
Re: [Social-discuss] On Data Privacy


From: Ted Smith
Subject: Re: [Social-discuss] On Data Privacy
Date: Mon, 12 Apr 2010 13:39:34 -0400

On Sun, 2010-04-11 at 08:18 -0500, Max Shinn wrote:
> Once data is made digital, there is no controlling it, especially when it
> is put online.

So you assert if I have a file on my hard drive, "there is no
controlling it"? That seems tenuous, at best - certainly if I uploaded
the file, and the data it contained was not encrypted, it would be
trivially copyable, but if the data is encrypted, and I control the key,
I certainly control the data.

>   Security exploits in GNU Social WILL occur, but they are
> only the beginning.  Running individual instances on personally owned and
> managed hardware certainly helps the problem, but it will never solve it. 
> The more individually-run servers that exist, in general, the less secure
> they will be.  Running them on a hosting company or any other host for
> that matter will make them more secure, but it sends the user back to
> stage one: putting their data on someone else's server, just like
> Facebook.  That hosting company will be able to take down or manipulate
> the data on a dime.

I don't see why you think that an instance running on a hosted server is
any more or less secure than an instance running on a personal computer.
The personal computer is probably running fewer services, and
(especially if GNU Social is NOT written as a GLAMP application) the
code running on it is the same as the code running on the hosted server.
If we're talking about exploits in GNU Social, then all GNU Social
instances are equally vulnerable. If we're talking about the security of
the machine running GNU Social, I doubt we can really get anywhere.

Additionally, the hosting company will not be able to manipulate data
(I'll concede taking it down) if the system doesn't "trust the cloud",
similar to Tahoe-LAFS, for instance.

> So, really, only seasoned users who run their own professional hosting, or
> those who know one of these people, will have their information 100%
> private.  Right?  Not quite.  If one server is exploited, my how easy it
> would be to exploit another server that "trusts" that server, or at the
> very least, gain access to private information of other people on other
> servers.  Giving a user on a different server access to a piece of
> information also gives the server operator access to that information.

Only if we assume that when a user accesses data, the server that is
their local GNU Social instance has access to that data. If there is a
separation between the user interface and the social networking daemon,
this assumption doesn't hold, because we can send the encrypted data to
the user and have it decrypted on their UI.

> In addition, unless encryption is used between servers, ISPs can snoop on
> data as it is being transferred.  The stipulations of privacy keep adding
> up.  Technical solutions may help a bit here or there, but in all reality,
> the only way to prevent private information from becoming public is to not
> post it online.

Of course encryption will be used between servers. And ideally, the data
would be encrypted end-to-end, as well. This goes for personal messages,
sure, but also for pictures, event invitations, event pages, etc. This
would be similar to XMPP S2S crypto and OTR crypto, or STARTTLS and
OpenPGP. This isn't particularly demanding - at least both of those
systems exist, and probably a few others that I'm unaware of do as well.

I am willing to put my money where my mouth is, so attached is a truth
about myself that I would like to keep private. It's encrypted to my own
public key. If anyone can recover the cleartext, it will demonstrate
that you are correct, and that the only way to prevent private
information from being public is not to put it online.

> This leads one to question the scope of GNU Social.  Just because Facebook
> provides something doesn't mean GNU Social MUST have it.  For instance,
> personal messaging.  If you want to send private personal messages, use
> email and GPG; DON'T send that information through a web service so that
> your data can sit on who knows what server.  Encrypting that information
> before sending it through the server, and making the user download it
> before decrypting ruins the whole point of going through GNU Social in the
> first place.

I disagree entirely. If Facebook provides something, GNU Social has to
have that and have it better, or it'll never grow beyond the Free
Software Activist ghetto. One feature GNU Social definitely needs to
have is messaging - *everything* has messaging. We can reduce everything
to "just use something else for that" and end up with a GNU Social based
on people using emacs to add links to web pages to html files that are
hosted on a webserver, or sharing pictures via emails with really long
To/Cc fields.

> So for those who just skimmed the message, what I want to say is that
> the expectation of privacy we set should be no greater than that of
> Facebook.  The most advanced level of privacy that can possibly be given
> by a web service is that MOST of your data will be private; in other
> words, a rudimentary "we'll do our best" followed by a firm handshake.

I think this would miss the point of writing a user-freedom-respecting
social networking system. Yes, our code will at some point be exploited,
and we'll have to fix it, and for that window of time there will be a
flaw in our system, but that's life, and there's no reason to throw
privacy out the window because of that.

Attachment: secret.txt.pgp
Description: application/pgp-encrypted

Attachment: signature.asc
Description: This is a digitally signed message part
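The "don't trust the cloud" model Ted describes above (the host stores data it cannot read, and the recipient's own UI decrypts it) can be shown with a short script. This is an added illustration, not code from this thread or from GNU Social; it assumes the two users already share a 32-byte secret (the thread proposes OpenPGP-style public-key crypto; a pre-shared key keeps the example standard-library only) and builds authenticated encryption from HMAC-SHA256 used as a counter-mode PRF plus an encrypt-then-MAC tag, standing in for the vetted AEAD a real system would use. `HostedInstance`, `seal`, `open_sealed` and `run_demo` are names invented for this example.

```python
"""Added example, not part of the mailing-list thread or of GNU Social.

An untrusted host stores only ciphertext. The sender encrypts in their UI,
the host relays opaque blobs, and the recipient's UI verifies and decrypts.
Assumptions (constructed for this example): a pre-shared 32-byte secret
between the two users, and an encrypt-then-MAC construction built on
HMAC-SHA256 so nothing outside the Python standard library is needed.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

NONCE_LEN = 16
TAG_LEN = 32
SAMPLE_MESSAGE = b"private note for Bob only"  # constructed sample plaintext


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Split one shared secret into independent encryption and MAC keys."""
    enc_key = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode: blocks of PRF(key, nonce || ctr)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(shared_secret: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = derive_keys(shared_secret)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(shared_secret: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt. Raises ValueError on any modification."""
    enc_key, mac_key = derive_keys(shared_secret)
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("message was modified by the host or in transit")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class HostedInstance:
    """The 'someone else's server': it stores blobs it has no key for."""

    def __init__(self) -> None:
        self.inbox: dict[str, list[bytes]] = {}

    def store(self, recipient: str, blob: bytes) -> None:
        self.inbox.setdefault(recipient, []).append(blob)

    def fetch(self, recipient: str) -> list[bytes]:
        return list(self.inbox.get(recipient, []))

    def tamper(self, recipient: str, index: int, byte_offset: int) -> None:
        """Simulate an operator editing a stored message by flipping one bit."""
        blob = bytearray(self.inbox[recipient][index])
        blob[byte_offset] ^= 0x01
        self.inbox[recipient][index] = bytes(blob)


def run_demo() -> dict:
    shared_secret = secrets.token_bytes(32)  # constructed: Alice/Bob shared key
    host = HostedInstance()

    host.store("bob", seal(shared_secret, SAMPLE_MESSAGE))  # Alice's UI -> host
    stored = host.fetch("bob")[0]                           # all the host ever sees
    read_back = open_sealed(shared_secret, stored)          # Bob's UI decrypts locally

    # The operator edits the message body (offset past the nonce); Bob fetches again.
    host.tamper("bob", 0, NONCE_LEN + 5)
    try:
        open_sealed(shared_secret, host.fetch("bob")[0])
        tamper_detected = False
    except ValueError:
        tamper_detected = True

    return {
        "host_sees_plaintext": SAMPLE_MESSAGE in stored,
        "recipient_reads": read_back,
        "tamper_detected": tamper_detected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The host can still delete the blob (the "taking it down" Ted concedes), but with the nonce and ciphertext both covered by the tag, any edit it makes fails verification before the recipient's UI ever decrypts anything. The same split also answers the point about other servers' operators: what crosses the server-to-server link is the sealed blob, not the content.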

