Geoffrey Goodell on Sun, 16 Jun 2019 18:00:46 +0200 (CEST)
Re: <nettime> Unlike Us links on social media and their alternatives

Dear Morlock,

I think your threat model is wrong. At issue here is the question of whether infrastructures allow unscrupulous adversaries to manipulate the behaviour of multitudes of persons, cheaply and at scale, which although related should not be confused with the question of whether it might be possible for an adversary to eavesdrop on some conversations.

On Sat, Jun 15, 2019 at 11:34:27PM -0700, Morlock Elloi wrote:

> 1.1 Because any onion-like routing will raise red flags in many places.
> Providing end-to-end privacy alone is a huge step by itself, and easier to
> accomplish without irritating powers that be too much. Let them know who
> talks to whom, and construct social graphs. They were able to do that with
> paper letters as well, since ever. The amount of Tor use by "freedom
> fighters" is infinitesimal compared by semi-criminal and criminal use (as
> defined by legal domains.) This is a bar too high to start with.

That is a dangerous narrative that leads nowhere useful.

> 1.2 It's asymmetric. Lesser governments (all except one) cannot penetrate
> onion routing. Major government can, routinely, as it has complete coverage,
> making correlation attacks trivial (unless we go back to mixmaster with
> random delays up to many hours.) This would be discriminatory towards lesser
> governments, and further empowering the major one. Unfair.

There are two problems with this argument:

First, there is no evidence that global adversaries actually use timing and correlation attacks to de-anonymise parties communicating via onion routing. Operators of Silk Road and The Pirate Bay were identified as a result of their operational security failures, and some perpetrators have been caught because the anonymity set of plausible suspects was small enough that circumstantial evidence of their use of onion routing was sufficient. Timing and correlation attacks are certainly possible, but they are not so important that onion routing is ineffective.

Second, as above, the threat model is mass surveillance. Carrying out timing and correlation attacks is expensive, generally requiring a large amount of statistical sampling, active engagement in real time, or both. A powerful adversary might be able to carry out such attacks on a handful of targets who use onion routing. However, the chance that even a global-scale adversary would be able to de-anonymise everyone, every time, with this approach is vanishingly small. Suggest that the primary power of onion routing lies in its protection of the masses from surveillance and monitoring, not in its protection of individual suspects from targeted attacks.

> 2. Once end-to-end privacy is routinely available, anonymity can be the next
> step. But these should be two independently moving parts. Plus the solutions
> for the two are not the same.

By 'privacy' here I assume you refer only to the message contents, not the metadata. Frankly, the metadata (particularly location and social graph information) are much more valuable, and threatening to autonomy via mass surveillance, than the content of messages. Manipulation via mass surveillance, not the discovery of one's secrets via wiretapping, is the primary threat.

For this reason, end-to-end encryption over intermediated communication channels, such as that offered by WhatsApp, Signal, and Skype, does not actually make us more private in a way that is actually useful. Unencrypted conversations over a federated network are in some ways more private than encrypted conversations over a centrally-controlled network.

> I think that this should be further clarified as:
>
> Stage 1: "in a manner that does not expose content of their conversations to
> third parties" (ie. the conversations are private, but metadata (who talks
> to whom and when) isn't.
>
> Stage 2: "in a manner that does not expose neither content nor metadata of
> their conversations to third parties".

So, borrowing your idea to divide our plan to roll out private communication infrastructure into two stages, I would restate your first stage as follows:

Stage 1: 'in a manner that does not make use of third-party intermediaries to broker conversations'

What I mean by this is that people should connect to each other directly and not rely upon single-provider platforms. This is the motivation for using Nextcloud instead of Dropbox, Google Calendar, and Skype. All of these can be done (with end-to-end encryption, by the way) without onion routing.

However, onion routing offers a second benefit beyond anonymity: it allows a means of network traversal that addresses the problem Morlock raised earlier about most Internet users not being directly addressable. I can run Nextcloud or a chat server or an email server because I have a static IP address. However, most people don't. Onion routing allows anybody to run services, even those stuck behind network filters, policies, or middleboxes. Even laptops and mobile phones can run services. No longer do their users need to be second-class Internet citizens.

So even if we do not care about or believe in its anonymity properties, onion routing can help us avoid third-party platforms. And avoiding third-party platforms is what we need to do next, if we want to protect human autonomy.

Best wishes --

Geoff

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: http://mx.kein.org/mailman/listinfo/nettime-l
#  archive: http://www.nettime.org contact: nettime@kein.org
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: