[Cryptography] "Ulysses pacts": better than "warrant canaries" ?
hbaker1 at pipeline.com
Sun Sep 13 10:58:32 EDT 2015
"But technology gives us a new, stronger kind of Ulysses pact, one that takes the choice out of management's hands, a self-enforcing self-destruct button, which has the potential to make some secret warrants totally useless: binary transparency."
"If a spy agency knows that any attempt to implant malware on a user's computer through a software update will both fail and raise an alarm, there is absolutely no reason even to try."
Guardian column: Ulysses pacts and spying hacks: warrant canaries and binary transparency
August 20, 2015 / Cory Doctorow / Articles, News
As the world's governments exercise exciting new gag-order snooping warrants that companies can never, ever talk about, companies are trying out a variety of Ulysses pacts that automatically disclose secret spying orders, putting them out of business.
A Ulysses pact is a negotiating tactic in which one party voluntarily surrenders some freedom of action, named for the story of Ulysses ordering his men to tie him to the mast of his ship so that he couldn't jump into the sea when he heard the sirens' song. For example, a union leader heading into a negotiation might promise to resign rather than take a pay cut, making pay-cut demands useless (because if she acceded to such a demand, she'd have to resign before she could formalize the agreement).
In the world of secret spying orders, companies use warrant canaries as a kind of dead man's switch: at regular intervals, they publish a transparency report with statistics for each kind of government request they've received, including "Secret spying orders: 0." After receiving their first secret spying order, they stop publishing that line altogether. If the company sells its service as privacy-oriented, this is, effectively, suicide: the service's users quit using it, and the spies have nothing.
But it's a weak kind of Ulysses pact, because a CEO contemplating suicide-by-canary might just decide that one teensy lie isn't such a big deal after all, and if spy agencies believe that this is the case, they'll have every reason to use secret warrants, forcing the issue.
But technology gives us a new, stronger kind of Ulysses pact, one that takes the choice out of management's hands, a self-enforcing self-destruct button, which has the potential to make some secret warrants totally useless: binary transparency.
There's another kind of secret spying: malware implantation. This is when a government body orders a company to send some of its customers a software update that includes a backdoor. For example, the Saudi government once convinced Research in Motion to backdoor Blackberry devices within its borders. In May, 2014, the anonymously maintained Truecrypt project mysteriously shut down, leaving behind a cryptic note (possibly with a Dan-Brown-esque secret message in it). Many believe that they shut down in response to a government demand to weaken some or all of the Truecrypt programs in the wild.
In the case of programs that run on users' computers there's binary transparency. When a program with binary transparency receives an update, it computes that update's hash (a mathematical fingerprint) and sends it to a server maintained by a disinterested third party. It also checks the hashes of all the other updates that have been received by all the other versions of the program that have checked in. If it sees that it has got a special update, it refuses to install it and alerts the user.
This is a much stronger, more effective Ulysses pact. If a spy agency knows that any attempt to implant malware on a user's computer through a software update will both fail and raise an alarm, there is absolutely no reason even to try.
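The paragraph above describes the client-side check but not how the comparison actually decides anything. The following Python simulation is an added illustration, not code from the column, the mailing-list post, or any real update system: the TransparencyLog class stands in for the third party's server, Client for one installation of the program, the quorum threshold and the sample update payloads are constructed for the demonstration, and the policy (install once enough other clients report the same hash, refuse and alert when others received a different build and nobody else received ours, otherwise hold and retry) is one reasonable way to implement what the text calls refusing a "special update".

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample payloads standing in for real update binaries.
GENUINE_UPDATE = b"example-app 2.3.1 build 4471 (constructed sample payload)"
TARGETED_UPDATE = b"example-app 2.3.1 build 4471 (constructed sample payload, altered)"


def update_hash(payload: bytes) -> str:
    """The 'mathematical fingerprint' of an update: its SHA-256 digest."""
    return hashlib.sha256(payload).hexdigest()


class TransparencyLog:
    """Simulates the server run by a disinterested third party (hypothetical).

    For every (product, version) it remembers which client reported which
    digest. Reports are idempotent, so a client that re-checks a held
    update is not counted twice.
    """

    def __init__(self) -> None:
        self._reports = defaultdict(lambda: defaultdict(set))

    def report(self, product: str, version: str, client_id: str, digest: str) -> None:
        self._reports[(product, version)][digest].add(client_id)

    def counts(self, product: str, version: str) -> dict:
        """digest -> number of distinct clients that received that build."""
        return {d: len(c) for d, c in self._reports[(product, version)].items()}


@dataclass
class Decision:
    action: str   # "install", "hold" or "refuse"
    reason: str
    digest: str


class Client:
    """One installation of the program, with binary transparency built in."""

    def __init__(self, client_id: str, log: TransparencyLog, quorum: int = 3) -> None:
        self.client_id = client_id
        self.log = log
        self.quorum = quorum   # how many other clients must agree before we act
        self.alerts = []       # messages that would be shown to the user

    def check_update(self, product: str, version: str, payload: bytes) -> Decision:
        digest = update_hash(payload)
        # Report before deciding, so even an update we refuse leaves a public trace.
        self.log.report(product, version, self.client_id, digest)
        counts = self.log.counts(product, version)
        same = counts.get(digest, 0) - 1                   # other clients with our digest
        other = sum(n for d, n in counts.items() if d != digest)
        if same >= self.quorum:
            return Decision("install", f"{same} other clients received the same build", digest)
        if same == 0 and other >= self.quorum:
            msg = (f"ALERT: {product} {version} build {digest[:12]}... was sent only to this "
                   f"client; {other} other clients received a different build. Not installing.")
            self.alerts.append(msg)
            return Decision("refuse", msg, digest)
        return Decision("hold", "too few reports from other clients yet; retry later", digest)


def simulate() -> dict:
    """Scenario: four honest clients get the genuine build, one client is singled out."""
    log = TransparencyLog()
    honest = [Client(f"client-{i}", log) for i in range(1, 5)]
    target = Client("client-target", log)
    # The very first client to check in has nothing to compare against, so it holds.
    first = honest[0].check_update("example-app", "2.3.1", GENUINE_UPDATE).action
    for c in honest[1:]:
        c.check_update("example-app", "2.3.1", GENUINE_UPDATE)
    # On retry, three other clients now vouch for the same digest.
    retried = honest[0].check_update("example-app", "2.3.1", GENUINE_UPDATE).action
    # The singled-out client sees a digest nobody else received and refuses it.
    targeted = target.check_update("example-app", "2.3.1", TARGETED_UPDATE).action
    return {"first": first, "retried": retried, "targeted": targeted, "alerts": len(target.alerts)}


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Two properties of the scheme fall out of the simulation. First, the check is only as good as the population it compares against: an early adopter must hold until enough peers have checked in, and the quorum is a trade-off between prompt installs and confidence. Second, the scheme detects an update that differs from what everyone else received; a backdoor shipped identically to every user hashes the same everywhere and passes, which is why binary transparency is usually paired with public review of the build itself.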