Re: [E2ee] Does the presence of overt, "Non-Ghost" surveillance actors/bots, inhibit E2E Security?

[Vittorio Bertola <vittorio.bertola@open-xchange.com>]

>     Il 28/07/2021 21:33 Alec Muffett <alec.muffett@gmail.com> ha scritto:
> 
> 
>     Hi All!
> 
>     I'll be presenting this to the CFRG (Crypto Forum Research Group) at IETF 111, late on Friday evening (London time):
> 
>     "A 'Duck Test' for End-to-End Secure Messaging" 
>     https://alecmuffett.com/alecm/ietf-111/draft-muffett-e2esm-v1.18a.pdf
> 
>     It's a reasonably short presentation-deck (albeit with a lot of slides) offering a simple, robust, and easily understood metric for people to use when judging assertions like:
> 
>     "The GCHQ 'Ghost' Proposal does not harm End-to-End Security"
> 
>     One interesting discussion that I *have* had, twice, regarding my draft is regarding (Slide 25) whether "overt, blatant surveillance" inhibits a system from being E2E-Secure - "because people will not be able to avoid surveillance."
> 
>     It's a great question, which I've answered with two different thought experiments:
> 
>     Surveillance Scenario A:
> 
>     Imagine that the UK Government imposes a "Technical Capability Notice" on WhatsApp and requires surveillance on everybody. Further imagine that WhatsApp has the decency to tell everybody that surveillance is enabled.
> 
>     Then Alice, in the UK, wants to talk to Bob with WhatsApp, but without Surveillance. What does Alice do? Answer: there is nothing she can do except "Fix the Government" or "Select a platform which does not implement surveillance on behalf of the UK Government". Her intentions or desires are incapable of changing anything about the situation, other than via political means.
> 
>     Surveillance Scenario B:
> 
>     Say that you are using Signal to hold a group chat, and suddenly after a month or so, it gets out that one of the people in the group chat ("Eve?") is actually a member of the state security services.
> 
>     Would that mean that Signal was suddenly no longer end-to-end encrypted? No. If one did believe that, then E2E would have a "Schrodinger's Cat"-quality - that it stops being E2E as soon as a spook looks at it.
> 
>     But if the presence of unknown surveillance does not prevent something being end-to-end encrypted, would the presence of *known* surveillance, up-front, prevent something being considered end-to-end encrypted? Well, when Eve was "outed", nothing has changed with the system other than user choice to continue/not-continue to participate in the chat.
> 
>     As 'user choice" was the only variable, user choice was also the differentiator - including (big picture) the choice to use an individual group chat *or* a messenger platform that was overtly enabled for state surveillance. The choice to pull that surveilled chat or that surveilled platform into one's own TCB/Trusted Compute Base/Zone of Trust, was a user choice.
> 
>     Perspective
> 
>     In short: I think that "end-to-end secure messaging with state surveillance overtly and transparently baked-in", is precisely *that*, and should be highlighted as such, for exactly the reasons as explained in RFC2804. Thus if people want to avoid surveillance, they should vote with their feet and use a different platform, or obtain a different government; however the surveillance should never be opaque, ghostly, or hidden.
> 
>     What do others think, please?
> 
I think that you are mixing three separate concepts:
1) end-to-end encryption, which is a technical property of a communication system;
2) end-to-end security, which is a somewhat abstract concept possibly including other factors than just the communication system;
3) an appropriate disclosure policy for lawful interception, which is interesting but possibly out of scope for the IETF, and more in scope for law-making venues.

By the way, the apps you mention (Whatsapp and Signal) do not provide "end-to-end encryption" but "managed end-to-end encryption" - exactly for the reason you point out. A communication is end-to-end-encrypted if the text enters the communication system already encrypted; otherwise, if the communication system also manages your keys and the encryption/decryption procedure, the content is not a secret between the sender and the recipient, but only a secret between the sender, the recipient and the application maker, who could easily include features to screen and report your communication before encrypting it, either to its own servers for business purposes, or, as you suggest, to a third party.

Of course, managed e2ee is much easier to use while still providing a good degree of protection, but it requires you to trust the provider of the communication system, and there are clear reasons why people who really need absolute protection from any kind of screening should not rely on it; they should only encrypt and decrypt messages on trusted, separate applications that are not connected to the Internet. But even the average user should be made aware of the risks of managed e2ee, as it's unclear why a for-profit should provide a free communication app without monetizing users in any way; users might then want to pick a provider which is less likely to monetize them.

In terms of #3, I'm not sure if it's on topic, but I will note that by definition lawful interception happens according to a law, so the fact that it exists is public. What you as a user do not generally know is if it has been turned on on your account, but there are reasons for that, and also - in democratic countries - appropriate guarantees. Nothing would anyway prevent the app from reminding that, in some cases, your communications could be reported according to a law or court order.

--

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola@open-xchange.com mailto:vittorio.bertola@open-xchange.com 
Office @ Via Treviso 12, 10144 Torino, Italy