A Thought Experiment: Evading Echelon Through Peer-to-Peer

by Andy Oram
April 27, 2001

As an adjunct to my article Peer-to-Peer File Sharing Systems Caught Between EMI and Echelon, I propose a system here that could be used to hide communications—including the very fact that two or more people are communicating—from a massive surveillance network like Echelon.

Why would people want a system like this?

An understanding that electronic mail is insecure has spread beyond political dissidents to ordinary businesses and other organizations. Remember that the U.S. government has already admitted using its top-top-secret Echelon system to find information that would aid an American company in a bidding war with a European firm. Echelon is a long-rumored and long-denied surveillance system hosted in the United States and English-speaking allies around the globe; its goal is to monitor all voice, fax, data, and other electronic traffic worldwide. Even though, in the bidding war, dirty hands were involved on the part of the European firm —which was allegedly engaging in bribery—the lesson remains that all our communications are potentially open to powerful forces whom we don’t want reading them. Several countries have mini-Echelons of their own, checking all traffic for material they consider subversive. According to Alan Brown, a human rights activist who designed an anti-censorship system called Red Rover, China has moved past monitoring email and the Web to checking every packet of every kind of Internet communication entering, leaving, or moving about within the country.

While I don’t worry about using email for my own routine communications with friends, business associates, and political collaborators, I can envision a time when I, and many other people, will have reason to hide the content of our communications. We may even need to hide the fact that we are engaging in any communication. Wiretapping law in the U.S. considers both the content of communications and the fact that communication is taking place (available to wire-tappers through pen registers and trap-and-trace) to be worthy of legal protection, although the latter is less closely regulated than the former.

Encryption can protect email, as it currently protects exchanges with SSL-enabled Web sites. But while the infrastructure for SSL is universally available in browsers and servers, it’s relatively crippled for email: few users have it, and they must engage in substantial planning with their correspondents before they can use it. The verification of digital signatures can be a problem on both the Web and email. Finally, neither email encryption nor SSL on the Web hides the fact that the two sites are communicating.

So let’s try to design a system to evade detection by massive surveillance systems. The natural starting point is to use Freenet, thanks to its key feature: once material is loaded into it, observers have great difficulty tracking whose machine it is on, who put it up, and who is requesting it. As I have said earlier, commercial systems without the openly defiant philosophy of Freenet might work just as well.

Secure uploading

The first problem is getting the contraband material onto Freenet. Currently, privacy experts advise people who are seriously concerned with hiding the origin of their documents to submit them through anonymous remailers, like Mixmaster. If the submitter has reason to believe someone is tapping his Internet connection, he can go even further and try to use a public Internet facility.

The most robust way I can think of to protect the channel between the user and Freenet would be to make Freenet universal, the way email programs and Web browsers are today. If a Freenet client is on your machine, you have no channel (except your own data bus) to protect when inserting material. It’s hard to imagine what kind of social pressure would encourage Microsoft to bundle a Freenet client with Windows (maybe it helps to port Freenet from the original Java to C++), so an open source operating system is a better bet. Unfortunately, governments could block distribution of such systems, either through legal sanctions like those the United States government employs to restrict the export of encryption, or through government-imposed filtering at ISPs.

Many new file-sharing systems are emerging that have the potential to add value to business and other above-board Internet activities. A couple companies that I’ve talked to include OpenCola and XDegrees. They differ from Freenet, of course, as well as from each other, and neither would want to be thrown casually into the same bucket as the much-maligned Freenet. But they offer the hope that a distributed system where the exact location of content is hard to determine could become universal.

Governments could try to require built-in digital signatures in order to keep tracking users, but such requirements would be hard to enforce. The issue is reminiscent of the failed pressure by many governments during the 1990s for mandatory key escrow. Can a networked system determine for sure whether someone has inserted material with a valid, traceable digital signature? The requirement to sign documents would have to be accompanied by the requirement to use one of a fixed set of certificate authorities, who in turn would be subject to legal requirements of their own, to the point where the tracking system would become an unbearably heavy weight on an otherwise lithe and flexible file sharing system. So I will assume that anonymity can be preserved on any system that divorces content from location.

Secure downloading

Having listed the problems and possible solutions to uploads, let’s assume the originator of the sensitive content has it safely on Freenet or some other distributed file sharing system. Now the goal is to let the desired recipient, and only that recipient, download the content.

Freenet offers quite good protection for anonymous downloading. A snooper can’t determine what content is being downloaded or who originated the content. If the recipient of a communication wants to hide the very fact that he or she is using Freenet, some precautions must be taken similar to those taken by the sender, as discussed in the previous section. The question that remains is how the recipient can figure out what to download.

Back at the end of World War I, long before computers existed, an American general invented an unbreakable form of encryption called the one-time pad cipher. Before an expedition, two communicating individuals would agree on a set of random keys, which could be written on pads of paper and used one by one. Each correspondent would apply the top-most key to a message and then destroy the sheet of paper that contained it. So long as the keys were long enough to encrypt a whole message and the sheets with the keys were kept out of adversaries’ hands, the encryption was perfectly secure. Its use was limited because of the difficulty of creating and transporting long, random keys.

One-time pads can see a revival with Freenet and other file-sharing systems, which tend to use URL-like sequences to identify files. For instance, Freenet offers “keyword signed keys” and “signature verification keys” that can be freely chosen by users. If somebody uses a random string of characters to identify a file, it can’t be guessed in advance. Even though the file is on a public file-sharing system, there’s no feasible way to get it without knowing the key.

Thus, the one-time pad could be the means of Freenet file retrieval for secret correspondents. They would simply decide on a series of strings in advance, and assign those strings as keys when they put their communications onto Freenet. It might be tempting to use strings that are easily to remember but essentially irrelevant, like lines from Shakespeare or quotations from the Wall Street Journal. But any mnemonic system would make strings easy to guess. An adversary who guesses a string could attack the communication channel from both sides: by guessing the string that lets him retrieve a document, and by putting up false documents using a legitimate string.

Therefore, random-number generating systems should be used to create long strings of random characters for the one-time pad. To make it even harder for an adversary to identify useful content, senders can routinely put up fake documents under random, meaningless keys.

Now the Echelon-evasive system is complete. The two communicating sides must start by creating one-time pads that they agree on and share securely before illicit communication begins. This initial requirement may be complicated logistically, but except for the length of the shared information it is comparable to the problems presented by other forms of encryption.

After they separate, each sender uses the topmost key to name a single communication, and destroys it afterward. The recipient can query Freenet for the next available key at regular intervals or agreed-upon times.

What was the point of this little excursion into high-jinx spying? It is to show that technologies with valuable commercial and social uses can also be employed for the purposes of evading the law. Distributed file-sharing may turn out to be a valuable alternative to conventional caching and downloads—but it comes at a price to law enforcement.

If governments are serious about imposing surveillance on the Internet, they will have to battle peer-to-peer file sharing along with all the potential benefits it brings—and it is probably only the start. Technology tends to outrun legal constraints. Instead of throwing up our hands in horror and calling for witchhunts against the purveyors or users of those systems, we should be asking, “How can we create a social environment where the positive uses of these systems are encouraged and the negative ones are not worth the trouble?”


Andy Oram is an editor at O’Reilly & Associates. This article represents his views only. It was originally published in the online magazine Internet Freedom and subsequently appeared in its current form in Web Review.