[Ssc-dev] IBA meeting raw notes
Bryan Nunez
bryan at witness.org
Wed Jun 20 13:05:25 EDT 2012
Here are the notes Jackie took during the meeting:
Monday, June 18, 2012
IBA-WITNESS-Guardian Meeting - InformaCam (IC)
Link to Guardian Powerpoint Deck here:
https://www.dropbox.com/s/2fvxhmib72yzqmt/InformaCam_phase_1_report.pdf
Attendees
Bryan Nunez-WITNESS
Harlo Holmes-Guardian Project
Nathan Freitas-Guardian Project
Alison Cole-Forensic Video, OSI
Phil Zeidman-DLA Piper
Ronald-DLA Piper
John Shrives-IBA
Tim Hughes-IBA
Mandy Lee-IBA
Wendy Betts-IBA
Mark Ellis-IBA
Yvonne Ng-WITNESS
Tim Licence-IBA
Ricky Cortez-WITNESS
Sam Gregory-WITNESS
Theresa Harrison-DLA Piper
Tanya Karanasios-WITNESS
Jackie Zammuto-WITNESS
Nathan:
- Update on Guardian project-open source research and development
project, focus on mobile security and privacy, threats in the world to
mobile users. Using free software to improve state of mobile security. Want
to design for users like those that WITNESS works with, human rights
activists, vs. standard commercial users
- Team of 8 with 4 full time. Ties to NYU and other research groups.
$800,000 in funding this year, including Google and Radio Free Asia, and
HIVOS funded group.
- Research side-InformaCam
- Mainstream Apps side-Over 500,000 users, including in Iran and China
and more local
- Twitter added a feature that works with our application to enable
people to access Twitter in countries where it’s blocked-Interesting year
for hr activists
Harlo (PowerPoint <https://www.dropbox.com/s/2fvxhmib72yzqmt/InformaCam_phase_1_report.pdf>):
- Cameras are now software, not hardware, they are general purpose
computers with image sensors
- Good developments-defined meta-data specifications, need your feedback
if we should define it more
- Designed the backend architecture
- Got the app working and communicating with the backend
- Broke up project into 3 parts-(J3M) or Gem:
- App
- Secure Backend
- Meta-data specification
- “A gem-enhanced video”
- “Please search the gem for that submission”
- “We have validated the gem”
- J3M stands for: JSON <http://en.wikipedia.org/wiki/JSON> Evidentiary
Mobile Media Metadata. We are proposing to standardize metadata in media
files in a way that can be adopted by hardware and software manufacturers
as a way to create media that's verifiable and interoperable through various
types of processing and analysis for evidentiary purposes
- More info about J3M can be found here: http://j3m.info/
- Gem specification describes the content of media objects and maintains
a trusted record of chain of custody-wanted to create a workflow that
allows you to have a clear picture of when info is captured, transmitted,
received-all of this info will be embedded
- Shows surrounding objects captured; geolocation, altitude, bluetooth
and wifi networks surrounding the device.
- Able to record metadata on video in moving car, vehicle. Keep an
active log while recording is happening and is embedded as timecoded
metadata. It’s a lot of data, would like to discuss how to fine-tune this.
- If you generate too much metadata it could affect the image or
video, need to determine how often to log
- Using Android because it allows background services, so sensors can
be running while video is being recorded
- Provides metrics for analyzing content and authenticity of media object
- Embeds extra user input into media object-forms or surveys, varies
depending on use. Example-If journalist takes photos of someone, will be
prompted to ask for consent. Journalist fills out a permission form on the
device by checking boxes. These actions are assigned pieces of the
metadata.
- Ability to build out your own forms. Forms are optional. Editing
isn’t synchronous with the capture, can do at a later time but will still
record data into image.
- Could include form where someone could annotate a statement that
someone makes about hearing/seeing a specific incident. Example: A
journalist making a voice recording about why they went outside to capture
footage of a protest-heard noises and knew something was going on.
- Would want to create another piece of media, including audio to
record this statement. Certain types of annotations will happen on the fly,
using same type of media and recording someone's statement.
- On the backend, people could include additional information. Want
people to be able to come back in and provide additional information for
evidentiary purposes in collaboration with the IBA.
- Activist isn't necessarily able to think through all of the steps,
but the form will help walk people through
- Have the opportunity to figure out the best time/placement for this
form, maybe it would be good to put it in at the beginning where someone
describes what is happening before filming vs. after, which is what we were
originally thinking.
- Good idea to think about how little we can get away with so the media
isn't getting bogged down with metadata
- ME: Ultimately want to create a trusted dialogue with individual,
maybe we could compromise by getting certain amount of info up front and
then get additional info on the backend
- NF: Can submit a hash, cryptographic verification code-allows data
bundle to be identified by matching the hash with the actual data (hash is
smaller than actual media-can be transmitted more quickly).
- Example: In Syria, can take a long time for 20MB of material to be
uploaded, hash would be submitted immediately and then when media arrives
at destination it would be matched to the hash, even if it’s 2
months later
- NF: Just received money (tied to State Department) to help distribute
the app into areas that it is otherwise difficult to get the app to people,
China. Once one person gets it, it can be shared. Possible for the icon of
the app to be camouflaged.
GEM (J3M) Specification
- Ownership & Genealogy-signed with a key, gives basic info about type
of owner-individual or organization, info about where device originated,
date created and date acquired, time shutter button was released and when
InformaCam was opened, Public Key
- Data Source & Device -Hash entire image, pixel values, timestamps,
device. Each device has its own key that is public and one that is
generated when you use the app for the first time that is anonymous,
optional. App has a Wizard that walks you through the steps the first time,
lets you decide whether or not to be anonymous. Ways to have public audits,
3rd party audits.
- Multi-point Locations-Location and various parameters is captured,
currently recording every 5 seconds. Cell ID-not all devices have it, back
up option when GPS isn’t available. Could be subpoenaed out of mobile
operator.
- Corroboration-Device name and addresses of neighboring bluetooth
devices and nearby wifi networks. Adds another dimension to corroborating
data, wifi networks are typically only in one place where as bluetooth
shows who is around in that moment. Want to make sure it’s being used in
the proper way. Not collecting packets, not monitoring the traffic on these
links. Google has gotten in trouble for this.
- Is there an InformaCam ID to find out if there are other users
nearby? Yes, has its own hash. This is more work on backend, to determine
who was in the same place at the same time. Could generate maps based on
the data recorded by various devices.
- Also engaged with Berkeley Project on how to visualize some of this
information
- Defined Regions-Blur someone out, redact someone's face, or ID person
through tagging them. All recorded and allows you to redact info in a way
that isn’t destructive. Can reconstruct data from the original image. This
is where the form and annotation would also be stored-could identify a
building or a tank using a form.
- May want to have 2 versions of media–one that goes to trusted
source and one that is redacted so it can be immediately publicized. Some
people may not have a trusted party to send it to, gives them option to
publicize photo or video without exposing identities while maintaining
original data. Not something that IBA is specifically interested in because
they are interested in receiving all of the material.
- ME-ObscuraCam maybe not useful for IBA. Would need to educate user
on documentation, might confuse. We want the unobscured image, can obscure
it when we use it.
- Q: Tim- Choose trusted repository, or is it set beforehand?
- A: Harlo-part of user workflow to choose repository. If making a
specific build for IBA, could be programmed to send only to IBA.
- Alison-anonymizer could be useful in ICC cases if it can do face
recognition -- images documenting chain of command.
- Nathan - app identifies faces, but not whose faces they are
- Tim-IBA will need to show that IBA has not tampered with the image
too.
- Mark: We don’t have to redact, we’re not making it public just
using it for legal purposes.
- Nathan-in the future, will be able to set layers or permissions --
e.g. the judge can see more data than the juror.
- Nathan-while can’t do face recognition, can use geo data to link
recordings of the same event.
Setup Wizard
1st time users are prompted to take a photo-serves 2 purposes:
1) creates clean permanent signing key, fingerprint, source of data
(suggested to take a picture of the wall)
2) used to verify all subsequent images taken from device. Certain amount
of noise on every images that differs from device to device. Ability to
determine device based on the noise in the image. More difficult with
video, need more frames, lower quality resolution. Possibly need people to
take a photo before shooting video if they want this level of security.
- Helps determine if the images were recorded on specific device or if
it was imported to that device. If importing media into InformaCam that
wasn’t shot through InformaCam, would be instant signifier that the media
wasn’t recorded on the device that submitted it.
- Q-ME: Is there any concern that by allowing people to import and then
upload via IC that we are limiting the requirements or undermining
credibility of content? Would it be too draconian to say the info must be
shot and submitted through device using InformaCam?
- Alison: Worth considering, but case to be made for imported video.
Flagging it as imported. Not equal. Could grade the footage, because could
still act as supporting evidence. Currently don’t have the tools to analyze
this, but with IC even if imported you will probably have more info that
you would otherwise.
- JS-Maybe it should be up to the prosecutor vs. the IBA who is
receiving the material. Will likely be getting 3 categories of footage;
InformaCam footage, footage transferred to InformaCam user and then
submitted, all other footage
- ME-IBA needs to decide if we should restrict the importation of video
into our database, or are we going to open it up? Don’t want to jeopardize
our credibility.
- AC-In reality, not everyone is going to have a subscription to
internet and not be able to have IC. Don’t think you want to limit
yourself. Law can make that decision. Various materials can be permissible,
but might not have same value as other evidence.
- ME-Have to manage expectations, only interested in most heinous of
crimes. We’re not opening this up for anyone and everyone. Part of this is
an educational process.
- HH-Doesn't support uploading to secure server through any server
except for the app
- NF-Alpha mode is now setup to record data once photo or video is
taken-looking at how to assess risks to users.
- HH-Certain amount of data recorded into all images. So images shot not
using IC will contain bits of metadata, will help us to flag materials that
aren’t authentic
Workflow:
1) Capture
2) Edit-tap the area you want to edit, get menu with options-pixelate
annotate, identify
3) Annotate
4) Upload-select trusted destination server
Q: JS-Can you add an additional voice track to embed notes about the image
or video from the person who shoots it? Would be useful to have.
A: Not yet, can add.
- Annotation in multiframe/video-can create different versions of the
video, highly compressed version to upload to YouTube. Can trace a path
over frames (bullet path, etc.). All of this is currently working in the
ObscuraCam
- Media Manager-keeps a list of all your media, easy to share. All
metadata is encrypted to you. Can also review the messages or annotations
for images from the server
- Each project is saved in internal encrypted data storage. If user is
stopped and interrogated, the images won’t appear on the phone. Official
would need password
- Cellebrite <http://www.cellebrite.com/> App-our nemesis, this transfers
numbers from old phone to new phone, now being used in forensics. Copies
everything off the phone. Becoming increasingly used. Don’t need a warrant
to ask someone for their phone in U.S.
- Q-TL-Is there a way to install a panic button to wipe the phone?
- NF-Yes, we can do that. Even if it’s plugged into one of these
devices, all of the material is encrypted. Could be subpoenaed for your
password, or could store your password with trusted source.
- ME-Think this is really important. Want a panic button that just
erases the material to ensure that the user is not harmed. Somewhere on the
home screen
- NF-Other question about hiding the app is something else we can
talk about.
- TL-If someone is under suspicion of having the app on their phone,
it would be good to have a way to hide it so we don’t lose all the info
- NF-Might be able to make specific ways to launch the app...turn the
phone upside down and shake it. Is a critical point. Hoping Google could
help with this development.
- Filemanager-easily rename files. share “outside the loop”.
- NF-Can share encrypted bundle to other source in case they can't
connect to IBA. Can also transmit bundle to an SD card and then verify the
key. Could also use Tor to get through firewalls. Seeing Iran and Ethiopia
blocking Tor. Need to look at primary conduit for media delivery. Are there
alternatives when this isn't available? Need to document these other
workflows.
Secure Backend
Can perform analysis on files. Let's talk about this at the end.
- ME-Nathan and Harlo, you have really advanced this and taken it to a
great new level. Thank you, I’m really excited about this.
- NF-Harlo has had the chance to present this with cryptologists and
people know how important it is and people want to help make it a trusted
tool.
DLA Piper Report-Ron (PowerPoint/Print Out)
- This project has led us across the globe, Yugoslavia, Cambodia, ICC,
etc. Hit upon a lot of divergent legal traditions, fortunately not as
spread out as you might think. Thanks to Claire, it's 3am where she is,
but she was integral in putting this together.
- Research into common law traditions
- Most fruitful information was based on interviews with prosecutors
from all over the globe about various traditions. Most of the findings are
common sense.
- We’re in terra incognita, no standards on submission of video in
courtrooms. The ‘pure version’ of images, without the metadata can be
submitted as CCTV.
- Always questions of validity. Always questions about who is taking the
video, have to have numerous people testify to the validity; person who
shot the video, accused person.
- Need to be sensitive to different purposes of evidence. Prosecutors
let the evidence in, but take it for what it’s worth.
- Former prosecutors, when presented with InformaCam were very happy.
Seems like the gold standard.
- Some say effectively no rules of evidence (Kristen), also warned that
we need to be cautious of people’s trust.
- Need to be careful to capture actual events and not just capturing
oral testimony.
- P. 7: Integrity of evidence, Chain of custody-need to assess these
points.
- Will have people asking very tough questions who are skeptical.
Challenge your friends to crack InformaCam, need to make sure we have
people to vouch for this, need Mark’s word that it’s reliable. Can’t have
cracks in the front or back end.
- NF-Talking about risk model or threat model, can look at how much $ or
people/computer power it would take to crack programs, apps, etc. Need to
figure out what we should create in the audit process to verify this. All
of these points of skepticism should be noted so we can figure out how to
back them up.
- Would like to have the person who shoots the video be able to testify.
- ME-That is our ultimate goal. If we fall short of this, is the
information still relevant in evidentiary purposes. Looking at the sliding
scale, if they can’t be there, is the evidence good enough to prosecute
someone, or will it just be used as back up evidence
- TL-This also wouldn’t be the sole piece of evidence that the case is
built upon, there would be corroborating evidence
- Phil-Mention of surveillance cameras raises another issue. Does that
alter anything? CCTV doesn’t have a pre-arranged agenda, should we think
about how this can be incorporated into a different way? Think it’s easier
to get access to this footage. Raising possibility of another source that
doesn’t have pre-set agenda
- ME-Harder to get footage in conflict situations. What is the
likelihood that it’s so relevant that we need to build it into our thinking?
- Alison-May need to think about structuring this into the backend,
database analysis. Written statements collected by NGOs and crime analysis
was drawn out of it. Future of this is video and images. Critical aspect
was the expert who could explain what the mass quantities of evidence
amounted to. Situation in Libya is activating this issue-most of the
evidence against Gaddafi is YT videos. Seems like there are 2 options; in
the past entire databases of witness testimony has been submitted, 92 bits.
New question on how this type of submission will be admitted. Can be a
powerful tool.
- If you have a photo, but don’t know photographer, could use photo for
the indictment, but not to prosecute.
- Phil-Interviews showed us that there are a lot of defense lawyers who
will specialize in keeping video out. Those skills won’t carry through if
we’re using an app like this that verifies the data and corroborates it.
- TL-This app will help build a trusted path
- Sam-Analyzing the quantity of data means we need to think about how to
visualize the data. Working on this with UC Berkeley. Figuring out how to
integrate all of these resources in a comprehensive way.
- JS-Are we submitting a comprehensive data base, or just a lot of stuff
that someone will have to sift through.
- TL-Want to try to limit the possibility of interpretation as much as
possible
- Ron-Cambodia prosecution-video of bodies being brought in by Khmer
Rouge, didn’t admit the video because there was a lot of other evidence.
With this app, having the metadata already embedded would make it more
likely that evidence is admissible.
- Selective editing is important, don’t have ability to edit out
footage.
- Would like to see a demonstration of the product, will bring up more
obvious questions
- Anyone using IC has an agenda and bias. Metadata makes it clear that
the image is what it is.
- Video vs audio-audio may not be admissible because it’s believed to be
biased
- Auto generated vs manually generated-not much of a choice
- NF-activist groups are already deploying small drones with cell
cameras on them. Could eventually be using InformaCam on these. May not
always be a human holding the smartphone.
- Going to start seeing more of this and drone surveillance
- May want to look at streaming footage in Phase 2 of the project
- Contemporaneousness-option of doing a 2nd upload. Don’t want to
pollute the database
- ME-Because you’re raising this issue, think we need to talk this out.
Maybe we need to get back to the idea of only accepting footage that comes
from this app.
- Ron-If it’s transparent where the images come from, I think it is
still ok for evidence
- Think this will be used in ways that we aren’t even thinking about
right now
- P. 9: Closest analogy-CCTV footage, make it so the person analyzing or
downloading the video can also testify, not just the shooter
- P.11: DRC
- Conclusions: Whatever markers of authenticity can be included will
make this golden. Sounds like it’s already there in the metadata, need to
be seen with intelligent eyes. Do you ask people to consent to use the
video?
- Alison-Depends on collection point. When it’s coming from public sites
there is no consent process. Witness statements we need consent to use
their material, otherwise we can’t use their statement.
- Picture evidence used in Nuremberg, Nazis amassed data that was then
used against them.
- Don't need a jury to tell you that video and images make a much bigger
impression than written statements.
- NF-We need you to play the adversarial voice to help us expose issues
and weaknesses. Will continue to test to discover the bad cases.
- Alison: Was there any demand for the physical device in any of the
cases that you reviewed? Worked on a case where we seized the computer of
the suspect and it was opened by both parties.
- Ron: With more evidence, probably yes, but don’t have specific
examples.
- TL-Goes to Nathan’s point that a camera is now software
- NF-Even if totally erased, the data from the image will still match
the IMEI-unique number that every cellphone has. Illegal to change these
numbers.
- Ron-May want to do a credibility test by viewing every image or video
on the device. May require that the device be brought in or that all
content on the device be submitted.
- ME-My sense is that would not be held up in courts, based on your
research it seems unlikely
- Ron-Depends where we are on the spectrum, if it’s to gain a
conviction, maybe not. Not sure how burdensome it would be to do that.
- Sam-Think it would be good to talk to defense attorneys to get that
feedback.
- NF-Could we do a mock trial?
- ME-Yes, would be fascinating to do that. Let the defense attorneys
have at it.
- NF-Could deploy the backend server to go to all of the different
parties
Thomson-Reuters
- Phil-Journalist going to join us with a few questions. Ran into
problem when Reuters disseminated material that turned out to be
manipulated.
- Tom-Possibility of data being altered. No way to determine when a
photo is manipulated. Can even be an unintentional altering of the picture.
Want to know how you will filter and verify this, especially from people
whose motivation might be to alter the situation?
- Phil-What is Reuters doing to verify this? What’s your process?
- Tom-Global picture desk in Singapore that reviews most of the images,
especially from the Middle East. Photos from North Korea are always
scrutinized. Images coming from social media are looked at carefully. Some
techniques in Photoshop that help to determine this.
- Phil-Relying heavily on knowledge of trained individuals. Are you
using technology to help with this?
- Tom-It would be great to have a method outside of Photoshop to catch
these issues. A very suspicious photo can go through various different
people who give different opinions. Haven’t found reliable technology to
sift through large numbers of pictures.
- NF-Do you work with trusted people who submit material on a regular
basis?
- Tom-Yes, but you have to be careful in certain regions. With social
media it’s hard to know if the picture is even what it’s supposed to be. In
Thailand we got a photo of a tidal wave, tried to analyze it by looking at
trees of license plates, etc. Finally determined that it was actually an
image from China. This happens frequently.
- NF-Are you looking at the metadata of photos.
- Tom- Yes, we do. Photos from mobile phones are becoming the easiest
way of getting images from certain regions. If it comes from the phone
without anyone touching, it is more likely to be reliable. Camera to
client. Worked with a company called Fiddlers that had a good system for
verifying video from mobile phones or videos. Unfortunately technology is
always ahead of us. Photoshop is advancing, people can remove objects more
easily. We are trying to catch up.
- Sam-Looking at 2 types of scenarios-1) Rapid news scenario, 2) More
long term
- Working with Storyful on Human Rights Channel. Even with InformaCam,
still good to have another party to verify material. Should look at as an
additional tool, not silver bullet. Might alter the time frame.
- NF-Our bar is setting high in terms of setting verification in terms
of who the sources are, we have a better idea vs. Reuters that accepts from
a range of sources
- Tom-What device do you think would be used?
- NF-We are starting on Android, looking to move into iPhone. It’s open
source, so we’d love for Reuters to help analyze/use this.
- Phil-May want to come back to you for your opinion on this app. Also
need to look at levels of pre-qualification of the source. Appreciate your
time.
- TL-Photoshop now has content aware editing, fills in the background of
an image that is removed. With IC, you have the metadata, which helps
bypass this issue. Their problem is what we’re avoiding, using various
sources.
- JS-Once we get this piece of data, we need to prove to everybody that
we’re not tampering with the data.
- NF-One part of the backend design that could complicate things is that
a 3rd party could host the hash server. Service would just store timestamp
and number. Already exists with digital currency.
- TL-How does a hash file work for video?
- HH-Would want to do it for the entire video. Want to work with the
pixel values. Could do it for every frame. Need to continue testing this.
- NF-Tom echoed our sentiment that camera to client is the most reliable
source. Think we should push this, at least in the first release.
iWitness Build Process (PowerPoint)
JS-
- Chart of areas that we still need to build on; encryption, panic button
- Still need to determine transmission-how do we get it from the phone
to us?
- Tor-need alternatives. Governments may sense increase in traffic. May
mean that we just send out the hash and the rest comes by courier pigeon.
- Access-who will have access, public, private?
- How will people access the info? What forms will they access it in? Do
we need things to look at the taxonomy or metadata? Will it be a computer
or a human?
- Access control-Google docs. IBA uses private Google docs.
Progress
- Already addressed issues from DLA Piper
Data and Database Questions
- Similar questions, want to make sure we have answers; What do we need
to collect? How do we capture, record, prove, project, transmit, protect,
keep? How do we improve, collate, filter, search, report, publish?
Data Flow
- Coming back to databases, should we take the info offline as soon as
we receive it? Should we build into the process a way for copies to be
taken offline and stored elsewhere.
- Who has access to the info, how do we decide this?
- How do we find the info? Google approach? Advanced filtering. JS-I
find Google frustrating.
- TL-could possibly add your own filtering system. Depends on who is
going to be using it.
- NF-depends on chain of custody also, not just one giant database
- TL-Depends on if human will be doing searching, or if a computer will
do this based on the metadata, timestamp, etc. What level do we want to
take it?
- JS-Will it lead to an investigation that no one else wants to talk
about? Could have a private Google Docs.
- TL-Or more of an AP archive approach, different type of search engine.
Gives more of a description. Could be what the person chooses to enter into
the form. Important to think about the end user and how they will be
searching for info.
- NF-Could also take unique identifier of phone and ID what type of
phone it is. Would like to see what the Google docs can index.
- TL-It’s a completely frontend tool that will enable people to browse.
- Phil-If this were a commercial service we’d need to look at this. But
it’s a pretty limited number of users, pretty much already know who the
users will be.
- JS-Questions with the users is how will they use the information.
- Phil-What if the prosecutor calls you and wants to see the 1 of the
500 images you have, what happens when defense wants to see the other 499?
- Alison-Judge could say it needs to be given to the defense with no
limits. NGOs don't want to cooperate with ICC
- ME-Originally thinking about this was more nuanced approach. Were
advocating for piece of evidence that we’ve looked at, assessed, hopefully
created communication with creator of image or video and we have assessed
that it needs to be brought to the next stage and that we bring it to the
prosecutor
- Phil-has to do with philosophy of when IBA becomes an assessor vs an
honest repository of information
- ME-Have to be seen as an entity that has credibility that is
a-political and is using media in a way beyond just looking at material on
YouTube. Don’t think we want to open it to the prosecutor to mine the
evidence
- Phil-There will be a screening process at some stage and we need to
think about where in the process the defense will question
- JS-In my mind, the beginning would be like a bucket where we are
storing the films securely. Then we decide how we are going to use the
information that is coming in. May be able to determine that we need a Tor
here or there. Mentioned work with Berkeley on visualizing
- NF-j3m.info, beginning to advocate for other vendors to use and
produce this. Trying to recruit other toolmakers to use this
- Rashomon Project-Working on idea of timeline viewer, can scrub
through the timeline. Can view multiple videos at the same time, synced in
real time. Can view one scenario from different viewpoints. Here the video
is all manually entered, want to make it auto
- Also looking at helmetcam that has GPS-Contour website started
showing videos with map next to it, can see altitude visualization and
course (snowboarding, motorcycle racing). Can follow subject along map as
they move
- Alison-Have any Ushahidi platforms moved to video?
- NF-They don’t have a lot of video capability at the moment, but
good for mapping.
- NF-Currently they shove all of the GPS data into the subtitles
track. Great potential for using j3m here.
JS-Need to discuss how the data moves from the phone to the central server,
where is the central server and what security measures need to be taken.
How is it retrieved based on metadata. Also need to look at policy pieces
in terms of accessibility, storage.
- Yvonne-Also sounds like there is a lot of metadata you’ll want to
store on the files on your end. You’ll need to collect metadata for your
metadata.
- JS-Will need to figure out how to store the data in a way that can’t
be overwritten
Evidence.com <http://evidence.com/> - Created by people who designed the
taser. Have new glasses for police to wear. Have cloud service where the
footage is uploaded - 'Incident recording and digital management'
-Break-
Secure Backend-Harlo
- Instead of having visible web server with IP, URL, decided to take it
offline and hide it offline using Tor.
- Workflow-When you submit your image to trusted destination (has to be
running Orbot), goes from phone to hidden server on encrypted drive (less
exposure)
NF-Tor is like traditional VPN, but run by a global volunteer service.
Connect to an entrance node into network, data is passed through number of
machines. Enter in one place, exit in another. Web server cannot tie your
access back to original location. Example: If using in country blocking
Twitter, you will likely exit in country not blocking Twitter
- Onion Addresses-Cryptographic keys. Can turn any machine into a
server. Only host at an onion address. No ways to enter data or connect
address with user.
- Can stop traffic surveillance.
- Phone with Tor & Laptop running Tor with hidden service > both enter
Tor Node
- Benefit of Tor-used for a variety of things. Instead of using obvious
VPN, Tor is used by military, investigators, State Department
- Google Play-App Store-Orbot is app for accessing Tor on mobile
devices. Working on over 1/2 million devices around the world. Mostly
really good feedback.
- Combined with InformaCam it creates the gold standard.
- It is one more step to download Orbot, but no additional expense
- One downside-Ethiopia has banned Skype, Twitter, Tor-haven’t banned
contacting the IBA. Could contact IBA via other methods, but not secure
network
- Are we putting them at more risk by requiring this extra software?
- Q: TL-Is it possible to build this into the IC app? This would
eliminate one step.
- A: Yes, this is a possibility. Would make it a little larger, but
doable. Right now they have to download a separate app, but InformaCam does
the rest. IC can prompt user to download Tor
- Even though it’s illegal, often not persecuted in many places
- Q: TL-If someone already had Tor downloaded, would this interfere?
- A: We could work around this.
- Do we also want to support a secondary mode, https? In terms of
simplifying and protecting, this is the easiest option.
- Q: Phil-Who runs Tor and how do they make money?
- A: NF-Started as MIT research project funded by Navy, evolved into
EFF project. Ultimately it is a network of volunteers, including
organizations that have a stake in keeping the internet free. State
Department is auditing their every move.
- China and Iran have been successful at blocking Tor because they
have a lot of programming talent in the government. There are
workarounds.
Increasing battle with growing tech abilities in these regimes.
Q: JS-Where would this laptop be?
A: HH-Encrypted drive that could be onsite, on your desk. Under duress, you
unplug it/turn off and the submissions received will be locked down. A
cloud based server would be impossible to unplug. Don’t need open ports to
the internet.
NF-Adds a layer of who’s running your data center, this means it’s on your
premises
Q:TL-In terms of data compression, how much space would you need?
A: HH-We use standard H.264. Output we create is 3GP, standard video codec,
pretty small. What we export to the server is in Matroska format, can
inject more metadata into this. Issue of quality vs. speed of upload
NF-Capturing about 1MB/sec, 60MB/min. We don’t compress it more than this.
Depends on default, which we can control. For people on a slower
connection, may want to suggest lower resolution.
TL-Better quality video, better the evidence. Maybe could offer different
compression rates depending on internet speed.
NF-Private key for decrypting bundles would be on a different server. If
public machine were compromised, files wouldn’t be openable. Designing with
a malicious network context in mind. Problem with Ushahidi, take in data
that isn’t secure.
JS-If data comes in and then we copy it off to somewhere else, then we work
on it offline. The server can then continue collecting data as we analyze
material on separate device.
NF-Could have USB key, enter password, extract bundles, generate your
Google Docs, unplug key and then originals are safe. Create a workflow for
who has access to private key. We feel that everything should be encrypted
until time of use. Eventually would have to make an unencrypted copy.
- Repo is about securely storing the data and sending messages back
Current Server-Harlo
- Prototype, has to be Tor enabled, grants permissions to users who are
uploading files. Selected server called lighttpd, similar to Apache.
Running PHP, Curl.
- In terms of backend, want to keep web interface. Browser accessible
backend, runs locally on your machine.
- NF-Don’t have to download Tor, just run it. Can see all of the
computers I am connecting to. Can see what organizations are using it and
which ones are running servers. Doesn’t use the computers actual IP address
(example-thinks we are in Sweden). You can choose to say that you’re not in
Sweden, show who you actually are
- Proven that IP doesn’t mean human-Tor trips this up. Protects both the
sender and recipient.
- HH-Not yet possible to publish onion certificates, get ‘Connection
Untrusted’ page. No one will ever know your onion address except for this
app
- NF-First connection using Tor can be slow
- HH-Walk through of InformaCam process-trying to figure out what other
info to include on the backend process
- JS-So if we have a spare server in the office, we can get it set up
with your specifications?
- HH-Yes, and you’d want to get a .onion. We could walk you through all
of this.
- JS-How important is the chain of custody to determine that it hasn’t
been tampered with?
- NF-The hash will be like a stamp that says at this date and time, this
is how the media looked. Encryption is additional
- JS-Does encryption alone bring about suspicion?
- NF-Tor is increasingly being fingerprinted, but being used for
multiple purposes. Better than just going direct to IBA. Some of our design
is influenced by previous instances where organizations are raided and
servers are taken out of the building. By encrypting automatically, anything
that is taken would require a key.
- Recently in NY an organization was raided and the server went
missing. They weren’t informed what happened with the server. Footage of
men in black suits bringing it back, surreal. Fortunately the material was
encrypted. Need to determine whether or not it’s worth
- Need to figure out at what point we would decrypt the info.
- NF-Questions like-do you keep a decrypted copy available? Should you
be able to email the photo around easily? Have a rich data source, need to
develop tools for working with it.
- JS-Depends on how often you will want to share/how many people will
see it
- Alison-View that evidence can be looked at and then decide if they
want to take it on. If it is accepted, it has to go into their database,
their vaults-can’t encrypt it from there. Ringtail-evidence management
database, able to determine who can see that evidence
- JS-So if a video went into that process, you’d want to be cautious
about how it entered their system so that it’s not tampered with. Chain of
custody should be clear the whole way through
- Ringtail has access control, but no encryption system
- NF-Would want to indicate somewhere in a log that it was transferred
to this system. In some ways we should limit what we do. Could write script
in a format that Google Doc could read, thumbnail only, search this way.
Need a way to have a workflow, search, hand it off to other groups
- JS-That would be a good proof of concept, to see how all of that is
setup. Create the script to take it off that server and moved to another
one...
- NF-Yes, something like put your USB card into the server, enter your
key, see what video has been uploaded that day, decrypt it into the
Google doc
- Q: Phil-Other projects that you are involved with, but are relevant to
what we are doing, can we expect you to come back to us with that?
- JS-Is it worth setting up a conference call in 2 weeks to work out the
deployable bits and create a checklist that we could follow (get a server,
.onion address, etc.)
- NF-Yes, we could do that and pull someone else on our team in to help
you out with that
Threats & Risks (PowerPoint)
Threat Model-STRIDE-look at all the possible ways the service could be
infiltrated
S-Spoofing identity. Someone is detained and their device is compromised
and someone starts submitting data using their key. Need protocol around
this. Medium level threat.
T-Tampering-Low level threat, high impact
R-Repudiation. Can this be traced back to the person? Currently it is
traced back based on the key, but it’s a secret key. High level threat.
- Q-How does it get intercepted?
- A-If Tor broke and China ran their own Tor network and people used the
wrong network, someone didn’t understand Tor and used it incorrectly. Or if
your device was infiltrated
I-Information Disclosure-Do we want to make info available. Low level threat,
high impact.
D-Denial of Service, blocking Tor. Medium level threat.
E-Elevation of privilege, unprivileged user gains access. Medium level
threat.
- Look at likelihood and impact of each risk
- If we’re saying this is secure and reliable, need to make sure it
really is
- Will not trust tampered phones
-See slides for more info on threat levels, actors, assets-
Wrapping Up
At an Alpha stage, software is stable, but not complete
- ME-What is your timeframe?
- HH-In terms of client side, we’re on track for a beta release of app
at the end of the summer. For the backend of the structure, the part that
receives and stores info is close to being ready. Will take a lot of
creative work to get backend browsing possible.
- ME-In all honesty, you’re way ahead of where we thought you would be.
I hadn’t expected this, it’s great.
- NF- We want to try to build a complete working model and then break
and improve it.
- ME-Think we need to integrate into your team pretty fast now. Perfect
way of joining forces now
- Phil-We talked earlier about doing a dry run or mock trial, figuring
out the flaws with defense lawyers. Want to have the best possible model
before they tear it apart, but also want to be able to incorporate
feedback. How do we deal with this.
- ME-Don’t think we’d mock trial before this summer is over. Harlo, when
would be a reasonable time to do the mock trial, when would it be helpful.
Think it’d be a great process.
- NF-WITNESS is funding us generally, need to consider other funding and
working towards the timeframe that we have established. We want success,
growth and excitement...but if there are a ton of problems we haven’t
thought of, we need to take a step back. Think we can get pretty far with
this group, then move towards the mock trial.
- Phil-Where do you see Dublin fitting into this? IBA annual conference
- ME-Think it’s more getting people up to speed. Don’t see a major
release. Will be on the quiet side
- NF-We can add you to our project management site so you can see what
updates we are making
- ME-Do we need to revisit any of the details about the database. You
guys were ahead of us.
- TL-Think we can do that in a separate conversation
- NF-Think you have a great list of questions, want to make sure they
are all answered.
- JS-Some policy questions
- TH-Set of guidelines to the user is also important. Want to establish
this and figure out a way not to scare off the user, but make sure they are
informed.
- TL-Could lead them to another web page for more info.
- NF-Default to WITNESS on training details.
- Bryan-Think there needs to be a baseline understanding of mobile
security before it is distributed. Should also consider targeted malware.
Phone is like a PC. We can create encryption, but it doesn’t protect you
from bad practice or malware.
- NF- There is a model where we could distribute the phones set up with
the software in trainings. Also apps to scan for malware. We can address a
certain amount in the Wizard.
- JS-We have the product, need to look at packaging
- Bryan-Needs to be tested in the field before any use in the field is
happening. Any outreach activity needs to be based on the type of user that
we are targeting.
- NF-Maybe would choose reporters or trained professionals first to test
it. Or maybe community journalists in Portland, Oregon. Good ways to step
up from nothing to deployment. Can be dangerous when someone is so excited
to use it because they are in a dangerous situation, but then they don’t
use it properly.
- ME-We might be able to help with that by pulling together groups to
test this in a controlled environment.
- Bryan-Also want to ease into it. Don’t want to go straight to Syria or
somewhere that having the app on your phone is a death sentence
- JS-Assume you don’t need to test the metadata, but more the user’s
perspective
- Phil-In terms of identifying people who could poke holes, news
stations also have the incentive to remove the disclaimers ‘can’t verify
this clip’, maybe we could get feedback from news people who would be
interested in the possibilities of this.
- Bryan-Talking to Columbia Digital Humanities Center about partnering
to have them help us test out the app. Think that our ability to get
journalists to use these applications is key to normalizing this process
- Phil-As citizen journalism becomes bigger, the more important this
becomes.
- NF-Would it be good if CNN adopted this
- ME-It’s not our purpose, but think it could be useful
- Phil-One of the things we want to do is make more people willing to do
this and do it the right way. More people using it will work to our benefit
- TL-Think journalists wouldn’t be as interested in using it for IBA
because they want to get the info out there.
- ME-Not sure this is true. Think they could use it. Would keep the
video alive beyond just getting a bunch of hits on the news station
- Phil-Next Tiananmen Square could go very differently if we are
encouraging people to use this, including journalists
- JS-Example of taking an image, sending one to IBA and one to another
source, do we face issues of it sensationalizing the issue.
- Alison-Historically journalism hasn’t been excited about international
courts, don’t want to testify. Might be useful not to mention that the
potential user is ICC, better to frame it as IBA
- NF-Think engaging with Reuters would be great potential, or to use
them to help verify info
- Usability: Does the 3 secs it take to encrypt the video seem confusing
to the user?; language issue –don’t want literacy to be a huge barrier to
entry (visual instructions);
- Critical issues: crashes
- Want authenticated video so it can be used for prosecutions –news
stations should want this too –they are not our target market, but maybe we
can get them to help (poking holes, etc.)
- Phil-Important to control the message going out to who is using the
app, otherwise it will get lost
- NF-Think we need to come up with the 2 sentence pitch. What is a
process people trust and how do we compare that to this app
- TL-Bryan said WITNESS has footage in their archives that could be used
to help promote this
- NF-Few technical points we are challenged by. Will advise you as these
things progress. In terms of the major challenges, we’ve overcome those in
the last 6 months
- JS-Are we in a position to start deploying the pieces, or do we have a
few more weeks work before this happens
- HH-It’ll take a little more time to firm up the model
- ME-Take your time, you guys are doing great. I feel like you’re ahead
of schedule
*
On Wed, Jun 20, 2012 at 1:00 PM, Nathan of Guardian <
nathan at guardianproject.info> wrote:
> Straight from my tab to you...
>
> ***
>
> Informacam output is more like satellite or cctv footage.
> Need to focus on capturing actual events and not oral affidavit.
> Need to beat up the chain of custody model and ensure it can withstand
> integrity audit.
> Hashing and immediate submission of custody media and package is critical.
> Combination of external sources like surveillance cams
> Import entire database
> Audio narration or prereport
> Streaming or recording
> Secondary upload is troubling
>
> Thomson Reuters
> Had a case of media manipulation even unintentional altering
> Motivations of source may be to alter public opinion
> Group in Singapore that are expert photo editors
> Scrutiny is human powered
> Photoshop techniques can be used that are difficult to detect manipulation
>
--
Bryan Nunez
Technology Manager
WITNESS
+1 (718) 783-2000 x-311
Check out our new Human Rights Channel <http://www.youtube.com/humanrights> on
YouTube
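The notes above describe the hash as a stamp ("at this date and time, this is how the media looked") and ask for a log that records each hand-off (server to USB key, then into an evidence database) so the chain of custody stays clear the whole way through. The following is an added illustration written for these notes, not InformaCam's own code and not the j3m format: a capture-time manifest plus a hash-chained custody log in which every entry commits to the previous one, so a removed, edited or forged entry, or media that no longer matches its stamp, is detectable. The manifest fields, the log layout, the per-device HMAC key and the sample media bytes are all assumptions; a real deployment would sign entries with the submitter's own key rather than a shared secret.

```python
"""Capture-time hash stamp and hash-chained custody log (illustration).

Assumptions (not from the notes): manifest/log field names, the use of
HMAC with a per-device secret as a stand-in for a proper signature, and
the constructed sample media bytes.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "prev" link of the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical_hash(obj) -> str:
    """Hash a stable JSON serialization so equal content always hashes equally."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(blob)


def make_manifest(media: bytes, metadata: dict, captured_at: str) -> dict:
    """The stamp: binds the media hash, capture time and metadata together."""
    manifest = {
        "media_sha256": sha256_hex(media),
        "captured_at": captured_at,
        "metadata": metadata,
    }
    manifest["manifest_sha256"] = canonical_hash(manifest)
    return manifest


def append_entry(log: list, action: str, actor: str, at: str,
                 media: bytes, key: bytes) -> dict:
    """Record one hand-off; the entry commits to the previous entry's hash."""
    entry = {
        "action": action,
        "actor": actor,
        "at": at,
        "media_sha256": sha256_hex(media),   # re-hash the media at every step
        "prev": log[-1]["entry_sha256"] if log else GENESIS,
    }
    entry["entry_sha256"] = canonical_hash(entry)
    # Keyed MAC over the entry hash: ties the entry to whoever held the key.
    entry["mac"] = hmac.new(key, entry["entry_sha256"].encode(), "sha256").hexdigest()
    log.append(entry)
    return entry


def verify(log: list, manifest: dict, key: bytes) -> list:
    """Return a list of problems found; an empty list means the chain is intact."""
    problems = []
    prev = GENESIS
    for i, e in enumerate(log):
        body = {k: v for k, v in e.items() if k not in ("entry_sha256", "mac")}
        if e["prev"] != prev:
            problems.append(f"entry {i}: prev link does not match previous entry")
        if canonical_hash(body) != e["entry_sha256"]:
            problems.append(f"entry {i}: entry hash mismatch (edited in place)")
        expected = hmac.new(key, e["entry_sha256"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, e["mac"]):
            problems.append(f"entry {i}: MAC invalid (forged or re-hashed without the key)")
        if e["media_sha256"] != manifest["media_sha256"]:
            problems.append(f"entry {i}: media hash differs from capture-time stamp")
        prev = e["entry_sha256"]
    return problems


def demo() -> dict:
    """Intact chain, then three tampering scenarios; returns verify() results."""
    key = b"constructed-per-device-secret"          # assumption, for illustration
    media = b"\x00\x00\x00\x18ftyp3gp4" + b"constructed sample video bytes"
    manifest = make_manifest(media, {"gps": [40.69, -73.98]}, "2012-06-18T10:00:00Z")

    log = []
    append_entry(log, "captured", "phone", "2012-06-18T10:00:00Z", media, key)
    append_entry(log, "received", "collection-server", "2012-06-18T10:02:00Z", media, key)
    append_entry(log, "exported", "analyst-usb-key", "2012-06-19T09:00:00Z", media, key)
    append_entry(log, "imported", "evidence-db", "2012-06-19T09:30:00Z", media, key)

    # 1. media altered after capture and handed on again
    log_altered = list(log)
    append_entry(log_altered, "re-exported", "unknown", "2012-06-20T08:00:00Z", media + b"!", key)
    # 2. a hand-off entry quietly deleted from the middle of the log
    log_gap = log[:2] + log[3:]
    # 3. an entry edited in place without recomputing its hash
    log_edit = copy.deepcopy(log)
    log_edit[2]["actor"] = "someone-else"

    return {
        "intact": verify(log, manifest, key),
        "altered": verify(log_altered, manifest, key),
        "gap": verify(log_gap, manifest, key),
        "edited": verify(log_edit, manifest, key),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "OK")
```

Each hand-off re-hashes the media and links to the previous entry, so the log answers both questions the notes raise: whether the bytes still match the capture-time stamp, and whether every transfer (server, USB key, evidence database) is accounted for. The HMAC only proves possession of the shared key; replacing it with a signature under the submitter's own key is what would give the non-repudiation the STRIDE discussion flags.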