1. 210830 E2EE Report Paper

Total Page:16

File Type:pdf, Size:1020Kb

TERRORIST USE OF E2EE: STATE OF PLAY, MISCONCEPTIONS, AND MITIGATION STRATEGIES REPORT

1. Background And Scope
2. Methodology

Part 1 – Use and Perception of E2EE: Landscape Review
3. Use and Perception of E2EE: Key Findings
4. Public Perception of E2EE: User Concerns for Privacy And Security
5. Landscape Review: Use of E2EE Across The Internet
6. E2EE: Challenges for Content Moderation
7. Challenges for Law Enforcement Access
8. Policymakers Calls for Access to and Traceability of E2EE
9. Key Arguments Against the Creation of Backdoors

Part 2 – Assessing Terrorist and Violent Extremist Use of E2EE
10. Terrorist and Violent Extremist Use of E2EE: Key Findings
11. Terrorist and Violent Extremist Use of E2EE: Assessment
12. Suspected Use of E2EE In Terrorist Attacks And Its Impact on The Encryption Debate
13. Monitoring of Encrypted Platforms By Law Enforcement Agencies

Part 3 – Strategies for Risk Mitigation
14. Strategies for Risk Mitigation: Key Findings
15. Countering Criminal Use of E2EE
16. Preventing Criminal Use – EMS Feature Attributes
17. Identifying Patterns of Criminal Use – Metadata Analysis
18. Disrupting Criminal Use – Technical Tools to Detect Illegal Content
19. Going Beyond The Encryption Debate

Part 4 – Tech Against Terrorism’s Recommendations for Tech Platforms
20. Recommendation: Mitigating Risks of Terrorist and Violent Extremist Use of EMS
21. Recommendation: Taking A Stand For Encryption

Annex
Annex 1. Encryption Technology
Annex 2. Encryption: A Backbone Of Today’s Digital World
Annex 3. The Encryption Debate
Annex 4. Non-Messaging E2EE Services’ Cooperation With Law Enforcement
Annex 5. The role of metadata in user-generated content & content moderation
Annex 6. Safety By Design
Annex 7. Public Perception of E2EE: Survey

TECH AGAINST TERRORISM | TERRORIST USE OF E2EE | REPORT

PART 1 USE AND PERCEPTION OF E2EE: LANDSCAPE REVIEW

1. BACKGROUND AND SCOPE

This report aims to provide a comprehensive overview of the risks and mitigation strategies related to the use of end-to-end encryption (E2EE) technology – with a focus on the use of end-to-end encrypted communications and the risks of abuse by terrorists and violent extremists.

This report is divided into four sections:

1. A landscape review of E2EE and associated risks: providing an overview of the current use of end-to-end encryption and an assessment of criminal use of online services offering E2EE.
   o Part 1: Use and Perception of E2EE – Landscape Review
   o Part 2: Criminal Use of E2EE – Terrorists and Violent Extremists Focused Assessment

2. Recommendations for risk mitigation: assessing the different risk mitigation and content moderation strategies that have been proposed with regard to E2EE, and outlining recommendations for governments and tech companies.
   o Part 3: Criminal Use of E2EE – Strategies for risks mitigation
   o Part 4: E2EE, Criminal use and Risks Mitigation – Tech Against Terrorism’s recommendations

The report was commissioned by Facebook. All findings represent Tech Against Terrorism’s independent analysis and research.

2. METHODOLOGY

For this report, Tech Against Terrorism consulted over 160 publicly available reports, articles, white papers, and pieces of legislation concerning the use of encryption, and of end-to-end encryption in particular, as well as the associated risks of criminal actors exploiting such technology. In addition, we consulted five encryption experts from the civil society and tech sectors.

Open-source analysis was used to map out the use of E2EE by internet users, as well as the perception of encryption technologies amongst policymakers and the public. To ensure a broad overview and in-depth comprehension of E2EE, including its benefits and potential misuses by malevolent actors (especially terrorists and violent extremists), we supplemented this analysis with a series of interviews with E2EE experts. These interviews were focused on how they viewed policymakers’ calls for so-called “safe” backdoors to encryption, and how they considered tech companies could support law enforcement investigations without compromising the online privacy and security provided by E2EE.

Furthermore, a review of the prominent literature addressing the specificities both of encryption technology and of terrorist uses of the internet allowed us to build a detailed overview of the technical specificities of E2EE and of the content moderation challenges related to E2EE-protected content. Finally, open-source intelligence (OSINT) analysis was used to inform our understanding of the use of encrypted platforms by terrorists and violent extremists, including their preferred platforms and the reasons for those preferences.

3. USE AND PERCEPTION OF E2EE: KEY FINDINGS

Increased use of encryption and concerns for online privacy:

1. There are growing user concerns over online privacy and tech company misuse of personal data: 64% of users say they are worried about this.[1]

2. These concerns have motivated online services to turn to encryption, including E2EE, in particular for their communications offering. As of 2019, over 40% of private companies across all business sectors were using encrypted solutions.[2][3]

3. In certain countries and regions, including the US, UK, Russia, Germany, and Canada, almost 100% of internet traffic passing through Google is encrypted on the server-side.[4]

Messaging apps and end-to-end encryption:

4. Messaging apps represent the second most common online activity globally (after social media), with 87% of the world’s population using such services.[5] WhatsApp, the world’s most frequently used messaging app, delivers over 100 billion end-to-end encrypted messages every day,[6] in an indication of the global popularity of E2EE messaging apps.

5. Four of the six most-used messaging apps globally offer E2EE as a default or opt-in. Most of them rely on asymmetric encryption.[7] Signal’s protocol, based on Double Ratchet Algorithm and Diffie-Hellman public values, is open-source and the basis for encryption protocols used by many leading E2EE messaging apps, including WhatsApp, Line Messenger, Viber, and Wire.

Government and law enforcement calls for “backdoors” to encryption

6. With E2EE becoming more prominently used as a result of user demand, policymakers and law enforcement have raised concerns regarding how E2EE could be exploited by criminal actors, including terrorists and violent extremists. However, privacy advocates stress that there is no substantial evidence that the lack of access to encrypted communications significantly hinders the work of law enforcement, nor that the monitoring of criminal actors cannot be done without breaking encryption.

7. E2EE technical experts and digital rights advocates agree that there are no safe backdoors to encryption. Instead they argue that compelling tech platforms to create backdoors or remove E2EE protection would create more security risks, and for a greater number of persons, than it would resolve.

8. The majority of the literature consulted stresses that E2EE is the most secure form of encryption, and the security backbone of today’s digital world.

[1] Gorman Doug (2020), The new privacy landscape, Global Web Index.
[2] This includes online communications services, financial services, and health-related services that rely on strong encryption to ensure the integrity of their data and to prevent security breaches.
[3] Statista, Enterprise-wide encryption solution usage worldwide 2012-2019.
[4] Google, HTTPS Encryption on the Web.
[5] Global Web Index (2020), Messaging Apps: Understanding the potential of messaging apps for marketers.
[6] Singh Manish (2020), WhatsApp is now delivering roughly 100 billion messages a day, TechCrunch.
[7] A user sends a message encrypted with a public key, which is then decrypted by the recipient, using their matching private key. In this type, AES256 keys are the most commonly used, often alongside Double Ratchet Algorithm protocols for key management.

4. PUBLIC PERCEPTION OF E2EE: USER CONCERNS FOR PRIVACY AND SECURITY

The question of whether online users view positively the mainstream roll out of E2EE across online services is difficult to assess given the lack of global surveys on the subject. Until now, and with the exception of high-level public confrontation between tech platforms and the authorities over providing law enforcement with access to encrypted devices and communications,[8] the question of whether encryption should be viewed as a risk to security has remained mostly a discussion between policymakers, law enforcement, tech companies, and E2EE experts. However, the growing popularity of encrypted messaging apps (EMS), as well as the proportionate rise in users’ concerns about online privacy and how their data can be (mis)used by private companies and governments, can inform us about public perceptions of E2EE and EMS.

4.a Weakened trust in tech companies

Both the Snowden revelations and the Cambridge Analytica scandal in 2018[9] heavily impacted users’ trust in internet technologies and online platforms.

… program that allowed the NSA to compel tech platforms to respond to user data requests. The document also revealed that most telephone companies in the US had been providing users’ phone records to the NSA.[11] These revelations “triggered a global wave of privacy concerns by revealing the extent of government mass surveillance programs”,[12] and drove E2EE to become the norm for messaging apps. The same year, WhatsApp began to roll out encryption before partnering with Open Whisper Systems – the group behind Signal, one of the first messaging apps that fully integrated E2EE – to begin rolling out E2EE on its services in 2014. WhatsApp became fully encrypted with E2EE protocols in 2016.[13] Similarly, ProtonMail, the leading E2EE email service provider, launched in 2014 in direct response to the Snowden revelations and out of a desire to provide an easy and secure communication service to users.[14]

A Pew Research Centre study on “Americans’ Privacy Strategies Post-Snowden”, published in 2015, showed that 30% of individuals aware