Decentralised internet governance: the case of a ‘peer-to-peer cloud’

This article retraces the early stages of development of the 'peer-to-peer cloud' storage service Drizzle, with the aim of providing an example of decentralised network architecture as internet governance 'in practice'. More specifically, this paper sheds light on how changes in the architectural design of networked services affect the circulation, storage and privacy of data, as well as the rights and responsibilities exerted by different actors on them. This article does not mean to be a compendium of the implications of the decentralisation option in building a cloud platform, which entails a number of technical complications as well as advantages, including how to ensure the reliability and redundancy of data, and the soundness of the encryption mechanism. However, the privacy-related design choices described here are some of the many possible ways to illustrate the extent to which changes in network architecture are, indeed, changes in network governance.


DECENTRALISING THE CLOUD
In early 2007, when Drizzle first sees the light, the industry of online data storage - a service allowing users to store, save and share data on one or several terminals connected to the internet - has "never felt better" (Guerrini, 2010). Google, Amazon, Microsoft and Oracle, to name but a few, propose their storage platforms, each with its specificities and one common denominator: the 'cloud'. According to this model, the service provider is in charge of both the physical infrastructure and the software. Thus, the service provider hosts applications and data at once - in a location, and according to modalities, unknown or at best ambiguous to the user (Mowbray, 2009). The so-called 'server farms' proliferate, to support and manage this increasing remoteness of data from users and users' terminals.
In this context, Drizzle[1], a small start-up founded by two developers and computer programmers whom we will call Dietrich and Kurt, makes an unusual foundational decision: its cloud storage platform will mainly be composed - alongside more 'classical' data centres - of portions of the users' hard disks, directly linked in a peer-to-peer, decentralised network architecture (Schollmeier, 2001; Taylor & Harrison, 2009). This choice entails a number of peculiar features.
On the one hand, the implementation of a technical process defined as "encrypted fragmentation"[2], which consists in encrypting locally - on the user's computer, and by means of a previously installed Drizzle P2P client - the content that will be stored. The content is then divided into fragments, duplicated to ensure redundancy, and spread out to the network.
The interdependent and egalitarian model subtending the platform will allow its users to barter their local disk space with an equivalent space in the decentralised cloud, thereby improving the quality of this storage space, which will become permanently available and accessible. By shaping their decentralised storage service, the developers of Drizzle carry on a double experimentation: with the frontier between centralisation and decentralisation, and with sharing modalities that blend peer-to-peer, social networking and the cloud.

PEER-TO-PEER STORAGE: THE CLOUD MEETS PRIVACY BY DESIGN
"In 2007, it was all starting to get social," Dietrich recalls three years later. Indeed, social media, Facebook and Twitter in particular, were at that moment entering the daily life of millions of internet users in an increasingly pervasive way. Drizzle's first steps are taken in a community of research and development that tries to counter the social media "explosion" by developing P2P systems as an alternative to a variety of internet-based services, including social networks, structured in a centralised manner (Le Fessant, 2009; Musiani, 2010a; Musiani, 2010b).
In 2007, Facebook had been in existence for three years. Millions of users had taken part in it, thereby contributing to the massive success of these Web-based services that allow individuals to build a public or semi-public profile within a system, define a list of other users with whom to interact, and see/browse the list of their and others' connections made in 'public mode' within the system (Boyd & Ellison, 2007). In parallel to their spectacular growth, social networks raise vibrant discussions and controversies, both within the expert community and among the general public. The ways in which social networking service providers leverage personal information and user data remain controversial, since they sometimes mean allowing external applications to access them, while on other occasions they pursue direct commercial purposes (Boyd, 2008).
The rise of the so-called cloud does nothing to mitigate the impression of risk for informed users, as applications and data are increasingly hosted in locations and ways unknown or at best ambiguous. User exposure on social networking sites and on cloud-based services positions privacy, more than ever, at the foreground of discussions.
In this context, several developers - including Drizzle's - identify in a peer-to-peer type of network architecture a possible way of approaching the protection of personal data privacy with a different angle: through the relocation and "re-appropriation" of data within the terminals of users, who would be able to host their own profiles and the information they contain (see also Moglen, 2010; Aigrain, 2010, 2011).
As in the development of Drizzle, a conception of privacy and confidentiality of personal data, which is conceived of and enforced via technical means - called privacy by design (Cavoukian, 2010; Schaar, 2010) - is at work. This conceptualisation of privacy is defined by means of the constraints and the opportunities linked to the treatment and the location of data, according to the different moments and the variety of operations taking place within the system. In particular, the confidentiality of data (personal data as well as the content stored in the P2P cloud) is defined by a peculiar role and enhanced features attributed to the password that identifies the user vis-à-vis the network, and by the implementation of the resource allocation system on which Drizzle is based.

PASSWORD AND USER RESPONSIBILITY
In Dietrich's intentions, the role of the user-selected and user-generated password for the Drizzle system should have "stri[cken] the user as soon as he had access to the system for the very first time." Indeed, the virtual form that is served to users upon subscription may come as a surprise: it informs that "We do not know your password as it never leaves your computer. Please, do not forget your password and use, if needed, your password hint." The status of the password is thus negotiated, beyond its usual meaning of unique identifier vis-à-vis the system, to define, detail and legitimise the process of local encryption and decryption of data within the Drizzle system. This feature comes to symbolise the specificity of Drizzle's promise of security and privacy as well as users' trust, as it becomes the symbol and the graphical representation of the 'local' dimension of the encryption process - as it never leaves the computer of the user who created it. The operations, for the most part automatically managed, that are linked to the protection of personal data are thus hosted on the terminals of users. Indeed, this entails a modification of the user's role within the service's architecture: node among equal nodes, it becomes a server itself, instead of a starting point and a final point for operations that are otherwise conducted on another machine or group of machines.
Through the attribution of this status to the password, the developers of Drizzle are also proposing an alternative to the balance between the rights exerted by users on their own data and the rights acquired by the service provider on these same data - a balance that is usually heavily bent on the provider's side. However, this reconfiguration in the balance of rights comes with a trade-off. As the password stays with the user and is not sent to the servers controlled by the firm, the latter cannot retrieve the password if needed. Thus, users do not only see their privacy reinforced, but at the same time and for the same reasons, the responsibility for their actions is augmented - while the service provider renounces some of its control over the content that circulates thanks to the service it manages. The meaning of this 'renunciation', Dietrich explains, is double: on the one hand, the Drizzle team wishes to make it evident, almost translate into a specific object the user can easily relate to, the 'obscure' and unfamiliar process of client-side encryption, which is an ongoing source of controversies and perplexities. On the other hand, it is also a matter of Drizzle's business model: the more the firm knows about its users, the more it is mandatory for it to submit the users to regular surveillance and control - and this requires an investment of material resources and time that, in its first phases of existence, the firm does not have: "If we can know what is in your account, starting with your password, we have heightened obligations to police the content and to make sure nobody can eavesdrop on the traffic."
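The sequence described in the two sections above (local encryption keyed by a password that never leaves the terminal, then fragmentation and replication across peers) can be sketched as follows. This is an illustration added here, not Drizzle's code and not part of the original article; the fragment size, replica count, PBKDF2 parameters, the dictionaries standing in for peers and the HMAC-based stream cipher (a standard-library stand-in for a vetted authenticated cipher) are all assumptions, since the article does not specify them.

```python
import hashlib, hmac, os

FRAGMENT_SIZE, REPLICAS = 64, 2   # assumed values, tiny for demonstration

def derive_keys(password: str, salt: bytes):
    """Runs only on the user's machine: the password itself is never sent."""
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]          # (encryption key, MAC key)

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), NOT for production."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)

def seal(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    body = salt + nonce + keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(password: str, blob: bytes) -> bytes:
    body, tag = blob[:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, body[:16])
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("wrong password or corrupted data; no other party holds the key")
    return keystream_xor(enc_key, body[16:32], body[32:])

def scatter(blob: bytes, peers: list) -> int:
    """Fragment the ciphertext and store each fragment on REPLICAS distinct peers."""
    frags = [blob[i:i + FRAGMENT_SIZE] for i in range(0, len(blob), FRAGMENT_SIZE)]
    for idx, frag in enumerate(frags):
        for r in range(REPLICAS):
            peers[(idx + r) % len(peers)][idx] = frag
    return len(frags)

def gather(count: int, peers: list, offline=frozenset()) -> bytes:
    """Reassemble from whichever online peer holds each fragment."""
    parts = []
    for idx in range(count):
        holders = [p for n, p in enumerate(peers) if n not in offline and idx in p]
        if not holders:
            raise LookupError(f"fragment {idx} has no online replica")
        parts.append(holders[0][idx])
    return b"".join(parts)

if __name__ == "__main__":
    peers = [{} for _ in range(4)]                 # each dict models one peer's disk
    note = b"constructed sample document " * 6
    n = scatter(seal("correct horse battery", note), peers)
    print(unseal("correct horse battery", gather(n, peers, offline={1})) == note)
```

Peers and the provider only ever hold ciphertext fragments; a forgotten password leaves the data unrecoverable, which is the trade-off in responsibility the section describes.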

DATA PRIVACY AND RESOURCE ALLOCATION
Another aspect that contributes to defining rights and responsibilities is the detailing of the conditions for allocation and management of the computational resources provided by the different computers participating in the system.
As briefly described above, the choice to decentralise the platform makes it necessary, due to the very particular status of the resources used by the system, to detail several aspects in the terms of use: the role of computers belonging to users, the types of resources that Drizzle is able to use, their purpose. It also becomes necessary to detail the extent to which users are able to decide - and communicate to their P2P client, thus to the system - the maximum quantity of local resources that the rest of the network/storage system can use. However, it is also necessary to define the articulation between the availability of resources and the different operations to which these resources will be destined within the system.
The articulation of these two aspects has important implications for the confidentiality of data circulating in the system (both personal information and content stored by users). Several users, giving feedback to the developers in the early stages of the system, warn that the resource allocation process could be framed as a possible 'surveillance' or 'monitoring' of these resources, in a way that can potentially be highly automatised, invasive, privacy-threatening.
After a discussion between these concerned users and the developers, via the Drizzle forum, two modifications were applied to the terms of use: while the general terms now state that "resources are allocated and monitored in accordance with the Privacy Policy," the privacy policy itself details the extent of automation and pervasiveness of the system that allocates and
Thus, the correct functioning of the allocation system indeed implies the gathering of several pieces of information concerning the material, computational and memory resources pooled by each participating computer. The pooling of the storage equipment (i.e., users' local resources, made available by each of them) is necessary for the system to work; however, it is not meant to imply an intrusion in the stored content itself, which remains protected by the local safeguard of the password and the encryption of content. The collection of information, the developers of Drizzle affirm, has the purpose of automatically computing the storage space made available by each user - and, as we have analysed elsewhere (Musiani, 2013b), of establishing the extent to which each user can reclaim her place in the 'P2P cloud', an equivalent storage space in the network of participating users.

CONCLUSIONS
The development of Drizzle's 'peer-to-peer cloud' allows us to observe how changes in the architectural design of networked services affect data circulation, storage and privacy - and in doing so, reconfigure the articulation of the 'locality' and the 'centrality' in the network (Akrich, 1989: 39), suggesting a model of decentralised governance "by architectural design" for the service.
Ultimately, decentralising the cloud leads to a reformulation and 're-balancing' of the relationship between the user and the service provider. The local, client-side encryption of data first, and its fragmentation afterwards - both operations conducted within the P2P client installed by the user, and entirely taking place on his terminal - are proposed by Drizzle as evidence that the firm, in its own words, "does not even have the technical means" to betray the trust of users.
In particular, this conception of privacy by design takes shape around the password, which remains locally stored in the user's P2P client and unknown to the service provider. In doing so, it becomes a form of disengagement of the service provider with respect to security issues, its 'auto-release' from responsibility: a detail whose importance may seem small at first, but eventually leads to changes in the forms of technical solidarity (Dodier, 1995) established between users and service provider.
For the purpose of this article, I have focused in particular on aspects such as the strengthening of privacy by design and the increase in responsibility attributed to the user, arguably among the "positive" aspects of a peer-to-peer cloud. However, it should be pointed out that an important part of the decentralisation choice made by the Drizzle team has involved assessing its possible downsides: reliability and redundancy of data, slow downloading performances, soundness of the encryption mechanism, and - no less important - the perception of these issues by users. A heated discussion among developers, and between developers and some pioneer users, also occurred on the topic of the 'legality' of the system, especially in jurisdictions such as that of the United States. All of these are complex issues and most of them could not be accounted for here - it has been done in a much more detailed manner elsewhere (Musiani, 2013: 123-173), by analysing, with tools derived from the field of science and technology studies (STS), a number of socio-technical controversies related to the development of the platform.
However, the privacy-related dynamics provided here are a few of the several possible ways to flesh out the extent to which changes in network architecture are, indeed, changes in network governance.
Drizzle has illustrated in practice the implications of 'architectures as governance' we had introduced in the previous article: the repartition of competences and responsibilities between service providers, content producers, users and network operators; the articulation between the individual and the collective; the shaping of user rights and 'community' norms; the definition of 'contributor' in internet-based services. In light of Edward Snowden's leaks about certain surveillance practices by the US National Security Agency, the potential of architectural choices - choices that would make the internet less centralised and more distributed - as a means of de facto privacy advocacy and promotion of decentralised governance has never been more evident. The goal, as The New Yorker recently reported, "isn't to end surveillance, but to make it harder to do en masse" (Kopstein, 2013).

In return, users need to accept to 'pool' - put at the disposal of other users and their computers - the computational and material resources necessary for the operations related to the storage of content. As the service's terms of use point out: "The user acknowledges that Drizzle may use processor, bandwidth and hard disk (or other storage media) of his computer for the purpose of storing, encrypting, caching and serving data that has been stored in Drizzle by the user or any other users. The user can specify the extent to which local resources are used in the settings of the Drizzle client software. The amount of resources the user is allowed to use in Drizzle depends on the amount of local resources the user is contributing to Drizzle."

to ensure a fair allocation of resources within Drizzle, various data about the computers participating in the Drizzle network is collected. This data includes their IP addresses, disposability and the amount of resources they are contributing (e.g. bandwidth, memory). […] Drizzle keeps track of how much storage space you have used and earned […] Drizzle collects statistical information for the purposes of monitoring, debugging and improving the system. This includes automatically generated problem, performance, network analysis and general usage reports, as well as logs of the connections and queries made to Drizzle's servers (including the involved IP addresses), as well as analytical data about the usage of the Drizzle website. However, none of this data contains information from your private or shared files."

Internet Policy Review | http://policyreview.info | February 2014 | Volume 3 | Issue 1

FOOTNOTES
1. The name is fictitious ('light rain') and recalls the fragmentation and the distribution of data in the system's storage mechanism. The names of the developers are pseudonyms, as well. I have no direct interest in Drizzle - I use it as a case study of a possible 'decentralisation of the cloud'.
2. Unless otherwise noted, citations are derived from in-depth interviews with the developers of Drizzle, conducted within a period of online and 'live' ethnography of Drizzle's development, design and innovation process (see Vinck, 2003) between 2010 and 2011.