
Anonymous Private Communications Service

scholarly edited this page Sep 14, 2013 · 37 revisions

I did a lot of reading before discovering (Chaum, 1981) Anonymous Remailer. I should have started at https://research.torproject.org/.

All of my thinking before that was based on a single server for storage with client-side public-key encryption. While this model has been successfully used by many providers (sharpmail, neomail, hushmail, silent circle, lavabit, and even the proposed service from mega.co.nz) this model is inevitably susceptible to pressure from coercive national intelligence organizations. Thank you for fighting the good fight, Lavabit. Even worse, however, is the fact that most of these "privacy-focused" companies are even more focused on their bottom line. Bruce Schneier lamented this in The Future of Ephemeral Conversation (2008) and The Public/Private Surveillance Partnership (2013).

I hope he is wrong. I hope that these juggernauts have some real, justified fear of current and future mix networks like Tor and I2P. I hope that enough people will replace their trust in centralized authority with trust in themselves and their neighbors and peers that we can live free of their tyranny. Flash back to 1776: Cryptography is our munition.

I realize now that "single point of failure" is not a viable long-term model, even for jurisdiction hoppers. I realize also that I cannot possibly understand mix networks quickly enough to finish this project before the deadline. I'll come back to it when I have time to understand it all better.

The reference client will probably be based on Mailpile. Pagekite is doing some great work in this area.

Tahoe might be one piece of the puzzle, for people who need to keep files available (loss would be worse than disclosure) but don't want to trust a single provider. The "storage provider" problem is interesting but orthogonal to the problem we are trying to solve. Integration with Tahoe would look like the mail delivery agent dropping the message into a subscriber's Maildir/new.


Original Paper

DISCLAIMER: I am not a lawyer, nor do I pretend to be one on Slashdot or Reddit. The ideas presented here (unless otherwise noted) are based on my own vague fantasies of being able to actually comprehend the incomprehensible morass of statute and precedent that chokes our government, our courts, and our lives. I also make use of my slightly-more-realistic fantasies of understanding basic cryptography, computer security, and computer programming. Caveat Emptor.

Capstone Proposal Summary

The protocols most commonly used for Internet communications, SMTP and IRC, were designed in a legal and social environment very different from what prevails today. People, in general, were more trusting, and governments were somewhat more trustworthy. Today, in the face of increased state surveillance, corporate lobbying to pass draconian laws, and ubiquitous (mostly insecure) network connectivity, privacy-conscious people need to reevaluate their communication habits and use practices and services that support the confidentiality and integrity of their communications and associations.

This project proposes the design of a communications service provider that allows members to strictly control access to their private communications, and if necessary, create online identities that cannot be easily linked to their real identity. It specifically addresses surveillance threats from law enforcement and government agents in the United States. The intent is not to promote or facilitate illegal or harmful activity, but to protect fundamental human rights, such as those specifically enumerated in the Bill of Rights: freedom of speech; freedom of association and assembly; right to bear arms to protect oneself and one's associates; protection from unreasonable searches, seizures, and surveillance; right to due process, etc.

Review of Other Work

The Electronic Frontier Foundation (hereafter EFF) is a donor-funded non-profit organization with a mission to slow and stop the erosion of our digital rights. The EFF has published a broad guide for people wanting to protect themselves from the invasions of the surveillance state.

"The Electronic Frontier Foundation (EFF) has created this Surveillance Self-Defense site to educate the American public about the law and technology of government surveillance in the United States, providing the information and tools necessary to evaluate the threat of surveillance and take appropriate steps to defend against it." (EFF, 2013, Surveillance Self-Defense)
For the context of this project, relevant laws include:
  • The first, fourth, and fifth amendments to the U.S. Constitution.
  • The Federal Wiretap Act 18 USC Chapter 119
  • The "Stored Communications Act" 18 USC Chapter 121 portion of the "Electronic Communications Privacy Act", or ECPA.
Hushmail

Tormail: I was unable to use the service for more than a couple of days. They went down with Freedom Hosting. I suppose they will eventually find a new home. I like the simplicity of their web page.

Riseup.net Lavabit Ipreda

https://internetganesha.wordpress.com/2013/08/10/lavabit-privacy-seppuku-and-game-theory/ "Gmail closed to protest NSA spying. Government web sites crumble under load from angry citizens." It would probably take only one day. We would see some real privacy legislation the very next day. What a beautiful dream!

https://www.neomailbox.com/

https://heml.is/ Nice concepts. I love the "Secrets are only secrets if they are secret." sound bite.

Mega uses "The Privacy Company" as a tag line, but seems much more concerned with protecting themselves from legal liability than protecting their customers' privacy. Maybe I just get that from reading their terms, etc.

UCE (client-side user-controlled encryption) and the promise to move operations to Iceland if New Zealand passes the back-door laws are encouraging.

https://www.schneier.com/blog/archives/2013/08/the_publicpriva_1.html

http://www.huffingtonpost.com/2013/07/22/nsa-leaks-spying-internet_n_3633510.html "At Ixquick, more than 45,000 people have asked to be beta testers for a new email service featuring accounts that not even the company can get into without user codes, spokeswoman Katherine Albrecht said. The company will levy a small charge for the accounts, betting that people are willing to pay for privacy." Oops. Paying for privacy almost guarantees you lose anonymity. Payment information is in the set of "meta-data" that has the least protection of all. 18 USC section 2703 (c)(2)(F)

http://www.law.cornell.edu/uscode/text/18/2703

Some Records Require Only a Subpoena

https://www.eff.org/wp/defending-privacy-us-border-guide-travelers-carrying-digital-devices

Goals and Objectives

Support electronic communications over insecure networks that can be private, anonymous, repudiable, and/or ephemeral.
  • Private means that no one who is not a party to the communication should be able to understand the message.
  • Anonymous means that any party of the communication can ensure that his pseudonymous identity cannot be easily linked to his real identity, especially by any third party. In some cases, the sender may have to trust that the other parties will not reveal the content of the communication. In all cases the recipient should be assured that the message was not modified by a man in the middle.
  • Repudiable means that no party to the communication can later prove via technology that the conversation is authentic. (There may be external evidence to support the authenticity of an alleged conversation. Our goal is to create at least plausible deniability.)
  • Ephemeral means that no record of the conversation remains that might be exposed later.
While supporting these objectives, we also do not want to create a haven for spammers or other abusers. FIND OUT: in a network where all messages are encrypted, would spamming be profitable if each message had to be encrypted for each user? If the sender abdicated the burden of encryption to the destination server, at least the server could scan the message before delivering it.
use case: ordinary private email
The participants are known to each other by their real names and trust each other to keep private things private. This is similar to the expectations associated with sending a letter via postal mail.
use case: sensitive private email
The participants are known to each other by their real names and trust each other, but want additional assurance that the exchange cannot be disclosed accidentally. If the exchange were via postal mail, the sender might ask the recipient to securely destroy the message after reading it.
use case: casual conversation
Casual exchanges over IM may include words that the speaker may wish he hadn't said. Ephemeral and repudiable are the key characteristics. This would be similar to the expectations of a face-to-face or telephone conversation where the parties trust each other to not record the conversation.
use case: sensitive conversation
Someone may be seeking help to escape an abusive or otherwise harmful situation. Disclosure to adversarial third parties could result in retaliation. Private and ephemeral are essential features. Anonymity may be desirable.
use case: anonymous private speech
A whistle-blower needs to remain anonymous when disclosing illegal or harmful activity, but it is still desirable to minimize the number of people involved until action can be taken against the perpetrators. Such speech may or may not need to be ephemeral. A security researcher disclosing vulnerabilities may need to remain anonymous to avoid legal liability because the research activity itself may run afoul of many current draconian laws.
use case: anonymous public speech
The First Amendment protects certain kinds of speech, but anonymity may be essential to avoid persecution and retaliation by others who want to suppress the information. Whistle-blowers and political activists often need this kind of protection.

The most important principles to support these goals are:

  1. If it isn't recorded anywhere, it cannot be disclosed.
  2. If it is recorded somewhere, it should be protected by strong encryption.

Rationale and Systems Analysis

18 USC § 2518 (3)(b) is interesting: "there is probable cause for belief that particular communications concerning that offense will be obtained through such interception." Does this mean that the judge might deny the request if he has reason to believe that the communications in question are encrypted with a short-lived key, and therefore the seizure is unlikely to be productive?

18 USC § 2703 - "Required disclosure of customer communications or records" of the Stored Communications Act lists the information the Government can ask for simply by offering "specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation." The primary risk here is that "relevant" could be interpreted very broadly. Because of the ease of obtaining such a subpoena, the service should not store any of this information: name, address, phone numbers, length of membership, session data (network address, time, duration), payment information. It is technically feasible to simply not collect or record any of this information. Length of membership can be obscured by carefully creating member records without time-linked data. Session data can be discarded when it is no longer needed, even immediately after the session ends/expires. Payment information is a critical leak. Credit cards and bank information can be linked trivially to real identities. Even supposedly anonymous payment methods such as cash and prepaid debit cards can be linked to a person by using video from security cameras. (needs citation) To avoid disclosing identifying information through payments, the service must operate as a donation-supported organization offering services to the public at no charge. If the organization has a political mission, donation and member lists may be protected more strongly by the First Amendment. (needs citation)

Minimize Disclosure via Mail Cover

The SMTP listener should accept a normally-invalid SMTP conversation. The only information required for delivery is the recipient's address. The other headers can be omitted by privacy-focused transport agents. Outgoing messages will need to comply with the full protocol, unless the receiving MTA advertises compatibility with the reduced protocol. The reduced conversation: HELO, STARTTLS, RCPT, DATA, QUIT. Or even simpler: HTTP POST. Most of the headers in legacy SMTP are unnecessary with modern well-connected networks. The HTTP POST transfer agent could detect forwarding loops by retaining for a few days a hash of each message received. A federated network of cooperating servers would be much more resilient to legal attacks than a set of servers operated by a single organization.
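One way to build the loop check described above without turning the hash table into a new record of who received what (an added example, not part of the original page). It goes one step beyond the text by using a keyed hash with a per-process random key; the class name `LoopDetector`, the three-day retention and the sample addresses are assumptions.

```python
import hashlib
import hmac
import secrets
import time

RETENTION_SECONDS = 3 * 24 * 3600  # assumed value for "a few days"


class LoopDetector:
    """Hypothetical duplicate filter for a store-and-forward transfer agent.

    Keeps only {keyed digest: expiry}. No sender, route or arrival time is stored.
    """

    def __init__(self, retention=RETENTION_SECONDS, clock=time.time):
        self._retention = retention
        self._clock = clock
        # Random key held only in memory: someone who later obtains this table
        # and a copy of a message cannot confirm the message passed through,
        # and a restart makes every retained digest meaningless.
        self._key = secrets.token_bytes(32)
        self._seen = {}

    def _digest(self, recipient: str, body: bytes) -> bytes:
        rcpt = recipient.strip().encode("utf-8")
        mac = hmac.new(self._key, digestmod=hashlib.sha256)
        # Length-prefix the recipient so ("ab", b"c") and ("a", b"bc") differ.
        mac.update(len(rcpt).to_bytes(4, "big"))
        mac.update(rcpt)
        mac.update(body)
        return mac.digest()

    def _prune(self, now: float) -> None:
        # Expired digests are deleted, not just ignored, so nothing outlives
        # the stated retention period.
        for digest in [d for d, exp in self._seen.items() if exp <= now]:
            del self._seen[digest]

    def accept(self, recipient: str, body: bytes) -> bool:
        """Return True on first sighting, False for a probable forwarding loop."""
        now = self._clock()
        self._prune(now)
        digest = self._digest(recipient, body)
        if digest in self._seen:
            return False
        self._seen[digest] = now + self._retention
        return True

    def retained(self) -> int:
        """Number of digests currently held."""
        return len(self._seen)
```

An identical message deliberately re-sent to the same recipient inside the retention window is also rejected, so this check fits best where every message body is freshly encrypted and therefore unique.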

Am I re-inventing private peer-to-peer networking? (TODO: research P2P, onion routing, hidden services)

Accounts with Multiple Aliases

While it may be convenient to have multiple aliases associated with a single subscriber id, this arrangement should be used only with careful consideration, because information requests might require disclosure of all related aliases. When anonymity is important, each alias should have its own account and key.

Data Retention and Destruction

It is essential for the service provider to carefully specify and follow data retention policies. If the provider receives a legal request for specific information, they must be able to point to specific policies that describe why the data is not available.

18 USC § 2704 requires the provider to preserve a backup of any communications the government deems interesting. The statute requires notice and 14 days for the subscriber to quash the subpoena ... except "if in its sole discretion such entity determines that there is reason to believe that notification under section 2703 of this title of the existence of the subpoena or court order may result in destruction of or tampering with evidence." (in other words, if they just don't feel like telling you. The gag order cannot be challenged.) The 14 days between notice to customer and delivery of the backup to the government gives you an opportunity to respond, but the data is already backed up before the notice, so you had better not count on being able to delete it.

Individuals can also protect themselves from accusations of destruction of evidence by articulating and following data retention policies that retain information only as long as it is valuable. It is especially important to only allow third party service providers to store data when availability of that data is more important than its confidentiality.

While an adversary may obtain a warrant and hide it with a gag order, if you have been scrupulous about encrypting all of your communications, even the super-warrant may not reveal anything useful, unless the mail cover alone is able to lead them to evidence. In order to get the content of the communication, they will need a key. In order to get it from you, they will need to 1) compromise one or more of your clients with a key logger or such, or 2) begin open legal proceedings against you. In the latter case, you will now be able to defend yourself more effectively because the fight is in the open. In a criminal case, the Fifth Amendment may allow you to keep your key private.

Consider a policy of document destruction by generating new keys on a regular basis. Every document encrypted with a particular key -- even copies not under your control -- can be effectively destroyed by destroying every copy of the private key or its password. If you do this every week, your adversary can only obtain at most seven days worth of data (after they finally charge you openly), even if they have been collecting encrypted data for a long time. (TODO: how could you arrange this if you keep your key-store on a third-party server? probably not a good idea.) If each new key is signed by a long-lived signing key that your peers have verified as yours, then distributing the new public key should be painless. There should probably be a small overlap between when you publish the new key and when you retire the old key, so you can still read messages sent but not delivered before the new key was published. The limiting case of a new key for each message is like OTR.
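The rotation schedule described above, modelled as an added example that is not part of the original page. It performs no cryptography and only tracks which private keys still exist at a given moment, assuming key k is published at the start of week k and the overlap lasts one day; `RotationPolicy` and its method names are hypothetical.

```python
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class RotationPolicy:
    period: int = 7 * DAY   # weekly rotation, as in the text
    overlap: int = 1 * DAY  # assumed length of the "small overlap"; must be < period

    def active_index(self, t: int) -> int:
        """Index of the key that senders should encrypt to at time t."""
        return t // self.period

    def held_private_keys(self, t: int) -> list:
        """Indices of the private keys that still exist at time t."""
        k = self.active_index(t)
        held = [k]
        # Key k-1 is destroyed `overlap` seconds after key k is published.
        if k > 0 and t < k * self.period + self.overlap:
            held.insert(0, k - 1)
        return held

    def can_read(self, sent_at: int, delivered_at: int) -> bool:
        """True if the key a message was encrypted to still exists on delivery."""
        return self.active_index(sent_at) in self.held_private_keys(delivered_at)

    def exposure(self, seized_at: int) -> int:
        """Age in seconds of the oldest traffic readable with keys seized at seized_at."""
        oldest = self.held_private_keys(seized_at)[0]
        return seized_at - oldest * self.period

    def worst_case_exposure(self) -> int:
        """Largest exposure over a steady-state period (1-second resolution)."""
        just_before_retirement = self.period + self.overlap - 1
        just_before_rotation = 2 * self.period - 1
        return max(self.exposure(just_before_retirement),
                   self.exposure(just_before_rotation))
```

With a one-day overlap, keys seized just before the old key is retired expose just under eight days of traffic rather than seven, and a message that arrives after the overlap has ended can no longer be read.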

Project Deliverables

Detailed Requirements Document
The requirements document should include sufficient detail to support a legal review and guide anyone who chooses to implement the service. It should specify requirements for the following:
  • legal documents, including privacy policy, terms of service, and abuse policy;
  • business processes related to:
      • subscriber data and meta-data,
      • government requests for subscriber data,
      • complaints of abuse (spam, infringement under DMCA, harassment, etc.),
      • reports of security vulnerabilities;
  • hosting infrastructure: document security requirements;
  • host security: document server hardening procedures;
  • application design:
      • wire protocols,
      • server processes,
      • cron jobs,
      • database design,
      • user interaction requirements for a minimal reference client;
  • end user guide: document what the users need to know to achieve their privacy and anonymity goals.
Legal Review
The design should be reviewed by an attorney to identify legal risks to anyone implementing and deploying the service and to the subscribers to such a service. We plan to seek a referral from the EFF to identify a qualified attorney. This review will help determine the feasibility and likelihood of success of such a deployment.
These documents will be published under a liberal Creative Commons license. Depending on the results of the legal review, a future project may actually implement the necessary software and publish it under a liberal open-source license.

Project Time Line

References

Schneier, Bruce, The Future of Ephemeral Conversation (2008) https://www.schneier.com/blog/archives/2008/11/the_future_of_e.html


Appendix 2: Random Thoughts

18 USC § 2522 If your code doesn't allow you to comply, they can force you to change it in a way that allows compliance. They might have to pay you for your time to make the changes: "Any provider of ... furnishing such facilities or technical assistance shall be compensated therefor by the applicant for reasonable expenses incurred in providing such facilities or assistance." (18 USC § 2518)

I like (18 USC § 2518 (9)): no intercepted communications can be used as evidence in a trial unless they give you a copy of the order and the communications intercepted and give you a chance to challenge the wiretap.

United States v. John Doe: Doe rightly asserted his Fifth Amendment privilege. The government sought to compel production of alleged files, only granting immunity for the act of production, but not for derived evidence. Doe again refused to comply and was held in contempt. On appeal, the judge reversed the decision of the lower court. The prosecution believed there were files on the encrypted hard drives, but could not prove, independent of Doe's act of production, that there was actually anything at all on the drives. In granting immunity that was not coextensive with the Fifth Amendment privilege, they were fishing for evidence. The judge rightly held, supported by numerous other cases, that this was inappropriate and that Doe was right to refuse the order. (The government may not have even been able to prove that Doe was able to decrypt the drives, but in their greed, they bungled the case and didn't even get that far.)

Privacy-conscious individuals are encouraged to carefully study the materials available on the web sites of the EFF and the Electronic Privacy Information Center (EPIC)

See (mailpile issue 79) for an excellent description of the need for forward secrecy and plausible deniability, which are NOT supported by PGP.

But we do know that the NSA is constrained by economics. If you look at their techniques, they tend to go for techniques that have bulk payoff. And if they can subvert every copy of Windows encryption, they get a lot. If they have to go into individual computers to steal secrets, that’s expensive. So the more you can do to raise the cost of being eavesdropped on, the safer you are. (Bruce Schneier for Democracy Now)

The Tor people were right: Don't use Windows

Forward Secrecy Extensions for OpenPGP