Home » Blog » Uncategorized » Anonymity and Usability: Beyond Oil and Water

Anonymity and Usability: Beyond Oil and Water

originally posted at blog.ethanzuckerman.com, April 14th

EFF published a report a few days ago, titled “How to Blog Safely”. It’s a good little piece, but it spends little time on the technical issues surrounding blogging anonymously or psuedonymously. One intriguing passage that caught my eye:

Invisiblog.com is a service that offers anonymous blog hosting for free. You may create a blog there with no real names attached. Even the people who run the service will not have access to your name.

Hmm. Now that I’ve gotta try. As we work with an increasing number of international bloggers whose blogs have the possibility of getting their authors into serious trouble, anonymous blogging seems like a really useful technology.

I give the invisiblog folks – who turn out to be a group of Aussie cypherpunks (”an anonymous conspiracy of cypherpunks and crypto-anarchists”) – credit. They’re amazingly, astoundingly, impressively paranoid. Rather than promising to throw away access logs, or log directly into /dev/null while encouraging users to use anonymous proxies, they’ve concluded the the web, as a whole, is too dangerous to use for input to blogs. You can only create an invisiblog or post to a blog via the MixMaster remailer system. And, so that you have a reliable, persistent psuedonym, Invisiblog requires that your first blog entry be your public PGP key, and that every subsequent post be signed with your private key, so it can be checked against your public key. (This is pretty clever. If they didn’t do this, there’s the danger that someone would determine the address you were sending posts to, and pretend to be anonymous-you by sending messages to the same address, posting them on your invisiblog.)

It’s been a while since I’ve looked at remailer technology – clearly, we’ve moved a long way from anon.penet.fi and the era of single-machine remailers. Those remailers made cypherpunks nervous, because a single compromised remailer could copy and redistribute all the emails it had been sent.

MixMaster – type II – remailers are chained together, sending a mail through two to twenty nodes before anonymously delivering it. I suspect, but am not sure, that MixMaster uses an “onion” encryption model to protect the message enroute. If the message is going to pass through mailers A,B,C and D, it’s first encrypted with the public key for mailer “D”. Then a header, to forward it onto mailer D is added, and encrypted for mailer C. Another header, another encryption for B and then again for A. Should anyone intercept the message at any point other than the last mailer, all they would know is where it was going next, not the message contents or the final destination. (And who knows – there’s probably some cleverness which makes it less important if the final mailer in the chain is compromised.)

Unsurprisingly, you can’t generate MixMaster messages from Thunderbird, or whatever other mail client you’re running. You need to run the MixMaster client/server and pipe your outgoing mail into the standalone program. And the program’s not available as a compiled binary in any of the currently supported versions – there’s a binary of the 2.0 software, compiled in 2002, which runs in DOS on a Windows PC, but doesn’t – for me, at least – appear to actually send any mail. To get MixMaster running on my Mac, I did some serious yak shaving. I converted from PGP to GPG, enabled sendmail on my Mac, installed the zlib, ncurses, openSSL and prce libraries and then built the program from source. (At this point, I began to realize that I was going to need to write really, really good instructions if I was going to encourage people to use this system.)

Once I got the program running, I had another problem. To function, MixMaster needs up-to-date lists of mailers, mailer keys and reliability statistics – the tarballs for MixMaster include out of date lists. So I wrote a quick shell script and attached it to a cron job so MixMaster would have up-to-date support files. (It was sometime around the moment I began writing this shell script that I realized that invisiblog, in its current configuration, really wasn’t going to work for my antigovernment activist friends in Turkmenistan.) Downloading the current files, I was ready to test the application for the first time, sending myself some anonymous mail.

And that’s where the next problem reared its head. Most FAQs on MixMaster warn you that it can take anywhere from 2 to 48 hours for an anonymous message to reach its destination. Oh, and that I could expect a MixMaster network to fail on at least 2% of messages sent, and that many users chose to send multiple copies of a message, assuming one or more would fail. As you can imagine, this makes it hard to tell whether a system is working or not. Over the last two days, I’ve sent out about half a dozen messages – each containing a timestamp and the exact flags I used to send the message – to myself. I finally hit on the right combination of flags and configuration files and got an anonymous message from myself around 5pm today.

So now I’m ready to test Invisiblog, about two days after beginning the project. (Yes, in fairness, I’ve gone from Berkshire to Boston and back and then to Atlanta in that time period, as well…) But I no longer have any confidence that it could be at all useful for the folks I’d like to introduce it to – human rights activists in repressive nations – because I absolutely can’t imagine supporting the program remotely. “Oh yeah, Ahmed, MixMaster sometimes takes two days to deliver a mail. Why don’t you just wait patiently for your post on government-sponsored torture to appear online. And if it doesn’t, you can try to post it again in a couple of days. Stay safe!”

All of which brings me to the actual subject of my rant: the unusability of cryptography. At “Fellows Hour” at Berkman – the weekly get-together of the geeky lawyers and lawyerly geeks I hang out with – I asked the ten people in the room how many people had installed and used PGP, GPG or another email encryption tool. Three hands went up, including mine. When I asked who’d used the system in the last three months, mine was the only hand that remained up. (Just so you know that I’m not the sort of paranoid geek who encrypts his email by default, the only messages I’ve sent via PGP are ones including credit card numbers or Unix passwords.

Why aren’t my extremely smart, extremely geeky friends using strong crypto? “It’s too hard.” Which obviously can’t be the answer. Passing the Massachusetts state bar exam is hard. Installing PGP and generating a key is awkward, but not actually hard. What my friends mean is “I don’t perceive a benefit to using email encruption, and therefore it’s not worth the bother.”

The truth is they (and I) use crypto all the time. Rarely does a day go by when I don’t access a site using SSL. But I seldom think about the fact that I’m using cruptography because my browser already had a certificate installed and most of the crypto work is handled by the server administrator, not by me. And yes, I understand that SSL encryption is considered weak by the cypherpunks and that central key registries are inherently insecure. But folks actually USE SSL, dammit, and very, very few people use PGP. With this in mind, I’ve been looking forward to seeing how Ciphire, which promises to make much of the awkwardness of strong crypto transparent, gets adopted.

The biggest development for secure communications in the developing world is not Ciphire, Invisiblog or even well-thought out systems like Benetech’s Martus, which encrypts and backs up human rights information – it’s Skype. Skype uses AES – a very strong cipher, approved by the NSA for top secret information – to encrypt all traffic. This makes “tapping” a Skype call impossible, unless AES is vulnerable to an attack that is, at this point, completely secret. (As you’ve probably guessed, I’m insufficiently paranoid to believe that NSA can crack AES and listen to my Skype calls.) I expect US law enforcement, the media, Congress or all three to catch onto this any moment now – the headlines write themselves: “Estonian Hackers Give Al Qaeda a Perfectly Secure Telephone”.

But here’s the thing – the vast majority of new Skype users aren’t attracted by the strong crypto – they come for the free phonecalls, and most don’t know that they’re getting strong privacy in the bargain. And when email encryption catches on, that’s how it’s going to take the market – it’s going to be built into some supremely cool new email client, which will gain market share from its other features and allow the encryption to sneak in.

Ditto anonymous blogging – it will not catch on until a major bloghost happens, perhaps without announcing it, that they will take strong measures to maintain user privacy. invisiblog doesn’t appear to be catching on very quickly. There aren’t a lot of people starting invisiblogs, and those who are aren’t getting a ton of readership. (Wonderfully, invisiblogs publishes all their traffic statistics on the front page of the site. Why? It’s a security procedure. If there were a stats page specific to my website, I’d be likely to visit it more often than any random visitor. By analyzing access logs and looking to see who looked most often at a stats page, you could make an educated guess at the IP address of a weblog author. See, I told you these guys were paranoid. And smart. But mostly really paranoid.) Maybe it’s the fact that your blog is issued a catchy URL – the last 16 bytes of the fingerprint of your public PGP key. (”Hey man, check out my blog. It’s called ‘45a3ec12ef87aab0′!) Or that there’s one possible design – black type on white. (At least your links are blue.)

And perhaps it’s a good thing that these blogs aren’t getting a lot of readership. One of the most popular and frequently updated is a very scary document called “Diary of a Paedophile”, which is either the inner monologue of a very scary man, or a harrowing work of fiction. I’m seeing a few dozen blogs per week created on the site, most of which are a single test post. You’d think, with perfect anonymity, more people would have secrets to share. Maybe all the interesting people are still trying to get MixMaster to compile.

The problem with cryptography software is that it’s written by people who really, really, really care about cryptography. As a result, you get fantastically well thought-out software that’s filled with flaming usability hoops for users to jump through. Just a few minutes with GPG makes you realise that this was a piece of software written without input from the marketing department. (”Please select what kind of key you want: DSA and Elgamal, just DSA or just RSA?”) The battle between geeks and marketing – where marketroids ask geeks to do the impossible to make theoretical users happy – would greatly improve the usability of crypto tools. And yes, it would probably be less secure. And maybe that’s okay, because lots of users with pretty good privacy may beat a handful of elite users with bulletproof anonymity.