
drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git
commit: 73864e00a7acc9ea1d3f14a6bb83f3d19380c362
parent a237abaee927d8a92186378972da00058732b22a
Author: Drew DeVault <sir@cmpwn.com>
Date:   Fri, 22 Oct 2021 15:54:17 +0200

How SmarterEveryDay's 4privacy can, and cannot, meet its goals

Diffstat:

Acontent/blog/Smarter-every-day-and-4privacy.md193+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 193 insertions(+), 0 deletions(-)

diff --git a/content/blog/Smarter-every-day-and-4privacy.md b/content/blog/Smarter-every-day-and-4privacy.md 
@@ -0,0 +1,193 @@ +--- +title: How SmarterEveryDay's 4privacy can, and cannot, meet its goals +date: 2021-10-22 +--- + +I don't particularly find myself to be a fan of the SmarterEveryDay YouTube +channel, simply for being outside of Destin's target audience most of the time. +I understand that Destin, the channel's host, is a friendly person and a great +asset to his peers, and that he generally strives to do good. When I saw that he +was involved in a Kickstarter to develop a privacy product, it piqued my +interest. As a privacy advocate and jaded software engineer, I set out to find +out what it's all about. + +*You can watch the YouTube video [here][0], and a short follow-up [here][1].* + +[0]: https://www.youtube.com/watch?v=KMtrY6lbjcY +[1]: https://www.youtube.com/watch?v=Hy6STq337qo + +There are several things to praise here. I honestly thought that Destin's +coverage of the topic of privacy for the layman was really well presented, and +took some notes to use the next time I'm explaining privacy issues to my +friends. The coverage of the history of wiretapping and the pivotal role played +by 9/11, complete with an empathetic view of the mindset of American adults +contemporary to it that many find hard to express, along with great drone shots +of Big Tech's mysterious datacenters, this is all great stuff. For the right +project, Destin is like a valuable asset with a large audience and a lot of +experience in making complex issues digestible for the every-person, and +4privacy is lucky to have access to him. + +A lot of the buzzwords and things found on their [technology page][2] are +promising as well. The focus on end-to-end encryption and zero-knowledge +principles, *and* the commitment to open source, are absolutely necessary and +are great to see here. A lot of the tech described, although briefly, seems like +it's on the right track. The ability to use your own service provider, and the +focus on decentralization and federation, is very good. 
+ +[2]: https://4privacy.com/our-technology/ + +I do have some concerns, however. Let's break them down into these categories: + +1. Incentives and economics +2. Responsibilities and cultivating trust +3. Ambitions and feasibility + +Given the value ($$$) associated with private user information, it's important +to know that the trove of private information overseen by a company like this is +safe from threats from the robber-barons of tech. 4privacy is [looking for +investors][3], which is a red flag: investors demand a return, and if the +product isn't profitable, user data is the first thing up for auction. So, how +will 4privacy make money? We need to know. They might say that the E2EE prevents +them from directly monetizing user data, and they're right, but that's only for +today. If they become a market incumbent, they will have the power to change the +technology in a way which compromises privacy faster than we can move to another +system, and we need to understand that this will not happen. + +[3]: https://4privacy.com/contact-us/ + +Growing consumer awareness in privacy issues over the past decade, combined with +a generally low level of technology literacy in the population, the privacy +space has allowed a lot of grifters to arise. One of the common forms these +grifts take is seen in the rise of VPN companies, which prey on consumer fear +and often use YouTube as a marketing channel, [including on Destin's previous +videos][4]. Another giant, flaming red flag appears whenever cryptocurrency is +involved. In general terms, the privacy space is thoroughly infested with bad +actors, which makes matters of trust very difficult. 4privacy needs to be +prepared to be very honest and transparent with not only their tech, but their +financial structure and incentives. With SourceHut, I had to *engineer* our +incentives to suit stated goals, and I communicate this to users so that they +can make informed choices about us. 
4privacy would be wise to take similar +steps, in full view of the public. + +[4]: https://www.youtube.com/watch?v=OdPoVi_h0r0 + +Empowering users to make informed choices leads me into our next point: is +4privacy ready to bear the burden of responsibility for this system? As far as I +can glean from their mock-ups, they plan to be handling your IDs, passwords, +healthcare information, confidential attorney/client commutations, and so on. +The consequences of having this information compromised are grave, and this +demands world-class security. It's also extremely important for 4privacy to be +honest with their users about what their security model can, and cannot, make +promises about. + +You must be honest with your users, and help them to understand how the system +works, and when it doesn't work, so that they can make informed choices about +how to trust it. This can be difficult when the profit motive is involved, +because they might conclude that they *don't* want to use your service. It's +even more difficult when you exist in a space full of grifters that are happy to +tell sweet lies to your users about fixing all of their problems. However, it +must be done. + +Privacy tools are relied upon by vulnerable people facing challenging +situations. If you promise something you cannot deliver on, and they depend on +you to keep their information private in impossible conditions, when the other +shoe drops there could be dramatic consequences for their lives. If a journalist +in a war-torn country depends on you to keep their documents private, and you +fail, they could end up in prison or a labor camp or splattered on the wall of a +dark alley, and it'll have been your fault. You *must* be forthright and +realistic with users about how your system can and cannot keep them safe. I hope +Destin's future videos in the privacy series will cover how the system works in +more detail, including its limitations. 
He is skilled at explaining complicated +topics in a comprehensible manner for everyday people to understand, and I hope +he will leverage these skills here. + +I have already noticed one place where they have failed to be honest in their +limitations, however, and it presents a major concern for me. Much of their +marketing speaks of the ability to *revoke* access to your private information +*after* a third-party has been provided access to it. This is, frankly, entirely +impossible, and I think it is extraordinarily irresponsible to design your +application in a manner that suggests that it can be done. To keep things short, +I'll refute the idea as briefly as possible: what's to stop someone from taking +a picture of the phone while it's displaying your private info? Or writing it +down? When you press the "revoke" button in the app, and it dutifully disappears +from their phone screen, the private information is still written on a piece of +paper in their desk drawer and you're none the wiser. The application has given +you a *false sense of security*, which is a major problem for a privacy-oriented +tool. + +You *can* work in this problem space, albeit under severely limited constraints. +For example, consider how the SSH agent works: an application which wants to use +your private keys to sign something can ask the agent for help, but the agent +will not provide the cryptographic keys for it to use directly &mdash; the agent +will do the cryptographic operation on the application's *behalf* and send the +*results* to the application to use. These constraints limit the use-cases +significantly, such that, for example, you could not send someone your social +security number using this system. You could, however, design a protocol in +which an organization which needs to verify your identity can ask, in +programmatic terms, "is this person who they say they are?", and 4privacy +answers, possibly consulting their SSN, "yes" or "no". 
This does not seem to be +what they're aiming for, however. + +So, with all of this in mind, how ambitious is their idea as a whole? Is it +feasible? What kind of resources will they need to pull it off? + +In short, this idea is extraordinarily ambitious. They are designing a novel +cryptosystem, which is an immediate red flag: designing a secure cryptosystem is +one of the most technologically challenging feats a programming team can +undertake. Furthermore, they're building a distributed, federated system, which +is itself a highly complex and challenging task, even more so when the system is +leveraged to exchange sensitive information. It can be done, but it takes an +extraordinarily talented team with hard-core technical chops and a lot of +experience. + +What's more, if they were to do this well, it would involve developing and +standardizing open protocols. This requires a greater degree of openness and +community participation than [they are planning to do][5]. Furthermore, they +need to get others to agree to implement these protocols, which involves solving +social and political problems &mdash; both in technical and non-technical +senses. For instance, the Dutch government stores much of my personal +information in the DigiD system. Will they be able to convince the Netherlands +to work with their protocols? How about every other country? And, if they want +me to store my health insurance in the app, how are they going to convince my +doctor to use the app to receive it? And how about every other doctor? And what +about all of the other domains they want to be involved in outside of healthcare +data? Will they interoperate with legacy systems to achieve the market +penetration they need? Will those legacy systems provide for their end-to-end +encryption needs, and if not, will users understand the consequences? 
+ +[5]: https://github.com/4PrivacyEngine/4PrivacyEngine-Core + +I'm not saying that any of this is impossible &mdash; only that it is +extraordinarily difficult to pull off. Extraordinary projects require +extraordinary resources. They will need multiple highly talented engineering +teams working in parallel, and the support staff necessary to keep them going. + +Their goal on Kickstarter, which was quickly met and exceeded, is $175,000. This +is nowhere near enough, so either they aren't going to pull it off, or they have +more money from somewhere else. Destin is acknowledged as an investor, and they +are seeking more investments on their website &mdash; how much money, and from +whom, now and in the future? By taking the lion's share from entities other than +their users, they have set up concerning incentives in which the entities +responsible for private data have millions on the line and are itchy to get +returns, and the entities whom the private data concerns haven't been invited to +the negotiating table. + +In short, I would urge them to do the following: + +- Make clear their funding sources, incentive model, and plans for monetization. +- Publish their whitepaper draft and invite public comment now, rather than when + it's "finished". Consider doing the same with the source code. +- Work to inform potential users about how the technology works, to the extent + that they can make informed choices about it. Destin would be a great help for + this. + +4privacy should generally institute a policy of greater transparency and +openness by default, preferring to keep private only what absolutely must. There +is no shame in iterating on an incomplete product in the view of the public. On +the contrary, I am quite proud that my business works in this manner. + +The fundraising campaign quickly met its goal and will presumably only continue +to grow in the coming weeks &mdash; it's reasonably certain that it will close +with at least $1M raised. 
Having met their goal, the product will presumably +ship, and we'll see the answers to these questions eventually. The team has a +lot of work ahead of them: good luck.