Friday, August 10, 2012

There Are No Online Security Shortcuts for Human Rights

At Benetech, we're thinking about human rights activists every day. We're not human rights advocates ourselves: we're a group of technologists and scientists dedicated to helping the human rights movement be safer and more effective. We prefer to work mainly behind the scenes, helping activists pursue their mission of improving respect for human rights, advocating for policy changes that advance rights and sometimes even obtaining justice against the perpetrators.

However, there are times when we need to weigh in on a technical issue that affects human rights activists. Following an admiring Wired.com profile of the web-based chat program Cryptocat, a fair amount of discussion ensued about the security risks of using a tool with this kind of web-based design. The relevant Wired.com editor responded by endorsing Hushmail, a web mail service with a similar design, for use by Middle Eastern dissidents.

The discussion, and this (to us) risky recommendation from a publication with a long history of covering these issues, led Benetech chief scientist Dr. Patrick Ball to respond. His op-ed, When It Comes to Human Rights, There Are No Online Security Shortcuts, was just published on Wired.com. We appreciate the opportunity from Wired to talk about our different views on this critically important issue.

The tech community has immense power in the global battle for human rights. Tech companies supply the tools to help repressive governments suppress human rights and access to information. Those of us in technology who seek to tip the balance back towards advocates of human rights have a responsibility to approach these issues with great care. We need tools that defend the defenders of human rights, and that activists will actually use.

The Benetech team has looked frequently at web-based (or more precisely: web-served) designs for the tools we provide to activists for securely capturing information about human rights abuses. We don't make chat or email tools like Cryptocat or Hushmail, but the security challenges we face in design are similar: in a web-served tool, the code that handles the user's secrets is delivered by the server on every visit, so the user's safety ultimately rests on that server and on everyone who can compromise or coerce it. To date, we haven't felt we could responsibly design around the intrinsic risks of a web-based tool (although we have been interested in a newer set of techniques called host-proof hosting that hold the potential of overcoming these risks).

The Wired piece correctly identifies one of the core challenges faced by designers of tech tools for the human rights field: the difficult tradeoff between security and usability. We were inspired to work in this field by Patrick Ball's work training activists around the world to use the first generation of crypto, the seminal program Pretty Good Privacy (PGP) invented by Phil Zimmermann. Patrick found that very few of the activists he trained ended up using PGP, because it was too hard to use. We feel we've made huge strides in usability with our Martus design without compromising security. But we thought the only way to make it sufficiently secure was to build a standalone application, with servers kept separate from the users' keys so that the servers never have access to a user's secrets.

We know that much more needs to be done to make these tools more user-friendly. We know the Cryptocat team is working hard on a new generation of their tool which will try to overcome the weaknesses in the current version, and we welcome their efforts. We want to make sure that security doesn't suffer when it comes to serving those under greatest threat from repressive governments. At this point, we believe that the risks of purely web-based solutions are too high to recommend them to activists and dissidents who run personal safety risks in their work.

1 comment:

Jim Fruchterman, Beneblog acct said...

UPDATE with new news.
Bravo! The Cryptocat developers have taken the advice of the security community. They've moved the design to a more secure architecture. Their new version 2, now in beta, is implemented as a browser plugin which will keep the encryption keys on each user's local computer. This model avoids the inherent problems with storing private keys on hosted servers. It's too early to tell whether Cryptocat 2 will live up to its promise, but it is exciting to see that the developers are moving in the right direction.