[messaging] Value of deniability

[Jacob Appelbaum]

On 12/10/14, Eleanor Saitta <ella at dymaxion.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> On 2014.12.10 14.57, Jacob Appelbaum wrote:
>> On 12/10/14, Eleanor Saitta <ella at dymaxion.org> wrote:
>>> On 2014.12.10 13.56, Mike Hearn wrote:
>>>> From a privacy perspective the rationale is fairly clear.
>>>
>>> Has anyone ever seen a case where cryptographic deniability was
>>> accepted by a judge?  As far as I can tell, its legal value is a
>>> fiction from the cryptographic community.
>>
>> Yes, I think so. The lack of signatures ensures that a text log is
>> just that - a text file without cryptographic assurances. It is
>> subject to tampering. If I recall correctly, this issue came up a
>> bit in Anakata's recent trials.
>
> No, I want specific case law that directly addresses deniability.
> Because this still doesn't frankly pass the laugh test from any lawyer
> I've seen asked about it, and yet we keep bending over backwards for it.
>

A digital signature is binding. A lack of a digital signature on a
text file certainly leaves room for assertion of tampering and of
repudiation of the statements contained in the text file. As I
understand the legal case in Denmark, at least one of the two people
in Anakata's case declared denied the contents of what appears to be a
logged OTR conversation. If they had used PGP encrypted/signed mails,
I think the prosecution would have made a very strong argument about
PGP signatures.

Does that count as a reference to case law? I've requested transcripts
of the trial but after over a month of waiting, I'm not sure when they
will be delivered.

>> Furthermore, the inverse is accepted routinely - digital signature
>> laws in some US states. Washington State in the United States seems
>> to be an example. If you have a PGP signed email, I'd expect some
>> binding laws to apply for statements made in the signed portion of
>> the text. Without a signature, I don't it will fall under the same
>> digital signature statutes.
>
> That the inverse is accepted does not provide any predictive
> properties about the value of the supposed forgability in allowing the
> value of a police evidence chain to be called into question.

If recall some of the things from the Danish case involving Anakata
and another person, they specifically raised the issue of plausible
tampering with the logs.

>
> It's worth noting, further, that the *only* argument in question here
> is whether there is any value of deniability during a trial.  It is
> clear that there is zero operational security value* to deniability in
> any plausible case, something rather more critical to the life-safety
> use of such systems.
>

I think Anakata's case, at least in Denmark, might be one measure of
the value of this line of argumentation. I'm not totally sure how well
it worked out for either of them though.

>> Repudiation and non-Repudiation are real properties that they have
>> contextual value.
>
> Deniability is not the same as repudiation in practice; conflating
> them is not reasonable.

I'm not sure that I follow. Why isn't it reasonable to link
deniability to repudiation?

One of the goals of OTR's deniability property is to ensure that any
log is simply a he-said-she-said text file game rather than a
cryptographic certainty. That allows in practice for repudiation - the
efficacy as a legal strategy is not completely clear to me and it
seems case by case to require analysis. A signature system that has
non-repudiation as a property seems to leave little room for anything
except an argument of some other kind of deniability such as "bob took
my PGP key."

Why not have both options, legally and cryptographically?

All the best,
Jacob