[messaging] Value of deniability
jacob at appelbaum.net
Thu Dec 11 05:22:09 PST 2014
On 12/11/14, Mike Hearn <mike at plan99.net> wrote:
> For anyone following along who also never heard of "the anakata case", this
> is the trial of Per Gottfrid Svartholm Warg for hacking Danish government
> He was found guilty for two years. Part of the evidence was chat logs
> showing him chatting with an accomplice. Presumably he tried to claim the
> logs were forged:
> *The Court said that it had found the prosecution’s case against Gottfrid
> and his accomplice convincing, since among other things it ruled out the
> possibility that a third party could have carried out the hacking from the
> defendants’ computers.*
> *The Court also noted that chat conversations between the defendants showed
> that in addition to being the perpetrators of the hacking offenses, they
> also acted in concert.*
> *As a result, Gottfrid was found guilty of hacking, aggravated fraud and
> attempted aggravated fraud, and sentenced to two years in prison. His
> 36-year-old accomplice was sentenced to probation.*
That summary isn't entirely correct and in some cases is wildly
incorrect. I've requested transcripts for the trial but I'm not sure
if or when they will be delivered. I was an expert witness in the case
for the defense, I should add. This was related to a previous case
where in Sweden, I was similarly an expert witness. He was partially
acquitted in Sweden. Things in Denmark are a bit unclear but his
co-defendant was eventually found guilty of a crime that he wasn't
even indicted for originally. That person did successfully and
unsuccessfully dispute parts of some chat logs, as I understand the
outcome of the case.
> I think I agree with Eleanor that the costs of real deniability seem to
> radically outweigh the benefits, as anything that doesn't involve a simple
> on-screen editor for chat logs probably wouldn't be convincing, and that
> seems like a lot of effort and UI complexity.
Ease of forgery was never raised as an issue - the log files in
question were simple text files on a disk. Thus when the computer was
said to be compromised, it was decided that the text files on the disk
could also be tampered with at the time of compromise. This is part of
why the Swedish case and the Danish case went in the direction that
Also, the police appear to have lied in court and at least one Danish
police officer may be charged for lying under oath and/or for
tampering with evidence. I don't know the exact charges but it is
exactly such a case where not having non-repudiable signatures seem
> Moreover, I'm struggling to find a use case for this that doesn't involve
> someone lying in court.
In Anakata's long legal saga, it appears that there were other parties
- thus from what I've seen - it isn't a matter of someone lying in
court, it is a matter of the person in court disputing things on a
pretty obviously compromised and shared computer. The other party
wasn't in court as far as I understand things. It's actually a lot
less clear than that and since most of the case that I heard was in
Danish, I'm mostly in the dark without translated transcripts.
> If I'm in a two-party chat, and we have strong
> privacy, then I'd probably prefer to have strong evidence (on my local
> device only) that what was said, was said. It seems like it can only help
> me because:
> - .... if I'm saying "hey dude, let's engage in conspiracy against the
> government!" and I'm talking to a double agent, that guy can probably
> convince me to do something that isn't deniable i.e. in the real world
> before closing the net. So it's hardly enough, to be a dissident.
That doesn't really convince me. With the prevalence of RAT
(FinFisher, HackingTeam, UNITED RAKE) like tools, your strong evidence
(or keying material) will probably not stay on your local device.
> - .... if I'm an ordinary every day guy who is talking to someone, they
> accuse me of something and the text message evidence supports my case, I
> very much want it to be undeniable.
This exact scenario came up in the court case:
Alice: "Who wants ice cream?"
Alice: "Who wants to kill the president?"
Bob: "I do"
In your case, you'd want it to be undeniable that you wanted which of
the two exactly?
> - .... I don't want to ask every chat participant to activate some
> special signing mode before they chat to me. This would be interpreted as
> saying "I don't trust you". Of course people only usually want
> chat logs after it turns out their trust was misplaced. I'd much prefer to
> use a chat network where the social default was undeniability. You never
> know when you might turn out to be the poor guy in the newspaper
If you use such a system, I think you've clearly signaled that you
don't trust me. I wouldn't chat with you and in fact, I didn't sign
this email. :)
> W.R.T being quoted out of context, that happens with private speech
> conversations all the time and hardly anyone ever says "I didn't say that",
> they say "I'm being quoted out of context, here's the full conversation".
As a journalist, I think your protocol design would be fantastic for
ensuring that no one ever used that protocol to talk to a journalist.
That property would be a total no-go for people who want the ability
to deny it. As a technologist, I'm mostly glad that this discussion is
already solved in OTR and seemingly also in (n+1)sec/TextSecure
designs. Those three protocols seem to have deniability of a sort
without creating the opportunity for horrible unintended consequences.
> Are there other use cases I've overlooked?
End point security is rather weak and so I'd wager that you're aiming
to design a protocol "feature" that will be fantastic for framing
someone. Or in some cases, when the law is "bad" - confirming
something that shouldn't be confirmed.
There are probably other cases but I'm not up for providing an
exhaustive list at the moment. Perhaps after a coffee!
All the best,
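
The Alice/Bob exchange and the OTR-style deniability discussed in this message, as an added example that is not part of the original e-mail: a simplified model (not OTR's wire format; the function names and the `seq|sender|text` encoding are assumptions) in which each chat line carries an HMAC under a key both parties hold. It shows that a rewritten log verifies exactly like the genuine one, and that the tag on Bob's "I do" is identical in both.

```python
import hashlib
import hmac
import os

def mac(key: bytes, seq: int, sender: str, text: str) -> str:
    """Per-message HMAC-SHA256 tag under the key both chat parties hold."""
    data = f"{seq}|{sender}|{text}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def build_log(key: bytes, lines):
    """Anyone holding `key` can run this; nothing here is specific to one party."""
    return [(seq, who, text, mac(key, seq, who, text))
            for seq, (who, text) in enumerate(lines)]

def log_verifies(key: bytes, log) -> bool:
    """What a third party can check: every tag matches its line under `key`."""
    return all(hmac.compare_digest(mac(key, seq, who, text), tag)
               for seq, who, text, tag in log)

# Constructed sample data: a random session key and the thread's two-line chat.
SESSION_KEY = os.urandom(32)
GENUINE = build_log(SESSION_KEY, [("Alice", "Who wants ice cream?"),
                                  ("Bob", "I do")])
# The same log rebuilt later by whoever holds the key (the other party,
# malware on the endpoint, or anyone once the MAC key has been published).
ALTERED = build_log(SESSION_KEY, [("Alice", "Who wants to kill the president?"),
                                  ("Bob", "I do")])

def demo():
    return {
        "genuine_verifies": log_verifies(SESSION_KEY, GENUINE),
        "altered_verifies": log_verifies(SESSION_KEY, ALTERED),
        # Bob's tag covers only his own line, so it is identical in both logs.
        "bob_tag_identical": GENUINE[1][3] == ALTERED[1][3],
        "wrong_key_rejected": not log_verifies(os.urandom(32), GENUINE),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A per-message signature under Bob's long-term key would make his "I do" undeniable while still not binding it to the question it answered, unless the signed data also covered the preceding lines.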