Want to hide your metadata? You probably can't
How not to hide from George Brandis' new surveillance laws
With every development in Australia's data retention debate, the question arises: “how can I stop the government getting its hands on my metadata?”
Routinely, often non-technical journalists give the glib answer “use encryption”, rattle off their favourite list of technologies, and over-simplify things to the point of danger.
The depressing truth is that most people aren't equipped to do a good job of protecting either their metadata or their content, and it's irresponsible for anyone to say otherwise without covering all the risks.
The notion that all you need is encryption and anonymity technologies to get around law enforcement is dangerously simplistic.
Few people have put this better than Cryptome, the world's oldest drop site, here: “Consider that the odds are very high that Cryptome or any other disclosure initiative (anonymizer, leak site, paste, doc-drop, torrent) is a deception operation, witting or unwitting, and avoid their use”, and “never trust any method proposed by a receiver of your material”.
Keep in mind that Cryptome has been handling leaked documents for a long time – since 1996 – and its founders (John Young and Deborah Natsios) remain out of jail. It's at least likely that they understand what they're saying.
However, since there's still a belief that even the non-technical user can take a “One Weird Trick” approach to getting around the Australian government's data retention regime, Vulture South would like to explain the risks at each stage.
Using Tor: Tor provides limited anonymity. The best-documented and best-tested attacks against Tor have one demanding requirement – that the attacker have access to the network infrastructure carrying the traffic.
De-anonymising Tor traffic works even better if you're able to see traffic at both ends – where it enters a network, and where it leaves the network.
While it's paranoid to think that any government would bother de-anonymising Tor on a mass scale, it's fair to say that if you, as an individual, end up being of interest to spooks, you can be identified – at least in theory.
Public WiFi: A public WiFi hotspot, the argument goes, won't be handing your metadata over to the government, because there's an exemption of sorts in the legislation.
The first problem here is that only one layer of data – your connection to an ISP – is protected.
If you were foolish enough (for example) to use that connection to send an e-mail via a vanilla SMTP account, the server logs will still retain some of the kind of data the government wants.
If you made or took a phone call from the cafe, your number and location (to whatever granularity the carrier captures) will be retained.
Also: what confidence can you have in the security of the public hotspot itself?
For example, do you know which model of WiFi router the public network is using? Which level of firmware the hotspot is running? Which patches should have been installed but haven't?
Encrypt your e-mails: Plenty of journalists believe that a tool like PGP is a response to the government's data retention regime, when it's not.
It should be obvious to say this, but it's not: PGP protects the content of the e-mail, not the “non-content data” the Australian government wants retained.
It's an example of dangerously-woolly thinking, because it could encourage someone without technical nous to think “okay, got PGP, now it's safe to leak”.
In fact, the simplistic “use encryption” advice could increase the risk both for journalist and source. What if, for example, a court took a journalist's ability to open a document encrypted by a leaker as indicating collusion between the two?
Yes, there are ways to mitigate the risks – but the over-simplification of operational security into “use encryption, use Tor, you're protected” is what concerns me here.
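The content/non-content split described above can be seen in a single message. The following is an added example, not part of the original article: it parses a constructed, inline-PGP e-mail and lists the fields that stay readable to every mail server handling it, even though the body is ciphertext. All addresses, hostnames and IPs are invented (.example domains and documentation address ranges), and the function name is hypothetical.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime

# Constructed sample message; every address, host and IP is invented.
RAW = """\
Received: from mail.isp.example (mail.isp.example [198.51.100.7])
\tby mx.newsroom.example with ESMTP id abc123;
\tTue, 24 Mar 2015 09:15:02 +1100
Received: from laptop (unknown [203.0.113.45])
\tby mail.isp.example with ESMTPA id def456;
\tTue, 24 Mar 2015 09:15:00 +1100
From: source@isp.example
To: reporter@newsroom.example
Subject: documents
Date: Tue, 24 Mar 2015 09:14:58 +1100
Message-ID: <1@laptop>
Content-Type: text/plain

-----BEGIN PGP MESSAGE-----

(ciphertext placeholder, constructed)
-----END PGP MESSAGE-----
"""

def visible_metadata(raw):
    """Return what a relay can read without any decryption key."""
    msg = message_from_string(raw)
    relay_ips = []
    for hop in msg.get_all("Received", []):
        # Each relay stamps the address it accepted the message from.
        relay_ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", hop)
    return {
        "from": [a for _, a in getaddresses(msg.get_all("From", []))],
        "to": [a for _, a in getaddresses(msg.get_all("To", []))],
        "date": parsedate_to_datetime(msg["Date"]).isoformat(),
        "subject": msg["Subject"],  # PGP does not encrypt header fields
        "relay_ips": relay_ips,
        "size_bytes": len(raw.encode()),
        "body_is_pgp": msg.get_payload().lstrip().startswith(
            "-----BEGIN PGP MESSAGE-----"),
    }

if __name__ == "__main__":
    for field, value in visible_metadata(RAW).items():
        print(f"{field:12} {value}")
```

Only the text between the PGP markers is protected; who wrote to whom, when, and from which address remains in the clear.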
Leak via a secure drop site: This is also problematic.
In giving this advice, security advisors are once again confusing content and non-content data. The secure drop-site is designed to protect your identity and content at the server end, but it does not intrinsically protect non-content data at your end – your connection to the Internet, your location, the fact that you made a connection to an IP address associated with the drop site, and so on.
The business of protecting that non-content data is down to you.
And as for the drop-site's security: it's only as good as the code base. In a world that's experienced Heartbleed, Poodle and FREAK in the space of a year, trusting a drop-site's security seems rash, to say the least.
Where does that leave me? Dangerously insecure, as you always have been; or perhaps, less secure than you might be.
While The Register is not a subscriber to “nothing to hide, nothing to fear” theory, the operational security concerns we've discussed here start with the assumption that you're already of interest to authorities. If you're not, then the data collected about you probably won't be used.
It's that word “probably” that underlines, in part, why Vulture South remains unhappy about the rushed passage of the legislation, the inadequate political debate surrounding it, and the woefully inadequate protections offered to the ordinary citizen.
Of particular concern is the legislation's apparent exposure of stored data to civil litigation, even though the government has tried to say otherwise. The government has protected data gathered “for the purposes of the legislation” – which leaves lots of scope for lawyers to pick out a victim for a test case. ®