[messaging] the Whisper problem

elijah elijah at riseup.net
Thu Oct 16 17:09:47 PDT 2014


What could Whisper do if it wanted to make its claims of "we can't know"
into a reality?

How about this?:

The app could require a Facebook login (or whatever the kids are using
these days with a horrible policy that disallows pseudo identities). The
user would then get Whisper points for each day of activity on Facebook
(that Whisper determined was not the product of a robot, no small task).
The app then connects via Tor to Whisper servers to exchange these
points for a "whisper token" using an unlinkable blind signature
(Camenisch-Lysyanskaya?).

Every user gets a unique identifier composed by HMAC(facebook-login,
device-id). Every message gets a random uuid (to check for replies).

Token and identifier in hand, the app now lets you post a message. The
message compose box shows exactly what information is sent to Whisper
(date, place, message, identifier, uuid).

The user has the option to switch among city, province, country, or
planet for place granularity (maybe in NYC the smallest unit should be
borough, but in Wyoming it should be state). When geolocation is
disabled on the device, the app uses a local copy of the geolite country
database (1mb) plus maybe a bloom filter of the city database (normally
15mb).

When the user hits send, the message is routed over Tor, bundled with
the token. When the server receives the message, the signature on the
token is checked, expiration is checked, and the token is compared to
previously consumed tokens. Whisper checks to make sure that the identifier
has not posted messages in the past that have been flagged as abusive.
Before getting posted to the network, the message is delayed some random
offset.

This actually gives Whisper some information they do not currently have:
an identifier that ties all the user's messages from a particular device
together. Maybe there is some better way that a user can prove to
Whisper that they do not have a history of flagged messages?

I don't know how Whisper could ensure that the app has not been modified to
secretly report the Facebook account when a message is posted or a token
requested. I assume reproducible builds are not an option when you
support Facebook login in your app?

I am not sure something like Whisper should exist. Anonymous
communication may be necessary for democracy, but anonymous
communication does not mean you need to create an engine for harassment
and abuse. I imagine Whisper is only able to keep the hate speech and
harassment in check with a lot of labor and a lot of analytics (and they
don't seem to be doing a very good job currently, nor do they seem to
care).

-elijah
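
The issue-and-redeem flow described in this message, as an added example that is not part of the original post or any Whisper code. It swaps in a textbook RSA blind signature (Chaum) for the Camenisch-Lysyanskaya scheme the post suggests, uses constructed toy keys, and models expiration as one signing key per epoch; `PostServer`, `toy_key`, the epoch numbers and the use of the login as the HMAC key are assumptions.

```python
import hashlib, hmac, secrets

E = 65537

def toy_key(a, b):
    # Constructed toy RSA key from the public Mersenne primes 2**a-1 and 2**b-1: insecure.
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (modulus n, private exponent d)

# One signing key per epoch; retiring a key is what expires its tokens.
KEYS = {1: toy_key(521, 607), 2: toy_key(1279, 2203)}

def digest(token, n):
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n

def identifier(login, device_id):
    # HMAC(facebook-login, device-id) as in the post; using the login as key is an assumption.
    return hmac.new(login.encode(), device_id.encode(), hashlib.sha256).hexdigest()

def blind(token, n):  # client: hide the token from the issuer
    r = secrets.randbelow(n - 2) + 2
    return digest(token, n) * pow(r, E, n) % n, r

def issue(blinded, epoch):  # issuer: signs without seeing the token
    n, d = KEYS[epoch]
    return pow(blinded, d, n)

def unblind(blind_sig, r, n):  # client: recover a signature on the real token
    return blind_sig * pow(r, -1, n) % n

class PostServer:
    def __init__(self, current_epoch):
        self.epoch, self.spent, self.flagged = current_epoch, set(), set()

    def submit(self, epoch, token, sig, ident):
        if epoch != self.epoch:
            return "expired"
        n, _ = KEYS[epoch]
        if pow(sig, E, n) != digest(token, n):
            return "bad signature"
        if token in self.spent:
            return "token already consumed"
        # ident is asserted by the client; nothing here binds it to the token.
        if ident in self.flagged:
            return "identifier flagged"
        self.spent.add(token)
        return "accepted"
```

The issuer only ever sees the blinded value, so it cannot match a redeemed token to the issuance request; the identifier, by contrast, links every post from one device, which is the trade-off the message points out.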


