People of ACM - Joan Feigenbaum
February 21, 2017
Why is this an exciting time to be working in the computer security and privacy field?
Today we use networked, digital devices in almost all aspects of daily life: commerce, recreation, government, and even friendship and romance. These networked devices create records of our daily activities, either as their primary products or as by-products. For better and for worse, the huge amount of personal and potentially valuable information that is now routinely recorded has led to an era of mass surveillance. Companies capture us on surveillance cameras as we come and go, monitor our financial transactions for suspicious patterns, and scan our email messages for selected keywords. Ad-supported cloud services record and mine our online activities so that they can target advertisements more precisely. As we learned during the Summer of Snowden in 2013, governments have been surveilling our electronic communications on a breathtaking scale in the name of national security. Recently, we have learned that US Customs and Border Patrol agents sometimes demand phone and social-media passwords—even of US citizens.
Although the questions are not new, they are finally commanding our attention: Is mass surveillance a necessary tool for national security and an ingenious way to pay for the "free" services of cloud providers such as Google and Facebook, or is it a creepy invasion of privacy and a violation of the Fourth Amendment of the US Constitution? If we reject it as invasive and unconstitutional, what alternative approaches might we take in our efforts to promote national security and to support powerful cloud services?
The Pri-Fi project, on which you are a principal investigator, and the Dissent project that it builds on, seek to build practical anonymity systems. Why are you hopeful that progress can be made in this area?
At this point, the security community has many years of experience with Tor, which uses “onion routing” to send traffic through randomly chosen relays scattered around the Internet. Onion routing is a scalable, general-purpose, point-to-point anonymity substrate, and it appears to be effective against many of the attacks currently in use. Unfortunately, it is also vulnerable to several known attacks, including “traffic confirmation” (in which an attacker who compromises a major ISP or Internet exchange might be able to de-anonymize many Tor users in a matter of days) and “intersection attacks” (in which an adversary can rapidly narrow the anonymity of a target via actions linkable across time).
Dissent takes a collective approach to anonymity that is fundamentally different from onion routing; the approach is based on “dining cryptographers,” or DC nets, which offer provable anonymity guarantees. The Dissent approach can be used in many real-world scenarios to achieve critical objectives; for example, our ongoing Pri-Fi project builds upon Dissent to achieve untrackable communication over wireless LANs. However, this approach is unlikely ever to provide a completely general-purpose, unconstrained, individualistic anonymity substrate in the style of Tor, because there may be unavoidable tradeoffs between perfect generality and provable anonymity. The fact that the security community now has the experience to recognize tradeoffs and the technical tools to increase the diversity of practical systems is the reason I’m hopeful that we’ll see progress on the anonymity front.
You have pointed out that, although the study of anonymous-communication technology is usually motivated by high-stakes use cases (e.g., battlefield communication and whistle-blowing), anonymity is actually a feature of many quotidian activities (e.g., paying cash, voting, participating in opinion polls, and browsing printed material in a bookstore or library). You’ve gone on to argue that we need technology that enables people to perform these quotidian activities online in the same anonymous fashion in which they perform them offline. Can’t tools used by ordinary Internet users to conceal their identity also be used by criminals and terrorists to avoid detection?
Of course they can, but that’s not a good reason not to deploy them. Technological progress is inherently available to everyone. Criminals and terrorists can use airplanes and phones to travel and communicate in pursuit of their illegal activity, but that’s not a good reason to deprive the rest of us of access to airplanes and phones. They can conduct their illegal activity behind locked doors in private homes, but that’s not a good reason to mandate that the rest of us leave the doors to our homes unlocked. Law enforcement and intelligence officers have many ways to acquire information about legitimate targets. Armed with knowledge about the physical locations, schedules, friends, business associates, or other features of a target, which they can acquire using standard investigative techniques supported by proper warrants, they may be able to catch that target; remember that they caught Ross Ulbricht of the Silk Road, even though he was using Tor and Bitcoin. It’s simply not the case that the ability to send an email message or make a phone call anonymously renders someone invulnerable to all of the government’s investigative powers.
For the Celebration of 50 Years of the ACM Turing Award conference in June, you will be moderating the panel “Restoring Personal Privacy without Compromising National Security.” One topic that will be addressed is the importance of holding government agencies accountable for the proper use of information. What legal mechanisms need to be put in place to strengthen government accountability?
In ongoing work with Bryan Ford of EPFL, who will be one of the “privacy and security” panelists at the Turing 50 conference, I take the position that neither technical mechanisms nor legal mechanisms are sufficient on their own. We need to integrate cryptographic protocols with laws, regulations, and administrative procedures in order to facilitate warranted electronic surveillance that is privacy-preserving with respect to innocent bystanders, limited in scope, subject to oversight by both regulatory agencies and ordinary citizens, and governed by open processes that the public can debate and challenge in court.
With proper system design, this combination of surveillance power and privacy safeguards is sometimes achievable with existing, well studied technology. For example, Ford and I showed in joint work with our former student Aaron Segal (now at Google) that the NSA could achieve a key goal of its CO-TRAVELER program (i.e., identifying the unknown associates of a known target of investigation) without acquiring the identities of the very large number of innocent people who occasionally coincide with the target physically or electronically. The key technical ingredient in our solution is privacy-preserving set intersection, a mature and practical technology developed by the cryptographic-research community. We believe that many of the powerful computational techniques that the community has proposed can be integrated with law and policy in a manner that delivers both privacy and security to law-abiding citizens.
Joan Feigenbaum is Department Chair and Grace Murray Hopper Professor of Computer Science and Adjunct Professor of Law at Yale University. Her research interests include security and privacy, computational complexity, and Internet algorithms.
She was named an ACM Fellow for foundational and highly influential contributions to cryptographic complexity theory, authorization and trust management, massive datastream computation, and algorithmic mechanism design. She is also an AAAS Fellow, a member of the Connecticut Academy of Science and Engineering, and a Connecticut Technology Council Woman of Innovation. Feigenbaum will be a panel moderator during the Celebration of 50 Years of the ACM Turing Award conference on June 23-24, 2017.