“Privacy, sadly, doesn't mean protection against the law,” Gwren explains.
Fred von Lohmann, the Senior Intellectual Property Attorney for the EFF, highlights the importance of the privacy provided by these networks. “It is important to remember that anonymizing proxy networks have lots of uses unrelated to file-sharing, including for anonymous web browsing, email, and instant messaging,” he told Slyck.
MUTE provides very low-level privacy. Although the information travelling between individual nodes is encrypted, each node has full access to the data travelling through the network.
This contrasts with ANts, which also encrypts data sent between the source node and the destination node. This is called endpoint encryption. Theoretically, endpoint encryption means proxy nodes cannot identify the data they proxy.
“A network where only point-to-point communication is encrypted is not private! Every node can read everything it is routing (is this privacy? The Internet works like this and we know its limits). Using endpoint encryption, which implies only an insignificant amount of overhead, you get real privacy, because only the two who communicate can decrypt the messages,” Gwren explains.
To discover the effect of endpoint encryption, Slyck contacted an information security specialist, Graham Morris, who is a graduate of the Information Security Group at Royal Holloway College, University of London. Morris was impressed with the security level provided by ANts, describing it as, “a file sharing program that goes a long way to offering anonymity and confidentiality.”
However, he also had some criticism. To obscure the files being transferred so that proxies cannot identify them, the encryption mechanism “The Advanced Encryption Standard” (AES) is used. To be able to do this, the two file sharers must have a secret code (or “key”) that only they know. For them both to know the key, the Diffie-Hellman (DH) Key Exchange Protocol is used, but Morris raised some questions over the implementation of DH in ANts.
“The security of the system relies on this key exchange, but anyone could potentially launch a man-in-the-middle attack. This attack would allow an adversary to obtain the secret key and see the file being transferred,” he said.
This is usually combated with trusted third party involvement using “certificates”. These certificates are not implemented in the ANts network. To a determined node, ANts therefore provides no extra information security.
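The weakness Morris describes can be reproduced with a toy exchange. The following is an added example, not code from ANts or from the article: the group parameters, function names and the fingerprint comparison (a stand-in for the certificate check, assumed to happen over a channel the relay cannot alter) are all constructed for illustration.

```python
import hashlib
import secrets

# Toy parameters, constructed for this example: 2**255 - 19 is a known prime,
# but this is not a vetted DH group and must not be used for real traffic.
P = 2**255 - 19
G = 2

def keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    # Hash the DH shared secret down to a 256-bit key (e.g. for AES).
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(32, "big")).digest()

def fingerprint(initiator_pub, responder_pub):
    # Digest of the public values each endpoint believes were exchanged.
    data = initiator_pub.to_bytes(32, "big") + responder_pub.to_bytes(32, "big")
    return hashlib.sha256(data).hexdigest()

def run_exchange(relay_substitutes):
    a_priv, a_pub = keypair()                    # source endpoint
    b_priv, b_pub = keypair()                    # destination endpoint
    r_priv, r_pub = keypair()                    # intermediate (proxy) node
    # What each endpoint receives as "the peer's public value".
    a_sees = r_pub if relay_substitutes else b_pub
    b_sees = r_pub if relay_substitutes else a_pub
    key_a = session_key(a_priv, a_sees)
    key_b = session_key(b_priv, b_sees)
    # Keys the relay can derive from the values that passed through it.
    relay_keys = {session_key(r_priv, a_pub), session_key(r_priv, b_pub)}
    return {
        "endpoints_agree": key_a == key_b,
        "relay_can_read": key_a in relay_keys or key_b in relay_keys,
        # Authentication step: compare transcripts over a trusted channel.
        "fingerprints_match": fingerprint(a_pub, a_sees) == fingerprint(b_sees, b_pub),
    }

if __name__ == "__main__":
    print("honest relay:      ", run_exchange(False))
    print("substituting relay:", run_exchange(True))
```

Without the fingerprint comparison neither endpoint has any signal that the keys differ, which is why the exchange needs an authenticated binding such as the certificates discussed here.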
“I never said this program will not support certificates,” Gwren defends, “ANts is still beta, the next releases will support this feature. This means it will be possible to create internal communities based on certificate exchanges. The current endpoint DH exchange is very important, as it provides the basis for easily adding the certificate exchange at a later date. It is therefore not just an overhead.”
Endpoint encryption is a suitable system for groups of trusted peers to use. However, Morris still has some concerns.
“Implementing a certificate system is not a simple task. You need to be able to create, issue and revoke certificates, and you need a party that you trust to do this securely. You also remove anonymity, and may even introduce the concept of non-repudiation. This means that after sharing a file, you can’t later deny that you were the source.”
Ultimately this raises further questions of the use of an anonymising system between trusted peers. Indeed, if you trust them, why not make a direct connection? However, Morris is clear that there are many different methods of employing certificates. To discuss and analyze even one system would be a report in itself.
Whatever structure is used for trading amongst trusted peers, we know this is not how mass scale P2P networks operate. Users mainly communicate with untrustworthy peers, existing only as an IP address. As demonstrated by Morris, ANts cannot promise security for these transfers, which are the majority, because it lacks certificates.
But how much does this even matter? If the file is public enough to be in a shared folder, then how much does it really matter that proxy nodes can read the message?
Gwren described this issue as, “very complex, almost philosophical.”
The practical result is most easily summarized in two sections. The first covers what ANts means to those who are trading in trusted groups. The second looks at the more common scenario of users trading with unknown peers.
Trading in trusted groups
Depending heavily on the realization of certificates, communication between endpoints will be virtually impossible to break. This will ensure absolute privacy. Such a system will be akin to the WASTE network, but with the benefits of swarming.
The MUTE network does not provide this confidentiality.
However, questions remain as to how ANts will remain an anonymising system, whilst sources and recipients certify the file transfer.
It also represents the use of some very important software technology.
Trading between untrustworthy peers
Who reads the message is of little or no importance, as the information is public anyway. In turn, the weakness in the endpoint encryption is of no relevance.
Instead of privacy, users are provided anonymity.
“Anonymous means that nobody knows who puts something in the network. Say you want to talk ill of your employer. What do you do? You write anonymous letters to 200 people… each one of them will know perfectly well who their mailman is (in ANts’ case, it’s their neighbor, a well-known IP): the mailman is delivering the letter. But nobody will know who sent the letter,” Gwren explains.
The network also provides security for this through point-to-point encryption, as Gwren nicely illustrates:
Continuing his postman theme, “Regarding security, it refers to those cases in which someone puts a video camera in your house and gets a tape proving that you’re the one who wrote the letter. Thanks to encryption, ANts impedes an attack of this sort. Nobody can sniff out the packets to prove that you put any content on line.”
It should be pointed out that this anonymity and security, although very strong, is no more than that provided by MUTE.
Legal protection is increasingly what file sharers care about when choosing a file sharing application. Numerous music lovers have fallen victim to lawsuits against file sharers. With over 4500 such cases in America, along with a mass of cease and desist letters worldwide, protection from the prying eyes of organizations who think they are the law becomes ever more important.
In anonymising networks, it is impossible to detect who seeded a file. The same routing mechanism that provides anonymity also provides legal protection. As files make their way through the network, no peer can know if the file they are receiving has come from the original source or a proxy.
This system destroys the current targeting method used by organizations that object to the sharing of certain files. In traditional file sharing systems, file sources are tied to an IP address. But it is this attachment of IP address and file that makes targeting users sharing copyright works, for example, such an easy process. In anonymising networks, files are tied only to a virtual address. More details of how this provides legal protection can be found on the MUTE
Any two computers that are directly connected in a network are called neighbors. Neighbors must know each other’s IP addresses in order to keep the connection. As already established, when neighbors send each other files, the receiver does not know if their neighbor is the original seed, or a proxy. However, they do know their IP address and what has been sent.
“ANts and MUTE are anonymous, you never know who put the information onto the net,” Gwren explains nicely. “The problem is that you do know who is passing that information on to you. It’s like anonymous mail: you know the postman but you don't know the sender. ANts offers an additional element of security, because the postman cannot read your mail (unless he is the sender himself, but you have no way of knowing this!).”
Proxies are therefore in a weak position, as any peer can catch their neighbor proxying an objectionable file.
Slyck therefore sought to discover the legal implications of being a proxy in a file sharing network.
“It would be like killing the postman because he delivered a letter you don’t like,” Gwren joked.
Turning to a lawyer instead, Fred von Lohmann explained, “The law is simply unclear. No court has ever considered whether you can be held liable for copyright infringement simply for proxying data in a network. EFF strongly believes that the answer should be that, assuming you have no knowledge of what the packets are that you're passing, you should not be liable for the contents of the packets. That is, after all, the rule for ISPs. The same rule should apply for individuals,” he explained.
If the law favors the EFF view, then neither MUTE nor ANts peers can be held liable for proxying objectionable files. Although ANts provides endpoint encryption, the average user of MUTE would not know where to begin discovering what they are proxying. The overhead of endpoint encryption provided by ANts would therefore be wasted in a legal context.
When questioned about this, Gwren admitted that he does not know if the encryption is a wasted overhead or not. After all, the encryption is not in place for legal protection.
“Sorry, I'm not a lawyer, and I have no idea of law-related issues,” he explained. “I can only say that ANts protects your privacy and it is 100% secure only if you are communicating with a known trusted peer. The point is that a “cancerous” peer [any node which challenges the integrity of the network] can easily identify its neighbors; making them vulnerable to legal action should proxies be held responsible for the data they unknowingly pass on. Using ANts, it is possible to provide scientific evidence that the intermediate node did not know what it was routing, as a DH-secured channel between two endpoints is unbreakable.”
When questioned further about legal issues and encryption, Gwren reminded Slyck, “ANts was not born to break the law, it was born to give endpoint privacy in ad-hoc routing systems.”
So it currently appears that ANts and MUTE do provide protection from the law, but the last word will go to the lawyers and the courts. The biggest question will be whether proxies can be held responsible. Then we will see the value, if any, of endpoint encryption. It is also worth noting that the EFF are convinced that proxies will be safe even in the event of the INDUCE Act passing.
In the meantime, users can help themselves by manually connecting to neighbors they know and trust. By doing so, users can download from untrustworthy peers, with the safety of the information being sent via a trusted peer.
By having all users connect solely to IP addresses they trust, users can develop sub-networks, where each user can operate safe in the knowledge that the only people who can see their IP address are those whom they have deemed trustworthy.
The Future of Anonymising P2P
File sharers swapping the latest pop-track is one thing, but less savory characters may use the system to commit crimes. Pedophiles for example could use the system to hide their activities. Users of the network would unknowingly be proxying child pornography.
Gwren is quick to defend the development of anonymous P2P, saying, “with this way of reasoning, people should still live in caves. Do you think the US forefathers thought of this sort of thing when they first set up the US Mail service? Our mail is still protected today. No one can open a letter I send to you, and doing so is breaking the law. Privacy is a constitutional right all over the world and it must be protected."
Although there may not be a worldwide constitutional right, Gwren makes a valid point that such people should not hold back development of the Internet. The risks involved in proxying such material will be down to individuals to think about before joining. It really is impossible to have it both ways.
As networks become more anonymous, further problems will arise. Anonymity is also provided to those fighting the development of P2P technology. Data and information can be corrupted in transit. Rohrer, the MUTE developer, once said, “It is impossible to have both true anonymity and true message security/integrity.” A view supported by Gwren. This may translate into more corrupt files and wasted bandwidth in the future, as groups corrupt files in transit, rather than sharing files already corrupted.
Beta tests of MUTE have so far been successful. ANts, in comparison, is still too young for any judgments to be made.
Both networks will be working hard to improve their services. ANts already features multiple source downloads, swarming and resumable transfers, all absent from MUTE.
MUTE is the easier network to connect to, as there is no need to visit an IRC room. However, Gwren argues this represents a more sophisticated connection system.
“MUTE uses a web cache. I preferred not to use a web cache because I don't like to store the user’s IP on a website. So ANts uses a volatile IP cache that is hosted on the network itself,” Gwren explains, “In comparison, the system is very advanced, because it can exchange IPs through the network itself and be transparent to NATs and firewalls.”
The value of the endpoint encryption used by ANts and not MUTE can only be determined by the file sharers themselves.
So where is anonymising P2P taking us?
“Have you seen Jurassic Park?” Gwren asks. “Remember what the park creator said... ‘Life will find a way’. I don't know what this way will be, but I'm sure that people will find a way to exchange information in a secured and efficient way... this is what people want, and we live in democracy.”