Taking a crack at a practical system (introducing the ESCROWNYM)
by Vinay Gupta • February 5, 2012 • Everything Else • 4 Comments
If you want the summary: build the courts first, and build them now, if you want to protect the Electronic Frontier, and, indeed, the People.
(You may well want to read the two previous blog posts which go along with this one to understand the whole mindset behind this piece, but that’s about 6K words total, so… On Undesigning the Cryptographic Utopia and On the Ethics and Pragmatics of Cryptography)
So here’s a problem to solve: peer caching of HTML5 video objects. I’ve got a few of these: the #TRUTHandBEAUTY video archive. Suppose that the Jamais Cascio talk on solving global warming with Geoengineering goes viral? I’m hosting 500mb of files, multiplied by 80,000 viewers, that’s 40,000 gigabytes, 40 terabytes. I’m not sure that when Dreamhost says “unlimited” they mean 40 terabytes unlimited. So I could move them to Archive.org, but that file is CC-BY-SA-NC. Vimeo and Youtube and Blip won’t do such a long file, and advertise all over everything in some cases, so… let’s just say hosting this stuff myself is the current paradigm, and hoping that people who Slashdot also mirror.
Now, why is this a crypto problem? We can’t reasonably expect every human to make a legal assessment of every file they want to help host. It’s simply unreasonable: the transactional overhead of examining every file for Copyright and (by god) even Patent infringement is too great for Youtube and all the other Common Carrier services, like your ISP, and it’s too great for you and me. But not having savage lawyers fighting on our behalf, we have to try something different.
Question: is an encrypted file that I cannot read copyright infringement if another person downloads it and decrypts it into a copyrighted file on their machine? What if I have absolutely no idea about the contents? How far do we have to push this argument (say I’m only holding 1/8th of the bits?) before we wind up with a “no infringing files here, Officer” cache? We can legally design this. Google might even help.
So now I’ve got my 500mb .ogg file. I have a utility which cuts it into some set of known-safe sections. In my case it’s a .ogg which is OK to redistribute, but even if it was copyright infringing, it’s all OK for now because we’ve cut it into non-infringing lumps and stored them too. We’ve probably doubled our file size in the process, but we’re going to live with that problem for now. So your web browser is the next obstacle.
You download the .ogg – no problem. But if I’m getting hammered, rather than serving you the .ogg, I want to be able to serve you a redirect. I don’t just want to serve you the redirect, though, I want to serve you a metadata file which your browser turns into a “go git ’em” strategy not unlike a politically sophisticated Bittorrent. Now this implies a browser plug-in or a proxy that sits on your machine and grabs URLs of the format http://cache.cache/
These are not evil pieces of software to write, particularly after Bittorrent, so let us continue down this path.
Let’s assume, for a moment, that caches are social and work like currency. I have 10 or 100 friends. They have web sites. They set up a subdomain, cache.yourname.com, and a robot sits there. If my site (and not somebody else’s site) pushes a file over there by HTTP with appropriate passwords, the cache robot takes a non-infringing set of files. On request it returns them by HTTP, as it would any other file, up to a preset limit between us which is likely based on your web host’s policy, your degree of good will towards me, and how much traffic you’ve seen so far.
If you’re particularly well-intentioned you have 10 or 100 friends, and if my file is really, really moving, you ping them and ask if they’d be willing to carry a slice of the file. And, after all, you have no idea what’s in it, and in fact whether it originated on my web site, or whether I was simply carrying a cache file for somebody else, and decided to spend a little of my capital with you by passing on this slice of popular content to you.
It’s a little like Bittorrent, with a couple of key differences.
1) You don’t know what you’re carrying because it’s hacked up into lumps (Freenet-ish)
2) The social network of people sharing cache responsibilities is hardcoded, it’s a social/trust network, rather than being the swarm of people currently downloading a file.
These are politically rather than technically important distinctions, and we’ll get to the reason for making them later.
So now we’ve got a METADATA format, and a simple protocol for moving LUMPs of files across the network to be served by cache robots. Robots presumably have half a dozen or so operations, roughly:
* catch a file
* ask a neighbouring node to cache a file
* serve a file (actually this is probably just HTTP via Apache or whatever)
* expire a file that we don’t want to serve any more
* manage bandwidth (“no more files this month”)
* communicate status to various humans and robots
Now, let’s discuss liability again.
Let’s say we’ve moved beyond mere copyright infringement, and we’re dealing with CP. So now we’re in a domain where even holding a chunk of something, and simply saying “got no idea, gov” is not enough – it’s morally repugnant to be aiding and abetting in the distribution of CP, and even if we’ve got a technically legal system, these people can fuck right off. We want to put heads on poles here, and we’ll help the police to get the job done. So our fully-anon system where blocks are being pushed around an (encrypted) network all on their own suddenly isn’t good enough. It might be technically fine, within the limits of its lack of sophistication, but it’s politically inadequate. There’s a very basic atomic operation missing: get that motherfucker!
So let’s take a look at this again. I need to know who is distributing these files. But I must not know what’s in them, because I’m a Common Carrier and only carrying a chunk to protect myself from some kinds of liability.
This is a job for crypto. Specifically, this is a job for Secret Sharing and Digital Signatures. And possibly zero knowledge proofs. Now this is a proper-hard protocol design question, but let’s think through the political level first, then get technical.
* I’m hosting a non-infringing lump of something
* There’s a METADATA file which names all the lumps required to assemble FINAL file.
* The METADATA file includes a decryption key for this final file.
Now, what I need to know is that this METADATA file exists (or the lumps I’m holding are useless) and that it’s VALID (in some political sense). But I don’t want to see it, and I don’t want my ROBOT to see it, to avoid liability. In fact, I might even have a defensive-driving script which autorefuses to store both the METADATA file and a LUMP file.
So how’s about we don’t touch anything which doesn’t have a METADATA file with some kind of credentials. Ah, but we don’t want to see the METADATA, so what we need is a SIGNATURE or something like it for each lump.
“No, officer, I don’t know what this is – in fact I can’t know what this is, but I accepted it based on this credential, and since you’ve proven to me (by the digital signatures) that it’s actually CP, and you have a warrant, have… SOME INCRIMINATING DATA ON THE AUTHOR.”
Ok. Promising. So I have a list of known-good digital signatures, and I accept a LUMP which is signed as known-good by them, and if something goes wrong, I point at… hm… no. No good, because we’ve broken ANONYMITY as a goal state. Try again.
Now, ANONYMITY is a problem. I want to get these CP peddling mofos as much as you do. What I really want is PSEUDONYMITY and REASONABLE COURTS. I want stuff like SOURCE PROTECTION for journalists. I want to know, for sure, that if this person is evil me and my friends can reveal their identity in a legally binding form, but I don’t want to be pressured into doing that.
This is Zero Knowledge Proof territory, perhaps. So let’s examine a protocol.
=== PROTOCOL BEGINS ===
1) We meet, and I agree I’ll take a share of your Secret Identity.
2) I don’t want sole responsibility for this, no sir, so we’re doing this Jury Style – a committee of 12 of your peers, or 15 because this is the internet and people are flakes.
3) We’ve got two technical assets – Secret Sharing (e.g. gfshare or ssss in Ubuntu) and zero knowledge proofs.
4) Brute force: You take your passport, and you show it to the 12 of us. You then take your laptop and prepare the following.
4.1) a PNG of your passport, and a digitally signed legal document asking us to act as a JURY and turn it over to relevant authorities under a set of conditions (this is akin to a legal escrow agreement, or a will)
4.2) This file split into 15 pieces, of which 12 enable recovery, or some similar scheme.
4.3) You prepare 100,000 sets of 15 files.
5) We agree on 99,999 sets of these files, and check (by recombining parts) that they, indeed, sum to your Identity. Ideally we’d like to do this in a clever way which prevents us seeing YOUR IDENTITY but still proves it was in there, but that’s a Hard Problem, so we’re going to accept that we’ve seen your identity.
6) If 99,999 files were legit, there is an extremely high probability that file 100,000 is legit. Again, consult the Zero Knowledge Proof literature for ways of doing this in a few dozen turns, not 100k turns, but we’re thinking this through in brute force terms.
7) I now have a share of your identity, which I have excellent reason to believe is you, but I can’t prove that it is you without 11/15 others helping me. We’ve locked your identity where we can’t get it (assuming that we really did delete those other shares…)
8) Everybody involved now signs each of these shares, blind signatures (i.e. of the hash, not the file) and signs your key with those blind signatures.
9) We have now legally and technically escrowed your identity – this committee of 15 people knows who this individual is, for sure, but only 12/15 of us in agreement can legally prove it
10) I can now take this document to escrow brokers of other kinds and use it to generate, for example, PSEUDONYMS (subsidiary keys) with any given level of security or reliability.
11) Let’s call an identity like this an ESCROWNYM. An ESCROWNYM creates PSEUDONYMS, because the intermediary generating the PSEUDONYM keeps a copy of the ESCROWNYM document, possibly split in shares etc. as illustrated, and all legally binding like.
=== PROTOCOL ENDS ===
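Here is the mechanical core of steps 3 to 9 worked through in code. This is an added example, not code from the original post: Shamir’s secret sharing over a prime field (the same construction the ssss tool mentioned in step 3 uses), with the post’s 12-of-15 jury, the brute-force “prepare N sets, open all but one” check of steps 5 and 6, and the per-share hash each juror would sign in step 8. What is escrowed here is a 32-byte key, on the assumption that the passport PNG and signed escrow agreement are encrypted under it; the function names, the set count of 8 (the post says 100,000) and the hash-as-commitment are all my choices, not the post’s.

```python
import hashlib
import os
import random

# Added example, not code from the original post. Shamir secret sharing over
# GF(P) with a 12-of-15 jury, plus the "open every set but one" check.
# Assumption: the escrowed secret is a 32-byte key (must be < P) under which the
# passport PNG and signed agreement are encrypted. Names are hypothetical.

P = 2**521 - 1            # Mersenne prime; every share value lives in GF(P)
THRESHOLD, SHARES = 12, 15
sysrand = random.SystemRandom()


def split(secret: int, k: int = THRESHOLD, n: int = SHARES):
    """Random degree-(k-1) polynomial with f(0) = secret; share i is (i, f(i))."""
    coeffs = [secret] + [sysrand.randrange(P) for _ in range(k - 1)]

    def f(x: int) -> int:
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(i, f(i)) for i in range(1, n + 1)]


def recover(shares) -> int:
    """Lagrange interpolation at x = 0. Fewer than THRESHOLD shares reveal nothing,
    so refuse outright rather than return garbage."""
    if len(shares) < THRESHOLD:
        raise ValueError("not enough jurors: need %d, have %d" % (THRESHOLD, len(shares)))
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P   # den^-1 via Fermat
    return secret


def prepare_sets(secret: int, count: int):
    """Step 4.3: the subject prepares `count` independent 15-share splittings."""
    return [split(secret) for _ in range(count)]


def jury_check(sets, identity_seen: int, keep_index: int):
    """Steps 5/6: open every set except keep_index and confirm each rebuilds the
    identity the jury saw in person. Returns, for the surviving set, the share
    hash each juror would sign (step 8), keyed by juror number."""
    for idx, shares in enumerate(sets):
        if idx == keep_index:
            continue
        if recover(sysrand.sample(shares, THRESHOLD)) != identity_seen:
            raise ValueError("set %d does not contain the shown identity" % idx)
    kept = sets[keep_index]
    return {x: hashlib.sha256(bytes([x]) + y.to_bytes(66, "big")).hexdigest()
            for x, y in kept}


def demo() -> bool:
    identity_key = int.from_bytes(os.urandom(32), "big")   # constructed secret
    sets = prepare_sets(identity_key, 8)                   # post: 100,000 sets
    keep = sysrand.randrange(len(sets))
    commitments = jury_check(sets, identity_key, keep)
    kept = sets[keep]
    twelve_agree = recover(kept[:12]) == identity_key
    try:
        recover(kept[:11])
        eleven_fail = False
    except ValueError:
        eleven_fail = True
    return twelve_agree and eleven_fail and len(commitments) == SHARES
```

The jury opens the other sets by sampling any 12 shares; because each set is a fresh random polynomial, a set that reconstructs correctly when opened says nothing about the unopened one except by the cut-and-choose argument the post makes in step 6, which is why the number of sets matters.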
Congratulations. You’ve just re-invented Jury Trial, more or less.
Now let’s go back to our file hosting problem.
I REQUIRE any content that I am hosting to be backed by an ESCROWNYM which is backed by a Nation State passport. But because Nation States are being pathological bitches right now, most smart people prepare one of these ESCROWNYM documents backed by SIGNERS in 14 jurisdictions, including hard-to-navigate spaces like Iceland, Russia, Sweden, Palestine, South Africa and so on. And, of course, people signing these ESCROWNYM documents are actually often using ESCROWNYMs to sign them – we have an absolutely solid chain of legal responsibility here, to named individuals identified by their Nation State identity documents, but the overheads of FORCING these individuals to reveal the identity of a person behind such an ESCROWNYM are genuinely formidable.
But if I get a PSEUDONYM-signed file, tracked to a Known-Good ESCROWNYM (i.e. the pseudonym generated by a service I trust, such as a reputable City of London legal firm), I’m comfortable hosting it. Because IF it turns out that I’m hosting a share of a CP file, or nuclear bomb making instructions or something, I’m absolutely sure that either the Person Who Made This Data, or the Persons Protecting Them, can be made fully and legally transparent.
Now let’s stop and think about that for a moment, maybe take a breather.
=== breath ===
=== breath ===
=== breath ===
So I’m hosting a file on my machine. I’ve digitally signed it with a PSEUDONYM backed by an ESCROWNYM and now I’m getting slammed because the file is Very Popular. My network of buddies take the LUMPs of the file that I have prepared (and signed) and carry them, and people coming to my site get served a tiny METADATA file which tells them what the LUMPIDs are to reconstitute the file, and the decryption key. In the event that the file allows, for example, comments or modifications at a later date, the DECRYPTION KEY is actually a PUBLIC KEY, which can be used to decrypt the METADATA for future versions of the file.
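The lump-and-METADATA scheme described here, and the cache robot operations listed earlier (catch, serve, expire, manage bandwidth), worked through as an added example that is not part of the original post. Assumptions of mine: a LUMP is a fixed-size slice of the encrypted file, a LUMPID is the SHA-256 of that slice, METADATA is JSON carrying the LUMPIDs in order plus the decryption key, and the robot only ever handles lumps, never METADATA. The keystream cipher is a stand-in so the block runs on a stock Python install; a deployment would use AES-GCM or similar. The pseudonym signature over the METADATA is left out here.

```python
import hashlib
import json
import os

# Added example, not code from the original post. LUMP = slice of the encrypted
# file, LUMPID = SHA-256 of the slice, METADATA = JSON of LUMPIDs + key.
# The SHA-256 counter keystream is a stand-in for a real cipher (use AES-GCM).

LUMP_SIZE = 64 * 1024     # bytes per lump; constructed value for the example


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with SHA-256(key || counter) blocks. Symmetric: same call decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)


def lump_id(lump: bytes) -> str:
    return hashlib.sha256(lump).hexdigest()


def cut_into_lumps(plaintext: bytes, key: bytes = None):
    """Encrypt the file and slice it; return (METADATA, {LUMPID: lump})."""
    key = key or os.urandom(32)
    ciphertext = keystream_xor(key, plaintext)
    lumps, order = {}, []
    for off in range(0, len(ciphertext), LUMP_SIZE):
        lump = ciphertext[off:off + LUMP_SIZE]
        lid = lump_id(lump)
        lumps[lid] = lump
        order.append(lid)
    metadata = {
        "lumps": order,                                    # LUMPIDs, in order
        "key": key.hex(),                                  # decryption key
        "sha256": hashlib.sha256(plaintext).hexdigest(),   # check on the rebuilt file
    }
    return metadata, lumps


class CacheRobot:
    """The robot at cache.yourname.com: catch / serve / expire / bandwidth cap."""

    def __init__(self, monthly_quota: int):
        self.store, self.quota, self.served = {}, monthly_quota, 0

    def catch(self, lump: bytes) -> str:
        lid = lump_id(lump)          # the robot sees a lump, never the METADATA
        self.store[lid] = lump
        return lid

    def serve(self, lid: str):
        lump = self.store.get(lid)
        if lump is None or self.served + len(lump) > self.quota:
            return None              # unknown lump, or "no more files this month"
        self.served += len(lump)
        return lump

    def expire(self, lid: str) -> bool:
        return self.store.pop(lid, None) is not None


def reconstitute(metadata: dict, robots: list) -> bytes:
    """Client side: fetch each LUMPID from the first robot that has it, verify
    the hash, then decrypt the whole and check it against the METADATA hash."""
    ciphertext = bytearray()
    for lid in metadata["lumps"]:
        for robot in robots:
            lump = robot.serve(lid)
            if lump is not None and lump_id(lump) == lid:
                ciphertext.extend(lump)
                break
        else:
            raise RuntimeError("lump %s unavailable from every robot" % lid[:12])
    plaintext = keystream_xor(bytes.fromhex(metadata["key"]), bytes(ciphertext))
    if hashlib.sha256(plaintext).hexdigest() != metadata["sha256"]:
        raise RuntimeError("reassembled file does not match METADATA hash")
    return plaintext


def demo() -> bool:
    video = os.urandom(3 * LUMP_SIZE + 1000)    # constructed stand-in for the .ogg
    meta, lumps = cut_into_lumps(video)
    a, b = CacheRobot(10 * LUMP_SIZE), CacheRobot(10 * LUMP_SIZE)
    for i, lid in enumerate(meta["lumps"]):     # neither friend holds the whole file
        (a if i % 2 == 0 else b).catch(lumps[lid])
    print(json.dumps(meta)[:80] + "...")        # what the viewer's browser receives
    return reconstitute(meta, [a, b]) == video
```

Because each LUMPID is the hash of the ciphertext slice, a robot can verify it is serving exactly what it caught without ever learning what the slice decrypts to, and a client can reject a tampered lump before it spends the key on it.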
Hm.
This isn’t really very technically sophisticated, is it?
You know, if we were just a bit more technically sophisticated, I bet we could generate PSEUDONYMS from an ESCROWNYM automatically. That’s something along the line of blind signatures, or some of that tricky Chaumian stuff which is typically used on digital cash. You sign my ESCROWNYM and, at the same time, 1000 PSEUDONYMS which you never ever see, not even for a moment. Yes, there’s tech for this, no, I don’t understand it well enough to know exactly what the edge on that envelope is – I’m a cryptographic applications designer, not a cryptographer or cryptologist, and there’s a big, big difference. Trust me on this: past a certain point, cryptosystems and algorithms are black boxes to me. But I can think about code and politics at the same time, and that is useful. Bear with my technical limits.
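The “sign 1000 PSEUDONYMS you never see” step is exactly what a Chaum RSA blind signature gives you, so here it is as an added example (not code from the original post). The issuer holding the ESCROWNYM signs a blinded value; the subject unblinds it into a signature on a pseudonym key that verifies under the issuer’s public key, yet the issuer’s log of what it signed never contains that pseudonym. The class and function names are mine, and the key is a toy (two primes just above 2^20) so it runs instantly; a real issuer needs 2048-bit or larger RSA and a proper hash-encoding scheme.

```python
import hashlib
import math
import secrets

# Added example, not from the original post. Chaum RSA blind signatures: the
# issuer signs m * r^e and the subject divides out r, leaving m^d. Toy primes
# for speed; not a secure key size. Names (Issuer, blind, unblind) hypothetical.


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def next_prime(n: int) -> int:
    while not is_prime(n):
        n += 1
    return n


class Issuer:
    """Holds the ESCROWNYM-level RSA private key; logs only what it was shown."""

    def __init__(self, p: int = None, q: int = None):
        self.p = p or next_prime(2**20)
        self.q = q or next_prime(2**20 + 5000)
        self.n, self.e = self.p * self.q, 65537
        phi = (self.p - 1) * (self.q - 1)
        assert math.gcd(self.e, phi) == 1
        self.d = pow(self.e, -1, phi)
        self.seen = []                       # every value the issuer ever signed

    def sign_blinded(self, blinded: int) -> int:
        self.seen.append(blinded)
        return pow(blinded, self.d, self.n)


def digest(msg: bytes, n: int) -> int:
    """Hash the pseudonym public key into the RSA group (toy reduction mod n)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def blind(n: int, e: int, m: int):
    """Pick a random r coprime to n; return (r, m * r^e mod n)."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r, (m * pow(r, e, n)) % n


def unblind(n: int, r: int, blind_sig: int) -> int:
    """(m r^e)^d = m^d r, so multiplying by r^-1 leaves the plain signature m^d."""
    return (blind_sig * pow(r, -1, n)) % n


def verify(n: int, e: int, m: int, sig: int) -> bool:
    return pow(sig, e, n) == m


def issue_pseudonym(issuer: Issuer, pseudonym_pubkey: bytes):
    """Subject side: blind, have it signed, unblind. Returns (m, signature)."""
    m = digest(pseudonym_pubkey, issuer.n)
    r, blinded = blind(issuer.n, issuer.e, m)
    return m, unblind(issuer.n, r, issuer.sign_blinded(blinded))
```

The point for the ESCROWNYM design is the `seen` list: after a thousand issuances it holds a thousand blinded values, none of which equals or links to a pseudonym, so the issuer can vouch that every pseudonym it signed traces to some escrowed identity without being able to say which one.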
Now, what I’m proposing here is obviously a socially-networked anonymous publishing system with full legal and community accountability. PSEUDONYMS backtrack to ESCROWNYMs backtrack to IDENTITIES through a series of nested processes. You can see a version of this thinking, assuming (ahem) trustworthy Nation State and International Organization actors in CheapID (which, let us remember, was produced for the Office of the Secretary of Defense with the US National Security Agency doing the technical oversight.)
But my faith in the Nation State’s trustworthiness has been shaken so much by #NDAA and the legalization of indefinite detention without trial in America that I’ve been forced to go back to the drawing board.
Don’t blame me: I’m trying to preserve the existing rights and freedoms of our societies, things we all voted on, things we all agreed, things that have been historically Known Good for hundreds and hundreds of years in many cultures. This is not vagabondish Cryptoanarchy and end-running around taxes, this is the right to a trial by jury in a digital domain in a situation where, alas, jury trials are being denied to people by their governments.
Now, do you understand my lines, and what it means when The State crosses them? I am FUCKING SERIOUS about the Free Society, and I’ll do what it takes to defend it.
Let those with ears hear me: civil rights, and the democracy that arises from them, stay, at the point of a sword if needs be. I am not easily provoked, but I know the history of the Holocaust, of Stalinism, of Maoism, of Pol Pot, and yes, of Vietnam and El Salvador and all the rest well enough to know one thing.
None of us are safe from a government which has breached Habeas Corpus and claimed a Global Jurisdiction. I did a pretty good analysis of this kind of Transnational Sovereignty stuff a few years ago (for the DoD), I know the terrain, and I believe I understand the Bush-Cheney-Rumsfeld-Rove-Feith type thinking behind it pretty well.
I’ve drawn a line in the sand here. I know how dangerous cryptography is: when they said “munitions” they meant it. I’ve stayed scrupulously clean, out of the field, for years, while friends of mine went off and did things like Wikileaks and Openleaks.
I don’t even use encryption in my personal life – I don’t use PGP, I don’t use GPG, I don’t use OTR, I try to avoid using Skype because I do not want any TLA (three letter agency) worrying about what’s on my mind. I keep all my shit in Gmail, for god’s sake.
But, seriously, this shit will not stand.
If I have to actually build prototypes, hell if I have to build a team with diverse skills and actually build a working system for a properly secure, legally and politically sophisticated global protected publishing system, I will. I’m hoping to inspire people younger, sharper and more technically capable than me to ask the right questions of the cryptographic applications they may be writing right now.
But if it comes to it, I think I’m smart enough to evade making most of the mistakes made by other attempts to solve this problem, and I’d point to the dents I’ve put in certain other intractable problems as evidence to that effect.
I don’t want to go down that path, I have many other things which call for my time, but I’m here for civil rights, and if I have to fight for them, I’m not going to make the mistake of bringing a knife to a gun fight.
If we have to take back the internet one byte at a time, line by line, network by network, wire by wire encrypting everything as we go, building new jurisdictions in which the antient Rule of Law is observed, so be it. We have agreed on these laws, they are in the Constitution of the United States of America, and no mere Law or President may abrogate them. They are in the laws of Great Britain. They are present in the Constitutions, Laws and Practices of nearly all countries.
We need to start building Jurisdictions which respect free speech, including political free speech, but do not violate other Common Law. We need to obey basic rules in these Jurisdictions to protect them from shutdown by the State on the basis of copyright infringement or similar crimes, including distribution of terrorist materials, CP and similar.
The internet is not going to police itself. If we do not do it, the State will, and right now, the State is in really serious danger of going right off the cliff into Fascism, at least in America.
There are rules. Governments must obey them, even the Americans. Liberty will not be lost.
Not on my watch.