[guardian-dev] ChatSecure "Burner" accounts

Tom Ritter tom at ritter.vg
Wed Aug 14 15:53:50 EDT 2013


This is cool.  I have some thoughts and speculation about it, but to
be clear all of these use cases are coming from my head.  Do you have
specific users who are asking for this, or in-the-field use cases to
support?  If so, those should take precedence - but nonetheless, my
thoughts.

The point of a Burner Account seems to be to disassociate identifying
information (IP address, real name) from an account.  Okay, cool.
Burner Accounts make that easier, sold.  (It's clear Burner
Accounts should then be restricted to only communicate over Tor.)

But the burner account, in the current implementation, sounds like I
basically use it in place of my main account.  So Jabber will get my
contact list, and get all the metadata of who I'm talking to and when.
But not identifying information.  That's kind of a win I think.  But
not a huge one IMO.  The contact list, metadata, that's a huge
identifying piece of information still.

And the problem I see is how do I communicate to my contacts that a) I
have this burner account and b) you should talk to me over this burner
account and c) no really, it's really me, you can trust it.  That's
going to be painful, and slow, and it's annoying to type a random
username on a phone keypad (there definitely needs to be a "Copy
burner account to clipboard" button).

And to Abel's suggestion, if the burner account dies shortly
thereafter, you're going to have to repeat this arduous process, a
lot.  I'm not sure what use case you're supporting, in the current
incarnation, that makes this amount of effort for the user worthwhile,
when they still leak a lot of metadata.

But let me immediately jump 10 steps ahead.

So I have a chat account, let's say on gmail.  I want to talk to
someone with a gmail chat account.  Google can see all the metadata -
that we're talking, how often, sizes, etc.  It would be very, very
cool to click a menu option on my trusted gmail contact, and that
button takes care of the whole process:

a) Create a burner account
b) Ask my contact to create a burner account
c) Transmit my burner account to my contact
d) Vice Versa
e) Automatically communicate, transparently, with that contact using
the burner account instead of their google account.

Steps (b,c,d) are of course communicated end-to-end encrypted to my
contact, and most importantly should not be distinguishable from a
normal chat conversation (indistinguishable ciphertext, not sent in a
control channel, not constant sized, ideally not constant-timed).

How does this look from a traffic analysis standpoint?  Well, now when
I communicate with my contact, Google isn't getting the metadata.
Jabber, however, *is*.  Let's say I'm _not_ using Tor.  Jabber would
know that one IP address is using, say, 3 accounts, each account
talking to one other account, and each of those accounts has the same
pattern.  It's obvious to Jabber I'm doing this burner account thing.
But they may not know who I am.  (They probably can figure it out
though, let's not stretch ourselves.)  I'd consider that a win,
especially if burner accounts are made on servers I have more faith in
than Google (like CCC's jabber server).  If I am using Tor, and a
different circuit for each account, I get much much much stronger
traffic analysis protection.

I think if the model was extended a little bit, and made very
transparent to the user, you could get something truly innovative and
awesome.  In its current incarnation I think it's pretty cool but I'm
a little unclear on the use cases, and the additional user experience
vs privacy gained.

-tom
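
Added example, not part of the original message and not ChatSecure code: a sketch of the server-side view discussed in the traffic-analysis paragraph, showing how several single-peer accounts from one address stand out and how a separate Tor circuit per account removes that link. The session records, account names, addresses and the `linkable_clusters` helper are all constructed for illustration.

```python
from collections import defaultdict

# Constructed session records as the burner-account server would log them:
# (source address, local account, peer account). All values are made up.
DIRECT = [
    ("192.0.2.10", "burner-a1", "burner-x1"),
    ("192.0.2.10", "burner-a2", "burner-y1"),
    ("192.0.2.10", "burner-a3", "burner-z1"),
    ("198.51.100.7", "carol", "dave"),
    ("198.51.100.7", "carol", "erin"),
]
# Same three burner accounts, each over its own Tor circuit, so each
# arrives from a different exit address (assumed: one circuit per account).
PER_CIRCUIT = [
    ("203.0.113.1", "burner-a1", "burner-x1"),
    ("203.0.113.2", "burner-a2", "burner-y1"),
    ("203.0.113.3", "burner-a3", "burner-z1"),
    ("198.51.100.7", "carol", "dave"),
    ("198.51.100.7", "carol", "erin"),
]

def linkable_clusters(sessions, min_accounts=2):
    """Return {source: sorted accounts} for sources that show the burner
    pattern: several accounts from one address, each with exactly one peer."""
    peers = defaultdict(set)       # account -> peers it talks to
    by_source = defaultdict(set)   # source address -> accounts seen there
    for source, account, peer in sessions:
        peers[account].add(peer)
        by_source[source].add(account)
    clusters = {}
    for source, accounts in by_source.items():
        single_peer = sorted(a for a in accounts if len(peers[a]) == 1)
        if len(single_peer) >= min_accounts:
            clusters[source] = single_peer
    return clusters

if __name__ == "__main__":
    print("direct:", linkable_clusters(DIRECT))
    print("per-circuit Tor:", linkable_clusters(PER_CIRCUIT))
```

The grouping only covers the address-based link; similar timing across accounts is a separate signal that this sketch does not model.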

