SUMMARY: We propose a partially decentralized market, consisting of perhaps a few dozen nodes, hosted and controlled by a closed group of market owners. The network remains usable as long as at least one node is up, and no more than half the ownership is under malicious control. Any number of nodes, or any minority of the owners, may be compromised without bad consequences. Buyers and sellers will preferably run a special client on their computers, but may also connect through a web browser and Tor only, with security properties similar to those of a centralized market.
Payment is made in Bitcoin or other similar currency, with the usual multisignature approach. Commission on an order is paid both to the node through which it was placed, as compensation for the cost of hosting the node, and to all owners in proportion to their stake, as compensation for the other work involved in operating the business (for example, evaluating new sellers, handling customer inquiries, or adjudicating disputes). If the market becomes successful, then ownership should become valuable. That ownership may be traded analogously to shares in a small private company, with its cap table recorded in a distributed ledger. That lets initial owners incrementally transfer control and beneficial ownership of the market to new investors. We think this structure does things that neither existing fully centralized markets nor fully distributed markets can.
BACKGROUND: A centralized market is convenient, and accessible even to users with very limited technical skills, who can place orders using tor2web and open WiFi in relative safety. No rational operator will run such a market forever, though. As the operator gets richer, the value of further income diminishes, and at some point no longer offsets the (also increasing) legal risk. The operator's options at that point are limited. A normal business could be sold; but a successful market is worth enough that few qualified buyers will exist, and it's hard to conduct a large one-shot transaction with an anonymous, untrusted party. Anyone trusted and familiar is likely to have ties to the original operator that increase the risk that the site will later be traced back to him. So at some point, the market is likely to disappear. If multisig is used, then it gets liquidated worthless, which is bad---the reputation that the market has developed is real value, and it's destroyed here. If not, then exit scam.
This has driven interest in fully decentralized markets. These are interesting---but we think they face legal risks greater than those faced by any decentralized system in current existence, and in most proposed forms fail to decentralize the core function of the market as a trusted intermediary.
The US government developed and continues to significantly fund Tor, and has so far taken no steps to limit civilian access to it. That seems at least slightly surprising, and we can only speculate on the reasons---perhaps NSA monitoring really is good enough to deanonymize traffic from certain high value targets, who will use it with a false sense of security, or perhaps government agencies use it themselves, and are glad to support drug trafficking if it helps mask their own traffic, or perhaps they really do just want to show people with censored access the open Internet, for the same reasons they fund Voice of America. Regardless, we don't see an obvious analogy to any of these justifications in a fully decentralized market selling illegal goods.
A market selling to the public necessarily must describe the products on sale in cleartext to anyone. That makes the illegal nature of transactions in a decentralized market much more obvious than, for example, in the Bitcoin blockchain. That also makes it straightforward for a node's operator to identify sellers of illegal goods, and decline to forward messages for them. It seems plausible to us that anyone running such a network openly will at some point be forced to do that, by something like a DMCA notice to a BitTorrent user but much worse. So the market should run over Tor, and any open developers of the client should dissociate themselves from the dark version of their network. That makes them likely to develop with goals that don't closely suit---or that actively inhibit---illegal transactions. Loss of anonymity from a JavaScript exploit is a low-priority bug for the operator of an open market, but potentially life-changing for his dark counterpart. (The exception to that might be decentralized services using their own currency, where the developers hope to profit from appreciation of that currency driven by popularity of the arm's-length darknet market. That still feels dangerous, if public information can show that many or almost all transactions in that currency are with sellers of illegal goods.)
Beyond that, there's nontechnical work involved in running a market. Amazon and eBay hire thousands of computer scientists, but they also hire thousands of customer service reps, who exercise human judgment in resolving questions and disputes. In a fully decentralized market, that work presumably falls to the escrow agent, a role that anyone can take on. That role has a winner-take-all character: all other things being equal, I'd rather use whichever agent has processed the most transactions (or burned the most currency for her "bond", or collected the most endorsements, or whatever other metric) in the past, because the reputation she'd be risking if she cheated me is more valuable, even if her commission is slightly higher. So that role seems likely to become centralized and valuable, with characteristics similar to those of a centralized market using multisig.
So we think:
- A decentralized market is obviously much more resistant to both technical and legal attack than a centralized one.
- The developers of all fully decentralized markets that we're aware of are working too openly to build software specifically suited to illegal transactions without putting themselves at great legal risk.
- It's at least as important to distribute the role of escrow agent as to distribute whatever stores the data set.
- Most casual buyers would rather accept a slight risk of losing money than install software beyond a web browser and maybe Tor. The service through which they connect can't be operated openly.
- The concept of an anonymous joint-stock company, with beneficial ownership both tracked and rewarded cryptographically, is interesting.
  - Just to be explicit, the "rewarded" part is what we find interesting. Everyone knows how to track settlement of anything in a distributed ledger now---but what makes that ledger entry valuable?
THE MARKET: Our proposed market exists as a set of hidden services, one per node---so a few dozen services. Anyone linking to the market is encouraged to reproduce the full set, or a random sample of as many as possible. An owner has two incentives to run a node. First, he gets commission for orders placed through that node. Second, those nodes are the face of the market to users not running the client themselves. A malicious owner can run whatever software he wants on his node, to steal buyers' money, or to just keep operating a real market but entirely for his own benefit. (This risk is faced only by a user connecting through a web browser only. Anyone running her own client will recognize and drop a malicious node without harm.) The owner has incentives against doing that: he will soon be discovered, at which point the other owners can destroy his stake in the legitimate network. That's still an argument to limit the share of transactions processed by nodes controlled by a given owner to some small multiple of his ownership share, which is auditable (since the other nodes know how many transactions are flowing out of that one).
An owner's stake is a private key. He never discloses that key to anyone else. The key may be used to sign a message transferring ownership of some fraction of his stake to a new owner, with that new owner identified by his public key, according to agreed rules. Initial ownership of the market derives from a public key hard-coded in the software. These private keys are stored somewhere safe, certainly not on the operating nodes or other servers at high risk of capture. A vote by some specified fraction of all users should probably allow them to destroy another owner's stake, since there's otherwise no remedy if a minority owner becomes malicious, and no way to maintain a quorum if owners disappear. The key may also be used to specify an address to which commission should be paid, or to deputize "customer service keys" to become valid for escrow and messages to or from the owners, for a limited time determined by the owners' trust in the people using them, of perhaps a few days, and perhaps a limited transaction count or dollar value too.
A buyer or seller's identity is a private key. She never discloses that key to anyone else. Sellers can post listings, any two users can exchange private messages, buyers can request transactions, buyers and sellers can comment and provide standardized feedback on transactions, and administrators can release transactions from escrow---so all the usual features of a market. Broadcast information (e.g., listings, feedback) is signed by the sender, and unicast information (e.g., messages, transactions) is signed by the sender and encrypted such that either the receiver or, in case of dispute, the owners and sender together can decrypt it, identically to a fully decentralized market. It may be necessary in most cases to let the owners read messages from sellers to buyers, to stop them from bypassing escrow and commissions. The keys used to encrypt unicast information should be signed by a user's permanent key and rotated perhaps every month, with keys older than the maximum possible time to complete a transaction discarded. That sets a retention policy, limiting the damage if a user's private key is accidentally disclosed. Nodes can discard outdated messages to save storage, but malicious nodes will exist and can always keep full history; so only the key retention matters for security.
A client may request a public "customer service key" from the market, along with a list of owners who have approved it for use. By consulting the market's cap table, the client can confirm that the approvers are a majority of owners. This allows the owners to delegate their authority to lower-level employees, avoiding the need for them to personally vote on every transaction. That key may be used for encryption and signature of messages to and from the owners, and to confirm validity of a proposed arbitrator's key for escrow in a multisig transaction. Commission may be paid to all owners (with one output per owner), or may be paid to only a subset of them to decrease transaction size, with that subset rotated to distribute commission fairly over time. Nothing stops a node or client from distributing the commission unfairly, but this is auditable, and a misbehaving owner or seller can be expelled. That risk could be further mitigated technically, but it's not that different from the risk that buyers and sellers will bypass the transaction process entirely (for example, if the seller sends a payment address by private message), which is always present.
All information is flood-routed to all nodes, and all nodes hold the complete data set. We don't see the need for a distributed data structure. A cheap virtual server can store millions of transactions. If the system scales beyond that, then commission revenue should make the cost of better hosting irrelevant, and hosting costs would probably be dominated by front end server capacity (to tolerate DoS attacks) anyway.
A customer service rep can maliciously release escrow, disclose messages readable by the owners (but not other messages), or send messages as if from the owners. His key is valid only for a limited time, transaction count, or dollar value, limiting the possible damage. A malicious minority owner can't do much of anything. The server hosting a node can likewise be compromised without much harm. A powerful adversary (for example, law enforcement) might quietly buy out or compromise more than half the owners, and then shut down the entire network. If that happens, then a user running her own client still faces relatively low risk. The adversary can finalize escrow, but that's okay unless the seller becomes malicious too. The adversary can read messages that the user has sent to the owners, but that's probably not much. (In general, messages between buyers and sellers are stored encrypted such that only either the intended recipient, or the sender and the owners together, can decrypt them. If a buyer or seller wants help resolving a dispute, then she can reveal any relevant messages to the owners only then.)
If the majority shuts down the market, then the minority legitimate owners still have a full copy of the data set and all software, and hosting infrastructure in place. At that moment, they can change the hard-coded key from which all ownership flows, and restart the market under new ownership. That new ownership is arbitrary, so a dispute is likely, with multiple forks of the market competing to become the replacement. A single fork might ultimately displace all the others, or the market might forever split, but the value that was created---in the form of the market's software, and its accumulated reputation for buyers and sellers---isn't lost.
A colluding majority of owners could steal the market, by destroying everyone else's stake and continuing to operate. That would almost double their stake. (In most places where we discuss a majority, the threshold is arbitrary, though higher thresholds for malicious action decrease the threshold for malicious deadlock.) We don't see any way to fix that, but owners who chose to do that would be unlikely to find new investors afterward. So they'd be stuck owning the market forever, or selling to someone who trusts them for out-of-band reasons. So something analogous to the liquidity premium of public companies (which generally---excluding venture-backed madness---trade at a much higher earnings multiple than private ones) may be enough to stop that behavior. That theft may also cause some buyers and sellers to lose faith in the market, further impairing its value.
As described above, the market requires its buyers and sellers to run special software, beyond a web browser and Tor, since those users encrypt, decrypt, sign, and verify signatures using private keys that shouldn't be disclosed to anyone else. We don't see how to avoid that without trusting the node running the hidden service through which the user connects. For most casual buyers, that seems acceptable, though---at worst, if that node is compromised, then the buyer loses a few hundred dollars. Her mailing address probably isn't revealed, and certainly isn't if she uses PGP or equivalent by hand (as with centralized markets now). The leakage of mailing addresses can be mitigated, for example by encouraging sellers to periodically place fake orders with themselves using fake addresses, making payment from one address that they control to another. That of course could be automated. So the market should probably implement a "guest interface" requiring only that web browser, where a new user can choose a login and password, and the server will use a private key derived from a slow function of her password. That provides a user experience similar to that of centralized markets, with similar security.
The set of decisions that can be restricted to a majority shareholder vote cryptographically is small compared to the set that can be restricted by contract law and a functioning judicial system. Despite that, a few simple votes and the threat that an owner will lose his stake if he misbehaves may be enough to let a mutually anonymous and untrusting group operate a company.
To build this market, a developer might start by finding well-known vendors who wanted to "invest", trading their listings, marketing, and reputation for a stake in the market. We're pretty sure we could develop a usable version of this software---like with the distributed ownership mechanism implemented, but transactions processed partially by hand, and limited automation for the audit functions necessary to detect slow malicious behavior---within a few months. This seems generally like an easier problem than a fully decentralized market---it's okay if an owner can steal or cause other harm at a limited rate, as long as he'll be discovered before the cost of that harm exceeds the value of his stake. At the moment, we're interested mostly just in the concept.
We ask:
- Is this (very high-level, obviously) description clear?
- Is anyone aware of existing projects similar to this already underway?
- If the answers are "yes" and "no", is this interesting?
Thanks.
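The two stake checks the proposal leans on, majority approval of a delegated "customer service key" against the cap table and the audit that a node's share of transactions stays within a small multiple of its owner's stake, as an added example; this is not code from the post or from any project mentioned in the thread, and the cap table, node-to-owner map and transaction counts are constructed sample values.

```python
from fractions import Fraction

# Constructed sample cap table: owner id -> fraction of total ownership.
CAP_TABLE = {"owner-A": Fraction(40, 100), "owner-B": Fraction(25, 100),
             "owner-C": Fraction(20, 100), "owner-D": Fraction(15, 100)}
# Constructed sample node map and per-node transaction counts for one audit window.
NODE_OWNER = {"n1": "owner-A", "n2": "owner-B", "n3": "owner-C",
              "n4": "owner-D", "n5": "owner-D"}
TX_COUNTS = {"n1": 40, "n2": 20, "n3": 5, "n4": 20, "n5": 15}


def stake_of(cap_table, owners):
    """Total stake held by a set of owner ids; duplicates and unknown ids count once / zero."""
    return sum((cap_table.get(o, Fraction(0)) for o in set(owners)), Fraction(0))


def approved_by_majority(cap_table, approvers):
    """True only if the approvers hold strictly more than half of all recorded stake.

    Exact fractions avoid float rounding at the 50% boundary, and the set() in
    stake_of stops a single owner from counting twice by signing twice.
    """
    total = sum(cap_table.values(), Fraction(0))
    return stake_of(cap_table, approvers) * 2 > total


def node_share_audit(cap_table, node_owner, tx_counts, max_multiple=2):
    """Return {owner: (observed share, allowed share)} for owners whose nodes
    carried more than max_multiple times their ownership share of transactions."""
    total_tx = sum(tx_counts.values())
    if total_tx == 0:
        return {}
    per_owner = {}
    for node, count in tx_counts.items():
        owner = node_owner[node]          # all of an owner's nodes are pooled
        per_owner[owner] = per_owner.get(owner, 0) + count
    flagged = {}
    for owner, count in per_owner.items():
        share = Fraction(count, total_tx)
        limit = cap_table.get(owner, Fraction(0)) * max_multiple
        if share > limit:
            flagged[owner] = (share, limit)
    return flagged


if __name__ == "__main__":
    print(approved_by_majority(CAP_TABLE, ["owner-A", "owner-B"]))  # True
    print(node_share_audit(CAP_TABLE, NODE_OWNER, TX_COUNTS))         # owner-D flagged
```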
Yes, very well articulated.
Yes. Your description sounds almost identical to /r/Axis_mundi, although the shareholder concept is a variation.
It's still interesting though. Why don't you bring some ideas to Axis Mundi, as it has already addressed most of the points in your description.
love
EP