[Freedombox-discuss] Freedombox threat model

Thu Jun 30 11:59:12 UTC 2011

Hi,

On Tue, Jun 28, 2011 at 12:23:28PM -0400, ian at churchkey.org wrote:
> On 06/28/2011 08:55 AM, bertagaz at ptitcanardnoir.org wrote:
> > First, there is no real "central" logging, no unique big
> > brother that the freedombox might want to defeat, but a lot of different
> > (from size to content) logging databases out there, maintained by a lot of
> > different actors.
> 
> . . .
> 
> > Often, interesting databases are the one maintained by ISPs. Even if a
> > hosting doesn't log anything and try to avoid the "central logging of
> > activities" this way, ISPs are at the right place to reveal a lot of
> > things about "activities of the masses" (i.e revealing who browsed a
> > website when posts were made).
> > 
> > I guess the easy answer to this other "central logging of activities"
> > threat is to use Tor when needed/possible. But then, wouldn't that be to
> > close to the "more complex problem of activists needing secrecy,
> > anonymity..."?
> 
> I think this is a great point and one we should pay a good deal of
> attention to in our threat model. I don't actually think Tor is an easy
> answer. If we build a system that routes everyone's web traffic through
> Tor as a general practice, we will never gain adoption beyond the
> members of this list and the existing Tor user base.
> 
> Most people will plug the box in, discover that their online banking
> doesn't work any more, that every website treats them like they are in
> Germany, destroying their ability to conveniently read things on many
> sites, to stream video from anywhere, etc, and that the general speed of
> their internet browsing has dropped substantially. Most people will see
> these results of plugging in a FreedomBox and quickly unplug it.

My point wasn't to say that all the traffic from a freedombox should be
torified, this is actually quite a bad practice and tends to reduce your
anonymity set (doing online bank checking through Tor for example isn't
really recommended).

It was just a matter to explain that "central logging" doesn't appear to
be a relevant term to define the FreedomBox threat model nor would be so
easy to solve that it could define the implementation roadmap.

Still, there might exist easy ways to help people using Tor for the kind
of traffic/identity they want to keep private, without making the rest of
their online activities too slow. Like having them easily split their
activities in distinct identities. Checking their bank account could be
done via their public profile (highly related to their public identity, so
should not mix with other traffic, using SSL but not Tor), while other
more private communication use other identities bound to Tor usage.

> There is a scale, it goes from the worse case scenario where everyone
> you interact with online knows everything else you do online, to the
> best case scenario, where no one you interact with knows enough about
> you to be sure that you are the same person from interaction to
> interaction.
> 
> Currently most people are almost all the way towards the worse case
> scenario. We are not going to get them all the way towards the other end
> at once, but we can move them along incrementally and the first step
> towards that is to identify the places where the most information about
> us is being collected and start pushing back. For that reason, my
> current threat model is the over-concentration of personal information
> in a handful of places. At the moment, the biggest information
> centralizers I know about are: ISPs, search engines, and advertisers.
> 
> (Governments are also large information collectors but, in the US at
> least, they function through the hands of the private industries. So
> when the NSA wants to follow all the calls in the US, it gets that
> information from the phone carriers rather than actually going out and
> bugging every phone, or even installing tracking devices on every phone
> tower.)

Well, when it comes to NSA, it's quite hard to say what they can do and
how for real. The phone system isn't the same than the internet one, and
Govs already have a lot of ears roaming around there. Guess the "Cyberwar"
circus won't help in getting them deaf.

> We can push back against ISPs, search engines, and advertisers without
> having to route everything through Tor. We can use local proxies that
> automate best practices for direct surfing, things like the
> HTTPS-everywhere, TrackMeNot, and CustomizeGoogle firefox plugins.
> 
> Right there we could cut down on direct click tracking and unencrypted
> http connections while also adding some basic data set poising for the
> rest of the monitoring. Throw in ad blocking and we move a step past
> that. Add an email and chat system and we pull even more data out of the
> center. Encrypt that data, even just with secure SMTP and OTR by
> default, and we cut the ISPs out as well. Do that with enough services
> and people might stop logging in to google every day.

I'm not sure HTTPS is the only layer that the freedombox should use to
protect its owners' privacy; it doesn't seem to be that reliable in the
current state. Go, Monkeysphere, go! ;)

> Alternately, if people are going to be logging in to Google/Yahoo, etc
> every day, we could offer to block that cookie to sites other than
> google, or to re-route search engine searches to another provider or
> many providers, so that one company doesn't have a complete picture of
> your activity online.
> 
> Importantly, all of these things will work without damaging people's
> experience of browsing the web. Some, like ad blocking, will make pages
> load faster and look cleaner. Some, like HTTPS-everywhere, are simple
> enough that any delay should be unnoticeable. The rest, like
> TrackMeNot-like dataset poisoning, we should set up only to use excess
> bandwidth during otherwise down connection time.
> 
> If we get too caught up in trying to build a box that makes people
> completely invisible at the cost of making the internet unusable, I fear
> our tools will never make it far enough in society to actually do much good.

Tor isn't really making internet unusable, it actually made a lot of
progress in term of speed.

There are ways to implement privacy solutions in the freedombox at the
beginning, if done in a smart way. A lot of technologies are already out
there, and it doesn't seems to be *that* hard to put them in the
freedombox. And again, no one talked about torifying every bit of the
freedombox traffic.

On the other side, I think there is a responsability from this project not
to give the people using it a false sense of security. With the goals the
project has advertised publicly, people will tend to assume that their
privacy is protected just because they use this box, which might not be that
true depending on what will be available.

And a big part of the implementation won't be so much related to technical
solution, rather than pushing good practices to freedombox owners and help
to use them easily.

bert.