Tuesday, June 12, 2012

Detaining Developer At US Border Increases Cryptocat Popularity

By Jon Matonis
Forbes
Thursday, June 7, 2012 

http://www.forbes.com/sites/jonmatonis/2012/06/07/detaining-developer-at-us-border-increases-cryptocat-popularity/

The developer of a leading open source application for encrypted online chat, Nadim Kobeissi, claims to have been detained and interrogated at the US-Canadian border yesterday. "Out of my 4 DHS interrogations in the past 3 weeks, it's the first time I'm asked about Cryptocat crypto and my passport is confiscated," tweets Kobeissi. The US interrogator also asked about which encryption algorithms Cryptocat deployed and they were curious about its level of censorship resistance.


Cryptocat establishes a secure, encrypted chat session that is allegedly not subject to commercial or government surveillance. It uses client-side JavaScript to implement 256-bit Advanced Encryption Standard for message encryption and Elliptic curve Diffie-Hellman for key agreement. Similar to the Off-the-record Messaging (OTR) cryptographic protocol available via plugin, Cryptocat generates new key pairs for every chat implementing a form of perfect forward secrecy and deniable encryption. However, the web-based Cryptocat can also accommodate multiple parties to an encrypted chat session.

Kobeissi recently tweeted, "it's important that my interrogation doesn't blow confidence in Cryptocat out of proportion. It's still an experiment that needs work." Of course, JavaScript crypto does have its limitations (and critics) since it would still be susceptible to a server-side code poisoning attack.

But, the implications for privacy and freedom are truly astounding. An application like this can save lives, because during the tense moments of the Arab Spring the sources of certain instant messages and other online communications were tracked down and killed for their political views and organizational skills. Indeed, in journalism sourcing also, the privacy of an off-the-record source can be a matter of life and death.

Unlike other cryptography products that can later be used as a verifiable record of the communication event and the identities of the participants, perfect forward secrecy leaves no such trail. Kobeissi readily admits that this feature can be used for bad as well as good but it's worth the risk: "It's like if someone says 'Hamburgers: they can be used to feed the good and they can be used to feed the Taliban. I guess that means we should get rid of hamburgers then.' It bothers me that we're so afraid that our freedom will be used against us that we're willing to just give it up."

On television, RT America has even gone so far as to refer to Cryptocat as CISPA's kryptonite because it's a service that denies third-party access to private conversations online thereby making the Cyber Intelligence Sharing Protection Act largely irrelevant.

Encryption programs like Cryptocat that safeguard our private conversations and correspondence may not be the only government target. Just last year, a bitcoin developer coming from China was denied entry and questioned for hours by US Customs agents about how Bitcoin worked, where he got them, and how he traded Bitcoin for legal tender.

According to the ACLU, the border interrogation about Kobeissi's encryption program raises troubling questions about the government's claimed powers at the border. The "SSSS" designation stands for Secondary Security Screening Selection and if selected you become subject to extensive searches and interrogations -- for any reason whatsoever. Ironically, since overall awareness about the existence of the Cryptocat program has increased, perhaps this unfortunate detention at the US border has done some good after all.

For further reading:
"Anti-surveillance App Developer Targeted at Border by Department of Homeland Security", Brandon Turbeville, Activist Post, June 9, 2012

1 comment:

  1. So the question I have is: how were these particular border officers told to ask these particular guys about their chat or Bitcoin software?

    Think about it. It's not like your average customs or INS officer knows much about software or encryption, let alone what the implications of that software are.

    Somebody with access to the border control computer system has flagged these guys for questioning, specifically WRT their software. That's the part of this story that should be concerning us all: draw the attention of the wrong person in DHS, and the entire border apparatus of the USA becomes impermeable, no matter where you try to enter the US you go straight into detention for questioning. Does this also extend to quasi-US territory like embaseis and consulates?

    ReplyDelete

Note: Only a member of this blog may post a comment.