[Freedombox-discuss] Freedombox threat model

ian at churchkey.org ian at churchkey.org
Tue Jun 28 16:23:28 UTC 2011

On 06/28/2011 08:55 AM, bertagaz at ptitcanardnoir.org wrote:
> First, there is no real "central" logging, no unique big
> brother that the freedombox might want to defeat, but a lot of different
> (from size to content) logging databases out there, maintained by a lot of
> different actors.

. . .

> Often, interesting databases are the one maintained by ISPs. Even if a
> hosting doesn't log anything and try to avoid the "central logging of
> activities" this way, ISPs are at the right place to reveal a lot of
> things about "activities of the masses" (i.e revealing who browsed a
> website when posts were made).
> I guess the easy answer to this other "central logging of activities"
> threat is to use Tor when needed/possible. But then, wouldn't that be to
> close to the "more complex problem of activists needing secrecy,
> anonymity..."?

I think this is a great point and one we should pay a good deal of
attention to in our threat model. I don't actually think Tor is an easy
answer. If we build a system that routes everyone's web traffic through
Tor as a general practice, we will never gain adoption beyond the
members of this list and the existing Tor user base.

Most people will plug the box in, discover that their online banking
doesn't work any more, that every website treats them like they are in
Germany, destroying their ability to conveniently read things on many
sites, to stream video from anywhere, etc, and that the general speed of
their internet browsing has dropped substantially. Most people will see
these results of plugging in a FreedomBox and quickly unplug it.

There is a scale, it goes from the worse case scenario where everyone
you interact with online knows everything else you do online, to the
best case scenario, where no one you interact with knows enough about
you to be sure that you are the same person from interaction to

Currently most people are almost all the way towards the worse case
scenario. We are not going to get them all the way towards the other end
at once, but we can move them along incrementally and the first step
towards that is to identify the places where the most information about
us is being collected and start pushing back. For that reason, my
current threat model is the over-concentration of personal information
in a handful of places. At the moment, the biggest information
centralizers I know about are: ISPs, search engines, and advertisers.

(Governments are also large information collectors but, in the US at
least, they function through the hands of the private industries. So
when the NSA wants to follow all the calls in the US, it gets that
information from the phone carriers rather than actually going out and
bugging every phone, or even installing tracking devices on every phone

We can push back against ISPs, search engines, and advertisers without
having to route everything through Tor. We can use local proxies that
automate best practices for direct surfing, things like the
HTTPS-everywhere, TrackMeNot, and CustomizeGoogle firefox plugins.

Right there we could cut down on direct click tracking and unencrypted
http connections while also adding some basic data set poising for the
rest of the monitoring. Throw in ad blocking and we move a step past
that. Add an email and chat system and we pull even more data out of the
center. Encrypt that data, even just with secure SMTP and OTR by
default, and we cut the ISPs out as well. Do that with enough services
and people might stop logging in to google every day.

Alternately, if people are going to be logging in to Google/Yahoo, etc
every day, we could offer to block that cookie to sites other than
google, or to re-route search engine searches to another provider or
many providers, so that one company doesn't have a complete picture of
your activity online.

Importantly, all of these things will work without damaging people's
experience of browsing the web. Some, like ad blocking, will make pages
load faster and look cleaner. Some, like HTTPS-everywhere, are simple
enough that any delay should be unnoticeable. The rest, like
TrackMeNot-like dataset poisoning, we should set up only to use excess
bandwidth during otherwise down connection time.

If we get too caught up in trying to build a box that makes people
completely invisible at the cost of making the internet unusable, I fear
our tools will never make it far enough in society to actually do much good.


More information about the Freedombox-discuss mailing list