In association with heise online

Firefox is already one of the best platforms for browsing securely, with a huge range of options for moving around the internet as anonymously as possible, and ensuring that no one is eavesdropping on communications across it. Mozilla's Thunderbird email client, by contrast, is rather neglected – reflecting, in part, the drift towards web-based email that is part of the problem. That's yet another reason to start beefing up security on Thunderbird so that people can communicate safely using email.

That, of course, requires encryption. It's already available in the form of an OpenPGP plugin, but as a user I have to say it's pretty user-unfriendly, and there's no way that ordinary users will adopt it. What we need is a version of Thunderbird that comes with encryption built in, and with the process of generating keys, and sharing them, made as easy as possible. Mozilla is ideally placed to create and popularise such an approach – because of its hard-won reputation, users trust it in a way they rightly would never trust an ordinary company. It has worked hard on making Firefox responsive to the needs of general users; it should now do the same for Thunderbird, as a matter or urgency.

But I'd also really like to see it creating or at least supporting entirely new kinds of software that are designed to combat the massive, thoroughgoing erosion of our privacy and freedom online. Something like this, for example:

Corporate or official corruption and malfeasance can be difficult to uncover without information provided by insiders, so-called whistleblowers.

However, the proliferation of surveillance technology and the retention of Internet protocol data records has a chilling effect on potential whistleblowers. The mere act of connecting to an online whistleblowing Website may suffice to raise suspicion, leading to cautionary advice for potential whistleblowers.

The current best practice for online submissions is to use an SSL connection over an anonymizing network such as Tor. This hides the end points of the connection and it protects against malicious exit nodes and Internet Service Providers (ISPs) who may otherwise eavesdrop on or tamper with the connection. However, this does not protect against an adversary who can see most of the traffic in a network, such as national intelligence agencies with a global reach and view.

We suggest a novel type of submission system for online whistleblowing platforms that we call AdLeaks. The objective of the AdLeaks system is to make whistleblower submissions unobservable even if the adversary sees the entire network traffic. A crucial aspect of the AdLeaks design is that it eliminates any signal of intent that could be interpreted as the desire to contact an online whistleblowing platform.

This is still a research project, but the code is already available under the GNU GPLv3 licence.

It gives a hint of the kind of thing that could be done, coupling hacker ingenuity with free code to produce tools to support whistleblowing of the kind that recently has provided us with many valuable insights into the ways governments – notably those in the US and UK – are turning the internet (and even open source) against us with large-scale surveillance.

Of course, code is not the solution on its own – we desperately need a wide public debate on what's going on here, and reform of laws that are hopelessly outdated and thus liable to being abused; but it's an important safeguard while we wait for that to happen. And if it doesn't – always a risk given the attempts to downplay the seriousness of what is happening – these kind of free software tools may be the only thing we have left, making their creation even more crucial.

Follow me @glynmoody on Twitter or, and on Google+. For other feature articles by Glyn Moody, please see the archive.

Print Version | Permalink:
  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit