How do we make web stuff that's secure enough for human rights workers?

Patrick Ball sez, "Lots of people in the world depend on electronic security. That means it has to be seriously strong, and I have been worrying that lots of folks -- esp media folks -- are eager for easy-to-use shortcuts, even if those shortcuts aren't actually secure. CryptoCat is one such shortcut, as was Hushmail, and I believe neither are adequate for the hard case of protecting human rights information. There are solid security solutions, though we have a long way to go to improve user interfaces and overall user experience."

Any host-based system that delivers the encryption engine to you each time you log in, and in which your keys reside on the server, you are never secure against the host (there’s new research on this called “host-proof hosting,” but it’s a long way from being ready to use in real applications). That means that if the host attacks you, or they fail to protect themselves, your encrypted data will be available to them. Remember that the host might attack you because someone evil has taken control of the host. If you are the hypothetical dissident in the Middle East, your government might contract a hacker to break into the CryptoCat server, Hushmail, or other host-based server, and thereby get access to all your data. Or they could bribe an employee at a host-based service. Again: in host-based security, all your security rests on your personal trust for the people at the host, and their ability to protect the server. There’s no real security in a technical sense.

This means that Hushmail is no more secure than any other email service, like Gmail. In fact, Gmail might be more secure than Hushmail, if we think that Gmail has better personnel screening and more skillful engineers protecting their servers against malicious attacks than Hushmail does (many experts do believe this). By the same logic, CryptoCat is no more secure than Yahoo chat.

At Benentech, we’ve been working with human rights data for over twenty years, and providing secure software for ten. Martus has been downloaded by users in more than 100 countries. We’ve learned that, unfortunately, security is hard, and people who tell you that it’s easy or that there are shortcuts are probably fooling you — and maybe themselves. Our best efforts have all come from building security into the applications we already want to use, like Martus, which has security built into a database. For both email and chat, there are real security solutions (GPG and Pidgin/OTR). They’re a little harder to use, but their security is real.

When It Comes to Human Rights, There Are No Online Security Shortcuts (Thanks, Patrick!)


  1. This is something that Google Ideas and their head, Jared Cohen, are very concerned with and may actually be working on.  How much I trust them with it is another question.

  2. When communicating with amateur and non-technical people there is nothing you can do to ensure high security of your communications. The best solution I can suggest is public key cryptography, but that doesn’t help secure your key at the receiving end and it doesn’t solve the rubber hose problem or just people filming your fingers while you enter the passphrase.

Comments are closed.