish fees calculated on incorrect information will not resolve in the index. This externalizes the issue to the Retailer.

Miners using the automated mining/trade process sell their tokens to Retailers. If miners input incorrect historian data the fradulent data is identified, it will be omitted from all future protocol calculations. Any publish fees that were paid based on the fraudulent data will not resolve the correct artifact. Because historian data is used to determine the validity of publish fees, it’s likely that retailers will prefer to work with mining pools with excellent reputations, because correct historian data and trade execution reduces the Retailer’s administrative burden.

Furthermore, if a mining pool is inputting incorrect historain data, the pool is added to an OIPWG blacklist. If blacklisted, the pool’s tokens are not eligable for trade with the automated system, and the incorrect historian data points are omitted when calculating the automated system offer price and validating publish fees.

There is insufficient incentive for mining pools to input incorrect historian data. If pools attempt to game historian data to increase the offer price and get more money than they should, the manipulated data would be quickly noticed & blacklisted; this manipulation would not result in increased money to the miners. If mining pools attempt to game historian data to incite fear or sabotage the protocol because the falsified data is decreasing the offer price and miners are not recouping their costs, they would also be quickly noticed, blacklisted and falsified historian data points would be omitted from protocol calculations.

Overall, the incentive structure is slanted toward compliance - mining pool participants with correct data and trade execution will make more money.

  • What happens if miners or traders fail to complete trades and steal tokens? (Theft of flo for btc trades)

Service providers like retailers, miners & traders who use the automated system must register in the Open Index. Service provider registration is a necessary component of the system being transparent; the trustworthiness of service provider reputations can be automatically tracked, which allows trades to happen with increased speed and decreased error and fraud.

Similar to the way mining rental services rate the reliability of hardware providers and allow end users to evaluate the service’s reputation when choosing rentals, various tradebot deployments will rate the reliability and trust of autominer pools & autotrader nodes based on what percent of their past trades were correctly completed. Those who fail to complete a trade and steal tokens will fail to continue receiving trade requests. Positive reputation history increases trust.

Namespace

From concert tickets and domain names to blockchain tokens and namespace, any free market faces the problem of second market speculators if product demand outpaces a limited supply. The risk taken by early speculators to acquire the limited supply can be seen as a necessary step in the process of a product that increases in value.

  • What happens with name squatting?

In a free market with limited namespace, squatting is essentially unavoidable and expected market behavior. Early speculators choose to assume more risk because of the possibility of increased reward; their activity serves to grow the overall marketplace.

Unintentional squatting, or “burned” names, may eventually be addressed through a review process arbitrated by the OIPWG. If a name is found to be squatted, the OIPWG could release the name using the filter lists it maintains. This process will be formalized by the OIPWG in the future, the following example illustrates the idea.

Example: A desired name is not in active use and believed to be squatted. Evidence of squatting is collected from the OIPWG’s retailer reports to demonstrate that the name has not been resolved to find any content, nor has any content published by it received any comments. Hypothetical example: name must receive at least 1 interaction with a non-sock puppet user per year to mitigate the risk of squatters idly publishing throw-away content to falsify use. Usage requirements like these are easy for a normal content creator to meet, but increase the chances of recovering forgotten or burned names.

censorship threats

Full global state replication of index data, transparency of all publish attempts including fails, and human readable index data ensure Open Index is transparent and resists censorship (see definitions in Open Index Protocol Standards, section XX, “ “ ). Additionally, automated systems for mining and trading protect the blockchain from attack or alteration (detailed in market vulnerabilities above).

(Is there something to say for parody here? Maybe something about OIPWG as possible central point of failure -> censorship philosophy + transparent architecture)

decentralization & transparency: fail-safe & open jungle

Convenience and existing user behavior patterns will lead most early OIP publishers and audience users to access content via a centralized web-client. All aspects of the OIP specification are decentralized - index layer, storage & transport layer, and payments layer. The convenient web-clients mirror the information protected in the decentralized components of OIP.

The architecture of the information capture is design can further enhance censorship resistance. Full global state replication, human readable index data, and transparency of all publish attempts including fails means the index can be permissionlessly audited to evaluate if content is missing and if so, the reason it is absent.

  • What happens with a DDos, DNS, or other centralized service attack?

Any individual artifact in the Open Index can be reached by one of two means; directly via decentralized networking, or via a hosted service on the World Wide Web. Retail services with web-clients must use a standard URI format - hostname/playername/artifact or hostname/playername/publisher/artifact.

If an attacker attempts to block the distribution of an artifact by targeting a web-client with a DDoS attack on their server or a DNS-based attack on their domain name, 3rd party payment processors (browsers, browser extensions, OS-level background applications) will look up a fail-over host which is not currently under attack to serve the content.

In the event of a coordinated denial of service attack on the all web-clients of all registered retailers, users will have the option to enable fully-decentralized mode, which will sync the blockchain using the p2p consensus system. This will incur high costs to these users, but ultimately defeat any effort to fully censor an artifact from being distributed.

Attempted censorship like this can have a ricochet effect - the internet has dubbed it the Streisand Effect - whereby the size of the effort to censor information is proportional to the counter-effort to spread it.

  • What happens if the OIP Working Group uses blacklist filters for censorship?

Transparency is the antidote to censorship and is the reason the OIP blockchain has 1) proof of work security, 2) full global state replication of index, 3) zero filtering as content is published to the blockchain, including incorrect/failed publish attempts. If the OIP Working Group uses its power over blacklist filters as a means of censorship, the market will likely respond to this violation of trust by reducing financial & community support. OIPWG’s transparent and distributed governance structure will mitigate this threat.

  • What happens if incumbent studios, labels or other rights holders resist?
“Adding content to a private, walled garden on the internet smacks of the old-world America Online ideology:

While at Sony in 1994, I was sent to Virginia to learn how to build a Sony "app" on AOL (the #3 online service, behind Compuserve & Prodigy at the time) using AOL's proprietary "rainman" platform. Fast forward to Facebook 2007 and see similarities: If you want access to their big base of users, develop something in their proprietary language for their people who live in their walled garden.

It was so clear to me back in 1999 that AOL was doomed. But at the time, any criticism of AOL was heresy. For a lot of companies, AOL was the internet.

Just as the early World Wide Web was called a passing fad and companies struggled to implement it, resistance to OIP from incumbent walled-garden services is likely in the beginning. But the tide of technology cannot be stopped. As HTTP inventor Sir Tim Berners-Lee said, "You can make the walled garden very very sweet, but the jungle outside is always more appealing in the long term."

Furthermore, the incentives of OIP will positively drive user acquisition.

  • More money: Creators/rights holders gain new revenue channels and control of their terms of service/pricing. Retailer overhead costs decrease and distribution performance increases. Social media influencers receive direct payments for sharing. Audiences pay less and get bespoke access.
  • Less piracy: Retailers cannot display pirated versions of media that is published to OIP by the creator/rights holder; this ‘registration’ in OIP reduces access to pirated versions of media. Piracy sites are financially incentivized to display/sell OIP content, monetizing their user base while continuing to provide open access.
  • More accurate: Public awareness that current services are insecure and opaque is increasing (equifax/censorship). Culture will shift toward transparency as blockchain and decentralized technology offer more trustworthy solutions. OIP is a transparent ledger of media and decentralized distribution and payments, offering permissionless auditing of system and increased accuracy of attribution and payments.

collaborative defense

Proof of work security diversifies network stakeholders, guarding against the kind of social attack vectors seen in federated systems and proof of stake security. OIP automated systems for mining and trading further increase the antifragility and scalability of this network.

  • What happens when an outside attacker attempts to change the contents of the Open Index, or interrupt the auto-miner, auto-trader or publisher operations? (long-range PoW attack, 51% PoW denial-of-service attack)

The value of the content in the index is directly tied to the incentive to secure it. The business models of certain OIP stakeholders will incentivize their participation in Collaborative Defense (explained in detail in sections XX).

Furthermore, the OIPWG will release checkpoints for the blockchain on a periodic basis, limiting how far back in time any attacker could reasonably attempt to change blockchain contents.