
totally private blogging II: encryption

A while after starting the Logging It service, I realized you might like to use it to log truly private information, like a dream journal, or your finances, bills, etc.

In a previous post, I wrote about how the site is designed so that your logs are protected: only after signing in with your user id and password can your logs be read. That covers access to your logs from the “outside”, through the website; no one else can read your logs (unless you give them your password).

“Inside” Access

Today I’m writing about access from the “inside”, meaning people who have access to the infrastructure that runs the site. At the moment that is mostly me, being the sole employee (and owner) of The Buckmaster Institute.

Well, your log messages have to be stored. If they are stored on a computer that I have access to, I can read them. I may not want to read them, but when one is looking after a system, it is difficult to rule out that one may look at the wrong file and come across your messages. It doesn’t need to be malicious or nosy. It is simply the nature of the situation.

One simple way to resolve this is to encrypt all messages! Don’t store them in a readable form. So I started to work on encrypting all messages, with the encryption key based on your password.

But, while the messages are encrypted, you should still be able to search your logs.

Nowadays, there is a lot of software available to solve many different problems. I couldn’t find one suitable for this case: message-by-message encryption plus a full-text search index that is also encrypted. So I implemented it myself. It took longer than I thought.
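To show what “message-by-message encryption plus an encrypted full-text search index” can look like, here is an added example in Python. It is not the Logging It code: the key derivation parameters, the blind-index design (HMAC of each word under an index key) and the HMAC-SHA256 counter-mode keystream standing in for AES (the standard library has no AES) are all assumptions of this illustration.

```python
import hashlib, hmac, os, re

def derive_keys(password: str, salt: bytes) -> tuple[bytes, bytes, bytes]:
    # One PBKDF2 run split into cipher, MAC and index keys (parameters illustrative).
    km = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=96)
    return km[:32], km[32:64], km[64:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode stands in for AES-CTR (the stdlib has no AES).
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(-(-n // 32))]
    return b"".join(blocks)[:n]

def encrypt_message(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh per message; reuse would expose plaintext XORs
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt_message(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("tampered ciphertext or wrong password")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def blind_tokens(index_key: bytes, text: str) -> set[str]:
    # The index stores HMAC(word) instead of the word, so the server can match a query
    # without learning it. Caveat: it still reveals which entries share a token.
    words = set(re.findall(r"[a-z0-9]+", text.lower()))
    return {hmac.new(index_key, w.encode(), "sha256").hexdigest() for w in words}

class EncryptedLogStore:
    # Server side: holds only ciphertext blobs and blind-index tokens.
    def __init__(self) -> None:
        self.blobs: dict[int, bytes] = {}
        self.index: dict[str, set[int]] = {}

    def add(self, keys, entry_id: int, text: str) -> None:
        enc_key, mac_key, index_key = keys
        self.blobs[entry_id] = encrypt_message(enc_key, mac_key, text.encode())
        for tok in blind_tokens(index_key, text):
            self.index.setdefault(tok, set()).add(entry_id)

    def search(self, keys, query: str) -> list[str]:
        # AND-search: every query word must match; hits are decrypted for the user.
        enc_key, mac_key, index_key = keys
        hits = [self.index.get(t, set()) for t in blind_tokens(index_key, query)]
        ids = set.intersection(*hits) if hits else set()
        return [decrypt_message(enc_key, mac_key, self.blobs[i]).decode() for i in sorted(ids)]
```

Without the password neither the blobs nor the index tokens can be turned back into words, which is the “inside access” property the post is after; the equality-pattern leak noted in the comment is the usual price of a searchable index.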

Loggingit encrypts all your logs

I switched over in October of 2009. If you signed in at secure.loggingit.com, or signed up at secure.loggingit.com since then, all your logs are encrypted before they are stored. It has been working for almost one year now without a single glitch! The nice thing is you do not even notice that encryption is involved. Everything is still easy, nice and fast.

You may ask, why didn’t I write about this change then?

While writing the programs to perform the encryption, I thought that technically, the service doesn’t need to ever decrypt your logs. I could just make the service such that without your user id and password there is no way at all to decrypt your messages.

I was even envisioning not storing your user id at all (which is possible too with state-of-the-art encryption protocols), and making payments for the service anonymous. As long as the money comes in to pay for the operation, it doesn’t affect the service at all whether the system has a record of your name or address! Totally anonymous logging, where only you know that you even have an account. The common “I forgot my password, email me a new one” would not be possible, since there would be no help once you lost the password.

But I was not certain that this level of privacy and anonymity is legally allowed. I contacted several lawyers, but couldn’t find much useful advice. I got the impression that this ambition was too new, too unusual, and would require much expensive legal research, at the end of which laws might have changed, and it would all be for naught.

The Hushmail Case

Then I came across the case of hushmail.com.

Hushmail.com offers an encrypted email service. On the face of it it works like any other web-based email site, but under the hood all messages are encrypted, with the help of a Java applet that is loaded into user’s web browsers. They promised totally private email.

The promise didn’t hold up. I think it is fair to say that it didn’t hold up in a bad way. The police managed to obtain a court order that Hushmail could not fight. The police wanted to read someone’s email. And so Hushmail poisoned the Java applet, for that single user, to make their messages readable for the police.

You can read about that here:

And here is a quote from privacy advocate and PGP creator Phil Zimmermann (member of the advisory board of Hush Communications):

Their hearts are in the right place but there are certain kinds of attacks that are beyond the scope of their abilities to thwart. They are not a sovereign state.

So here is a company proclaiming that the emails passing through their system will be safe from any prying eyes, but they found that they cannot live up to their promise. It also strikes me that Hushmail was compelled to change the software running their service. To me as a professional software developer, that is alarming: changing software, although easy to do, is difficult to do right. I am used to, and expect, extensive testing for all changes.

This was a sad blow to my vision and hopes for Logging It.

Full Encryption

Not for long, though. I realized if you really want to protect a message, you do not need to (and should not) rely on another party such as Logging It. You can encrypt it using your own encryption software, and post it in your logs on Logging It. For example, a browser plugin can make it completely transparent for you. You would only lose the ability to search through your logs at Logging It.

So I hope you will agree that this is a good compromise: Logging It encrypts all messages and promises to decrypt them only when compelled by a court, and only on a user-by-user basis. This protects your logs against “inside access”, lost backup tapes, stolen hard disks etc. If you do need stronger protection for some logs, you can take care of that yourself.

More work needed

In the long run, encrypting log entries is only a first step. It is a basic step, and a useful step. But there are more issues involved, and I’ll be working on them, and keep you informed.

To enjoy encrypted private logging, sign up or sign in!

Thanks for your trust.

Cheers,

Stephan

totally private blogging

A few days ago it occurred to me to search the Internet for the headline of the loggingit.com website, “Totally Private Blogging”.

For example, with Google, the first search result is Make [a] Totally Private Blog on The Real Blogger Status blog, by self-declared “Techno Nerd” Chuck. He explains that with some blogging software “you can block public access to your blog.” You can still “let strangers request access.” And then

“While you close the blog, if you have other administrators, and want to keep them out, you may want to suspend their administrator status.

Of course, this won’t make any blog completely invisible, on the Internet. All of the search engines – Google, MSN, Yahoo, and the others – will have the blog in their cache. That cache won’t go away immediately, or at all in some cases.”

All right, looks like blogger doesn’t make all the options clear to users.

Significantly, however, your blog’s content may be stored by some search engine, unrelated to the blogger service and unrelated to you. Well, if you overlooked that, maybe it wasn’t completely private after all. Could be a small problem, could be a huge problem, if you wrote something that you didn’t want to see published.

Similarly, at the blogger forum you can find this question,

[...] i set my settings so only people invited can view it, and i only invited myself, but if i type in it’s web address, it still shows up! everything! why? i have to stop this!

with the answer

Did you have it public when it was setup? It won’t disappear from public view, in the search engine caches, for a long time.

“A long time” ?!

Turning to another popular blogging tool, wordpress, there is an announcement on their blog about the privacy settings that wordpress supports. They also point out an issue with search engines:

[...] we can’t prevent you [your blog] from showing up in things we don’t control. So if a search engine still indexes you or has a cache of your page, you either have to contact them about it or wait for it to expire eventually. However if you mark your blog as private from the beginning (and it’s now an option on signup) you should be fairly safe from engines like Google.

“Fairly safe”? At their present wordpress features page, there is a list of privacy options. For me, too many options lead to mistakes, whereas fewer options also mean more reliability.

The loggingit.com service is private from the time you sign up: only when they know your user id and password will anyone else be able to read your logs.

Cheers,

Stephan

Update: just a few hours after posting, the Google search for totally private blogging lists this very post as the second search result.

Update 2: Twitter has some privacy feature, which also has (unexpected) back doors, see the LA Times blog about Twitter holes and the Digital Soapbox blog about Protected Tweets – Oxymoron?