Geoffrey Goodell on Sun, 16 Jun 2019 18:00:46 +0200 (CEST)


Re: <nettime> Unlike Us links on social media and their alternatives


Dear Morlock,

I think your threat model is wrong.  At issue here is the question of whether
infrastructures allow unscrupulous adversaries to manipulate the behaviour of
multitudes of persons, cheaply and at scale, which although related should
not be confused with the question of whether it might be possible for an
adversary to eavesdrop on some conversations.

On Sat, Jun 15, 2019 at 11:34:27PM -0700, Morlock Elloi wrote:
> 1.1 Because any onion-like routing will raise red flags in many places.
> Providing end-to-end privacy alone is a huge step by itself, and easier to
> accomplish without irritating powers that be too much. Let them know who
> talks to whom, and construct social graphs. They were able to do that with
> paper letters as well, since ever. The amount of Tor use by "freedom
> fighters" is infinitesimal compared to semi-criminal and criminal use (as
> defined by legal domains.) This is a bar too high to start with.

That is a dangerous narrative that leads nowhere useful.

> 1.2 It's asymmetric. Lesser governments (all except one) cannot penetrate
> onion routing. Major government can, routinely, as it has complete coverage,
> making correlation attacks trivial (unless we go back to mixmaster with
> random delays up to many hours.) This would be discriminatory towards lesser
> governments, and further empowering the major one. Unfair.

There are two problems with this argument:

First, there is no evidence that global adversaries actually use timing and
correlation attacks to de-anonymise parties communicating via onion routing.
Operators of Silk Road and The Pirate Bay were identified as a result of their
operational security failures, and some perpetrators have been caught because
the anonymity set of plausible suspects was small enough that circumstantial
evidence of their use of onion routing was sufficient.  Timing and correlation
attacks are certainly possible, but they are not so important that onion
routing is ineffective.

Second, as above, the threat model is mass surveillance.  Carrying out timing
and correlation attacks is expensive, generally requiring a large amount of
statistical sampling, active engagement in real time, or both.  A powerful
adversary might be able to carry out such attacks on a handful of targets who
use onion routing.  However, the chance that even a global-scale adversary
would be able to de-anonymise everyone, every time, with this approach is
vanishingly small.  Suggest that the primary power of onion routing lies in its
protection of the masses from surveillance and monitoring, not in its
protection of individual suspects from targeted attacks.

> 2. Once end-to-end privacy is routinely available, anonymity can be the next
> step. But these should be two independently moving parts. Plus the solutions
> for the two are not the same.

By 'privacy' here I assume you refer only to the message contents, not the
metadata.  Frankly, the metadata (particularly location and social graph
information) are much more valuable, and threatening to autonomy via mass
surveillance, than the content of messages.  Manipulation via mass
surveillance, not the discovery of one's secrets via wiretapping, is the
primary threat.  For this reason, end-to-end encryption over intermediated
communication channels, such as that offered by WhatsApp, Signal, and Skype,
does not actually make us more private in a way that is actually useful.
Unencrypted conversations over a federated network are in some ways more
private than encrypted conversations over a centrally-controlled network.

> I think that this should be further clarified as:
> 
> Stage 1: "in a manner that does not expose content of their conversations to
> third parties" (i.e. the conversations are private, but metadata (who talks
> to whom and when) isn't).
> 
> Stage 2: "in a manner that does not expose either content or metadata of
> their conversations to third parties".

So, borrowing your idea to divide our plan to roll out private communication
infrastructure into two stages, I would restate your first stage as follows:

Stage 1: 'in a manner that does not make use of third-party intermediaries to
broker conversations'

What I mean by this is that people should connect to each other directly and
not rely upon single-provider platforms.  This is the motivation for using
Nextcloud instead of Dropbox, Google Calendar, and Skype.  All of these can be
done (with end-to-end encryption, by the way) without onion routing.

However, onion routing offers a second benefit beyond anonymity: it allows a
means of network traversal that addresses the problem Morlock raised earlier
about most Internet users not being directly addressable.  I can run Nextcloud
or a chat server or an email server because I have a static IP address.
However, most people don't.  Onion routing allows anybody to run services, even
those stuck behind network filters, policies, or middleboxes.  Even laptops and
mobile phones can run services.  No longer do their users need to be
second-class Internet citizens.

So even if we do not care about or believe in its anonymity properties, onion
routing can help us avoid third-party platforms.  And avoiding third-party
platforms is what we need to do next, if we want to protect human autonomy.

Best wishes --

Geoff

#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: