These pages, marked with GREEN headings, are published for comment and criticism. These are not our final findings; some of these opinions will probably change.
Technical Restrictions May Make Nanotechnology Safer
Overview: Because unleashed molecular nanotechnology (MNT) is so dangerous, the best solution appears to be careful administration of the technology, including some mandatory restrictions. Fortunately, the same features that make MNT dangerous also allow the implementation of several kinds of technological restriction that may form useful components of an overall administration program. Products that might be adapted for unauthorized molecular manufacturing pose a serious threat to MNT security. Other products pose other kinds of threats, and additional restriction will probably be desirable. Still, many products, once approved, can be built freely—and for some classes of products, approval can be a rapid and automated process. MNT-built functionality will be amazingly compact: a supercomputer could fit inside a grain of sand. This allows a human-scale product, such as a personal nanofactory, to include dedicated security or monitoring hardware. Massive computer power can help with several other problems, including privacy-safe surveillance and patent reform.
Embedded security systems can restrict nanofactories.
Unrestricted molecular manufacturing would create terrible dangers. Some restrictions will clearly be necessary. However, no simple solution can work—any effective solution must be multifaceted. Technological capabilities and restrictions deserve special attention because of the unprecedented power and compactness of the technology. This power and compactness is what makes MNT-built products so dangerous. However, it also allows the design and use of very small security devices. Surveillance and/or restrictive devices can be integrated into many MNT products, including nanofactories. We describe here a system called Embedded Security Management (ESM) for applying flexible controls at the most effective points. Basically, nanofactories have to check with a central controller before building any product.
There are many useful points of control to prevent illicit products.
There are several distinct points where the use of nanofactories can or should be limited. Built-in technology restrictions can help at most of these points. Products must be designed, nanofactories must exist, designs must be distributed, products must be built, and products must be used. The people involved are product designers, nanofactory owners and users, product users, and one additional group—"crackers" who would try to break the technological restrictions at any point in the product cycle. Undesired use can be either prevented technologically or deterred with technological assistance. The many combinations of stages, people, and types of control provide a foundation for flexible design of a suitable control system. This page describes the extremes to which control can easily be taken. Some of these measures are undesirable for a variety of reasons and will probably not be necessary in practice to maintain security.
The primary goal is to prevent unrestricted nanofactories from being developed. An unrestricted nanofactory can be duplicated easily, spread widely, and/or used to build all sorts of dangerous products, thus destabilizing economics and geopolitics and reducing individual and institutional security. A secondary goal is to prevent dangerous products from being produced by a restricted nanofactory. Even if unrestricted nanofactories are prevented, there are many products such as weapons and drugs that could be damaging to society. Also, too few checks on nanofactory products would make it too easy to bootstrap an unrestricted nanofactory. Finally, nanofactory restrictions can form the basis of a commercial infrastructure, allowing designers to charge money for their designs without fear of illicit copying, and permitting enforcement of intellectual property laws.
Nanoblocks can be fabricated separately.
To build an MNT product, it is necessary to produce small complex parts using molecular fabrication, and then join the parts together. The nanofactory that we have described does both operations internally, fabricating nanoblocks and then joining them via convergent assembly. However, prefabricating the nanoblocks in central factories has several advantages. First, most of the energy required to build a product is used for fabrication; an assembly-only nanofactory would be more suitable for home use. Second, the mechanochemical fabricators could be kept under much tighter security in a central location than in millions of personal nanofactories, which simplifies the problem of thwarting illicit nanofactory bootstrapping efforts. Of course, this approach would impose some additional limitations on the products, but the tradeoff might well be worth it. (Thanks to Tom Craver for suggesting this.)
Nanofactories can be made to check before building each product.
There are several ways to limit personal nanofactories (PNs) to building only desired products. Each approved product file could be digitally signed by the approving body, and factories would only accept signed designs. However, a signature alone cannot be taken back: once a signed file is in circulation, there is no way to revoke or limit the permission it carries. A hardware key could be required, so that the holder of a certain key could build certain products. This is also insufficiently flexible. It seems best to require the PN to check with a central agency for permission before building each product. Such checking need not require much time or overhead; if every file is digitally signed when it is first designed, all that is needed is to verify the signature and look the design up in one or two lists (for example, an approved list and a revoked list). If a problem were discovered with a design, the ability to produce it could be revoked. This also allows products to be tracked to some extent; product recalls as well as law enforcement would be facilitated by keeping track of which factory produced which product at what time. For products carrying some kind of risk, the person requesting the product could also be verified. For example, some medical products might only be produced at the request of a medical doctor or pharmacist. This type of tracking could also form the basis for commercial transactions: a product would be made only after a consumer had paid the owner of the design. This level of tracking will raise significant privacy concerns. However, consumers are already giving up their privacy to a large extent in today's software systems, and the entertainment industry will quite possibly be successful at getting Digital Rights Management accepted. Since most MNT products could be built by anonymous users, nanofactory tracking costs no more privacy than DRM does, and it provides far more benefit.
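The signing-plus-live-check scheme above, worked through as an added example (it is not code from this page or from any nanofactory design): the approving body signs a hash of the design once; a central controller keeps a revocation list and, for each build request, issues a short-lived grant signed for one factory and one design hash; the factory refuses to build unless the grant verifies, is fresh, and matches the exact bytes it is about to build. The Ed25519 signatures, the five-minute grant lifetime, the factory ID "PN-0001" and the design bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// ApprovedDesign carries the approving body's signature over the design's content
// hash. The signature proves approval was given once; it cannot say whether approval
// still stands, so the factory also asks the controller before every build.
type ApprovedDesign struct {
	Content  []byte
	Hash     string // hex SHA-256 of Content
	Approval []byte // ed25519 signature over Hash by the approving body
}

func hashOf(b []byte) string { h := sha256.Sum256(b); return hex.EncodeToString(h[:]) }

// Approve is the approving body's one-time step when a design is accepted.
func Approve(approverPriv ed25519.PrivateKey, content []byte) ApprovedDesign {
	h := hashOf(content)
	return ApprovedDesign{content, h, ed25519.Sign(approverPriv, []byte(h))}
}

// Grant is the controller's answer to one build request: its signature binds
// one factory, one design hash and one issue time together.
type Grant struct {
	FactoryID string
	Hash      string
	IssuedAt  time.Time
	Sig       []byte
}

func grantMsg(factoryID, hash string, t time.Time) []byte {
	return []byte(factoryID + "|" + hash + "|" + t.UTC().Format(time.RFC3339))
}

// Controller holds the approver's public key, its own signing key, the revocation
// list, and the log of which factory was cleared to build which design when.
type Controller struct {
	ApproverPub ed25519.PublicKey
	Priv        ed25519.PrivateKey
	Revoked     map[string]bool
	Log         []Grant
}

func NewController(approverPub ed25519.PublicKey) *Controller {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Controller{ApproverPub: approverPub, Priv: priv, Revoked: map[string]bool{}}
}

// Authorize is the online check: approval signature valid, not revoked, logged.
func (c *Controller) Authorize(factoryID string, d ApprovedDesign, now time.Time) (Grant, error) {
	switch {
	case hashOf(d.Content) != d.Hash:
		return Grant{}, errors.New("content does not match its hash")
	case !ed25519.Verify(c.ApproverPub, []byte(d.Hash), d.Approval):
		return Grant{}, errors.New("design was never approved")
	case c.Revoked[d.Hash]:
		return Grant{}, errors.New("approval has been revoked")
	}
	g := Grant{factoryID, d.Hash, now, ed25519.Sign(c.Priv, grantMsg(factoryID, d.Hash, now))}
	c.Log = append(c.Log, g)
	return g, nil
}

// MaxGrantAge bounds how long a grant may be held before use, so a revocation
// takes effect within minutes rather than never.
const MaxGrantAge = 5 * time.Minute

// Build is the factory-side check. The factory knows only its own ID and the
// controller's public key; it refuses unless the grant is genuine, fresh, and
// for exactly this factory and exactly the bytes about to be built.
func Build(factoryID string, ctrlPub ed25519.PublicKey, d ApprovedDesign, g Grant, now time.Time) error {
	switch {
	case g.FactoryID != factoryID || g.Hash != d.Hash:
		return errors.New("grant is for another factory or design")
	case now.Sub(g.IssuedAt) > MaxGrantAge:
		return errors.New("grant expired")
	case hashOf(d.Content) != g.Hash:
		return errors.New("content changed after authorization")
	case !ed25519.Verify(ctrlPub, grantMsg(g.FactoryID, g.Hash, g.IssuedAt), g.Sig):
		return errors.New("grant signature invalid")
	}
	return nil
}

func main() {
	approverPub, approverPriv, _ := ed25519.GenerateKey(rand.Reader)
	ctrl := NewController(approverPub)
	ctrlPub := ctrl.Priv.Public().(ed25519.PublicKey)
	d := Approve(approverPriv, []byte("constructed nanoblock layout v1")) // constructed sample
	g, err := ctrl.Authorize("PN-0001", d, time.Now())
	fmt.Println("authorize:", err, "| build:", Build("PN-0001", ctrlPub, d, g, time.Now()))
	ctrl.Revoked[d.Hash] = true // a problem is found with the design after release
	_, err = ctrl.Authorize("PN-0001", d, time.Now())
	fmt.Println("after revocation:", err, "| audit entries:", len(ctrl.Log))
}
```

Keeping the grant lifetime short is what turns the signed-file scheme into one that can be revoked: a design withdrawn at the controller can be built for at most MaxGrantAge longer by anyone who already holds a grant. The controller's Log is the per-factory, per-design, per-time record the text describes for recalls and law enforcement; the content-hash check at build time is what stops a design file from being swapped between authorization and fabrication.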
Many designs could be approved automatically.
Under CRN's ESM plan, each new design would have to be approved before it could be manufactured. Designs would be divided into classes, each with its own approval scheme. Many useful products will be reasonably large (and could not easily come apart and release nanoparticles), with only small amounts of energy storage (so they could not easily hurt someone), and no edges sharper than children's scissors (and a few other restrictions). Such designs may be considered "probably safe", and may be approved by an automated process. Other products may need an approval process similar to UL listing before they can be widely produced. Still others are so dangerous, either to people or to the MNT security infrastructure, that they would have to be carefully restricted—built and used only under close supervision.
Legal jurisdictions create some complications.
Legal issues are difficult because of the wide variety of laws and jurisdictions. Even the "probably safe" class includes many products that would be illegal in certain jurisdictions, including some weapons, drug paraphernalia, and sex toys. Within a jurisdiction, the designers of such products could be tracked and punished as soon as the product was noticed. Cross-jurisdictional transfer of designs is a more difficult problem; a design may be perfectly legal in one place and forbidden in another, and digital files do not respect borders—nor should the designer be responsible for knowing, much less following, every law in the world. As today, responsibility for owning an illegal product can rest on the owner of the product. Knowing that each product built can be tracked will serve as a deterrent. Image recognition software is being developed today for a variety of purposes, including filtering pornography on the Internet. Similar software could be used to scan designs for potential illegality, and warn users before they built the product. Foreign designers known to produce locally illegal products could have their designs flagged, manually assessed, and blocked for nanofactories within the local jurisdiction. Although these answers are not perfect, they offer a more effective and comprehensive solution than the methods used today to prevent importation, manufacture, and possession of illegal products.
Nanofactories can be made very "smart" about detecting intrusion attempts and identifying the criminals.
There are many incentives to "crack" nanofactory security, creating an unrestricted factory. An unrestricted factory could be used to produce goods without paying royalties, to produce weapons and other tools of crime and terror, and to produce illegal goods with little chance of being caught. It is important, then, to make nanofactories difficult to crack and to discourage people from trying. A tabletop personal nanofactory (PN) is large enough to contain a vast amount of security hardware. For example, a cubic millimeter can contain a million nanocomputers. A similar amount of hardware can be built into the walls and interior of the factory to detect either physical damage or scanning. If a cracking attempt is detected, the factory can immediately shut itself down and destroy its interior structure. Even high explosive could not open the factory as fast as a self-destruct signal could be sent internally.
For several reasons, it is useful for PNs to know their location and be in close contact with the central controller. This allows jurisdictional restrictions on products. It also allows some security problems to be corrected: if someone discovers how to crack a nanofactory, all PNs of that design can be deactivated. A PN that lost contact with the central controller would quickly deactivate and scramble itself. When a nanofactory detects a cracking attempt and shuts itself down, that event would be traceable—and the last known location would help to catch the crackers. Contact could be maintained through a GPS-like system that tracked both the content of the messages and the time required for their delivery. This would allow the factory to triangulate its position, and to be fairly certain that no one was intercepting and modifying the messages—or at least not taking a long time to do so. (Timing alone cannot detect an interceptor who relays messages quickly, so the messages themselves would still need to be cryptographically authenticated; the timing bound only limits the delay an interceptor can add.) Successful cracking of a PN would probably require destruction of several nanofactories, plus time to work. Close monitoring of PNs would almost guarantee that such an attempt could not succeed before the police broke down the door. Finally, requiring nanofactories to be in contact with central control would prevent the use of PNs in large free-range self-replicating systems that might otherwise be difficult to track and clean up.
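An added example (not code from this page) of the contact-checking part of this scheme: the factory challenges the controller with a random nonce, the controller signs the nonce together with the factory's ID, and the factory accepts the reply only if the signature verifies and the round-trip time is under a bound. An unanswered challenge, a bad signature or a slow reply each count as a miss, and after three consecutive misses the factory deactivates and stays deactivated. Triangulation from several controllers is not modelled; the timing bound, reply deadline, miss count and factory ID are figures assumed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"time"
)

// Tunables are assumptions for this example; a deployment would calibrate them to its link.
const (
	MaxRTT           = 200 * time.Millisecond // slower than this counts as a miss
	ReplyDeadline    = time.Second            // no reply by then counts as a miss
	MissesBeforeKill = 3                      // consecutive misses before shutdown
)

func heartbeatMsg(factoryID string, nonce uint64) []byte {
	b := make([]byte, 8+len(factoryID))
	binary.BigEndian.PutUint64(b, nonce)
	copy(b[8:], factoryID)
	return b
}

// Controller answers a challenge by signing the factory ID and nonce, so a
// reply cannot be forged, reused for another nonce, or redirected elsewhere.
type Controller struct{ Priv ed25519.PrivateKey }

func (c Controller) Answer(factoryID string, nonce uint64) []byte {
	return ed25519.Sign(c.Priv, heartbeatMsg(factoryID, nonce))
}

type State int

const (
	Active      State = iota // may build
	Deactivated              // contact lost: refuses to build, interior scrambled
)

// Factory keeps one outstanding challenge at a time and fails closed.
type Factory struct {
	ID      string
	CtrlPub ed25519.PublicKey
	State   State
	Misses  int      // consecutive missed or bad heartbeats
	Events  []string // what happened, for the controller's last-known record
	pending uint64
	sentAt  time.Time
}

func (f *Factory) CanBuild() bool { return f.State == Active }

// Challenge issues a fresh random nonce and records when it left.
func (f *Factory) Challenge(now time.Time) uint64 {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	f.pending, f.sentAt = binary.BigEndian.Uint64(b[:])|1, now // |1: never zero
	return f.pending
}

// Reply judges a response: outstanding nonce, genuine signature, fast enough.
func (f *Factory) Reply(nonce uint64, sig []byte, arrivedAt time.Time) {
	if f.State == Deactivated || nonce != f.pending {
		f.Events = append(f.Events, "ignored reply: inactive or nonce not outstanding")
		return
	}
	f.pending = 0
	switch rtt := arrivedAt.Sub(f.sentAt); {
	case !ed25519.Verify(f.CtrlPub, heartbeatMsg(f.ID, nonce), sig):
		f.miss("reply signature invalid: possible tampering")
	case rtt > MaxRTT:
		f.miss(fmt.Sprintf("reply took %v: possible interception or relay", rtt))
	default:
		f.Misses = 0
	}
}

// Tick runs on the factory's own clock: a challenge still unanswered past its
// deadline is a miss even though nothing arrived.
func (f *Factory) Tick(now time.Time) {
	if f.State == Active && f.pending != 0 && now.Sub(f.sentAt) > ReplyDeadline {
		f.pending = 0
		f.miss("no reply before deadline")
	}
}

func (f *Factory) miss(reason string) {
	f.Misses++
	f.Events = append(f.Events, reason)
	if f.Misses >= MissesBeforeKill {
		f.State = Deactivated
		f.Events = append(f.Events, "deactivated and scrambled; last-known position reported")
	}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	ctrl, pn, t := Controller{priv}, &Factory{ID: "PN-0001", CtrlPub: pub}, time.Now()
	n := pn.Challenge(t)
	pn.Reply(n, ctrl.Answer(pn.ID, n), t.Add(40*time.Millisecond)) // healthy exchange
	for i := 0; i < MissesBeforeKill; i++ { // then the link is cut
		pn.Challenge(t)
		pn.Tick(t.Add(2 * ReplyDeadline))
	}
	fmt.Println("can build:", pn.CanBuild(), pn.Events)
}
```

The round-trip bound and the signature check cover different attacks: the bound catches an interceptor who delays or rewrites traffic (rewriting takes time), and the signature catches one who forwards a reply quickly but alters it or substitutes one meant for another factory. Neither catches a fast, transparent relay, which is why the policy also deactivates on lost contact rather than waiting for proof of tampering.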
Risky or valuable products could use a similar system to track and report their location and usage. The advantages of built-in product tracking are not available for very small MNT products, but very small products are undesirable for other reasons, including litter and possible health issues.
Massive nano-built computer power can help with several problems.
MNT fabrication can create amazing amounts of computer power, which can be used to check designs or implement surveillance. Software under development today can analyze video and detect unexpected events. This allows automated, or at least semi-automated, detection of illicit research activities. Image processing software can be used to obscure the faces and other identifying details of individuals, allowing locations, equipment, or questionable activity to be studied in detail without revealing people's identity—unless the activity is determined to be criminal. Of course, such a system would have a very high potential for abuse; it should probably not be used unless all the alternatives are clearly worse.
Pattern recognition software can also be used to analyze nanoblock product designs. A design boils down to a 3D pattern of nanoblocks, stored digitally. Design analysis can be used for several purposes. New designs may be sorted into probably-safe and probably-risky categories to speed up the approval process for safe products. Analysis of weapons systems may be used to track some system capabilities without giving away too much information about their design; thus, countries can verifiably share some information about what they're designing and building while still retaining some secrets. Finally, design analysis software can be a crucial aid to patent reform. Current problems with software patents will only get worse for systems with quadrillions of nanoblocks in almost unlimited combinations. Nanoblock design patents could be required to include a program that detects patent infringement. This would benefit inventors, who would know if their design infringed an existing patent. Patent holders could use their programs to scan for infringing products. And patent examiners could easily check a new application for novelty: if the application's own program flagged a design already on file, the claim would not pass the novelty test.
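The infringement-detection program the paragraph describes, as an added example that is not code from this page: a design and a claim are both three-dimensional arrays of nanoblock type IDs, and the detector reports whether the claimed pattern occurs anywhere in the design under translation and the four rotations about the vertical axis. Novel runs the same detector in the examiner's direction: a claim that its own program finds in a design already on file fails the novelty test. Limiting rotations to the vertical axis, the wildcard value Any, the block type numbering and the sample designs are all assumptions made for the example.

```go
package main

import "fmt"

// Grid is a design or a claim: nanoblock type IDs indexed [z][y][x].
// 0 is empty; Any in a claim matches whatever the design has there.
type Grid [][][]uint8

const Any uint8 = 255

func (g Grid) dims() (nx, ny, nz int) {
	if len(g) == 0 || len(g[0]) == 0 {
		return 0, 0, 0
	}
	return len(g[0][0]), len(g[0]), len(g)
}

// RotateZ is a quarter turn about the vertical axis: new (x, y) reads old (y, ny-1-x).
func RotateZ(g Grid) Grid {
	nx, ny, nz := g.dims()
	out := make(Grid, nz)
	for z := range out {
		out[z] = make([][]uint8, nx) // new y extent is the old x extent
		for y := range out[z] {
			out[z][y] = make([]uint8, ny)
			for x := range out[z][y] {
				out[z][y][x] = g[z][ny-1-x][y]
			}
		}
	}
	return out
}

func matchAt(d, p Grid, ox, oy, oz int) bool {
	for z := range p {
		for y := range p[z] {
			for x, want := range p[z][y] {
				if want != Any && d[oz+z][oy+y][ox+x] != want {
					return false
				}
			}
		}
	}
	return true
}

// Contains reports whether p occurs in d under translation, and at what offset.
func Contains(d, p Grid) (bool, [3]int) {
	dx, dy, dz := d.dims()
	px, py, pz := p.dims()
	for z := 0; z+pz <= dz && pz > 0; z++ {
		for y := 0; y+py <= dy; y++ {
			for x := 0; x+px <= dx; x++ {
				if matchAt(d, p, x, y, z) {
					return true, [3]int{x, y, z}
				}
			}
		}
	}
	return false, [3]int{}
}

// Infringes is the detector a patent would ship: the claim is searched in each of
// the four orientations about the vertical axis (an assumed simplification; the
// full 24 cube rotations would be handled the same way) and the rotation count
// and offset are returned as evidence.
func Infringes(d, claim Grid) (found bool, rot int, at [3]int) {
	p := claim
	for rot = 0; rot < 4; rot++ {
		if ok, off := Contains(d, p); ok {
			return true, rot, off
		}
		p = RotateZ(p)
	}
	return false, 0, [3]int{}
}

type Named struct {
	Name   string
	Design Grid
}

// Novel is the examiner's test: a claim is not novel if its own detector
// fires on any design already on file; the first such design is named.
func Novel(claim Grid, onFile []Named) (bool, string) {
	for _, n := range onFile {
		if ok, _, _ := Infringes(n.Design, claim); ok {
			return false, n.Name
		}
	}
	return true, ""
}

// Constructed sample data: 1 = structural block, 2 = bearing block.
var (
	HingeClaim = Grid{{{2, 1}, {1, 0}}}                             // a bearing with two arms
	DesignA    = Grid{{{0, 0, 0, 0}, {0, 0, 1, 0}, {0, 1, 2, 0}}}   // holds the hinge turned 180 degrees
	DesignB    = Grid{{{1, 1}, {1, 1}}}                             // a plain plate
)

func main() {
	fmt.Println(Infringes(DesignA, HingeClaim))
	fmt.Println(Novel(HingeClaim, []Named{{"A", DesignA}, {"B", DesignB}}))
}
```

Returning the rotation and offset matters as much as the yes/no: it is the evidence a patent holder or examiner would check by hand. A real nanoblock design has far more cells than these samples, so a production detector would index block types first rather than scan every offset, but the question it answers is the same.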
DEVIL'S ADVOCATE —
If the factories have to check with a database every time they make something, what happens if the database goes down, either accidentally or due to a malicious attack? Won't this mean nobody could make anything, not a good idea if nanofactories are producing food as well?
A disabled database would indeed mean that no one could make anything with that system. For technical reasons, food is likely to be built with a different device anyway. There are various options, such as allowing nanofactories to build things they've recently built without checking back, that could minimize the effects of database downtime on critical production without adding much security risk.
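One shape the "recently built without checking back" option could take, as an added example (not code from this page): the factory keeps a cache of designs the controller granted it recently, and while the controller is unreachable it will rebuild only those that were automatically approved as probably safe, only within a grace window after the last live grant, only a bounded number of times, and only if the outage itself is not too long; every offline build is logged and handed to the controller on reconnection. The live check itself is outside this block. The six-hour window, the limit of two rebuilds, the 24-hour cut-off and the design names are figures assumed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Policy figures are assumptions for this example, not figures from the page.
const (
	GraceWindow   = 6 * time.Hour  // rebuild offline only if granted online this recently
	OfflineLimit  = 2              // rebuilds per design per outage
	OfflineMaxAge = 24 * time.Hour // out of contact this long: refuse everything
)

// Class is the approval class the controller reported with the last grant.
type Class int

const (
	ProbablySafe Class = iota // approved automatically
	Reviewed                  // passed a UL-style review
	Restricted                // built only under supervision
)

type record struct {
	class     Class
	grantedAt time.Time
	left      int // offline rebuilds still allowed this outage
}

// Factory remembers what it was recently cleared to build, and what it built
// while the controller was unreachable.
type Factory struct {
	cache       map[string]*record
	lastContact time.Time
	Pending     []string // offline builds awaiting report, "hash@time"
}

func NewFactory(now time.Time) *Factory {
	return &Factory{cache: map[string]*record{}, lastContact: now}
}

// RecordGrant runs after a successful online check (the live protocol itself is
// outside this example): the design becomes eligible for offline rebuilds.
func (f *Factory) RecordGrant(hash string, class Class, now time.Time) {
	f.cache[hash] = &record{class, now, OfflineLimit}
	f.lastContact = now
}

// Revoke is pushed by the controller while contact lasts; dropping the cache
// entry means a withdrawn design cannot be rebuilt during a later outage.
func (f *Factory) Revoke(hash string) { delete(f.cache, hash) }

// OfflineBuild decides a build request while the controller is unreachable.
// Every refusal is fail-closed: when in doubt, wait for contact.
func (f *Factory) OfflineBuild(hash string, now time.Time) error {
	if now.Sub(f.lastContact) > OfflineMaxAge {
		return errors.New("out of contact too long: factory deactivating")
	}
	r, ok := f.cache[hash]
	switch {
	case !ok:
		return errors.New("never granted here while online: needs a live check")
	case r.class != ProbablySafe:
		return errors.New("only probably-safe designs may be built offline")
	case now.Sub(r.grantedAt) > GraceWindow:
		return errors.New("last online grant too old")
	case r.left == 0:
		return errors.New("offline rebuild limit reached for this design")
	}
	r.left--
	f.Pending = append(f.Pending, hash+"@"+now.UTC().Format(time.RFC3339))
	return nil
}

// Reconnect hands the controller the offline build log (so tracking stays
// complete), resets the per-outage counters, and returns what was reported.
func (f *Factory) Reconnect(now time.Time) []string {
	reported := f.Pending
	f.Pending = nil
	f.lastContact = now
	for _, r := range f.cache {
		r.left = OfflineLimit
	}
	return reported
}

func main() {
	t0 := time.Date(2006, 10, 29, 9, 0, 0, 0, time.UTC)
	pn := NewFactory(t0)
	pn.RecordGrant("chair-v1", ProbablySafe, t0) // constructed design IDs
	pn.RecordGrant("drug-kit", Reviewed, t0)
	for _, h := range []string{"chair-v1", "chair-v1", "chair-v1", "drug-kit", "unknown"} {
		fmt.Printf("%-9s %v\n", h, pn.OfflineBuild(h, t0.Add(time.Hour)))
	}
	fmt.Println("reported on reconnect:", pn.Reconnect(t0.Add(2*time.Hour)))
}
```

The order of the refusals is deliberate: the long-outage check comes first, so a factory cut off from the network for a day stops building entirely, which is the behaviour the page asks for when contact is lost, while a short database outage costs users nothing for the probably-safe products they already build routinely.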
What if quantum computing cracks the encryption you're using?
The controls described here rely mostly on authentication (signatures on designs and on controller messages) rather than on secrecy. One-time pads give secrecy that no computer, quantum or otherwise, can break, and symmetric message authentication with pre-shared keys is not known to be broken by quantum computers either. If the public-key scheme in use were broken, newer nanofactories could be built with keys and algorithms that are not affected, including quantum encryption, and the old ones could then be deactivated remotely.
Security is really hard to do right, even in simple systems.
The security part of the nanofactory isn't affected by the complexity of the rest of the nanofactory, provided it is kept separate from it. It just has to say whether the factory can build a design or not (together with the keys and the channel to the controller that the decision depends on). That is a small enough piece of trusted code that we can probably do it right the first time if we work really hard at it.
What if people running the central control get paid or blackmailed to approve a dangerous design?
It would have to be set up so that that couldn't happen—so that one compromised person, or even a few, would not be enough to corrupt the system. Requiring consensus from several people on several continents seems like a good idea for approving anything questionable.
Don't these restrictions cripple the technology and prevent most of the benefits?
Probably not. There's a vast range of useful products in the "probably safe" category. For products that might harm consumers but don't risk cracking the system, approval could be as fast as with today's processes.
This doesn't prevent people from doing an independent MNT project.
It's not supposed to. Other administrative policies and institutions will have to prevent that. We just don't want nanofactories to make independent MNT projects easier than they already will be.
On 29 October 2006, a reader wrote: I couldn't help but find scary some of the proposals on this page, particularly the mechanisms for extensive communication between personal nanofactories (PNs) and central controllers. I worry that there's a danger of misinterpreting what may appear to be criminal actions. If there is to be a rapid police response to a pattern of PNs losing contact, it seems that there would need to be a heavy law enforcement infrastructure across the world, wherever the operation of PNs would be supported. Can it be guaranteed that a protocol for respecting a suspect's rights would be upheld during the process of arresting, interrogating, and holding the person?
I do understand that the apparent scariness of a proposal is not necessarily a reason not to implement it, but this just seems to be going too far in the direction of a police state. As a related issue, it seems like once there are powerful restrictive measures in place, there will be strong temptation to forbid the production of safe items or information that simply are taboo in mainstream society. Isn't there a risk of political efforts (possibly representing mainstream religious views) breaching the ideal of no special interests being considered?
Again, I guess all of this might be necessary to prevent disaster, however.
Thanks for expressing your concerns! CRN believes that the greatest risk we face is a massive unstable arms race. Just below that, however, is the risk of a global totalitarian government. Unfortunately, private misuse of nanofactories could reinforce calls for a totalitarian crackdown. On the other hand, if a government wants a totalitarian crackdown, then they can certainly manufacture excuses, regardless of whether actual civilians have access to unrestricted nanofactories. So, it appears that there are no simple solutions.
We originally wrote this page back in 2003, and now we're starting to rethink it—not enough to retract it yet, but enough that maybe we should post alternate suggestions. We'll work on that. In any case, this discussion underscores the need for more urgent investigation into how to deal with such a powerful technology.