[Freedombox-discuss] Freedombox threat model

Ted Smith tedks at riseup.net
Wed Jun 29 17:35:23 UTC 2011

On Tue, 2011-06-28 at 12:23 -0400, ian at churchkey.org wrote:
> On 06/28/2011 08:55 AM, bertagaz at ptitcanardnoir.org wrote:
> > First, there is no real "central" logging, no unique big
> > brother that the freedombox might want to defeat, but a lot of different
> > (from size to content) logging databases out there, maintained by a lot of
> > different actors.
> . . .
> > Often, interesting databases are the one maintained by ISPs. Even if a
> > hosting doesn't log anything and try to avoid the "central logging of
> > activities" this way, ISPs are at the right place to reveal a lot of
> > things about "activities of the masses" (i.e revealing who browsed a
> > website when posts were made).
> > 
> > I guess the easy answer to this other "central logging of activities"
> > threat is to use Tor when needed/possible. But then, wouldn't that be to
> > close to the "more complex problem of activists needing secrecy,
> > anonymity..."?
> I think this is a great point and one we should pay a good deal of
> attention to in our threat model. I don't actually think Tor is an easy
> answer. If we build a system that routes everyone's web traffic through
> Tor as a general practice, we will never gain adoption beyond the
> members of this list and the existing Tor user base.
> Most people will plug the box in, discover that their online banking
> doesn't work any more, that every website treats them like they are in
> Germany, destroying their ability to conveniently read things on many
> sites, to stream video from anywhere, etc, and that the general speed of
> their internet browsing has dropped substantially. Most people will see
> these results of plugging in a FreedomBox and quickly unplug it.
> There is a scale, it goes from the worse case scenario where everyone
> you interact with online knows everything else you do online, to the
> best case scenario, where no one you interact with knows enough about
> you to be sure that you are the same person from interaction to
> interaction.
> Currently most people are almost all the way towards the worse case
> scenario. We are not going to get them all the way towards the other end
> at once, but we can move them along incrementally and the first step
> towards that is to identify the places where the most information about
> us is being collected and start pushing back. For that reason, my
> current threat model is the over-concentration of personal information
> in a handful of places. At the moment, the biggest information
> centralizers I know about are: ISPs, search engines, and advertisers.
> (Governments are also large information collectors but, in the US at
> least, they function through the hands of the private industries. So
> when the NSA wants to follow all the calls in the US, it gets that
> information from the phone carriers rather than actually going out and
> bugging every phone, or even installing tracking devices on every phone
> tower.)
> We can push back against ISPs, search engines, and advertisers without
> having to route everything through Tor. We can use local proxies that
> automate best practices for direct surfing, things like the
> HTTPS-everywhere, TrackMeNot, and CustomizeGoogle firefox plugins.
> Right there we could cut down on direct click tracking and unencrypted
> http connections while also adding some basic data set poising for the
> rest of the monitoring. Throw in ad blocking and we move a step past
> that. Add an email and chat system and we pull even more data out of the
> center. Encrypt that data, even just with secure SMTP and OTR by
> default, and we cut the ISPs out as well. Do that with enough services
> and people might stop logging in to google every day.
> Alternately, if people are going to be logging in to Google/Yahoo, etc
> every day, we could offer to block that cookie to sites other than
> google, or to re-route search engine searches to another provider or
> many providers, so that one company doesn't have a complete picture of
> your activity online.
> Importantly, all of these things will work without damaging people's
> experience of browsing the web. Some, like ad blocking, will make pages
> load faster and look cleaner. Some, like HTTPS-everywhere, are simple
> enough that any delay should be unnoticeable. The rest, like
> TrackMeNot-like dataset poisoning, we should set up only to use excess
> bandwidth during otherwise down connection time.
> If we get too caught up in trying to build a box that makes people
> completely invisible at the cost of making the internet unusable, I fear
> our tools will never make it far enough in society to actually do much good.
> -Ian

The FreedomBox seems to be much more than a platform for websites. The
last public design document named email, instant messaging, and social
networking as features that the freedombox would have, among others.

Maybe for social networking, users would just go to web pages hosted on
FreedomBoxes. But for email or XMPP (which is the IM standard inevitably
going to be used by the FreedomBox), routing all traffic through Tor is
a very feasible possibility. This would be totally transparent to
end-users, and obfuscate who is emailing or IMing who. If the FreedomBox
social networking system is more interesting than web sites, it could
also use Tor. Since all these protocols would be TLS-encrypted, and the
FreedomBoxes that were the destinations of the traffic could be Tor exit
enclaves, there's little to no chance of traffic analysis from the Tor
exit. Further, using Tor solves a different problem for, say, IM, than
OTR does. OTR keeps an adversary from knowing what you're talking about,
while Tor keeps an adversary from knowing who you're talking to. So the
two systems are complementary, rather than rivals for our attention.

Any time two programs running on FreedomBoxes are talking to each other,
there's very little reason not to use Tor. It only makes sense not to
use Tor if there's no way to anonymize the protocol, in cases like
BitTorrent, or if there's way too much bandwidth required for Tor to
provide, like video streaming. But a BitTorrent client running on
FreedomBox could use Tor to scrape trackers, or to initiate video calls
(but not transport the video). And this would reduce the information
emitted by the FreedomBox that was available for hostile entities to

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL: <http://lists.alioth.debian.org/pipermail/freedombox-discuss/attachments/20110629/6a4abd34/attachment.pgp>

More information about the Freedombox-discuss mailing list