Opened 5 years ago

Closed 7 weeks ago

#1354 closed enhancement (not a bug)

Small countries should be put into "hidden mode"

Reported by: hermitcrab Owned by: sadie
Priority: minor Milestone: 0.9.41
Component: router/transport Version: 0.9.14.1
Keywords: Cc:
Parent Tickets: Sensitive: no

Description

I noticed in my netDB that a peer was from Isle of Man and this gave me the idea for this feature request. I think it would be wise putting users from countries with less than 150.000 inhabitants directly into hidden mode (unless

they want to be floodfill nodes) to increase their anonimity. Countries with few thousands of inhabitants are usually small countries and given that I2P has 30.000 users it is fair to guess that a user from a country with 50.000 inhabitants is the only person in the country connected to I2P.

Maybe a warning message could be put the first time the user runs I2P, something like "you were put in hidden mode due to your country of origin, if you want to partecipate you can do it doing:…….".

Countries with less than 150.000 inhabitants are:

  • Saint Vincent and the Grenadines
  • Kiribati
  • United States Virgin Islands
  • Grenada
  • Tonga
  • Aruba
  • Federated States of Micronesia
  • Jersey
  • Seychelles
  • Antigua and Barbuda
  • Isle of Man
  • Andorra
  • Dominica
  • Bermuda
  • Guernsey
  • Greenland
  • Marshall Islands
  • American Samoa
  • Cayman Islands
  • Saint Kitts and Nevis
  • Northern Mariana Islands
  • South Ossetia
  • Faroe Islands
  • Sint Maarten
  • Liechtenstein
  • Saint Martin
  • Monaco
  • San Marino
  • Turks and Caicos Islands
  • Gibraltar
  • British Virgin islands
  • Aland Island
  • Palau
  • Cook Islands
  • Anguilla
  • Wallis and Futuna
  • Tuvalu
  • Nauru
  • Saint Barthelemy
  • Saint Pierre and Miquelon
  • Montserrat
  • Saint Helena,Ascension and Tristan de Cunha
  • Falkland Islands
  • Norfolk Island
  • Christmas Island
  • Niue
  • Tokelau
  • vatican City
  • Cocos Islands
  • Pitcairn Islands

Subtickets

Change History (18)

comment:1 Changed 5 years ago by user

what would that protect them against?
as long as they don't say it on their eepsite or irc, etc, that they are from that country….

comment:2 Changed 5 years ago by zzz

Component: unspecifiedrouter/transport
Milestone: 0.9.150.9.18
Owner: set to zzz

comment:3 Changed 5 years ago by zzz

Needs hidden mode to work better #1192

Agreed with comment 1, if you're from some small place, don't tell anybody.

Low priority if it's of any use at all.

comment:4 Changed 5 years ago by hermitcrab

Well even from the console you can see if a peer is ussing I2PSnark or IRC for instance and if you see a peer from a small country it is fair thinking that it is the only one you are monitoring,hence the idea. Is it a wrong assumption?

comment:5 Changed 5 years ago by zzz

You are conflating router IDs with destination IDs. If they were the same, we wouldn't have any anonymity at all. They are not.

comment:6 Changed 4 months ago by zzz

Milestone: 0.9.180.9.41
Owner: changed from zzz to sadie
Status: newassigned

Assigning to sadie for a review of current list, compared to current country threats and policies, and also OONI and other measurement results.

comment:7 Changed 3 months ago by sadie

I think that we need further discussion on this topic. The I2P Metrics portal as I understand - batches together countries with a router population less than a certain number to protect those users.

comment:8 Changed 3 months ago by zzz

How is the metrics portal relevant? OP is about number of residents, not number of users; nor are the issues in comment 6 related to number of users.

comment:9 Changed 3 months ago by Reportage

There are 2 separate issues here which are being conflated, namely the hidden mode status for routers in countries with a small population, and display of locality of routers in countries where the router count falls below a defined threshold.

To address the second issue, and partially mitigate the first, in countries where the number of routers falls below x routers, the router could be designated as belonging to country "other" in the NetDB overview with the flag changed to the "?" flag in places where it's used in the console.

Putting all routers in countries with a small population in hidden mode by default is probably overkill.. in countries potentially hostile to I2P, routers are already placed in hidden mode by default. However, a notification on the NetDb? overview page and/or on the local routerinfo table indicating that hidden mode might be a consideration could work.

comment:10 Changed 2 months ago by sadie

Sensitive: unset

"where the number of routers falls below x routers, the router could be designated as belonging to country "other" in the NetDB overview with the flag changed to the "?" flag in places where it's used in the console." This is a good suggestion.

Adding a note regarding hidden mode can be done as well.

comment:11 Changed 2 months ago by zzz

So the suggestion is to hide data from users? These data are in the router and stored on disk. It's also useful for diagnostics. Should it be removed unless in advanced mode? Who are we hiding the data from? Not attackers or people capable of writing simple scripts.

@sadie please explain the threat model that this solves

comment:12 Changed 2 months ago by zzz

We just updated the hidden mode list for .41 based on the 2019 Freedom House ratings https://freedomhouse.org/report/countries-world-freedom-2019

For the most part we set hidden for countries with a CL (civil liberties) score of 6 or 7. The vast majority of the tiny countries in the OP have benign CL scores. I could see reducing the minimum CL to 5 or even 4 for tiny countries, if somebody would like to review the list and make a proposal. But I don't see the need or understand the threat model that would cause us to mark e.g. Monaco (CL score 1) as hidden.

drz also proposes in IRC to force firewalled for some countries which would have the effect of slightly less propagation of IPs, somewhere between normal and hidden mode. Again, the degree of incremental protection against an uncertain threat model (law enforcement with little tech knowledge?) isn't clear.

comment:13 Changed 2 months ago by sadie

I agree. What has proposed should be considered IF a threat model requires it.

Last edited 2 months ago by sadie (previous) (diff)

comment:14 Changed 2 months ago by zzz

@sadie so what's the threat model underlying your recommendation in comment 10?

comment:15 Changed 2 months ago by sadie

re: threat models - smaller user base could potentially be a risk of being identified by a technical user ie government / police. Also, perhaps to consider is the value of having this information so easily accessible at all. Some people ( myself included when I started using I2P and poking around) may be concerned to see such information. I am going to close this ticket to further address moving diagnostics to advanced settings.

comment:16 Changed 2 months ago by sadie

Add a subticket #2558 (Move Router Stats to Advanced Settings).

comment:17 Changed 7 weeks ago by sadie

Remove a subticket #2558 (Move Router Stats to Advanced Settings).

comment:18 Changed 7 weeks ago by sadie

Resolution: not a bug
Status: assignedclosed
Note: See TracTickets for help on using tickets.