Software Helps Rights Groups Protect Sensitive Information

R. A. Hettinga rah at shipwright.com
Mon May 31 11:17:43 EDT 2004 

<http://www.siliconvalley.com/mld/siliconvalley/8803304.htm?template=contentModules/printstory.jsp>

The San Jose Mercury News

Posted on Mon, May. 31, 2004

SOFTWARE HELPS RIGHTS GROUPS PROTECT SENSITIVE INFORMATION

By Karl Schoenberger
Mercury News

A Palo Alto entrepreneur has come up with a technological fix for a problem
that has dogged human-rights activists in developing societies for years:
How do you keep sensitive information from the prying eyes of police?

Jim Fruchterman, chief executive of the non-profit software firm Benetech,
thinks the answer is Martus, a messaging and database product he developed
that protects data with sophisticated encryption.

Ever since he read about the cover-up of atrocities during El Salvador's
civil war in the 1980s, the Stanford University-trained engineer said he'd
been puzzling over how technology could protect witnesses of human-rights
abuses.

``Techies like to solve problems, and there's nothing more important than
saving lives,'' said Fruchterman, 45, who is best known for his work on
affordable reading systems for the blind.

Martus was designed for people in developing countries with minimal
technology skills, offering greater simplicity than standard encryption
programs such as PGP, Pretty Good Privacy.

Encryption software protects data by using algorithms to scramble the
information into an unreadable code, which can be unlocked only by a
specific key, or string of random numbers. The longer the key, the greater
the security against intruders. Martus eliminates the laborious task of
manually inputting these keys. This results in a relative sacrifice in
security, but Martus users need only to enter their name and password --
the rest is automatic.

After it was tested in Sri Lanka and rolled out in training sessions in the
Philippines earlier this year, human-rights workers are giving it a thumbs
up. But there are a couple of inevitable shortcomings to the Martus vision:
limited access to computers in the Third World, and a lingering mistrust of
technology by people who fear it could be used against them.

``We've been branded as socialists and even communists, so we like the
security and safety measures in Martus,'' said Daisy Arago, director of the
Center for Trade Unions and Human Rights in Manila.

She was trained on the system and has it installed on three computers in
the Manila area. But it will be a while before it can be used by the
group's affiliates.

``Most of our members don't have computers,'' she said. ``They use Internet
cafes to send us e-mails, and we can't expect the owners to install
Martus.''

Used worldwide

Yet Martus has proven immensely popular since its prototype became
available two years ago. Fruchterman said the program is in use in at least
50 countries and estimates the company has handed out about 500 Martus
program CDs and that another 500 copies have been downloaded for free from
the Internet (www.martus.org).

``Martus is responding to a real demand,'' said Patrick Ball, a veteran
human-rights investigator and statistician who joined forces with Benetech
earlier this year. ``People tell me they gather all the data but then they
lose it. The paper documents get eaten by termites; floppy disks and hard
drives get stolen or confiscated in police raids.''

Martus is open-source and offers three levels of encrypted security
depending on how the people intend to share the information. It can be kept
secret with access only for the user, or sent to a central office such as
the headquarters of a non-governmental organization for analysis and action.

``Convincing people that their information is going to be safe and secure
with Martus took a long time,'' said Tom Parks, an Asia Foundation program
officer based in Cambodia who did the project implementation and training
in the Philippines. ``The trust factor was very important. Previously, this
was the kind of information that was so sensitive they didn't write it
down. Now we were asking them to type it out on a computer and send to a
place they had no control over.''

Data backed up

To prevent loss or theft, the data is backed up automatically and
redundantly on dedicated Martus servers in Manila, Toronto, Seattle and
Budapest. Nobody can read the files without access to the original user's
cryptography key and password -- with the exception of sophisticated
code-cracking organizations such as the U.S. National Security Agency or
China's Public Security Bureau.

Fruchterman said he designed Martus to balance the need for simplicity with
a reasonable level of security, appropriate for the typical technology-shy
human-rights activist. It wouldn't do much to protect terrorists on the FBI
most-wanted list. ``It wouldn't be a smart idea to use Martus in Tibet,
where the Chinese government is using all its resources to maintain
control,'' he said.

Even when the level of encryption technology is appropriate, there are
other security issues to be concerned about, particularly spyware that can
track a person's keystrokes, said Phil Zimmermann, an encryption expert who
developed the Pretty Good Privacy code.

`Real risk'

``The real risk is that if the intruder doesn't get in through the steel
door, he'll use the window,'' Zimmermann said. ``You could have a very good
crypto, but it doesn't do any good if they use keyboard sniffers to get
your password. The biggest danger is deleted plain-text files that can be
easily recovered. You think you deleted it, but it's still there.''

But the aim of Martus is to lower the risks, not create a fail-safe system
that would be so complicated nobody would use it, said Fruchterman and Ball.

The Martus project has obtained $1.5 million in grants during the past
three years, including support from the MacArthur, Ford and Soros
foundations. The Asia Foundation has been a strategic partner on the
ground, connecting the Martus project with human-rights non-governmental
organizations. Fruchterman said he also invested about half the proceeds
from the $3 million sale of Benetech's reading technology for the blind.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list