totally private blogging II: encryption

A while after starting the Logging It service, I realized you might like to use it to log truly private information, like a dream journal, or your finances, bills, etc.

In a previous post, I wrote about how the site is designed so that your logs are protected: only after signing in with your user id and password can your logs be read. That covers access to your logs from the “outside”, through the website; no one else can read your logs that way (unless you give them your password).

“Inside” Access

Today I’m writing about access from the “inside”. The “inside” meaning people who have access to the infrastructure that runs the site. Me, mostly, at the moment, being the sole employee (and owner) of The Buckmaster Institute.

Well, your log messages have to be stored. If they are stored on a computer that I have access to, I can read them. I may not want to read them, but when one is looking after a system, it is difficult to rule out that one may look at the wrong file and come across your messages. It doesn’t need to be malicious or nosy. It is simply the nature of the situation.

One simple way to resolve this is to encrypt all messages! Don’t store them in a readable form. So I started to work on encrypting all messages, with the encryption key derived from your password, so that the key only exists while you are signed in.

But, while the messages are encrypted, you should still be able to search your logs.

Nowadays, there is a lot of software available to solve many different problems. I couldn’t find one suitable for this case: message-by-message encryption plus a full-text search index that is also encrypted. So I implemented it myself. It took longer than I thought.
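As an added example (not Logging It’s own code, which is not published here), the following Python sketch shows one way to do what this section describes: derive independent keys from the user’s password with PBKDF2, encrypt every entry on its own, and keep a search index in which the server stores only keyed hashes of the words (a “blind index”), so it can answer a search without ever seeing the words or the password. The server-side part, `LogStore`, holds nothing that can be decrypted or searched without the password. Everything below is Python standard library; the message cipher is HMAC-SHA256 run in counter mode with a separate encrypt-then-MAC tag, chosen so the example runs without third-party packages, and a real deployment would use AES-GCM from a vetted library instead. The class names, the sample entries and the password are invented for the example.

```python
"""Password-derived per-message encryption with a blind (HMAC) search index.

Added example, not the Logging It code. Standard library only; the stream
cipher is HMAC-SHA256 in counter mode with an encrypt-then-MAC tag.  Use
AES-GCM from a vetted library for the message body in production.
"""
import hashlib
import hmac
import re
import secrets
import struct

NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(password: str, salt: bytes) -> dict:
    """Stretch the password once (PBKDF2), then split into independent subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 200_000, dklen=32)
    return {label: hmac.new(master, label.encode(), hashlib.sha256).digest()
            for label in ("enc", "mac", "index")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: block i = HMAC(key, nonce || i)."""
    blocks, counter = bytearray(), 0
    while len(blocks) < length:
        blocks += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(blocks[:length])


def encrypt(keys: dict, plaintext: bytes) -> bytes:
    """Fresh random nonce per message; tag covers nonce and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(keys["enc"], nonce, len(plaintext))))
    tag = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(keys: dict, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(keys["mac"], nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext tampered with or wrong password")
    return bytes(c ^ k for c, k in zip(ct, _keystream(keys["enc"], nonce, len(ct))))


def index_tokens(keys: dict, text: str) -> set:
    """Blind index: the server stores HMAC(index_key, word), never the word."""
    words = set(re.findall(r"\w+", text.lower()))
    return {hmac.new(keys["index"], w.encode("utf-8"), hashlib.sha256).digest()[:16]
            for w in words}


class LogStore:
    """What the operator's server holds: a salt, ciphertext blobs and blind tokens."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.entries = {}   # entry id -> nonce || ciphertext || tag
        self.index = {}     # blind token -> set of entry ids

    def store(self, entry_id: int, blob: bytes, tokens: set) -> None:
        self.entries[entry_id] = blob
        for t in tokens:
            self.index.setdefault(t, set()).add(entry_id)

    def lookup(self, token: bytes) -> set:
        return set(self.index.get(token, ()))


class LogClient:
    """Holds the password-derived keys; sends the server only ciphertext and tokens."""

    def __init__(self, store: LogStore, password: str) -> None:
        self.store = store
        self.keys = derive_keys(password, store.salt)
        self._next = 1

    def add(self, text: str) -> int:
        entry_id, self._next = self._next, self._next + 1
        self.store.store(entry_id, encrypt(self.keys, text.encode("utf-8")),
                         index_tokens(self.keys, text))
        return entry_id

    def search(self, word: str) -> list:
        tokens = index_tokens(self.keys, word)
        if not tokens:
            return []
        return sorted(self.store.lookup(tokens.pop()))

    def read(self, entry_id: int) -> str:
        return decrypt(self.keys, self.store.entries[entry_id]).decode("utf-8")


if __name__ == "__main__":
    store = LogStore()
    me = LogClient(store, "correct horse battery staple")   # invented password
    me.add("Paid the electricity bill, 84 dollars")          # constructed entries
    me.add("Dream: flying over the harbour")
    me.add("Phone bill due Friday")
    print(me.search("bill"))          # entries 1 and 3
    print(me.read(2))
    snoop = LogClient(store, "wrong password")
    print(snoop.search("bill"))       # nothing: different index key
```

Two caveats a practitioner would want stated. The blind index still reveals which entries share a word and how often each token occurs, and it only supports whole-word lookups, not substring search; that is the price of letting the server answer queries without the key. And the guarantee holds only as far as the client code you actually run is the code you think it is: whoever ships the client can change it, so the server operator remains a party you trust.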

Logging It encrypts all your logs

I switched over in October of 2009. If you signed in at secure.loggingit.com, or signed up at secure.loggingit.com since then, all your logs are encrypted before storing them. It has been working for almost one year now without a single glitch! The nice thing is you do not even notice that encryption is involved. Everything is still easy, nice and fast.

You may ask, why didn’t I write about this change then?

While writing the programs to perform the encryption, I thought that technically, the service doesn’t need to ever decrypt your logs. I could just make the service such that without your user id and password there is no way at all to decrypt your messages.

I was even envisioning not storing your user id at all (which is possible too with state-of-the-art encryption protocols), and making payments for the service anonymous. As long as the money comes in to pay for the operation, it doesn’t affect the service at all whether the system has a record of your name or address! Totally anonymous logging, where only you know that you even have an account. The common “I forgot my password, email me a new one” would not be possible, since there would be no help once you lost the password.

But I was not certain that this level of privacy and anonymity is legally allowed. I contacted several lawyers, but couldn’t find much useful advice. I got the impression that this ambition was too new, too unusual, and would require much expensive legal research, at the end of which laws might have changed, and it would all be for naught.

The Hushmail Case

Then I came across the case of hushmail.com.

Hushmail.com offers an encrypted email service. On the face of it, it works like any other web-based email site, but under the hood all messages are encrypted, with the help of a Java applet that is loaded into users’ web browsers. They promised totally private email.

The promise didn’t hold up. I think it is fair to say that it didn’t hold up in a bad way. The police managed to obtain a court order that Hushmail could not fight. The police wanted to read someone’s email. And so Hushmail poisoned the Java applet, for that single user, to make their messages readable for the police.

You can read about that here:

And here is a quote from privacy advocate and PGP creator Phil Zimmermann (member of the advisory board of Hush Communications):

Their hearts are in the right place but there are certain kinds of attacks that are beyond the scope of their abilities to thwart. They are not a sovereign state.

So here is a company proclaiming that the emails passing through their system will be safe from any prying eyes, and they found that they cannot live up to their promise. It also strikes me that Hushmail was compelled to change the software running their service. To me as a professional software developer, that is alarming: changing software, although easy to do, is difficult to do right. I am used to, and expect, extensive testing for all changes.

This was a sad blow to my vision and hopes for Logging It.

Full Encryption

Not for long, though. I realized that if you really want to protect a message, you do not need to (and should not) rely on another party such as Logging It. You can encrypt it using your own encryption software, with a key that never leaves your machine, and post the ciphertext in your logs on Logging It. For example, a browser plugin can make it completely transparent for you. You would only lose the ability to search through those entries at Logging It, since the service never sees their contents.

So I hope you will agree that this is a good compromise: Logging It encrypts all messages and promises to decrypt them only when compelled by a court, and only on a user-by-user basis. This protects your logs against “inside access”, lost backup tapes, stolen hard disks, etc. If you do need stronger protection for some logs, you can take care of that yourself.

More work needed

In the long run, encrypting log entries is only a first step. It is a basic step, and a useful step. But there are more issues involved, and I’ll be working on them, and keep you informed.

To enjoy encrypted private logging, sign up or sign in!

Thanks for your trust.

Cheers,

Stephan
