Math is Universal; Ethics Are Not

So I just finished up reading Quinn Norton defending TOR in a counter-piece to Yasha Levine’s initial questioning of the funding behind the developers that create TOR, and while there were some things I think that she said well, particularly in how systems like TOR work and the math that underlies strong cryptography, I still found myself shaking my head by the end of the article from some of the things that she left unsaid.

First off, what she gets right:

> I want to say immediately that when Yasha Levine went looking at the project’s funding, he was following a tradition of vital and good journalism. “Follow the money” is a maxim of investigation that will rarely lead you wrong, especially in matters of political policy. There are only a few places where funding can’t influence the contents of the outcome – maybe fundamental physics, and math, and not much else. Math is as far from policy as human endeavor gets. Math either works or it doesn’t work, and that is true for everyone in this galactic cluster, at the very least. What makes Tor different from the usual thesaurus-full of government projects is that Tor is essentially a very elaborate math trick, using layers of math puzzles to create a network-within-the-network. That math is being implemented in front of a global audience of millions of sophisticated watchers. It is likely the most examined codebase in the world. It has been subjected to multiple public audits. The math, well known and widely standardized, will work for everyone, or it will not, whoever pays the bills.

This is spot-on from a technical standpoint. Policy decisions don’t change math, any more than ignoring climate change will make it go away. My initial view of Yasha Levine’s article was much in the same vein as Norton’s take on it above: from a journalistic standpoint he was doing his due diligence, but from a technical standpoint the funding didn’t matter. So far so good.

But there’s a problem with taking a purely technical angle on this: any project like TOR, math and all, *is* subject to subversion in any number of scenarios.  To expand on that, first I’ll quote Norton again:

> Occasionally the stars align between spooks and activists and governments and anarchists. Tor, like a road system or a telephone network or many pieces of public infrastructure, is useful to all of these people and more (hence the debate on child pornographers and drug markets), because it’s just such a general architecture of encryption. The FBI may want Tor to be broken, but I promise any spies who are counting on it for mission and life don’t. Once again, math makes the final call — a bug in Tor exposes the US Government users as surely as it does a Silk Road-style site. A “backdoor” could get concealed in code or in the particular implementation of the cryptographic math, but there’s no way it could only be a backdoor for the US Government, and there’s no way anyone using such a flaw could ever know if it was being used by someone else.

There’s an underlying assumption being made by Norton here that deserves being challenged: the idea that the U.S. Government is a monolithic entity, that the bonds of government brotherhood (or even the bonds of practicality) will hold different alphabet soup lettered agencies together. That the FBI wants TOR broken is not speculation; they’ve said as much. That the spies who rely on it don’t want it broken is also a fair assumption. But what Norton has missed here is that not all spies are necessarily working in lockstep. It’s not too difficult to imagine a scenario where, say, the CIA wants TOR to be functional and rock solid for their own purposes – but the NSA, on the other hand, would rather TOR have a back door in it. We live in a country that has 17 different intelligence agencies; agencies with different budgets, different people running the show, and even from what we lowly peons can see, often different agendas. And remember: the power that these agencies hold is *staggering* – if you think it’s inconceivable that the NSA would do everything it could to undermine TOR despite the fact that it would weaken it for CIA agents in the field, well I have some beachfront property in Oklahoma to sell you.

Now, all that being said I’m obviously speculating here. For all I know, things stand as Norton has claimed – indeed as someone who’s used TOR extensively in the past, I’d love to believe it does stand this way. But there’s another troubling aspect to this that she fails in her entire post to even mention indirectly: the conduct of the developers behind any given project should be taken into account when that conduct itself is directly counter to their stated aims.

Behind the above-board wrangling between various TOR developers and Yasha Levine, something else happened that Norton is certainly aware of, and ought to have mentioned: some of the lead developers of TOR doxxed a critic of theirs. Doxxing, if you’re unfamiliar with the term, is stripping someone’s anonymity online by posting up personal information. It’s a shitty, shitty practice with often life-ruining consequences. The critic in this case was a Twitter user by the name of JBJabroni. JB was obnoxious in my view, insulting often, and definitely walked a line of misogyny (again in my view – I’m not particularly interested in debating whether it was or not). But he was also, very very often, putting forth legitimate criticisms. Those of us who interacted with him on Twitter usually characterized him as someone who “connected dots”. Again, I’m not defending his ‘trolling’ as the TOR devs have labeled it – because it’s frankly irrelevant. [Note: in case it was unclear from this, I don’t even *provisionally* support doxxing – even if it’s someone I don’t personally agree with. For more on this particular doxxing, and the absolute viciousness behind it, I’d recommend this excellent piece from @RancidSassy] [Note 2: I’m not going to edit it, since I said it I’ll own it, but several people have pointed out that JB really wasn’t misogynist – and I think I agree. Sexist, maybe, but not misogynist]

The TOR devs that performed the doxx (and their supporters) 1) unmasked his anonymity and 2) apparently called his place of work and got him fired.

Think about that for a minute.

TOR’s primary purpose is anonymity. Its devs pride themselves on keeping activists around the world anonymous, protecting them from the repercussions of having unpopular opinions in regards to power, etc. They champion anonymity as a way for this to work, and they say that TOR is their contribution to that.

And they unceremoniously ripped that anonymity away from someone because they didn’t like what they had to say.

What Quinn Norton’s post misses, as it so deftly explains the math behind cryptography, is that as non-technical users we are forced to trust the motives of the people developing the software that *uses* that math.  Yasha Levine’s article was in that vein, even if it was hamfisted in places when it came to the tech – but if that had been the end of it, if the TOR devs had simply said “here’s what we have developed, and here’s our track record of being committed to anonymity” then I’d have very little to say.  But how am I supposed to trust TOR now?  Given the Chinese government’s history of online censorship, would I trust them if they told me that a tool they’d developed would help me avoid censorship?  Like it or not, TOR devs live in a world where most people aren’t as technical as them.  They can say until they’re blue in the face that we can trust the code, trust the math, trust the audits, trust that the project is Open Source – but for the average TOR user, they have to trust the people telling them to trust.

When anonymity activists violate someone’s anonymity… well, trust is thin at that point.

 

6 thoughts on “Math is Universal; Ethics Are Not”

  1. > There’s an underlying assumption being made by Norton here that deserves being challenged: the idea that the U.S. Government is a monolithic entity, that the bonds of government brotherhood (or even the bonds of practicality) will hold different alphabet soup lettered agencies together. That the FBI wants TOR broken is not speculation, they’ve said as much. That the spies who rely on it don’t want it broken is also a fair assumption. But what Norton has missed here is that not all spies are necessarily working in lockstep. It’s not too difficult to imagine a scenario where, say, the CIA wants TOR to be functional and rock solid for their own purposes – but the NSA, on the other hand would rather TOR have a back door in it. We live in a country that has 17 different intelligence agencies; agencies with different budgets, different people running the show, and even from what we lowly peons can see, often different agendas. And remember: the power that these agencies hold is *staggering* – if you think it’s inconceivable that the NSA would do everything it could to undermine TOR despite the fact that it would weaken it for CIA agents in the field, well I have some beachfront property in Oklahoma to sell you.

    Just to give you some argument on this – Tor usually levies in its own defense that “the U.S. government is not a monolithic entity.”

    This is to demonstrate to people why it could be that the Navy and other military groups that run field intelligence might want to keep Tor strong and operational for its agents, or the State Department might want to make sure it keeps Iranian teenagers reading US propaganda in the Times, but some parts of the FBI want to shut it down, the DOJ wants it backdoored, and the NSA wants to totally own the network.

    Their argument (a fairly interesting one) is that Tor exists because it is able to play one government department’s need for a functional net-neutral anonymity network against another department’s desire to shut such a thing down. This is carried out by engaging in extensive lobbying and outreach to all stakeholders. Meaning they are able to define a space in which such an unlikely compromise as Tor can exist. If the government weren’t split on Tor it would have gone down long ago. As a result they tend to present as canny pragmatists who are willing to negotiate various factions in order to provide society with something they believe beneficial rather than the conflicted libertarian zealots who just don’t realize they are USG patsies Levine tried to cast them as.

    Historically they have assumed the NSA will “do everything it can to undermine TOR despite the fact it would weaken it for CIA agents in the field.” Snowden showed the NSA was significantly less advanced than their worst fears, which is why they seemed more pleased than worried – they had predicted most of it already.

    No argument on your second point.

  2. The thing that strikes me about Norton’s article is that it simultaneously dismisses Levine’s criticisms while also being a demonstration of one of the most important aspects of the criticism: that TOR’s supporters are deceptive and dodgy about its ability to protect you from the US government. Norton argues the math “just works”, and uses being hidden from the USG as an example, but we know *for a fact* that TOR can’t reliably protect its users from an entity that controls a majority (or at least a significant portion) of entry/exit nodes, as a matter of the way the technology/math works – and the one known entity that does so is the USG. TOR supporters’ response to this being pointed out has been, as ever, that this is public knowledge, discussed within the TOR community etc… which is technically true, but doesn’t change that TOR’s more prominent promotions – such as Norton’s here – blatantly misrepresent these facts.

  3. @gbelljnr – I’m going to go with @circadianwolf on this one – I understand the argument that TOR supporters are making here – but playing various factions of the USG off each other is still policy type stuff – it’s a bit disingenuous for Norton to suggest first that policy can’t affect math, and then make a defense of the use of that math based on… policy.

    @thepoettrap – I’m regretting the ‘misogyny’ term – I should have said ‘bordering on sexist’, rather than misogyny – Tarzie pointed that distinction out to me, and I think he (and you) are right – I added a note to the post to reflect that distinction. Thanks!

  4. @roastagain it’s a worthy point. In fact the NSA was found influencing the design of one algorithm http://en.wikipedia.org/wiki/RSA_BSAFE — it’s telling that the algorithm was never taken seriously (i.e. the math showed it had weak randomness, a non-starter for crypto). You can conclude a lot from that revelation, but it seems incredibly risky for a highly visible project like Tor to be subject to a backroom tamper in the same way BSAFE was.

    @stillroast first, great article. second, a small quibble: I don’t think Norton’s point is leaning on the characterization of the government as monolithic or heterogeneous in its attitudes or goals. The point is that if one agency backdoors Tor it doesn’t **simply** give that one agency the key, it leaves evidence for any adversary to levy the same backdoor.

    The larger problem with backdoors in crypto:

    Backdoors get found out. Crypto is secure because of time/energy tradeoffs. Given unlimited time and energy all crypto will be broken. Backdoors are hard to conceal (see above) because the novel and weird approach to making public-key crypto work is to create a mathematical problem that is easy one way, but not the other way. If it’s easy both ways then your shit is broken.

    The main weakness of crypto systems isn’t the math (which is studied immensely), it’s the fact that deploying crypto is hard for consumers, and even when it’s done correctly on Tor (with a GUI and everything), the user still needs to understand advanced operational security in order to ensure full anonymity.

    When Levine calls Tor a giant honeypot he’s on to something interesting, not because Tor’s developers are devious, are being duped into shipping a weak product or any number of canards; I don’t know much about the Tor codebase but my gut says it’s heavily audited and constantly being improved (no backdoors, etc.).

    I think Tor is a honeypot because even within the darkweb context there are risks that IP anonymity won’t protect you from. This idea you can evade a government, or other powerful groups is true to the extent that your operational security and capabilities have to be better than your adversaries’ operational capabilities and privilege on the network.

    Getting back to time and energy tradeoffs, long term operational security of a few individuals in the face of the Feds is daunting, esp. when the Feds don’t like that you’re flagrantly defying the War on Drugs. Tor can help you avoid early detection, but it’s unlikely that any persistent Silk Road X.0 site will last for any meaningful amount of time if it’s being run by the usual bitcoin loving techno libertarian middle-class-geeks. The War on Drugs is too hot, and the Feds will come down on them. Every. Single. Time.

    Bringing it back to the point of Tor as a honeypot, it’s a bonus feature for the NSA while the Navy might have agents who legitimately need their anonymity protected.

    Anyway, thanks for the insightful article. Interesting debate.

  5. Roasty,
    Thanks for the excellent post and the many comments here. They have done much to synthesize my thoughts on the matter.

    Mark,
    Regarding Tor-as-honeypot, is the danger really a false sense of security? This seems to be what you are implying with your 6th paragraph.

    Reading on, are you perhaps implying that Tor allows asymmetrical usage? This has been sort of my feeling (as a coding neophyte) from the beginning.

    Tor is a tool being wielded by numerous people. What the developers fail to acknowledge in their haste to defend the code, is the fact that with any tool, its usefulness depends directly on the skill-level of its users. The more skill and resources brought to bear, the greater the usage.

    It is similar to the idea of the US military as the largest defense contractor in the world. Just because we sell the same weapons to other countries does not mean we still don’t have the monopoly on the ability to utilize those weapons to the maximum extent possible.
