[guardian-dev] A critique of ProofMode

Nathan of Guardian nathan at guardianproject.info
Tue Mar 7 10:58:47 EST 2017


This was posted to Twitter today:
http://www.lieberbiber.de/2017/03/07/the-guardian-projects-proof-mode-app-for-activists-doesnt-work/

I think there are some valid concerns that we should mostly address in
more FAQ entries about the app. ProofMode was meant to say that X file
existed at Y time and here is the Z data generated when we detected that
file's existence. The idea that you could generate a photo or create a
camera app that creates a "fake" or filtered photo is definitely something
we understood was possible.

My general statement is that there are always bad actors and malicious
intent, and that the role of humans in building relationships,
reputation and veracity still matters. This is particularly true with
human rights advocacy groups gathering data from witnesses and
investigatory bodies like the International Criminal Court. Like any
evidence, it requires an investigation to verify the data you have.
ProofMode is just meant to provide more data, rather than the current
case where there is no data at all.

As far as technical changes we could make to make it more difficult for
adversaries, there are some possibilities including:

- Storing the key in a way that it can't be exported from the device, even
if rooted. I've been looking at the KeyChain API for this. Has anyone
had experience storing app-generated key data in this way?

- Notarizing the key on a special cloud service (or keybase.io perhaps)
to ensure it came from the actual ProofMode app and not a random PGP
command line... again, any thoughts on somehow tagging the origins of a
key to a specific instance or hardware?

- Not running ProofMode when a USB device is connected, or when a device
is rooted (we can detect both), or simply logging these facts in the proof
CSV file.

- Adding more sensor data into the proof to make it harder to convincingly
fake... this includes putting the gesture/accelerometer data and compass
data back in from CameraV. We used to have this, and you could easily
match the motion of the person holding the camera while shooting a photo
or video to the image or video you were seeing.

Like I said, this is not a surprising critique, and something that, with
CameraV and its built-in encrypted camera and "closed ecosystem"
approach, we actively worked to combat. With ProofMode, we opened up the
system a bit more, and dialed back the paranoia. What we are seeking is
a balance, while keeping the insanely simple user experience intact.

+n

-- 
  Nathan of Guardian
  nathan at guardianproject.info
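The first and third items in the list above (a key that cannot be exported from the device, and logging the rooted/USB state into the proof record) as one added example for Android, written for this page and not taken from ProofMode or from the author. It uses the Android Keystore through KeyGenParameterSpec rather than the KeyChain API, because KeyChain manages user-installed credentials while the Keystore is where an app generates its own non-exportable key. The key alias, the CSV field layout, the su-binary paths used for the root heuristic, and the assumption of API level 23 or higher are all choices made for this example.

```java
// Added example (not ProofMode's own code): generate a non-exportable signing key
// in the Android Keystore, record a few device-state facts, and sign a proof line.
// Assumptions: API level 23+, the caller supplies an Android Context and the media file.
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.BatteryManager;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import android.text.TextUtils;
import android.util.Base64;

import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;

public class ProofSigner {
    // Hypothetical alias chosen for this example; any stable per-install string works.
    private static final String ALIAS = "proofmode-signing-key";

    private static KeyStore keystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        return ks;
    }

    /** Create the P-256 key once. The private half is generated inside the Keystore
     *  and is never handed to the app, so there is nothing to copy off the device. */
    public static void ensureKey() throws Exception {
        if (keystore().containsAlias(ALIAS)) return;
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(ALIAS,
                KeyProperties.PURPOSE_SIGN | KeyProperties.PURPOSE_VERIFY)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .build());
        kpg.generateKeyPair();
    }

    /** True when the key lives in secure hardware (TEE or secure element), which is
     *  what actually keeps it unreadable on a rooted device; software-only keystores
     *  return false and should be logged as such. */
    public static boolean keyIsHardwareBacked() throws Exception {
        PrivateKey key = (PrivateKey) keystore().getKey(ALIAS, null);
        KeyFactory kf = KeyFactory.getInstance(key.getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(key, KeyInfo.class);
        return info.isInsideSecureHardware();
    }

    /** Heuristic root check (presence of a su binary in common locations). A determined
     *  user can hide these, so this is a logged fact, not a security boundary. */
    public static boolean looksRooted() {
        String[] paths = {"/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su"};
        for (String p : paths) if (new File(p).exists()) return true;
        return false;
    }

    /** True when the device is plugged into a USB host, read from the sticky battery
     *  broadcast (no receiver registration or permission needed). */
    public static boolean usbConnected(Context ctx) {
        Intent i = ctx.registerReceiver(null, new IntentFilter(Intent.ACTION_BATTERY_CHANGED));
        if (i == null) return false;
        return i.getIntExtra(BatteryManager.EXTRA_PLUGGED, 0) == BatteryManager.BATTERY_PLUGGED_USB;
    }

    /** SHA-256 of the media file as lowercase hex, streamed so large videos are fine. */
    public static String sha256Hex(File f) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        try (InputStream in = new FileInputStream(f)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) md.update(buf, 0, n);
        }
        StringBuilder sb = new StringBuilder();
        for (byte b : md.digest()) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    /** Build one proof CSV line (hypothetical layout) and sign it with the Keystore key.
     *  Returns {record, base64Signature}; the signature covers the facts, so they cannot
     *  be edited in the CSV afterwards without invalidating it. */
    public static String[] signProof(Context ctx, File media) throws Exception {
        ensureKey();
        String record = TextUtils.join(",", new String[]{
                media.getName(),
                sha256Hex(media),
                String.valueOf(System.currentTimeMillis()),
                "rooted=" + looksRooted(),
                "usb=" + usbConnected(ctx),
                "hwkey=" + keyIsHardwareBacked()});
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign((PrivateKey) keystore().getKey(ALIAS, null));
        sig.update(record.getBytes("UTF-8"));
        return new String[]{record, Base64.encodeToString(sig.sign(), Base64.NO_WRAP)};
    }
}
```

For the second item in the list (tying a key to a specific device), the same API has a hook: from API level 24, KeyGenParameterSpec.Builder.setAttestationChallenge(byte[]) makes the Keystore issue the key with a certificate chain, returned by KeyStore.getCertificateChain(alias), that a verifier can check back to the hardware attestation root; that is a stronger origin tag than a cloud notary that only sees a public key. The root and USB checks above are deliberately reported as fields rather than used to refuse to run, matching the "simply logging facts" option in the message.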

