
Detaining Developer At US Border Increases Cryptocat Popularity

By Jon Matonis
Forbes
Thursday, June 7, 2012 

http://www.forbes.com/sites/jonmatonis/2012/06/07/detaining-developer-at-us-border-increases-cryptocat-popularity/

The developer of a leading open source application for encrypted
online chat, Nadim Kobeissi, claims to have been detained and
interrogated at the US-Canadian border yesterday. “Out of my 4 DHS
interrogations in the past 3 weeks, it’s the first time I’m asked about
Cryptocat crypto and my passport is confiscated,” tweets
Kobeissi. The US interrogator also asked which encryption
algorithms Cryptocat deployed and was curious about its level of
censorship resistance.

Cryptocat
establishes a secure, encrypted chat session that is not subject to
commercial or government surveillance. It uses client-side JavaScript to
implement 256-bit Advanced Encryption Standard for message encryption
and elliptic curve Diffie-Hellman for key agreement. Similar to the
Off-the-Record Messaging (OTR) cryptographic protocol available via
plugin, Cryptocat generates new key pairs for every chat, implementing a
form of perfect forward secrecy and deniable encryption. However, the
web-based Cryptocat can also accommodate multiple parties to an
encrypted chat session.

Kobeissi recently tweeted,
“it’s important that my interrogation doesn’t blow confidence in
Cryptocat out of proportion. It’s still an experiment that needs work.”
Of course, JavaScript crypto does have its limitations (and critics)
since it would still be susceptible to a server-side code poisoning
attack.

But, the implications for privacy and freedom are truly
astounding. An application like this can save lives, because during the
tense moments of the Arab Spring the sources of certain instant messages
and other online communications were tracked down and killed for their
political views and organizational skills. Indeed, in journalism
sourcing also, the privacy of an off-the-record source can be a matter
of life and death.

Unlike other cryptography products that can
later be used as a verifiable record of the communication event and the
identities of the participants, perfect forward secrecy leaves no such
trail. Kobeissi readily admits
that this feature can be used for bad as well as good, but it’s worth
the risk: “It’s like if someone says ‘Hamburgers: they can be used to
feed the good and they can be used to feed the Taliban. I guess that
means we should get rid of hamburgers then.’ It bothers me that we’re so
afraid that our freedom will be used against us that we’re willing to
just give it up.”

On television, RT America has even gone so far as to refer to Cryptocat as CISPA’s kryptonite
because it’s a service that denies third-party access to private
conversations online, thereby making the Cyber Intelligence Sharing
Protection Act largely irrelevant.

Encryption programs like
Cryptocat that safeguard our private conversations and correspondence
may not be the only government target. Just last year, a Bitcoin
developer coming from China was denied entry and questioned for hours
by US Customs agents about how Bitcoin worked, where he got his
bitcoins, and how he traded them for legal tender.

According to the ACLU,
the border interrogation about Kobeissi’s encryption program raises
troubling questions about the government’s claimed powers at the border.
The “SSSS” designation stands for Secondary Security Screening Selection,
and if selected, you become subject to extensive searches and
interrogations — for any reason whatsoever. Ironically, since overall
awareness about the existence of the Cryptocat program has increased,
perhaps this unfortunate detention at the US border has done some good
after all.