logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Smarter-every-day-and-4privacy.md (11783B)

    

  1. ---
  2. title: How SmarterEveryDay's 4privacy can, and cannot, meet its goals
  3. date: 2021-10-22
  4. ---
  6. I don't particularly find myself to be a fan of the SmarterEveryDay YouTube
  7. channel, simply for being outside of Destin's target audience most of the time.
  8. I understand that Destin, the channel's host, is a friendly person and a great
  9. asset to his peers, and that he generally strives to do good. When I saw that he
  10. was involved in a Kickstarter to develop a privacy product, it piqued my
  11. interest. As a privacy advocate and jaded software engineer, I set out to find
  12. out what it's all about.
  14. *You can watch the YouTube video [here][0], and a short follow-up [here][1].*
  16. [0]: https://www.youtube.com/watch?v=KMtrY6lbjcY
  17. [1]: https://www.youtube.com/watch?v=Hy6STq337qo
  19. There are several things to praise here. I honestly thought that Destin's
  20. coverage of the topic of privacy for the layman was really well presented, and
  21. took some notes to use the next time I'm explaining privacy issues to my
  22. friends. The coverage of the history of wiretapping and the pivotal role played
  23. by 9/11, complete with an empathetic view of the mindset of American adults
  24. contemporary to it that many find hard to express, along with great drone shots
  25. of Big Tech's mysterious datacenters, this is all great stuff. For the right
  26. project, Destin is a valuable asset with a large audience and a lot of
  27. experience in making complex issues digestible for the every-person, and
  28. 4privacy is lucky to have access to him.
  30. A lot of the buzzwords and things found on their [technology page][2] are
  31. promising as well. The focus on end-to-end encryption and zero-knowledge
  32. principles, *and* the commitment to open source, are absolutely necessary and
  33. are great to see here. A lot of the tech described, although briefly, seems like
  34. it's on the right track. The ability to use your own service provider, and the
  35. focus on decentralization and federation, is very good.
  37. [2]: https://4privacy.com/our-technology/
  39. I do have some concerns, however. Let's break them down into these categories:
  41. 1. Incentives and economics
  42. 2. Responsibilities and cultivating trust
  43. 3. Ambitions and feasibility
  45. Given the value ($$$) associated with private user information, it's important
  46. to know that the trove of private information overseen by a company like this is
  47. safe from threats from the robber-barons of tech. 4privacy is [looking for
  48. investors][3], which is a red flag: investors demand a return, and if the
  49. product isn't profitable, user data is the first thing up for auction. So, how
  50. will 4privacy make money? We need to know. They might say that the E2EE prevents
  51. them from directly monetizing user data, and they're right, but that's only for
  52. today. If they become a market incumbent, they will have the power to change the
  53. technology in a way which compromises privacy faster than we can move to another
  54. system, and we need to understand that this will not happen.
  56. [3]: https://4privacy.com/contact-us/
  58. Growing consumer awareness in privacy issues over the past decade, combined with
  59. a generally low level of technology literacy in the population, has allowed a
  60. lot of grifters to arise. One of the common forms these grifts take is seen in
  61. the rise of VPN companies, which prey on consumer fear and often use YouTube as
  62. a marketing channel, [including on Destin's previous videos][4]. Another giant,
  63. flaming red flag appears whenever cryptocurrency is involved. In general terms,
  64. the privacy space is thoroughly infested with bad actors, which makes matters of
  65. trust very difficult. 4privacy needs to be prepared to be very honest and
  66. transparent with not only their tech, but their financial structure and
  67. incentives. With SourceHut, I had to *engineer* our incentives to suit stated
  68. goals, and I communicate this to users so that they can make informed choices
  69. about us. 4privacy would be wise to take similar steps, in full view of the
  70. public.
  72. [4]: https://www.youtube.com/watch?v=OdPoVi_h0r0
  74. Empowering users to make informed choices leads me into our next point: is
  75. 4privacy ready to bear the burden of responsibility for this system? As far as I
  76. can glean from their mock-ups, they plan to be handling your government IDs,
  77. passwords, healthcare information, confidential attorney/client communications,
  78. and so on.  The consequences of having this information compromised are grave,
  79. and this demands world-class security. It's also extremely important for
  80. 4privacy to be honest with their users about what their security model can, and
  81. cannot, make promises about.
  83. You must be honest with your users, and help them to understand how the system
  84. works, and when it doesn't work, so that they can make informed choices about
  85. how to trust it. This can be difficult when the profit motive is involved,
  86. because they might conclude that they *don't* want to use your service. It's
  87. even more difficult when you exist in a space full of grifters that are happy to
  88. tell sweet lies to your users about fixing all of their problems. However, it
  89. must be done.
  91. Privacy tools are relied upon by vulnerable people facing challenging
  92. situations. If you promise something you cannot deliver on, and they depend on
  93. you to keep their information private in impossible conditions, when the other
  94. shoe drops there could be dramatic consequences for their lives. If a journalist
  95. in a war-torn country depends on you to keep their documents private, and you
  96. fail, they could end up in prison or a labor camp or splattered on the wall of a
  97. dark alley, and it'll have been your fault. You *must* be forthright and
  98. realistic with users about how your system can and cannot keep them safe. I hope
  99. Destin's future videos in the privacy series will cover how the system works in
  100. more detail, including its limitations. He is skilled at explaining complicated
  101. topics in a comprehensible manner for everyday people to understand, and I hope
  102. he will leverage these skills here.
  104. I have already noticed one place where they have failed to be honest in their
  105. limitations, however, and it presents a major concern for me. Much of their
  106. marketing speaks of the ability to *revoke* access to your private information
  107. *after* a third-party has been provided access to it. This is, frankly, entirely
  108. impossible, and I think it is extraordinarily irresponsible to design your
  109. application in a manner that suggests that it can be done. To keep things short,
  110. I'll refute the idea as briefly as possible: what's to stop someone from taking
  111. a picture of the phone while it's displaying your private info? Or writing it
  112. down? When you press the "revoke" button in the app, and it dutifully disappears
  113. from their phone screen,[^1] the private information is still written on a piece
  114. of paper in their desk drawer and you're none the wiser. The application has
  115. given you a *false sense of security*, which is a major problem for a
  116. privacy-oriented tool.
  118. [^1]: And there's no guarantee that it will, for the record.
  120. You *can* work in this problem space, albeit under severely limited constraints.
  121. For example, consider how the SSH agent works: an application which wants to use
  122. your private keys to sign something can ask the agent for help, but the agent
  123. will not provide the cryptographic keys for it to use directly — the agent
  124. will do the cryptographic operation on the application's *behalf* and send the
  125. *results* to the application to use. These constraints limit the use-cases
  126. significantly, such that, for example, you could not send someone your social
  127. security number using this system. You could, however, design a protocol in
  128. which an organization which needs to verify your identity can ask, in
  129. programmatic terms, "is this person who they say they are?", and 4privacy
  130. answers, possibly consulting their SSN, "yes" or "no". This does not seem to be
  131. what they're aiming for, however.
  133. So, with all of this in mind, how ambitious is their idea as a whole? Is it
  134. feasible? What kind of resources will they need to pull it off?
  136. In short, this idea is extraordinarily ambitious. They are designing a novel
  137. cryptosystem, which is an immediate red flag: designing a secure cryptosystem is
  138. one of the most technologically challenging feats a programming team can
  139. undertake. Furthermore, they're building a distributed, federated system, which
  140. is itself a highly complex and challenging task, even more so when the system is
  141. leveraged to exchange sensitive information. It can be done, but it takes an
  142. extraordinarily talented team with hard-core technical chops and a lot of
  143. experience.
  145. What's more, if they were to do this well, it would involve developing and
  146. standardizing open protocols. This requires a greater degree of openness and
  147. community participation than [they are planning to do][5]. Furthermore, they
  148. need to get others to agree to implement these protocols, which involves solving
  149. social and political problems — both in technical and non-technical
  150. senses. For instance, the Dutch government stores much of my personal
  151. information in the DigiD system. Will they be able to convince the Netherlands
  152. to work with their protocols? How about every other country? And, if they want
  153. me to store my health insurance in the app, how are they going to convince my
  154. doctor to use the app to receive it? And how about every other doctor? And what
  155. about all of the other domains they want to be involved in outside of healthcare
  156. data? Will they interoperate with legacy systems to achieve the market
  157. penetration they need? Will those legacy systems provide for their end-to-end
  158. encryption needs, and if not, will users understand the consequences?
  160. [5]: https://github.com/4PrivacyEngine/4PrivacyEngine-Core
  162. I'm not saying that any of this is impossible — only that it is
  163. extraordinarily difficult to pull off. Extraordinary projects require
  164. extraordinary resources.  They will need multiple highly talented engineering
  165. teams working in parallel, and the support staff necessary to keep them going.
  167. Their goal on Kickstarter, which was quickly met and exceeded, is $175,000. This
  168. is nowhere near enough, so either they aren't going to pull it off, or they have
  169. more money from somewhere else. Destin is acknowledged as an investor, and they
  170. are seeking more investments on their website — how much money, and from
  171. whom, now and in the future? By taking the lion's share from entities other than
  172. their users, they have set up concerning incentives in which the entities
  173. responsible for private data have millions on the line and are itchy to get
  174. returns, and the entities whom the private data concerns haven't been invited to
  175. the negotiating table.
  177. In short, I would urge them to do the following:
  179. - Make clear their funding sources, incentive model, and plans for monetization.
  180.   Tell everyone the pitch they tell to private investors.
  181. - Publish their whitepaper draft and invite public comment now, rather than when
  182.   it's "finished". Consider doing the same with the source code.
  183. - Work to inform potential users about how the technology works, to the extent
  184.   that they can make informed choices about it. Destin would be a great help for
  185.   this.
  187. 4privacy should generally institute a policy of greater transparency and
  188. openness by default, preferring to keep private only what they absolutely must.
  189. There is no shame in iterating on an incomplete product in the view of the
  190. public. On the contrary, I am quite proud that my business works in this manner.
  192. The fundraising campaign quickly met its goal and will presumably only continue
  193. to grow in the coming weeks — it's reasonably certain that it will close
  194. with at least $1M raised. Having met their goal, the product will presumably
  195. ship, and we'll see the answers to these questions eventually. The team has a
  196. lot of work ahead of them: good luck.