The Gold Standard in Free Communications Technology

In a previous blog entry, I posed the question of whether open source communications software is really free, and came to the conclusion that additional principles need to be defined for free communications, above and beyond the normal expectations of free software.

This is a fundamental problem that projects like the FreedomBox, Lumicall and other privacy-enabling free communications solutions must be familiar with. Otherwise there is a risk that development will never end as there is no finish line in sight.

Practical solutions are not so easily defined though: so let's just imagine a perfect solution for a moment. Later, we can contemplate the trade-offs that are necessary to make it practical.

Perfect privacy

Here are some attributes that may exist for a perfect solution:

Privacy must be the default: the user should not have to explicitly request privacy. If there is a risk that an incoming communication will establish a session without full privacy, the user should be able to decline the opportunity to participate.

Only participants to a communication can receive the communication.

A third party should not be able to replay, modify or forge any aspect of the communication or the request to initiate a session.

Only participants to a communication are aware that a communication occurred.

Only participants to the communication are aware of who participated in the communication.

A participant may be anonymous, but in this case all other participants will be aware that there is an anonymous party present in the communication.

Participants may not deduce any information about the other participants that is not explicitly shared (e.g. location, type of device, service provider).

In the case of real-time communication, a participant may leave the communication without any other party even realising that they left or why.

Communication is off-the-record: no participant can save and reproduce a copy of the communication in such a way that a third party will know it was authentic.

Anonymous reception of communications, the perfect post office box: someone may create an anonymous identifier that allows other people to call them without being able to trace their location or identity.
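The off-the-record attribute above is the one that most often sounds impossible, so here is an added example (written for this page, not code from the original post or from any of the projects it mentions) showing the standard way it is achieved: authenticate messages with a symmetric MAC over a key that every participant holds, rather than with a digital signature. The key derivation, the participant names and the session key itself are constructed for the example; in a real protocol the key would come from an authenticated key exchange.

```python
"""Deniable authentication with a shared-key MAC (added example).

Assumes the participants already share a session secret (in a real
protocol it would be agreed through an authenticated key exchange; here
it is a constructed constant). Because creating and checking a tag use
the same key, every participant can produce a validly tagged record, so a
saved transcript proves nothing to a third party: the message was
authentic *to the recipient at the time*, but not afterwards to anyone
else.
"""
import hashlib
import hmac

# Constructed stand-in for a secret agreed by both parties in the session.
SHARED_SECRET = b"constructed-shared-secret-from-key-exchange"


def session_mac_key(shared_secret: bytes) -> bytes:
    """Derive a MAC key from the session secret (simple hash-based KDF)."""
    return hashlib.sha256(b"mac-key|" + shared_secret).digest()


def _encode(sender: str, text: str) -> bytes:
    # Length-prefix the sender so "ab"+"c" and "a"+"bc" cannot collide.
    s = sender.encode("utf-8")
    return len(s).to_bytes(2, "big") + s + text.encode("utf-8")


def authenticate(key: bytes, sender: str, text: str) -> dict:
    """What a participant sends: the message plus an HMAC-SHA256 tag."""
    tag = hmac.new(key, _encode(sender, text), hashlib.sha256).hexdigest()
    return {"from": sender, "text": text, "tag": tag}


def verify(key: bytes, record: dict) -> bool:
    """Check a record's tag. Anyone holding the session key can do this."""
    expected = hmac.new(
        key, _encode(record["from"], record["text"]), hashlib.sha256
    ).hexdigest()
    return hmac.compare_digest(expected, record["tag"])


def forge_as(key: bytes, claimed_sender: str, text: str) -> dict:
    """A key holder fabricates a record attributed to someone else.

    This is literally the same computation as authenticate(): holding the
    key is all that is needed, which is exactly why a valid tag is not
    evidence to an outsider.
    """
    return authenticate(key, claimed_sender, text)


def possible_authors(key: bytes, key_holders: set, record: dict) -> set:
    """Who could have produced this record, as far as a third party can tell.

    A valid tag only shows that *someone with the key* made it, so the
    answer is every key holder, never just record['from']. A tampered or
    unknown record yields the empty set. (With a signature made by the
    sender's private key the answer would collapse to the sender alone,
    which is the non-repudiable behaviour this property rules out.)
    """
    return set(key_holders) if verify(key, record) else set()


def demo() -> dict:
    """Run the scenario: a real message, a forgery, and a tampered copy."""
    key = session_mac_key(SHARED_SECRET)
    holders = {"alice", "bob"}
    real = authenticate(key, "alice", "meet at 9")        # Alice to Bob
    forged = forge_as(key, "alice", "I never said that")  # made by Bob
    tampered = dict(real, text="meet at 10")              # edited transcript
    return {
        "bob_accepts_real": verify(key, real),
        "forgery_verifies_too": verify(key, forged),
        "tampered_rejected": not verify(key, tampered),
        "authors_of_real": possible_authors(key, holders, real),
        "authors_of_forged": possible_authors(key, holders, forged),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the output is that the real and the forged record are indistinguishable to anyone but the participants who were present: both verify, and both could have come from either key holder. OTR goes one step further and deliberately publishes each MAC key once it is no longer needed, so that even outsiders could have forged the transcript. The companion caveat is the one raised in the comments below: a symmetric MAC gives deniability, but nothing stops a participant from keeping a plain log; the guarantee is only that the log cannot be proven authentic.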

Some consequences of a perfect solution

Just imagine if all communications worked in this manner.

There are many potential consequences. For example, if you call somebody and the call is not connected, you will get no feedback about whether their line is busy, out of service or whether they deliberately chose to reject your call.

Another example is somebody who is driving while talking on a telephone. If they have an accident, there will be no way to prove that they were using the phone. This may already be the case if somebody uses a VoIP app on their phone - the police investigating the accident later will simply find no records of calls through the mobile phone account.

Conclusion

The perfect solution described here is something of a holy grail rather than a recipe that a developer can implement. It is unlikely that such a solution will fall out of the sky in the immediate future. Most software products that offer secure communications address fewer than half of the issues described above: for example, digital mobile phones prevent eavesdropping with arbitrary radio receivers, but they don't prevent shops from detecting the IMEI (serial number) of phones that pass through their store and using that information to identify repeat visits to the store.

Comments

The "off-the-record" bits seem like something slightly different from what I'd like to see. I'd say that any participant should be able to save an authenticated and verifiable record of *their* part of the conversation if they wish, and it should be possible in-protocol for one participant to request logging of the whole thing, with any participants that do not wish to be logged not included. This would work similarly to your idea about anonymous participation: anyone can choose to not be logged, but anyone who requests logging can see that there are people who don't want to be logged.

You cannot have all those guarantees at the same time.

For example, for the guarantee that nobody can preserve a copy of the communication, the only way to achieve that would be to allow communications only through black boxes that are not modifiable by the owner, but then the owner can't check that the box really does what it says it does.

That one is actually quite doable; take a look at how OTR messaging works. You can save a log if you like, but not one that preserves the authentication properties you had during the call if the sender doesn't want you to.

"Only participants to a communication are aware that a communication occurred" -- this attribute requires that the traffic patterns don't change whether communication occurs or not, so AFAICT it would require permanent "cover traffic" in the periods where no communication occurs (such traffic is used in some remailer networks). This would make privacy quite expensive with the current overpriced data plans for mobile phones...