This message will self-destruct in five seconds
By: Ian Goldberg
April 5, 2005
The Internet is fraught with threats to your privacy and anonymity: any time you communicate online, whether it be through email, instant messaging, web browsing, filesharing, or any other means, the contents of your messages are sent through many (often dozens of) intermediate machines and networks on their way to their destination. That content can be intercepted, or stored for later perusal, either lawfully or not.
What can you do to protect yourself? Researchers in Privacy-Enhancing Technologies design applications, systems, and products you can use to help stave off the threats.
The most obvious technology to keep your Internet messages private is simply encryption: Alice can encrypt her messages to Bob so that only he can read them. But that's not enough: Bob would also like to have some assurance that it's really Alice sending him the messages, and not someone posing as Alice. For that, Alice and Bob can use authentication technologies.
Encryption and authentication have been broadly applied as a general solution for privacy protection. However, this is problematic; the issue is that different communications paradigms call for different solutions. Security mechanisms appropriate for signing contracts (public-key encryption techniques, such as digital signatures) are not appropriate for other types of communication, such as preserving the privacy of casual conversations.
Many uses of email do benefit from contract-like security: email is stored, copied, retrieved, and filed; messages may need to be readable at unknown times in the future, and still have their authenticity be verifiable. Email encryption programs like Pretty Good Privacy and GNU Privacy Guard do an effective job at this task.
On the other hand, instant messaging (IM) is a method of online communication that feels like it should behave like a face-to-face private chat. Unlike email, instant messages seem to have an ephemeral quality to them. Alice and Bob still want their messages to be encrypted, and they want to be assured of each other's identities, but they no longer have to ensure the messages are readable in the future. Indeed, what they want is deniability: there should be no long-lasting proof that either of them said anything in particular.
These are the properties one would expect from a private face-to-face conversation, and this is what we would like to provide to users of instant messaging. But let's look at how instant messages generally travel across the Internet.
If Alice and Bob are each members of the same IM network, Alice can send Bob an IM as follows:
- Alice sends the message over the Internet to the operator of the IM service (for example, AOL, Microsoft, or Yahoo), with instructions to send it on to Bob.
- The operator of the IM service checks if Bob is currently logged in, and if so, sends the message over the Internet to Bob.
- If Bob is not currently logged in to the IM service, some networks will reject Alice's message, and others will store it, delivering it to Bob the next time he does log in.
It is clear that, at the very least, the operator of the IM server has direct access to all of the instant messages. (In fact, the operators of all the networks over which the message travels also have direct access.) In March, AOL announced a change to its Terms of Service which included:
"by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy. You waive any right to inspect or approve uses of the Content or to be compensated for any such uses."
AOL claimed they never meant for these clauses to apply to personal messages sent over AIM, but the uproar over this change caused them to update their Terms of Service yet again, four days later, including the removal of the line "You waive any right to privacy." But AOL is of course free to change its Terms of Service whenever it likes, as are all the other IM network operators. It is clear that these operators are technically able to read and use your instant messages however they like; if they choose not to look at them, it is only by their good graces.
Off-the-Record Messaging (OTR) is a project I co-founded to enable private communications over IM. It is free (both as in "speech" and as in "beer"), and runs on Windows, Linux, OS X, and others. OTR provides the following properties:
- Encryption: No third party can listen in on Alice and Bob's conversation.
- Authentication: Alice and Bob are assured that they're actually talking to each other, and not an imposter.
- Deniability: Bob could report to Charlie (a third party) everything that Alice said to him. But he can't prove it. Charlie will have to take his word for it.
- Forward secrecy: If Bob or his computer is compromised today (through legal means, such as a subpoena, or extra-legal means, such as a stolen laptop), the conversations he had with Alice yesterday are not revealed.
OTR uses very short-lived encryption keys to protect the instant messages. After Bob receives Alice's message, the key used to protect it is thrown away, and a new one is generated for the next message. Messages are not digitally signed; rather, Message Authentication Codes are used, a technique which allows Bob to check that either Alice or himself wrote any particular message. Since he knows he himself didn't write the ones he receives from Alice, he can be assured that they did in fact come from her. But he can't prove this to Charlie: as far as Charlie knows, Bob could indeed have created all of those messages himself, in order to frame Alice.
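The MAC property described above, shown as an added example that is not part of the original article or of the OTR software. HMAC-SHA256, the function names, and the sample messages are assumptions chosen for illustration; how Alice and Bob agree on the shared key is left out.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, message: bytes) -> bytes:
    """MAC that any holder of `key` can compute for `message`."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, mac: bytes) -> bool:
    """Constant-time check; passes for a MAC made by either key holder."""
    return hmac.compare_digest(tag(key, message), mac)


def demo() -> dict:
    # Constructed session key shared by Alice and Bob (key agreement is
    # out of scope for this sketch).
    shared_key = secrets.token_bytes(32)

    # Alice's real message and the MAC she attaches to it.
    from_alice = b"Lunch at noon?"
    alice_mac = tag(shared_key, from_alice)

    # Bob holds the same key, so he can attach an equally valid MAC to
    # text Alice never sent.
    written_by_bob = b"Lunch is cancelled."
    bob_mac = tag(shared_key, written_by_bob)

    # Someone without the key cannot produce a MAC that verifies.
    outsider_mac = tag(secrets.token_bytes(32), from_alice)

    return {
        # Bob's own check: he did not write it, so Alice did.
        "bob_accepts_alice": verify(shared_key, from_alice, alice_mac),
        # Charlie, handed the key and both messages, sees two valid MACs
        # and has no way to tell which key holder produced which.
        "charlie_accepts_bobs_text": verify(shared_key, written_by_bob, bob_mac),
        "outsider_rejected": not verify(shared_key, from_alice, outsider_mac),
        "tampering_rejected": not verify(shared_key, b"Lunch at one?", alice_mac),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

A digital signature would behave differently in the second check: only Alice's private key could have produced it, which is exactly the lasting proof that deniability is meant to avoid.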
OTR also allows third parties like Charlie to produce completely fake transcripts of messages that look every bit as valid as real ones. (In fact, a toolkit to help you do this is provided with the software.) Because of this, Alice can easily claim any given transcript of her messages has been faked, providing her with additional deniability.
It is important to use the right tool for the job at hand. Traditional public-key encryption provides privacy protections appropriate to long-lived email messages and contracts, while OTR provides protections suitable for casual conversations.