 My proudly present our next speaker. He's done a lot of exciting things, and I will just give you some very brief examples. It's things like running a communication company in Iraq and Afghanistan. There are things about building a data haven on a platform in the Atlantic Ocean in the North Sea. So I'm very proud to have him here. Please give a warm welcome to Ryan Leke. Thank you. Thank you very much for the introduction, and it's great to be here. CCC is my favorite conference out of all the conferences I go to. Great crowd. First day, it's already really exciting, so looking forward to it. So I'm going to talk about data havens from Havenco to today. Just a quick overview, who am I, what's a data haven, where do they come from, why have they failed, and then some ways to be successful. I really like this idea of having a conference track on things that have failed, because normally people are ashamed to talk about things that have failed or try to minimize how much things have gone wrong, and it's really the only way to learn. The only way to learn is to make mistakes, and it's better for someone else to make those mistakes rather than you, rather than making them over and over again. So just as background, I've been interested in crypto and eCash specifically, anonymous electronic cash since the early 1990s, the cypherpunks mailing list and a bunch of stuff like that. I started the offshore data haven Havenco, which we're going to talk about in 2000, with some friends of mine. I then worked in some war zones doing satellite communications using some of the experience I had from the Havenco operation. Then I did a trusted computing startup working on trusted cloud computing, and now I work at Cloudflare, which bought my trusted cloud computing company. So first thing is what is a data haven? A lot of people use the term, they use it for different things. We're going to talk about the Wikipedia definition, which is now I would say the canonical way to find the definition of something, a refuge for uninterrupted or unregulated data. So that's really two parts, and there's a lot of factors that go into it. Uninterrupted meaning against natural disaster, against normal service interruptions, things like that, but also against active attacks, censorship, things like that. There's a concept of regulatory arbitrage where you have one set of laws in one place, another set of laws in another place, and you're trying to pick and choose like which pieces of law are the best for you and the best for your operation. And there's all sorts of traits that go into a data haven. There's a physical, legal, operational, cryptographic. Data haven could be both a physical data haven or a software data haven sort of cryptographic approach or some combination or hybrid approach to those things. So the origin adds with a lot of things. Before someone built one, people have talked about it and thought about what could happen. Fiction, science fiction is generally a great predictor of science fact and science fiction has talked about this for a long time. There's also analogies in some very similar fields that are outside of the data or data processing world that are very similar. And there were some people doing data havens at least in some sense before HavenCo. But HavenCo is really the first purpose built physical data haven that I certainly know about. So in fiction, there's some great science fiction. As we move down this list, they get more and more precise. Early on it was more about the concept of crypto software things. Then it was sort of passing references to it. I would say Islands in the Net by Bruce Sterling, which is a great book, is probably the first story that really references data havens and multiple data havens and how they interoperate. If you haven't read these, all of these are great books. They're part of like the canon of science fiction. So I would definitely read them. Cryptonomicon has a really interesting history with HavenCo. It was started probably 98 or so he started writing it. I didn't find out about it until after we'd already started HavenCo, but they were sort of completely parallel evolution and huge numbers of weird parallels, like people's names, a lot of factors about it were very, very similar. So I guess it was just the right place at the right time. And then as you move down this list, Damon and Freedom are probably my two favorite sci-fi books. They're very persistently referenced to the idea of software that can't be terminated, so it solves this uninterrupted problem. But I would say that now data havens are like a concept that's used in fiction quite frequently. And then there were some analogies that are outside of the sort of data processing world. Free trade zones in countries, I think UAE is probably the biggest exponent of these, are a great analogy where you have a country that has one set of laws, but in a certain geographic area or a certain set of entities they're allowed to have different laws. And the idea is that foreign businesses will locate there, take advantage of these favorable laws and they wouldn't otherwise have been in the country and it doesn't affect the country. There's also the concept of offshore banking, the whole theoretical Swiss bank account where you are a political leader in some foreign country and you embezzle a bunch of money from your country and send it off to another country. Or you live in a country that's horribly repressive and will take away all your assets and you store them in a place like this. It's really a value neutral kind of thing. The concept of tax havens, I mean people talk, at least in America, a lot about the way Apple shelters a lot of their income through foreign entities even though it's earned overseas, but these have existed for a long time. And then shipping, I think basically all ships of large commercial ships are registered in a small number of jurisdictions that are different from the beneficial owners of that thing. Like Liberia, countries like that have huge numbers of ships but don't really have businesses there for them. And that's just because they have very favorable laws. And then there's gambling centers. Like Macau next to Hong Kong and China is not really catering to the local Macau population. It's people flying there to gamble. So there's that. And then there were some Data Havens pre-Having Co. So they're like the late 80s, early 90s, mid 90s. Now, where's community? There was the sort of like top site system which these were servers that were relatively well protected by usually being run by an admin on the side or something like that. There was a company Offshore Information Services Limited run by Vince Kate, who is one of the top people from the cypherpunks community creating this kind of stuff. He started a business Offshore before almost anyone from the US had considered it in this field in Anguilla. He was actually my next-door neighbor while I lived there. He had, it was a relatively small business. He had a bunch of like car batteries as a UPS and a 10 base two connection to me and a T1 connection or 1.5 megabit connection. And he had a couple of really big clients but this was to some extent one of the first Data Havens because it hosted data from the US that was under US law not allowed to be retained for a period of time. It basically was a driver's license database from I think the state of Texas where they couldn't retain the documents longer than a year but there was this other company that would retain them forever and let people search against them. Again, value neutral. And then there's the whole like dark period of the 90s which I'm afraid we're going back to where crypto software was banned from export or at least you couldn't give it to a foreign national. So effectively you had to do all your crypto development if you wanted to be open outside of the United States. And we're sort of going back in that direction with the exploits world. But in that case you had to be outside of the US and a non US citizen to do a lot of this development. There was a system that Ross Anderson from Cambridge had, Eternity and then a few people two of whom are on the possibly Satoshi list created versions of it and I created a pretty bad version of it. Tazry Webber, these are all software systems at the end and then of course there's the concept of availability from a high end data center. You've got great data centers where people spent 365 man in San Francisco two billion dollars building this data center. The idea being that it'll stay up through any sort of disaster. It's isolated from earthquakes. It's got a bunch of diesel fuel on site. Of course there was a software bug in all their UPSs so they all crashed at the same time but yeah, minor data. And there's been uses of this. Censorship resistance is the first thing that most people think of when they think of a data haven they think of data that someone's actively trying to shut down. But part of it is just uncertainty like until very recently we're still ongoing we don't really know the legal status of things like Bitcoin. So if you can pick a place that has decided what the legal status is it's a lot less risky. And there's also just durability and reliability. If you're spending a lot of money to have a service that needs to be up all the time you probably don't want to host it in your basement. You want to find a physically secure facility for it. And there's a lot of things. And then there's of course choice of law. Like gambling in the US is a super big problem to have any connection to especially recently purely for protection of the big existing casino industry. There's no moral really issues with it or anything particularly but you can't have any of that stuff touch the US. You have to pick a jurisdiction where you can. So then there's this place called Sea Land. So World War II anti-aircraft fortress in the North Sea which if you just take that statement it's crazy. So during World War II the British had a problem with German bombers coming in and bombing London. So they decided they wanted to intercept them not over London but over the North Sea. They started building these floating platforms out in the North Sea or not floating but their anchored platforms in the North Sea. And these sort of got left behind at the end of the war and they were sort of legal curiosities. Most of them got torn down and one of them didn't. The UK also did not have commercial radio. So people were doing pirate radio broadcasts from ships. Then they started cracking down on pirate radio broadcasts from ships. And so people started moving farther and farther out and they eventually started looking at places like this. As far as I know they never actually did pirate radio operations from this particular fort. They did it from other locations. But it was basically this place that was in at the time international waters occupied by somebody who declared it sovereign. And that if you look at international law which is kind of crazy is how you start a country. And so it's probably maybe sort of a country under the technical definition although the population is very small, territory is very small or some other things. No one really cared about it because it was a relatively upstanding British family that had it. They didn't do anything bad with it. They didn't really cause too much trouble. The British are pretty accommodating that kind of thing. And it was sort of the interesting legal curiosity but that was about it. And then we came around. There was this set of people who will name who had done business in various places, Anguilla various other places and thought, oh, Sea Land will be a great place to do a data haven and went there. So that's our story. So the founders are Sean and Joe Hastings who have done crypto software for a long time. And me, we'd worked on crypto software actually in Anguilla about a year apart and worked from there for the ITAR reasons. Samir Parekh who was the first SSL licensed vendor in the US in the 90s and Avi Friedman who was an early guy working on internet stuff and then at Akamai and a bunch of other places were very helpful early investors. And we had experienced firsthand with Anguilla, this little tiny country. It's maybe 7,000 people in the Caribbean that didn't really have favorable laws in any way. Just didn't have a lot of laws. And we just moved there because it was sort of a nice place to live sort of if you like Caribbean islands but there was no internet, shady legal system, all sorts of stuff like that. So purely by accident, basically we were all there at the same time. So one of the things that happened was one, it was really boring. I don't really like little Caribbean islands. I'd be much happier in a place with lots of fast internet. And it's one of those tourist places where you're only busy in one month out of the year. The law was unsettled in a lot of other places so we couldn't really go there. We looked at some other countries we might be able to go to. Oh, so we left, we left Anguilla. We rented the house from a government official's brother at an above market rate and then the other political party got elected in and none of our work permits were valid anymore so we basically got kicked off. It was exactly what you'd expect from a tiny country like that. So we all left and conveniently we're all in Oakland again, so Oakland, California. So we were like hanging out, trying to figure out what to do next and like, oh, we can't go to another little Caribbean island or something like that. We have to find some better solution to this thing because we all wanted to build anonymous electronic cash which is I would say probably the most difficult application to build. It meets all the requirements later in the talk. So we were looking at either existing countries we could use, free trade zones we could possibly negotiate with certain countries and then this concept of microstates. So places like Sea Land, there's a place in Australia, the River Province, all sorts of legal curiosities. We found this book called How to Start Your Own Country which was a Loom Panics Press which is sort of an alternative slash interesting stuff press and they published it. They mentioned Sea Land, we contacted them and did that but one of our other rejected ideas was to get a bunch of ships, accept toxic waste from a bunch of countries, put servers on the same barge as the toxic waste such that they couldn't really do anything to the barge without causing like an environmental catastrophe. So, yeah, that's the, yeah, yeah, yeah. I'm kind of glad we didn't do that actually. So we found this place called Sea Land and emailed the guy, it was a family that there were like two people living out on the place part time and they ran a fishing business in the coast nearby. So it was basically disused. It had a lot of stuff left over from World War II, like they de-milled it right after the war so there were no like actual useful weapons or anything on it but it had like tools and a bunch of stuff left over from then and it was about 5,000, 10,000 square feet falling apart, lots of issues. All the rooms look sort of like this, if not worse, this was actually one of the cleanest rooms and they did have guns but they were these like four-inch deck guns or something that were like rusted solid and ended up getting cut and thrown over the overboard. And this is sort of a layout of the thing. It was a structure, two cylindrical towers on top of a concrete barge. The whole thing's made out of ferrous cement and a superstructure. There were at 1.300 people living on this thing. The most we ever got on it was about 20 but usually around two and it was everything you would fear a 50 or 60-year-old sort of abandoned sea structure would be like, yeah. So they assembled it in place and they sunk it. It was pretty crazy and it was decorated in high British fashion, yeah. So yeah, and that's where it is. It's, so they changed the law on what international waters were. It used to be three nautical miles and you were international. They changed it to 12 but it was after the declaration of sea land being an independent country. So it's probably okay but it just adds lots of uncertainty. And if you see the town of Felix though, we had a six-story building there that we beamed our communications using a point-to-point wifi shot too. So it was pretty close to shore, not that far but the North Sea is not a fun place to be on a boat. So there's sort of stages of the sea land Haven Co. Adventure. All the sea land stuff that happened before I got involved to happen but not a whole lot happened. There were some crazy legal things but not very much physical infrastructure. During the starting-up phase, we did a lot of physical stuff and then we set up a business structure in parallel and I was like 19 years old at the time. This was also during the first dot-com boom so we didn't really have a lot of precedent to sort of copy things from. It'd be really easy to do most of this stuff today and technology was not quite where it should have been but yeah, this is the structure as we went up to it. This is actually an older photo where a newer photo has sort of gotten cleaned up a little bit but it was this basically bare structure. Getting out to it was on these little rigid inflatable ribboats and you would lift the entire boat out of the water using a crane which was an exciting process. I learned to use Pelican dry cases because if you don't then your stuff gets wet and it was really fun when you have a non-backed-up Sony Vio laptop to have to like disassemble it, run everything through deionized water or the closest thing you have and then like remove the electronics board from a hard drive because your only copies of keys were on that because somebody had taken your laptop out of the dry bag. But yeah, so things like that. This is what it looks like when you're getting carried up and it's really small from the air. Helicopter trips out for this thing because it's an offshore structure were like 3,000 pounds so about $5,000 or so each trip because they have to be twin engine and everything else so we would only really use a helicopter if the press were paying. If we were doing it we used these little boats or we used a fishing boat. This is sort of the process of getting winched up. In some cases you wore a harness and it would get attached to the back of your head and that and later we added a 500 pound concrete ball as ballast which made the whole process even more dangerous because if that thing hit you, also the sea is pitching up and down like 15 feet so there's a timing aspect to this. It's yeah, crazy, yeah. So the really interesting part is the data link. So this is the first thing we set up. This was a tachyon 1.2 meter dish. It's part of a V-SAT network which I later worked on that kind of stuff in Iraq and Afghanistan. You could get maybe two megs down maybe a quarter meg up and it was a shared network across a lot of networks. The interesting thing about this is I'd never really set up a satellite network before and there's this whole polarization angle thing where you have horizontal and vertical polarization on signals. It turns out that the alternate polarization was actually the credit card processor for all the gas stations in Europe and I didn't have the thing turned correctly so I blocked out satellite credit card processing for like 10 minutes when I first set this thing up which was kind of scary that you can do that with like one small satellite dish but so that was our sort of a backup link because V-SAT systems go to geostationary orbit and there's about 600 milliseconds, 1,000 milliseconds of latency added which is not so great for communications. Then at the very top of this, sorry I didn't have any better photos. I didn't take as many photos back then as I should have. There was a microwave link. It was originally a Wi-Fi link. I think it was an 802.11B link with a PCMCIA card and a bunch of cables and a bunch of like completely hacked together junk going from this to the building on shore. We later replaced it with a $30,000 four-byte E1 system for no good reason that didn't work as well. So yeah, the Wi-Fi version worked better. Way better and then we had free BSD boxes sitting on shore that had E1 cards because I was really anti-Sysco at the time because I wanted open source routers so I ran everything on Zebra and free BSD boxes and the whole thing was like crazy because we didn't have enough redundancy in power cycling so there were times where the power would go out in this building or something would crash and we'd have to like take a boat to go to the location. A bunch of times where I did like a make world upgrade without it working and the machine wouldn't come back up stupid stuff like that that I would never do again. But you can make this work with like really crazy stuff. Today you could do this with, you're actually within range of cell phone on shore so you could just put a cell phone data card in your laptop and do largely the same thing. The way we set up our network was actually intentionally this way we had a transport session that went between us and London telehouse and another peering facility so that we publicly peered with people in these high bandwidth locations. We did a lot of filtering and then brought it back to HavenCo via links that we controlled that we could obfuscate because those links were much harder to replace that's something I talked about in a little bit. Okay so we did launch. There was this Wired magazine has like a four month lead time on publications so we were telling them what we were going to do in advance of actually doing it because it had to be ready like we wanted it ready before the press hit so there's a lot of speculative stuff. Probably the dumbest quote was the nitrogen filled data center quote where conceivably you could do that but we had no money to do that kind of thing. So we had a secret plan to all of this which was to get a lot of press and using all that press in the peak of the market be able to negotiate with another country to set up the second version of this because our thinking was that doing the first one of these would be really hard to have any country say this would be a worthwhile thing to do but getting another country to say oh we'll be the backup site for that would be really easy. So we'd get like a more real place like say Hong Kong to be our secondary data center and then once you've got two you can do like 10 of them really easily. So that was a reasonable plan I think but we didn't get to that point. We got about 300 major press articles we had press flying out there all the time it was a height of dot com frenzy but even at this point it was team disorganization and stuff. We had like a sales email box that we didn't answer we just let it like accumulate because we were arguing over which ticketing system we should use so we just didn't answer it which was yeah. Yeah. So yeah. And this is one of our launch photos and this is me and this is Michael Bates who was at the time the son of the Prince of Zealand so he was like the second I don't know what the royalty thing is but yeah. This is get more examples of lovely British decor for this place. Press. Cool. So as you can expect given this a fail talk there was a there's a crash. So there was the dot com collapse which I don't know how many people remember the details of it but it was multiple things that happened in a row. It was sort of bad in 2000 and it got a lot bad in 2001 and it was bad for different sectors. There were all sorts of crazy things. The thing I really remember is Nortel stock apparently if you had bought beer in Canada and save the cans for the collection like the deposit you'd have more money than if you had bought Nortel stock because it went to like almost nothing. So we ran out of money we thought we could raise more money we didn't have any more money we were burning two big 55 gallon drums of diesel fuel every day we had a lot of staff all sorts of crazy stuff like that. So we didn't have the ability to raise money from third parties so we sort of refinanced and we originally had a contract where we could buy all of Sea Land for about $5 million in six to 12 months after launch thinking oh it'll be really easy to raise whatever number of millions of dollars and today or in 1999 that would be true not true in 2000 2001. So and instead we ended up bringing the Royal Family of Sea Land in as a partner they had run this place since like 1966 it was their main asset their main pride and joy they thought about it a lot so they thought about this entirely differently than we did. We were willing to push the limits on one data center in order to expand the model to things like that they were much more conservative which I can't really fault them for and then we ran on a shoebox budget my friend Avi one of our investors so he put in I think like a million dollars or so originally and then every time I'd fled to Boston he'd give me a bunch of cash like a bunch of cash like 10 grand or something and I would use that to pay bills and we didn't really keep track of it it was like the ultimate thing you don't do with investments of like throwing good money after bad how he just kept it running which was awesome of him but yeah not a good financial decision. Then so we basically run out of money peak we're spending like 30, 50K a week or so on renovations and then we got down to the point where we had to pay for things from our server hosting and we had maybe like a grand left over every month we had this food which was mostly left over from pre Havenco days and this was yeah yeah it was it was exciting of those things there's some corned beef from Argentina that is actually the most wretched thing I have eaten and we ate like most of the stuff yeah place so as far as servers go these are a bunch of seller on 533 boxes we had this I think fairly justifiable fear that if people saw how little infrastructure we had and nobody would actually buy anything this was our showcase data room of what the rest of the rooms would look like this was in fact the only one so yeah it got a little bit more populated but this is about like two thirds of the peak very small number of servers some UPS is we got a bigger UPS later but all basically free BST and Linux stuff pretty reasonable but yeah very very small scale we never had more than eight megs of bandwidth going to the place we had aggressive caching and then much more aggressive caching after I left which is an interesting story this is about peak capacity so yeah sitting in a knock the rooms are 20 or they're like six meter cylinders so you've got a circular set of desks around them in this room and that was where I spent most of my time mostly on IRC which is the main thing you do when you're on a little island like that yeah so speaking of aggressive caching so we had this whole model where we would host things where rather we would host things on sea land and then we would have peering sessions and transit purchased in places like London telehouse and a place in New York and then we bring the transport back those edge boxes are really tempting to use for caching after I left which wasn't on the most friendly of circumstances in the end of 2002 I think they decided it would be a lot cheaper to just not have anything on sea land anymore and put everything in those locations and not tell anyone it was really obvious for two reasons one the ping-times were zero milliseconds from the edge to this normally it's about two milliseconds by speed of light and then there was a huge fire because the original structure was all like ferrous amount and everything else the new generator room which they stored a bunch of oily rags in was made of tar paper and the predictable thing happened after like five years I don't know why it took five years but eventually completely caught on fire it was a huge fire and nothing happened on the servers so yeah there's that so given many I would say the failure here was over determined so we have lots of reasons why it failed and we need to sort of like piece apart why those things are some of them are totally idiosyncratic to a tiny platform under sea those are less interesting unless you for some reason want to build something on a tiny platform under sea there's other things that are much more general as data haven issues the core reasons were economics the product itself wasn't all that great and to be honest we were not the greatest team none of us had any experience running large businesses or even small businesses or really anything and then we did have the market like it's really lame to blame the market for it but I think the 2000 to 2001 collapse in bandwidth prices was a fundamental driver so what happened is we had an inherently high cost which was totally fine in 2000 there were two reasons for high cost it was high cost because it was on this little tiny platform it was also high cost because we didn't have any scale when you're buying 8 megabits of internet and transporting it over E1s you pay a pretty high cost per megabit if you're buying 155 which is what we'd originally ordered the cost per megabit is a lot lower and then we have the issue that in 1999-2000 the price for I guess Akamai service was like 2-3 thousand dollars a megabit per second effectively transit was 1-2k or something a megabit then the market collapsed and people would start selling below their own cost sometimes they'd sell below their marginal cost which is crazy but usually bandwidth doesn't have a marginal cost so basically like the market price went to like 10 dollars and our cost was 500 and we'd build everything on like 3,000 so that was a serious problem and then there was another additionally serious problem is we were missing some key components to make this a great product and then we didn't have any money to do anything differently because we only had only 8 megs we had to really ration bandwidth there's a lot of cool stuff you can do that you'd want to have more bandwidth for so you had to have physical servers and one server per customer was like a crazy thing the biggest problem I would say is we had no way for our customers to handle payments if you were a purely cypher space business you still had to go incorporate somewhere to get a bank account to accept credit card processing there was no bitcoin back then and I proposed at the beginning of this thing that we fund building anonymous electronic cash as the first enabler for this thing because if you have anonymous electronic cash and a secure place to put your server anywhere you can just have a key as your thing but we didn't do that and then we never really found a single really solid application for this thing so all the things from doing startups that I know you shouldn't do we did and then the team and structure issue fundamentally the issue was that the sea land people were more traditional much much more legally averse to risk uncertainty things like that and then there was me and I was very willing to push the limits on stuff because I just walk away from it if it failed so like I was trying to get to success there's a whole model in like venture capital where it's okay to fail like a hundred times if your one success is like a 10,000 time bigger return so we were pushing for that kind of thing and that isn't the kind of thing you do if it's your house basically then we headed lots of internal team issues politics like that and also it's just boring like this place was like five or 10,000 square feet it was kind of cool when I got to like leave every week or two but there was a period where I was out there for six months because I didn't have any money to go anywhere else so I was basically living on a tiny little one run a tiny little platform there was one other person there who was like a security guard like a 60 year old British guy security guard and I arranged to have like an offset by 12 hour shift from him so I would not actually see another person for like three months at a time it was probably not the most psychologically awesome thing to do but I had IRC so that totally made it better yeah so there's things that you would expect from building a data haven that would be the reasons for failure and they actually in our case were not reasons for failure we don't know that these things are not reasons for failure in general but they were not our reasons for failure maybe we didn't get to them maybe we were lucky so legal or regulatory pressure never actually was an issue at all we got some very very cursory legal threats type things but they were mostly from civil things we didn't host anything really bad we had a very correctly chosen for the risk model we had acceptable use policy so no spam no child porn no hacking other people's servers and I think we added no terrorism on 9-11 it wasn't really a thought before that and that was like the entirety of our acceptable use policy we were sort of in the gray area about copyright we also had the benefit that our cost was so high for servers that you would not be able to put a file sharing server on it and have it be profitable if we had much lower costs that would have been a common issue there was no real competition for a physical data haven at the time there were secure facilities but there was no data haven as such and no one had a great software replacement for this kind of thing no one hacked us as far as I know we had very little infrastructure ourselves so it's unlikely that that got hacked some of our customers might have gotten hacked but we wouldn't know but there was no like major hacking incident or anything and there were no fundamental technical issues here getting banned without to this place would not have been that hard with like five or ten million dollars versus two million dollars a lot of things like that so these weren't really reason to failure but we don't know if there's these are the things that I'm much more concerned about or is there an actual demand for data center data haven type services I think there is but we don't really know for sure how can you make a viable product that people actually be able to pay for like there's plenty of people who would love to have a server that could never be shut off but are they people who will be able to pay for that service at the cost required and then the biggest problem with this whole thing is it's really easy to have like one or two like float below the radar if you've got some services that don't attract any negative attention you're fine until you have like lava bit or something hosted on you and then legal stuff happens so basically the more successful you get the higher the odds of some horrible incident happening and then having to resist it which is sort of the opposite of a lot of other models where the bigger you get the easier it is to be successful so that's a that's a fundamental thing and there's a question of can you do this better in software if you can ever do something in software rather than offshore data havens it's totally worth it and then the other question is even if you can do all this stuff should we do it like not everything you can do should be done by people I think free speech trumps the other disincentives to doing this thing so I think data havens should exist but it is an open question and people have different opinions on that so we're not the only data haven there have been data havens since then and based on the earlier definition there's different ones so I would say that a conventional great data center like a tier one or whatever facility is a data haven in terms of keeping your servers available you're subject to the laws in whatever country you are and the nice thing is like the U.S. has great laws for certain things Ireland Germany have great laws for other things and you can pick and choose your application there's the company called the bunker and there's a couple other things where they've taken World War Cold War bunkers and refitted them as data centers they're in the countries that have certain laws so either UK law or Swedish law or Swiss law are the things like that but they're nice facilities they're generally have weaker network connectivity than the center of town data centers like Tallahouse would so there's a trade off there there's a bulletproof hosting model so there's this whole world the other role we had was no spam speaking of bulletproof hosting the response URLs that people go to from spam get shut down by people all the time where URLs get shut down all the time there's this concept of a bulletproof host that will stay up against this kind of attack usually the term bulletproof host is used specifically around this kind of like nuisance type stuff versus free speech but you could use it in any way and there's a famous company in the Netherlands that was rated and has some crazy stuff and then there's distributed software systems and there's application specific systems that are designed around redundancy so yeah this is a two billion dollar data center in downtown San Francisco which is later got sold for like twenty five million dollars or something there were the generators rolling out this is an awesome facility Pionin Bonoff data center which I've never been to but I'd love to get a server there someday Tallahouse the probably the premier internet interconnection center in all of Europe which is also great I used to live like five blocks away from that place which I thought would be awesome but it's actually more of a pain to move a server five blocks than it is to move it like across town because you feel bad about taking a taxi that distance and you can't really carry it so it was not a good decision and this is the bunker the cyber bunker sorry the cyber bunker so there have been successes so Havenco not a complete failure we did accomplish the goal of like making things popular eyes and things like that but it was not a commercial success in any way I lost like a quarter of a million dollars by spending a bunch of money not getting reimbursed on credit cards which is not awesome but there have been people who have been successful Bitcoin as far as we can tell so far like it's not the finished book but like it's been pretty successful Pirate Bay has been successful sort of like they've moved their servers around and have been relatively successful BitTorrent has been incredibly successful at keeping things available but has not been commercially terribly successful WikiLeaks has remained online despite doing stuff that the most powerful governments in the world don't like and the really exciting thing they did was its insurance file concept Silk Road was I guess there's an asterisk so it was basically successful technically except for some user admin issues or something and Tor has been pretty successful especially hidden services which are relevant in this case so really if we so we don't want to just like blindly do the same thing again we want to do figure out what went wrong and fix it so how not to fail you want to think about your application model for the technical side of it you want to think about who your threats are and the adversaries you definitely need to think about law business model and useful technologies that can help you so as far as application you want to do as little hard stuff as possible ever you always want to do easy stuff and you want to make sure it's like the I guess I could use a Sun Zoo quote or something but you always want to meet the enemy on a ground where you control what's your advantage you don't want to fight in your weak spot so do things that are easy like static data is pretty easy to keep resistant from censorship you just make lots of copies and it's also resistant against accidental relation whatever so if you have a lot of copies the cool thing with the insurance file is distributing widely an encrypted file and then distributing the small key later because basically they won't censor it because they can't go back in time so it's kind of awesome you end up with a lot of general distributed systems problems do you need to have immediate consistency some sort of global lock can you do eventual consistency all these things that like computer scientists deal with and then web application developers and application developers deal with are super relevant in the data haven world and then there's the hardest thing possible is to build a legacy so you can't build a custom client you have to use like a regular web browser globally synchronized transaction system that is the hardest thing to build so if you can build a data haven that will work with that model you have won maybe threats and adversaries depending on who your threats are there's a lot of techniques you can do and they're different against different people if you're worried about a government in the Middle East government in Africa something else going after your community your global diaspora community for human rights stuff put your servers in a place like Germany or in the United States because those governments will be happy to stand up to a dictator at least as far as not giving them the copies of your data you can split apps across jurisdiction I've seen as I did the work in Afghanistan just doing like satellite internet for people but I got to meet some of the law enforcement people and see the trouble they go through when they're trying to deal with servers that are in multiple jurisdictions in a lot of cases they don't even bother if it's in a particularly difficult jurisdiction like say Eastern Europe but if you can make that so it's like the Russian dolls problem of multiple servers they get bored pretty fast and you can use disposable finance which has been sort of the WikiLeaks model where the pieces that you have the most of and that you can easily replace you make those pop up those are the only things that are exposed and then you have servers in the back end your big data repository processing that's much harder to replace you keep shielded and then you minimize the bulletproof computing base so it's sort of related to trusting computing base where the parts that actually need to be resilient against all these attacks should be as small as possible for the application laws and politics these always change I know much more about technology than I do about laws but the issue we had in the 90s was that law wasn't really settled we had both and there's a concept at least in common law countries of like black letter law and then court law or case law there were lots of cases where there was neither black letter law nor case law now at least there's case law and a lot of cases there's black letter law about it but there wasn't a lot of that stuff back in the day then while sea lands was still going on during terrorism I woke I was like a sleep I'd gotten in like a weird sleep schedule so I woke up at local 3pm or so which was like an hour after the 9-11 World Trade Center attacks woke up saw the TV of like these things crashing in and thought one that sucks and two whoa they're going to completely ruin like any possibility of doing offshore data having stuff so I set up an anonymous remailer later that day and a bunch of other stuff that like pushed the limits a little bit more but it was pretty clear that terrorism is going to get used to beat down any form of anonymity even for things that are totally unrelated to terrorism in the 90s we had the four horsemen of child porn money laundering terrorism and tax evasion and it's a lot easier to scare people with terrorism so we were afraid of that the other thing is you want to have a preemptive positive legal campaign if you are behind the curve and the first thing anyone hears about you is something negative like you're used for child porn you have lost no matter if the law is on your side they'll just change the law they'll change the interpretation or your funding will get pulled or something like that you want to make sure that you've got good stories out there of like how you're helping people escape horrible situations things like that first and then you pick some cases that have really good optics so you help open source projects you help like the overseas diaspora of a country where the country is monitoring those people's communications thing like that the other key thing which I think these are all fairly obvious the one that I thought was the most useful is pick one known main adversary one threat and make sure you can defeat that so in our case we could pick something like gambling and we could be the awesome place where you can host your gambling servers no one really cared about gambling except for the US government and they were 5,000 miles away from us so we didn't really have to worry about them very much we would not have picked something that a lot of countries hated or that the British specifically hated because they're much closer to us so pick one thing to do and just do that thing rather than like and taking on every every other country in the world then there's an open question about business model you really want to have a working business model before you scale up your business so keep your costs low in building something like this so you can pick a model a lot of the problems are the interesting customers are usually not really able to pay very much the boring customers are slow to move so you can get interesting customers with not a lot of money early on but you can't really serve them unless you either have a lot of money or have very low costs and there's that the non-intuitive thing is to build a system that works really really really well for one specific application so you could build like anonymous re-mailers or one of the most secure effective against very high level threats systems out there because they only dealt with email whereas Tor has a much harder problem because it deals with arbitrary protocols so if you can build a single application that you know a lot about it's pretty easy relatively it's much easier not pretty easy and then solve something that's on the efficient frontier of risk and value don't put like hundreds of millions of dollars into solving something where you're only like a tiny bit better than somebody and you don't spend a lot of money to be tiny bit better or spend a lot of money but be amazingly awesome at it and then cross subsidize if you build a system for your own application you might make really high margins on say offering email addresses and stuff where the hosting can be higher than it is at other places because you have less costs for other things and then hybrid solutions where you have like a P2P model a software system and a data haven that are working together or things like that where it's not an objectionable application use that to demonstrate your technology and then build something else later so there's a lot of useful technologies that didn't really exist in the late 90s when we were doing this stuff that do exist now Tor, one of the more useful tools here a lot of people talk about it there was no point in me talking about Tor heavyweight clients there was a period in the early 2000s where it was basically just web clients no one wanted to run local software on the machine and it was sort of before JavaScript was at a real client there two things have killed that model one Ajax JavaScript stuff so you can build a pretty heavyweight client in a web browser even it doesn't require network access even better you have mobile phones and things we can have an actual application so we've gotten back to the point where you can build an application that has local state which lets you do much more interesting protocols and you can build new protocols there you can build a protocol that's much more resistant to censorship than HTTP to a static address and I'm a big fan of message if your fundamental task is message based you can pass these messages around like in the UECP model or the anonymous remailer model rather than opening a pipe it's much more anonymous much more secure much more reliable than that and use latency in that kind of situation to your advantage however there's a bunch of missing technology so we still have not I would say solve the anonymous electronic cache problem Bitcoin is a decent system but is not anonymous certainly not anonymous against determined effort to find arbitrary transactions not anonymous by default so zero coin and some systems like that might be sufficient I'm still a true believer in Chami and electronic digital blinded cache it has a long and kind of sad history but I think someone will eventually do this and it'll be successful I think we also need to reboot the anonymous remailer network I mean one of the sad things was Len Sassiman was the main remailer guy and he's no longer with us so we don't have a remailer network that is as good as it was in like 2003 so we need to at least get back to that level and maybe build something better and then cloud computing if you're building all this stuff for data haven and then you've got AWS as your back end for your application it's really easy to send a subpoena to there or do whatever else having a trustworthy cloud where the operator can't modify your computing would be great and it's not really cost effective to have dedicated physical servers for each machine especially in an offshore data haven so there's that and then secure client devices as we've seen with the silk road example no matter how great your server security is if your client device is captured unencrypted or whatever else you've got serious problems so yeah that's basically I have a bunch of URLs this will be up on the web somewhere a lot of stuff there's a bunch of articles some interesting legal analysis of this that has been done by people and that so yeah data havens have existed in concept and practice for I would I think there's probably examples in the 50s and 60s certainly from the 70s and 80s and genuinely mixed results so there's lots of work to do in the future I'd be very interested in any questions or comments or anyone has we have about 15 minutes left please use that thank you very much so any questions anyone okay a question from the internet in his opinion a bit louder please does the unwanted intention drugs politics and poorly supervised business and data redundancy models like cyberbunker outweigh the benefits of a data haven please repeat in your opinion does the unwanted attention drugs and politics and poorly supervised business and data redundancy models like cyberbunker outweigh the benefits of a data haven I think the need for data haven in 1998 was very very clear because the laws would not allow lots of very legitimate applications in September 10th 2000 I would probably maybe have answered the other way that laws in the US and in Europe were pretty good at the time however Patriot Act, RIP in the UK lots of things have been pushing in the other direction so while there are severe negatives to spam abusive use things like that I think actual legitimate free speech use is sufficiently at risk that the value of data havens is if not absolute today yes there's very easy projection where it is so I think we need the technology even if we use it for the equivalent of better latency reduction having servers close to people we should build that and then please if you leave the room now please leave silent thank you very much and take your garbage with you please on a scale from 1 to 10 how much bullshit would you say is in the ecosystem around bitcoin and blockchain technology right now and also in the startup world in general alright yes that is a good question 10 being the most okay so I think there is clearly value in both a lot of the startups and in bitcoin bitcoin is an awesome solution to distributed systems problem that has been open for a long time bitcoin itself as a currency does not really personally excite me I own 2.3 bitcoin after winning a bet about the North Korea hackers and Sony thing so I'm not I think it is not the final system I don't think bitcoin as it is today is going to be the system that does everything we want it to do but I think it is going to be an anonymous electronic payment system or some form of value will and that might be blockchain it might be bitcoin over time it might change and yeah there is a lot of hype with startups but especially in Silicon Valley where it seems like everyone does it by default but there is also a lot of value the contrary to that is look at the big companies and how much innovation they have it seems like they have outsourced all of the innovation to startups that they then buy so maybe it is a fundamental shift there is a lot of good and a lot of bad and we don't really know maybe there is another axis like an eye axis or something here have you considered the benefits of distributing decentralized config set up just like the pirate bay did while the servers were taken down from everywhere they popped up because I think that superior states like the United States they would just bomb Zeeland it would be a great threat to their geopolitical agenda if it didn't have public support and military to pack it up absolutely the level of protection you can get from a physical location is up to how angry you make people that have the ability to bomb you hosting gambling servers never would have gotten to that point the weirdest thing that I learned was there is a lot of stuff that is legal in set of country A and a lot of stuff that is legal in set of country B but I guess I can talk about them now but we had a customer that did this weird bidding or betting on porn images so porn in countries that are okay with gambling is usually bad so there were very few countries that had both porn and gambling being okay you'd bet on which of six soft core images would be popular the most popular among the people that week and you would then win if it was the most popular thing which is actually pretty awesome I think it would be a fun thing to recreate but they couldn't find an acceptable porn jurisdiction that was all in one but no one is going to bomb us for that yeah I agree the people like WikiLeaks I am certain that if the US government could quietly kill the people involved in WikiLeaks and not get caught for it or not be attributable it would have happened so the only thing that kept people alive and successful was being distributed in that sort of system that is the most resistant system against a large set like that or finding a counterweight nation state like going to Russia is the solution they are not going to go to war with Russia over Snowden but they would have potentially done more pressure against smaller countries so there is a crazy geopolitical thing involved but the thing that got me interested in crypto when I was 11 or 12 years old was knowing that I was like in a house and I had very little resources I could do something that no one could undo cryptographically but what I found on my machine was enough that with the right algorithm you couldn't decrypt it even if you had all the resources of everyone that would ever exist in any part of the universe so that is a really awesome concept and if you can use that to your advantage yeah go for it but there is a lot of things you can't do that like transaction systems make it much harder to do it seems like in a way tour hidden services has achieved some of what you intended to achieve with HavenCo but that might be better than tour hidden services yeah tour hidden services is a great system within the security parameters of the tour network I think if you had a sufficiently dangerous application hosted on a tour hidden service or if you made a mistake you could compromise the entire tour system tour is not designed to resist a really determined active global adversary and that is the adversary that we face they are willing to modify packets they are willing to do whatever so I don't think you could run a long running tour hidden service with a tour network as it is today with something that the US government really really really cared about defeating to the point where they would break arbitrary laws for like if the location of Osama Bin Laden had been discoverable by defeating all of tour in like 2005 or so it would have been defeated so that's a partially problem system I think there are systems that you could build with feasible resources that would resist that threat I think the systems that would be the easiest to build in the most preasible are message based systems like anonymous remailer Tim may have this awesome thing Blacknet back in like the mid 90s where you would send anonymous mail to anonymous remailer it would then wait like a week or so and do some operation on it and email you back a response or send it to a use net posting group that's much more secure against a global passive or global active adversary than a connection-oriented system with connection-oriented systems you can just do crazy stuff like if you think someone is the the if you can list it like 10,000 people that are possible candidates you look at their travel patterns you arrest like 10 of them if they're high probability you see if the service goes offline you go after servers individually there's lots of stuff you can do if you're willing to be a bad person to uncover tour in services but it's an awesome system and it's like the it's the best practical thing we have today is please from the internet yes there's a question could an established multinational company theoretically build a data haven within itself currently yes so and multinational organizations often do have things that are very close to data havens like I think I've done a lot of computer security stuff for the past two decades there's a crazy fact of like if you're a regulated industry that has to meet a certain security objective like a government contractor a government entity somebody who has some external regulation you will meet that regulation but you won't go any beyond that regulation the people who have like an open ended liability if their things are compromised do actually in some cases an exceptionally good job of security pharma companies doing drug discovery work where the molecule is like the most secret thing in the world for them they have actually good security proprietary trading firms they keep their algorithms relatively secure against like compared to what I would say any government agency has done so there are organizations that do a pretty good job of this usually those are those are usually static data hosting systems not transaction processing systems and they're for internal use it's a much easier model because you don't really have to worry about censorship or denial of service attack or other action you just need to keep integrity and operation but yeah corporations internally can build very secure systems however most corporations as everyone is aware have pretty horrible internal systems okay one question here what kind of system would you recommend to watch out for in the future Zuko is working on zero coin zero cash I think that's public I hope that's the thing I'm personally the most excited about there's I think that's the most exciting system Tor, ITP will continue development I think they have to they're on a curve that is not going to get to where you really need to be for data haven unless they actually change or improve I think there needs to be some improvement and change part of that is coming up with legitimate applications so if horrible governments get elected US, Europe, everywhere else such that the need for data havens is increased and more people see it as a mainstream thing that we have to have we'll get great data havens however we'll live in a world that has really shitty US and European governments where people get like abducted and killed and all sorts of stuff like that it's not really a trade off I'd want is a data haven that's really secure in an environment where you don't really need them and that's sort of a fundamental quandary of if you don't need it what no one's going to spend the money doing it the best people in the world aren't going to work on it they're going to work on something like delivering faster traffic rather than more secure traffic so yeah okay one last question from the internet is there a data haven do it yourself how to online if not would you like to put on online and is there a data haven software as a service yes there is not a good document for this I'm working on I bought a couple cabinets of space and I'm building out what I think the best way to build hosting and just sort of like best practice for that will be I'll document all that and put it up but until we get a virtualization platform that can do remote attestation so I had this company before I joined cloudflare it was doing cloud computing where you could remotely attest to the integrity of a container and the VM and everything else there was no market for it it was very hard to build private core which got bought by Facebook was working on very similar stuff until we have better hardware platforms until SGX is a start with a lot of other stuff we aren't going to be able to build a virtualized platform that is secure enough for this kind of stuff and without that it's going to be very hard to make this commercially viable if you have to use dedicated hardware for every single customer it will be pretty challenging so maybe okay thank you Ryan okay for all the other please take your garbage with you and we will continue in 15 minutes memory corruption why can't we have nice things thank you