Safety Mechanisms for NomadNet

[mmarquez76]

Hello,

First off, I appreciate Reticulum and NomadNet's core mission of censorship-resistant, decentralized, resilient communications for the people.

What, if any, mechanisms are in place to deal with the eventuality of people using NomadNet for CSAM, revenge porn, doxxing, or other kinds of abuse? I'm not asking whether there's any sort of central moderation, because obviously that's not the goal here, and I also understand that any takedown mechanism would undermine the mission of a censor-proof network.

Are there any plans for other mechanisms that could help limit the use of NomadNet for almost universally objectionable or abusive content like this? I'm aware there's already an ignore feature in NomadNet, but is there anything more to be done?

I'm thinking something like a public reputation system with a client-configurable reputation threshold to allow people to filter out low-reputation nodes, or the ability to subscribe to ignore lists maintained by nodes so that people can avoid objectionable communications without needing to see them first.

[Rick1029]

Not the author, have not contributed any code.. just giving my 2 cents. I think this runs under the assumption that your reticulum network is public, or that you are interfacing with only publicly available nodes (like public meshtastic fans or ham radio enthusiasts). People use the plain internet, I2P, Tor and even USB drives to spread immoral content. There are plans to push things like chat control, age verification, AI face recognition etc etc... all supposedly to combat these abuses - but we know it is all primarily for surveillance and does little to actually stop these abuses. I don't see a way for reticulum to address this in any meaningful way.

I think a public reputation system is not possible because reticulum intentionally allows for regeneration of LXMF addresses at a whim, so a bad actor could just regenerate and continue. (Saying this though, I wonder how the ignore feature works? Is it also circumventable with an address regeneration?)

If you are building / have built your own sovereign communication system over reticulum for your community, and you face a bad actor like this, I believe the solution is not through reticulum but through actual confrontation. You likely are in touch with those who have access to your reticulum network, even through friends of friends.

[LinuxinaBit]

See also #837

[worst-git-server]

there are ways to prevent people from sending you this kind of content which are pretty simple to implement, like #837, but there are no ways to block this kind of content for everyone in a way that is private, decentralised and cannot not be abused.

[joakim]

This question recently came up at a conference about the Fediverse. To paraphrase/oversimplify what was said: This is the most complicated and most interesting question in this area. Ideally, harmful content should be regulated at an international level, as high up as the UN. Conscentious instances would be expected to disallow and take down harmful content. If an immoral instance keeps transmitting harmful content, you should blacklist that instance. The immoral instances would be cut off from the conscentious instances of the network, essentially becoming an island of its/their own.

I don't know if that's the best we can do, or how well it applies to Reticulum, but I do agree that it should be regulated at the UN level. Otherwise, we get things like Chat Control.

And I think it's an important topic. If Reticulum networks have no way of dealing with this, it is very easy these days to label it as a darknet harbouring criminals. We need a way to respond to that kind of attack on the protocol, which is bound to come.

[LinuxinaBit]

That applies a lot more to social networks and/or networks where nodes can see the content passing through them...

[mmarquez76]

We need a way to respond to that kind of attack on the protocol, which is bound to come.

I mean, to give Mark credit, the protocol itself seems to be designed to be very resistant to governments cracking down on it. As long as people have any sort of connectivity (even just LoRa handhelds), it would be near impossible to completely stamp out a regional reticule.

In practice, if Reticulum became widely adopted enough for it to become the next boogeyman (like encrypted chat apps currently are in some places), all it would take would be a couple of high-profile government takedowns of Reticulum node operators for there to be a massive chilling effect on adoption. This is why having something to point to in terms of safety helps - optics matter.

[joakim]

I love Reticulum's resistance against censorship and takedown. But if using it is criminalized, that strength becomes a weakness. Regular people won't use it and become stuck in 1984, while criminals will, only confirming what the authorities claim. That would undermine everything, so I think it's worth taking seriously.

It might help to have some good arguments against it being/becoming a haven for criminals. Of course, it's "only" a protocol, it's what's built on top of it that matters. It's possible to build a criminal haven with RNS, but it's also possible to build a garden.

Maybe what we need are "safe" apps that have built-in protection against harmful content, ensuring it remains acceptable for mainstream use. I still haven't come across any harmful content on Nomadnet, but it's only a question of time before Reticulum attracts the "wrong" kind of users. I think it's good to be proactive and do something before it becomes an issue.

It's not easy to balance liberty and responsibility. I believe adults should have a large degree of freedom, but not at the cost of harm to others. And I strongly believe that children in particular should be protected from harm. Achieving that is much harder in the digital world than it is in the real world, but we're good at solving hard problems, and I think we really should solve this one.

To be clear, I understand that this can't be solved by the network stack itself. But it might be solved by the community, by how we build apps on the protocol.

[LinuxinaBit]

Fair.
I don’t think worrying about optics in a scenario like that matters that much because there’s really no way to avoid stuff governments like to attack without entirely breaking the fundamental principles of Reticulum.

Somewhat related:
I do still worry about optics in cases like Reticulum’s new custom license though because that has a direct impact on adoption among the foss community (and only among the foss community, the main place it is actually detrimental). See https://github.com/markqvist/Reticulum/issues/850 for some of my thoughts on the subject.

[joakim]

I don’t think worrying about optics in a scenario like that matters that much because there’s really no way to avoid stuff governments like to attack without entirely breaking the fundamental principles of Reticulum.

True. Reticulum must never be compromised. If authorities make the protocol itself illegal, there's nothing to be done (other than break the law). I hope it doesn't come to that.

Somewhat related

I'm also worried about the new license hurting Reticulum's adoption. I fully understand and support Mark's intentions, I just think it's unfortunate. Interoperability is so important in open source. Roll-your-own-license is as difficult as roll-your-own-crypto, one should at least consult experts (lawyers) first. (Not that I have, but I wouldn't use my own license without the approval of lawyers.)

It kind of reminds me of JSON's license saying "The Software shall be used for Good, not Evil." When IBM's lawyers contacted Crockford about the problematic provision, he granted IBM special permission to use JSON for evil 😆

[joakim]

Just an idea I had: Create a gossip protocol for building a distributed blocklist. Maybe using a CRDT? Maybe users could set a threshold for when to exclude. Maybe weighted by nodes you trust. A bad-reputation system.

[LinuxinaBit]

What would this blocklist actually be blocking exactly?

[LinuxinaBit]

The best way to think about LXMF in this context is as if it was email, except anyone could create an entirely new, fully unique address at will.

It is far better to use systems designed for networks like Reticulum, for example we have proof-of-work based stamps to help prevent spam, and allow/approval based lists instead of blocklists. Stamps already exist, and I proposed allow/approval based lists in #837

This is all on the LXMF messaging level, not the network level. Reticulum cannot block things because it purposefully doesn't even know the sender for privacy and anti-censorship reasons.

[joakim]

What would this blocklist actually be blocking exactly?

CSAM, gore, porn, etc. Could be separate lists for different kinds of harmful content.

Reticulum cannot block things because it purposefully doesn't even know the sender for privacy and anti-censorship reasons.

I suppose a blocklist/blacklist would have to be implemented in the application layer where the sender's identity is known. Like the IP blacklists used by spam filters, ad blockers and safe browsing features that protect (especially children) from exposure to harmful content online.

It could be easily disabled by someone with admin rights of course, but at least it could offer opt-in protection against harmful content, making Reticulum/LXMF similar to the web in that sense. Except higher up the stack, in the app layer.

[mmarquez76]

Another idea I just thought of: maybe a feature where NomadNet nodes can opt-in to arbitrary codes of conduct, defined by other nodes, which make them subject to removal by that node.

This feature could be structured generally so that any node can opt into any other node's code of conduct, which is then represented by a field in Node.py that contains the public key of the node that owns the code of conduct. New functionality could then be added to allow the owning node to use its private key to take down the page of any node that claims to follow its code of conduct upon violation of that code. Other users could then filter out nodes that don't follow their preferred codes of conduct when browsing NomadNet.

As an example: say the UN created a NomadNet node with a code of conduct that outlines basic rules banning CSAM, revenge porn, content illegal in a node's stated geopolitical jurisdiction, etc. Any node that wants to be able to say it follows that code of conduct would then select some option in their preferred client that indicates that their node is now subject to enforcement by any node that possesses the UN node's private key. Other users could then see some sort of badge or flavor text on the node's announce or page that indicates that it follows those rules.

Advantages:

• It would be an opt-in system, allowing people to choose what basic rules govern the content they see on the network.
• Arbitrary NGOs, free software foundations, governments, or of course just individual people could establish their own preferred codes of conduct, and none of those would affect any nodes that choose not to opt-into them.

Disadvantages:

• Any mechanism to take down content, even if it is opt-in, could be a future vulnerability or an opportunity to try and coerce node operators to opt into a code of conduct without fully understanding the implications on their node.
• There would be no recourse for any node whose content was taken down from a code of conduct other than just hosting their content independent of any code of conduct (i.e. default behavior)
• As an asymmetric key-based system, the private keys of nodes owning widely-adopted codes of conduct would become valuable targets for data theft. Anybody who took such a key could then take down many nodes or wreak havoc on the network.
• Of course, Reticulum's whole design ethos is based around avoiding central points of authority, and this feature would directly go against that. Widely-adopted codes of conduct could easily end up reproducing existing, abusive systems of centralization by concentrating power in whichever node owns that code of conduct.

[LinuxinaBit]

A website can't exactly remove another website from itself?

[LinuxinaBit]

Exceptions:

• If they're using a protocol higher up like ActivityPub up that allows them to connect to each-other in the first place; in that situation Reticulum doesn't have the solution, the higher up protocol does.
• LXMF propagation nodes connect to eachother, but they merely relay encrypted messages and have no way of seeing them. Also they already have ways to un-peer. Personally I believe the LXMF propgation node system is broken for more practical reasons so I'm not terribly concerned either way.

[joakim]

I thought "node" was more like device? And "destination" more like website or ip:port?

If I understand correctly, your idea is that nodes announce which Code of Conduct they follow, making it public? Then your client would only allow content from nodes that follow the Code of Conducts that you approve? It's a cool idea! I'm just not sure how well it would work in practice. Any node can say that it follows the UN's Code of Conduct, for example, but it could still serve CSAM and there's nothing to be done about it.

You can only block on your device. It could be done as I described in another comment, by subscribing to a blacklist of harmful nodes (identities?). It is different from moderation in the Fediverse, which is essentially Facebook/X like platforms with servers hosting content for others. This would be more like spam filters, ad blockers and safe browsing tools on your device. I think something like that could work, as long as you trust the maintainers to not start censoring legitimate stuff. One should be free to choose which blacklist(s) to use.

[LinuxinaBit]

I thought "node" was more like device? And "destination" more like website or ip:port?

You’re right, just not in this context.
mmarquez76 was talking about NomadNet nodes, which are like websites.

Still either way it doesn’t make sense:

• NomadNet nodes, website-equivalent
  • “Your website has to sign my website’s code of conduct”
• Reticulum nodes, router-equivalant
  • “Your router has to sign my router’s code of conduct”

I think it’s better to think of this code of conduct idea like terms of service on normal websites and put the responsibility on the service provider rather than a network.

You can only block on your device. It could be done as I described in another comment, by subscribing to a blacklist of harmful nodes (identities?).

That’s a fair idea, but you have to remember that new identities can be created at will so a blocklist would be impossible to maintain.
For NomadNet pages, a curated Amber-pages like list is far better, though in my opinion that would work best as a standalone NomadNet page people would visit like it was Google. This will probably become necessary as Reticulum grows anyway ;)
As for direct messaging, see #925 (reply in thread)

[joakim]

I see, thanks for being patient and explaining things :)

Yes, burner identities would make it impossible to block spammers, but I don't think that applies to nodes sharing harmful content. They'd want others to find their nodes, so I would think they'd keep their identity and destinations.

(Amber Pages for those who don't know what that is.)