Request: Ability to capture, store and backup sensitive information securely


#1

One of Martus’s most popular features was its end-to-end encryption. In our first Martus Community Call, many current users explained that this felt like an important feature because it keeps their information safe. We want to use this thread to explore the use of this feature, its advantages and disadvantages, and how other security features might be able to address the users’ needs.

Here are some questions to get the conversation started:

  1. What is the role client-side end-to-end encryption plays, or should play, in the documentation space? What need is there for it?
  2. If we don’t implement it, does that expose HRDs to attack? And if we do, how can we make it easy and safe (e.g. avoid efail, discussion of open vs closed systems, etc.)?
  3. At what points in the data lifecycle is it important to encrypt?
  4. What about the risk of people losing their keys, and therefore losing their data? Is e2e worth that risk?

Please share your reflections on the need for end-to-end encryption in human rights documentation!


#2

I think this topic should be expanded to consider all the places where encryption, or cryptographic operations, can be used:

  1. encryption of storage at rest on the client/mobile/desktop and server/cloud devices
  2. end-to-end encryption/verification of each message or request/response within a protocol (allows for message queuing / async handling, as opposed to the typical HTTP model)
  3. transport layer encryption (with protocol and endpoint obfuscation) to defend against identification, tracking, blocking of users
  4. signing and encryption for privacy, confidentiality and identity authentication for specific content, reports
  5. end-to-end message encryption between users of the system

I do think key management must be considered as part of all this, but need to think about that more.


#3

One point that came out of today’s Martus Community Call related to security was a concern about using any tool that is web-based to work with (e.g. upload, share, search) data about human rights violations.

Martus does not need a web browser to do anything - instead it has a desktop client that is installed on a computer. The user can pull down data from the server (encrypted), work with it on their desktop, and then put it back on the server (encrypted) - is that correct @collin?

I’m really interested to learn more about the pros/cons of web-based tools. What are the security concerns? Are there ways to mitigate them?

Thanks, all!


#4

Thanks so much for listing out all of these important considerations, @n8fr8!
I actually took your advice one step further and expanded this topic to securing information - because end-to-end encryption is just one possible solution to this bigger question/concern.


#5

In addition to end-to-end encryption, Martus provides a chain of custody, enabling human rights documenters to crosscheck whether the information shared vertically or horizontally was changed. More information on the chain of custody is being compiled.


#6

Without end-to-end encryption, end users have to rely more on intermediaries, who technically could have easy access to the data. Users have to trust the technology and services they are provided with, as well as the data policies and the ethics of those intermediaries.

Tor hidden services can be used for anonymity. I am not sure if that is present in Martus, but it is available on whistleblowing platforms, suggesting/forcing the user to go through the Tor network.

I think that even if security features are well implemented and well maintained, the weakest link remains the end user who should be trained properly to securely manage his data, identify threats and respond to those threats effectively.


#7

Martus software has built-in encryption and Tor to protect the data from unauthorized users and to help users circumvent censorship. This has also increased the confidence of users and their trust in Benetech and cloud back-up, because they know that neither Benetech nor the server maintenance team is able to see their data. Other developers could borrow a leaf from Benetech, or work with Benetech, to incorporate automatic security systems in human rights documentation tools. Encryption and anonymization will be done automatically once users start using a certain tool. This removes the burden of additional training in how to ensure the security of the data and users. The automation of security protocols solves the issue of forgetfulness on the side of the users and of third parties, and enhances trust. This is the golden principle for both physical and digital security management, which states that security starts with you. Other features to be emulated are a secure automatic back-up system and chain of custody.


#8

Thanks for sharing these thoughts!

I completely agree that as much as possible tools should earn trust by making it easy for the user to know that their data is only accessed by those authorised, backed up, and they support circumvention. For that, I think it is also essential that they are open source, so that it is not just claims made by the developers, but that they can be independently verified.

At the same time, I see some risks with making end-to-end encryption and TOR integration a necessary condition for all documentation tools, and that they should be always on. Risks I see include the following examples:

  • data loss because of key management issues
  • a false sense of security, as in cases where the use of circumvention tools makes users stick out rather than providing anonymity (example: https://www.dailydot.com/crime/tor-harvard-bomb-suspect/)
  • a false sense of security, if there is a chance of device access with access credentials, or through compelling the user to give them up.
  • de-prioritisation of desired functionality (including on collaboration, more sophisticated data models), leading to users either being frustrated, as their primary purpose of effective information management is not reached, or turning to less safe alternatives

Security is complex and as @Janvier1 and @alwalid have pointed out relies on people. In my opinion, a tool can guide and support practices, but it never is a magic bullet and cannot replace making decisions on what trade-offs are acceptable, including the one to decide to not do/use anything at all.