Is open source communications software really free?

Does every communications technology based on open source and open standards enable free communications? Or is something more necessary?

The FSF's campaign for a Skype replacement gives some indication that existing free software solutions have shortcomings.

The opening paragraph of their campaign pitch suggests that with proprietary solutions, "we can't be sure who is listening in". Many open source solutions (including VoIP, IRC and email) have exactly the same limitation depending upon how they are configured and used.

If the option of privacy is an essential characteristic of a communications system that should be considered a free solution, then simply using open source and open standards does not make a solution free. Some additional criteria are needed to help evaluate each solution to find out if it is free.

Most major Linux distributions have criteria for evaluating software freedom. Debian has its free software guidelines and provides an interesting set of tests that can be used when evaluating whether a license is free. Yet I could not find any evidence that the FSF or any other organisation has taken steps to define a similar set of guidelines for communications freedom.

The recent incident involving phone tapping at Associated Press gives more hints: journalists expect a certain amount of freedom to interact with and protect sources as they go about their work in a free society, but their technology platform failed to give them that freedom. It is not just journalists who have this expectation and it is not just the Government who might be listening: in the UK, the roles were reversed as News International journalists allegedly gained access to communications records from crime victims and Government officials.

Defining concise, high-level guidelines for communications technology that is genuinely free will not only help us in fulfilling the search for a Skype replacement; it could also have consequences for the evolution of email and other protocols that have evolved with relatively poor privacy support up to now, or for the successful design of completely self-contained solutions like the FreedomBox.

This is one of the topics that has been raised recently on the Free Real-time Communications mailing list sponsored by FSF Europe.

Comments

Daniel, I am afraid that information security is rather a political problem. Of course, we can try to make the software more "free" and more "secure" but the government(s) have simply enormous resources to crack anything. And by the nature of the law you are required to disclose some sensitive information about yourself if you do not want to go underground. In the USA, even the tax board (IRS) is used to prosecute the "dissidents", and the tax information (that is supposed to be strictly confidential, non-political and secure) is used by the White House to suppress the people. The AP scandal is rather minor, in comparison to that. I believe that this is even worse in other countries.

There are slight differences between the encryption of communications and regular encryption. You are quite right about large Governments having additional resources to monitor or decrypt. One factor with communications is that the SRTP keys are generated dynamically - especially with ZRTP, the user has no way to recover the keys. So if somebody with a packet sniffer has recorded an encrypted SRTP flow, the user will not be able to give them any help decrypting it later. This is very different from the case of hard drive encryption, where the user must have the key.

Daniel, unfortunately, SRTP can be cracked with sufficient CPU power. I cannot go into details because this is an open page, but the government indeed is doing such things - and I even know the people. I implemented an SRTP engine a while ago, and I know how it works - and the algorithm is tough but not 100% bulletproof.

Please explain how SRTP can be cracked.