Privacy by Default. White Paper

p≡p foundation council 2016–07–18 (v1.0.5)

Contact: mailto:[email protected] Website: https://pep.foundation2

1OpenPGP fingerprint: EC55 39C8 FECF 7C4F 324B F027 A9DE 30FC 56BB B555 2Or using CAcert certificate cf. URL https://cacert.pep.foundation Document versions

• v1.0.5 (2016-07-18): Update modules graphics (pEp for iOS; no Inboxcube patch) • v1.0.4 (2016-07-02): Change OpenPGP fingerprint in the title page • v1.0.3 (2016-03-03): Rename “Conceptual White Paper” in “White Paper” • v1.0.2 (2016-03-02): One typographical fix • v1.0.1 (2016-02-29): Stylistic changes and typographical fixes • v1.0 (2016-02-29): First public version • v0.6 (2016-02-29): Draft version • v0.5 (2016-02-28): Second revised early draft • v0.4 (2016-02-21): First early draft

1 Contents

1 Introduction and Motivation 3

2 p≡p at a glance: privacy without compromise 5

3 Design principles 7 3.1 Ease of use: hassle-free installation, automatic configuration and integration 7 3.2 Understandability: traffic lights semantics / Privacy Status ...... 7 3.3 Interoperability: convergence of messaging systems ...... 8 3.4 Cross-platform support: free choice of platforms ...... 8 3.5 100% peer-to-peer: no central providers ...... 9

4 being used and communication strategy 10

5 Architectural aspects: p≡p engine and adapters 11

2 1 Introduction and Motivation

The Right to Privacy and the Right of the whereabouts of all the personal, to Freedom of Information are part collective or corporate data involved. of the inalienable Human Rights. In the future, mass deployment of These rights are listed in Article 12 and Internet of Things (IoT) technologies is Article 19 of the Universal Declaration expected, meaning that many of the of Human Rights based on Resolution objects we know today – may that be 217 A (III) of the UN General Assem- implants in our bodies, (parts of) our bly as Objects of Legal Protection. clothes, all kind of sensor systems in our homes, streets or organizations In a time when Chartered Rights are – will get “on-line” and “talk” to each being more and more threatened, mea- other. Such developments have the sures have to be taken into our own potential to completely eradicate the hands in order to protect and preserve notion of privacy. This puts in dan- them. Especially because of the Inter- ger an open and democratic society. net the circumstances for a majority of people have changed completely, All that said, it’s vital to act now and and unfortunately not for the better. in the most effective way possible: p≡p stands for pretty Easy privacy Taking a deep breath, we must real- (abbreviated as p≡p) – the “E” or ize that the entrance of humanity into “≡” to be emphasized, but without digital age is accompanied by all of us compromise in privacy. We want the continuously losing more and more of Internet to become a secure place, our privacy rights, which we believe where people and organizations gain are paramount for citizens, families, back their constitutional rights to enterprises, public offices, lawyers, communicate in private by default. NGOs, journalists and political activists for being able not just to feel, but also We start our mission by radically easing to act and interact freely – without the use of well-known and established any fears of becoming discriminated end-to-end cryptographic tools for al- or suppressed based on past behav- ready existing and widely used written iors, opinions expressed or the social digital communication channels (like communication network an actor is in. e-mail, SMS or chat), without forcing users to adhere to new communica- Today, any individual or collective ac- tions channels and by providing the engaged in any digital activity, must necessary tools for gluing already assume not only to be just constantly existing – but not easy to use – compo- monitored, but having its behavior auto- nents together and helping businesses matically analyzed by text and data min- to spread p≡p and the technologies ing or other technologies of machine it employs as industry standards. learning3 – leading for literally everyone being scored and categorized. This gen- However, considering the different erally happens without the actors’ con- use cases the Internet has today (e. g. sent and without a clear consciousness it’s also used for voice calls or to carry

3Sometimes also just called “big data” technologies involving (complex) algorithmic methods.

3 out payments), we don’t want p≡p to munciations: at least, we let that be be seen as forever bound and ending the beginning of our efforts to help to in “just” securing written digital com- secure the Internet and its users.

4 2 p≡p at a glance: privacy without compromise

What is p≡p? p≡p motivates a new standard to tificate authorities) by default, even securely encrypt and verify written though p≡p (for compatibility reasons communications, without reinvent- and integration purposes) supports ing the wheel. p≡p, by design, eases S/MIME (e. g. used in organizations secure communications relying on for e-mail ). However, de- well-established end-to-end cryp- fault p≡p installations shall not be tographic methods (following stan- expected to support non-end-to-end dards like OpenPGP or OTR) by in- approaches of cryptography: for p≡p tegrating into existing systems for centralized cryptographic approaches written digital communications and provide weak cryptography only and automating management tasks. are considered an unreliable communi- cation type in terms of our approach Ultimately, p≡p wants to change of privacy without compromise. the default in written digital com- munications: from unencrypted, To achieve the goal of spread, from unverified and unanonymized to en- an organizational point of view, the p≡p crypted, verifiable and anonymized.4 project founders set up two different types of entities, distinguished by sep- p≡p restores security and privacy arated legal entities in two different without requiring user interaction for European countries: its basic operation and never putting communications’ security over the • p≡p foundation, a non-profit organiza- ability to communicate: thus, if no tion established as foundation under channel be- Swiss law holding the trademarks on tween two peers can be established, p≡p and the copyrights of the p≡p the text message is sent unencrypted engine and the p≡p adapters for dif- (cf. 4 for some more details) rather ferent programming languages and than hassling the users involved. development environments. It is sup- porting Free and Open Source Soft- Whenever two p≡p peers established ware Projects (FOSS) to integrate a technically secure communication p≡p. channel, they can add human trust to it by verifying each other’s digital identity • p≡p security, a enterprise incorpo- by comparing Trustwords (cf. 3.2 for rated in Switzerland and Luxem- some more details): like that two peers bourg and licensed by p≡p founda- can increase confidence they are really tion to spread p≡p software to both communicating with each other and Business-to-Business (B2B) and no Man-In-The-Middle (MITM) attack Business-To-Consumer (B2C) mar- is taking place. No trust will be put kets by creating, distributing and pro- into key servers or centralized trust viding support for add-ons, plug-ins infrastructures (like commercial cer- and apps enabling users and organiza- tions to use p≡p technology.5

4For anonymization, GNUnet message transport is considered, cf. https://www.gnunet.org. 5Cf. https://www.prettyeasyprivacy.com/

5 All software published by p≡p foun- dependent entities for each public dation will be and forever remain release. By all of these measures we freely available for the general pub- do our best effort to make sure p≡p lic under the GNU General Public Li- software is and stays backdoor-free cense version 3 (GPLv3) or any later even if it’s distributed by third party. version. All software will be subject to an independent code review for p≡p software will be cryptographically any release, disclosing the full tech- signed and provided with detailed build nical report. As part of its its model instructions and a fully documented of security by design providing the build chain for each platform involved, most trust possible, p≡p foundation to make transparent how deterministic will make sure that all licensed p≡p builds6 can be created from source. software gets code-reviewed by in-

6Cf. https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global- compromise

6 3 Design principles

Above all, p≡p – contrary to existing Furthermore, for their communications cryptographic solutions – shall be p≡p users don’t depend on any specific easy to install, use and understand. (web or ) platform, message transport system (SMS, E- In our opinion, not just power Mail, XMPP etc.) or centrally provided users, but all users have the right client–server or “cloud” infrastructures: to use end-to-end cryptography. p≡p is 100% peer-to-peer by design.

3.1 Ease of use: hassle-free installation, automatic configuration and inte- gration p≡p software shall integrate into ex- for regular users, of course power isting systems for written digital com- users will remain free to configure their munications like e-mail clients (e. g. installation by themselves and turn Thunderbird, or Outlook) off the automation proposed by p≡p. and messaging clients, or be provided as apps for smartphones (e. g. for An- From the beginning, the p≡p concept droid or iOS) in a hassle-free way: in bears in mind to be installed not just case of e-mail this means that upon on end user devices, but also in or- installation existing OpenPGP keys ganizations with thousands of users: will be used by p≡p automatically for important features for such settings, any further communication; should like distribution lists, BCC mailings no OpenPGP keys be available, p≡p and unencrypted archiving of e-mails, automatically creates a private and which were sent or received encrypted, public key for the e-mail address con- is possible. cerned. Even though it’s discouraged

3.2 Understandability: traffic lights semantics / Privacy Status

To indicate the security level in place • yellow: The communication chan- for a given communication situation, nel is perfectly encrypted by state- p≡p uses traffic lights semantics7 to of-the-art technology known being easily indicate the Privacy Status to the correct, using well-implemented cryp- user: tographic methods only and sufficient key lengths, but sender (inbound) or recipient (outbound) are not (yet) veri- • red: An attack was detected or the fied. user explicitly expressed mistrust for the given communication channel, so that this channel must be considered • green: Two peers have used a side- specifically insecure. channel (e. g. by making a phone call)

7Changes to the colors’ meanings might still occur. 8Trustwords are unique representations of a peer’s , but not in form of hexadeci- mal blocks as usual when verifying OpenPGP fingerprints, but in form of words in users’ mother native lan-

7 to check their Trustwords,8 so the like sending a post card. Any impor- communication can be shown as fully tant actor transporting the message trusted by all reasonable means.9 can read about the sender, the re- cipients, the subject and read the • No color: That’s the default situa- message’s full contents and attach- tion of today without p≡p or any ments. Also in cases where the other (known) cryptographic so- encryption employed is undefined lution under management of p≡p or unreliable (e. g. S/MIME with software from an inbound or to an commercial CAs) or a key couldn’t outbound peer. In case of e-mail be found the Privacy Status has no the communication channel usually color. must be considered as insecure

3.3 Interoperability: convergence of messaging systems

Instead of forcing whole user bases p≡p pursues the philosophy not to take to use new (post e-mail) messaging sides, respecting users’ choices and systems, the p≡p concept is about providing solutions for their preferred securing what’s insecure today. messaging systems and the ability to communicate with all peers on their Not at last taking into account preferred communications channels. that e-mail is one of the most Even though p≡p will provide its own widespread message transport sys- messaging format for cases where tems used10 for written digital com- both communication end points have munication, sided by SMS, XMPP p≡p software installed, and no other and proprietary message formats. format delivers the needed properties.

3.4 Cross-platform support: free choice of platforms

From the very beginning (cf. 5 for p≡p is starting with securing e-mail some more details) portability and communications for Mail User Agents cross-platform support is an important (MUAs) like Thunderbird, Apple Mail design aspect of p≡p. p≡p will support and Outlook providing add-ons, plug-ins desktop, apps and web-based systems. and apps for smartphone operating sys- For the latter, add-ons and plug-ins will tems like Android and iOS. p≡p shall be made available supporting popu- also be integrated and shipped with lar web-based e-mail providers, which already popular messaging systems people are being used to access with wherever possible. their different devices by a browser.

guage or any of the languages in the realm of ISO 639-1 code; cf. URL https://cacert.pep.foundation/ trac/wiki/Trustwords. 9This, of course, is assuming no malware of any kind is present at one or both end points and no back- door is present at any end point in the system. 10That is including the fact each active Internet user might have at least one e-mail address and the use of most (web) services require an active e-mail address to be used. Also in business situations, e-mail is persisting being prevalent.

8 3.5 100% peer-to-peer: no central providers

By default, communications be- In any case, p≡p will do its best to tween p≡p peers always work end- hide as much as possible of the to-end encrypted – no eavesdrop- communicated information from ping in between shall be possible attackers – including metadata – by design. p≡p users are never increasing attackers’ costs to the forced to use a proprietary platform. maximum (cf. 4 for more details).

Concerning communication by e- p≡p delivers a synchronization proto- mail using OpenPGP cryptography, col11 allowing a user to own different this means every user or organiza- devices (e. g. a laptop and a smart- tion can decide by themselves if they phone) sharing a common Device want to run an own e-mail server or Group key pair, such that to use third party services to com- can be sent and read across different municate with other peers via e-mail. devices.

11Cf. URL https://cacert.pep.foundation/trac/wiki/p%E2%89%A1p%20sync%20protocol for a sketch.

9 4 Cryptography being used and communication strategy

Following the principle of privacy with- ii. if anonymizing platform not out compromise p≡p is making sure available, fallback to p≡p the p≡p engine always chooses the static encryption based on cheapest available and most secure OpenPGP way of communicating possible, that 2. when a p≡p user is communicating is choosing the most feasible commu- with a non-p≡p user then depending nication route, which at the same time on the capabilities of the non-p≡p is the most expensive for attackers. user: The current communication strategy a. if anonymizing and forward se- looks like the following: crecy is possible, use that (i. e. OTR over GNUnet) 1. When two p≡p users are communi- cating: b. if anonymizing but no forward secrecy is possible, use that (i. a. if on-line communication avail- e. OpenPGP over Qabel) able: OTR (or Axolotl) through . if forward secrecy is possible, GNUnet use that (i. e. OTR)

b. if on-line communication not d. if hard cryptography but no for- available: ward secrecy is possible, use that (i. e. OpenPGP) i. if anonymizing platform e. if only weak cryptography is available, p≡p static encryp- possible, use that (i. e. S/MIME tion based on OpenPGP with commercial CAs) through anonymizing plat- form (e.g. Qabel12) f. send unencrypted

12Cf. URL https://qabel.de/ or any similar solution.

10 5 Architectural aspects: p≡p engine and adapters

p≡p consists13 of three components: engine; instead p≡p adapters are pro- viding an easy API in the language • p≡p engine and the development environment • p≡p adapters of the application .

• p≡p plug-ins, add-ons and apps Examples of adapters, which are al- ready available under the GNU GPL v3 For portability reasons14, the p≡p license by the p≡p foundation include: engine is written in C99 program- ming language. p≡p engine is im- • p≡p Qt Adapter for graphical environ- plementing formats, applying cryp- ments based on Qt (e. g. KDE desk- tography, managing keys and trust top systems)16 and driving message transports. • p≡p Java Native Interface (JNI) adapter (e. g. for Android plat- Part of the p≡p engine distribution is forms)17 a replacement for GnuPG, NetPGP- et15, a PGP implementation for plat- • p≡p iOS adapter for iOS-based sys- forms where GnuPG is not available. tems (iPhones and iPads)18 • p≡p COM server adapter for Mi- Any developer of add-ons, plug-ins, crosoft Windows, supporting a .NET apps or desktop applications does API (e. g. needed for Outlook)19 not need to deal with cryptographic functionalities accessible by the p≡p More p≡p adapters to follow.

13For the most detailed, complete and up-to-date (work-in-progress) resource in this regard, the publicly available trac site of the p≡p foundation should be consulted: cf. URL https://cacert.pep.foundation/ trac/. 14p≡p can also be made available for microcontrollers (on IoT components) with only minimalistic hard- ware. 15Cf. https://cacert.pep-project.org/trac/browser/netpgp-et/ 16Cf. URL https://cacert.pep.foundation/trac/browser/pepqtadapter 17Cf. URL https://cacert.pep.foundation/trac/browser/pepjniadapter 18Cf. URL https://cacert.pep.foundation/trac/browser/pepiosadapter 19Cf. URL https://cacert.pep.foundation/trac/browser/pepcomserveradapter

11