July 26, 2018

MySudo and the EFF Secure Messaging Guides

The Electronic Frontier Foundation (EFF) recently released a series of articles under the theme Building a Secure Messenger. In these articles the EFF acknowledges how difficult it is to compare secure messaging apps, because each is targeted at a specific set of users and use cases. This paragraph sums up their findings:

There is no such thing as a perfect or one-size-fits-all messaging app. For users, a messenger that is reasonable for one person could be dangerous for another. And for developers, there is no single correct way to balance security features, usability, and the countless other variables that go into making a high-quality, secure communications tool.

Instead of trying to rate individual secure messaging apps, the EFF articles give a detailed analysis of the different types of capabilities that should be considered when thinking about secure messaging. It is then left to the user to decide which capabilities are most appropriate for them.

At Anonyome Labs, we believe users should be given a way to interact with the world securely and privately. Secure messaging is a very important facet of privacy, but it's not everything. We're focused on the entire interaction: being private means being able to craft personal identities with all the capabilities they need, including communications, but also other capabilities like private browsing and payments. That said, this article focuses on the communication side of MySudo.

A personal identity can be thought of as any identity we create, manage, and maintain for a given context. In the offline world, this may be as a coach, as the neighborhood watch leader, or as the head of the Parent-Teacher Association. In the online world, this might be an avatar in Call of Duty, our Twitter handle, or our LinkedIn profile.

Our MySudo app is our down-payment on personal identities. We have built the MySudo app to enable the creation, management, and control of personal identities, which we call Sudo. The Sudo sits at the center of the Sudo Platform, which we've developed to give the user greater control, safety and privacy in their online and offline interactions.

Figure 1: Current MySudo Capability Status

The purpose of this article is to take the capabilities outlined in the EFF articles and identify where MySudo communication sits within that framework. Figure 1 shows how MySudo measures up against each EFF capability. I've kept it quite high level to keep this article at a reasonable length. I have also added some capabilities to the analysis that aren't specifically listed in the EFF articles (or are perhaps implied but not directly addressed).

Figure 2: MySudo Identity Based Capabilities

It is important to assess MySudo features through the lens of managing personal identities. Why? Because the clear difference between MySudo and almost all other communication applications is the concept of multiple identities, each with its own independent communication capability (Figure 2):

  1. A key capability of MySudo is the creation and management of personal identities, which we call Sudo. These allow the user to easily compartmentalize their online and offline interactions. Users do this by having multiple Sudo at their disposal and interacting with different services using different Sudo.
  2. Closely associated with this concept is compartmentalized communication (messaging, voice, video, email) for each of these Sudo. That is, each Sudo's communication is completely separate from the user's other Sudo.
  3. Closely associated again is the concept that a Sudo, and its email address and phone number, exist only for as long as you want them to. That is, if a user is concerned that a Sudo has left a significant digital trail that might lead to their discovery, it is a very simple action to delete the Sudo, or to delete/reset the Sudo's email address or phone number.

Figure 3: MySudo Core Privacy Capabilities

Figure 3 lists another set of core privacy capabilities. These three capabilities are addressed indirectly in the EFF articles, mainly in relation to safety and the unwanted sharing of personal information:

  1. Zero attribution is a very important concept for privacy. It means that a person cannot be linked to an online or offline interaction. In the context of MySudo it means that a person or organization receiving communication from a Sudo cannot identify the owner of the Sudo unless the user voluntarily gives up this information. The Sudo phone number and email address alone will not give up that linkage. This is very different from your personal mobile phone number: there is a wealth of data already linked to that number in the wild, and it is available to anyone who is willing to pay for it.
  2. The important principle underpinning zero attribution is that MySudo does not collect any identifying personal information about the user. That is, it has zero knowledge of the user. (Note that this use of "zero knowledge" is not related to zero-knowledge cryptography.) MySudo does not ask for an email address, password or phone number, does not use the user's address book to discover other users, and asks for nothing else that could be used to identify the user. Therefore there is no username, password, or other credential that, if breached, could unmask the end user.
  3. No advertising is another extremely important privacy standard. We have all become very familiar with the saying "if you don't pay for a product, then you are the product". The reality is that many secure communication companies collect as much personal information about you as they can (the two worst offenders of course being Facebook and Google), and then use that information to target you with advertising. Because Anonyome Labs has no interest in advertising to you, and instead offers paid subscription services, it does not need to harvest your personal information for the purpose of advertising. Harvesting your personal information is against our core principles.

Figure 4: MySudo Communication Capabilities

Figure 4 outlines the two main classes of communication capabilities in MySudo:

  1. In common with almost all secure communication apps, MySudo provides advanced in-network communication capabilities. In-network denotes that both users are communicating using the MySudo app. The capability includes end-to-end encrypted messaging, voice, video and email. Combining all of these modes (messaging, voice, video and email) in one app is not typical, but it is required if a Sudo is to communicate securely in any circumstance.
  2. Another capability that is unusual among communication apps is that MySudo supports out-of-network communication for interaction with non-MySudo users. This includes SMS/MMS, voice calling and email, and it is the out-of-network communication that makes MySudo usable across numerous privacy use cases such as shopping, selling and socializing.

The next consideration is the privacy capabilities for out-of-network communication. This describes a scenario where a MySudo user is communicating with a non-MySudo user. For compatibility reasons MySudo currently supports unencrypted SMS/MMS, voice calling and email. You might ask the obvious question: "How does that help with privacy? Shouldn't all communication be encrypted?" In theory yes, but in practice many of the services and people you interact with don't use encrypted communication. Out-of-network content therefore travels unencrypted, just as it would from an ordinary phone; what the Sudo protects is the identity behind it.

The benefit of using a Sudo is that you can still interact with these services in a private and safe way using your Sudo phone number and email. That is, instead of using your personal mobile phone number and personal email address, you use the ones provided by your Sudo, so that the service or person cannot trace the interaction back to you from the number or address itself, and anything they sell, mine, track or leak is tied to the Sudo rather than to you.

Figure 5: MySudo Out-of-Network Privacy Capabilities

Figure 5 describes an important aspect of out-of-network communications:

  1. The phone numbers provided by MySudo are dual-purpose numbers. That is, they are like a traditional mobile phone number and allow both two-way voice calling and SMS/MMS. This is important so that Sudo phone numbers can be used in the same way you would use your mobile phone number, e.g. for selling, shopping and dating. The phone numbers currently provided by MySudo are Voice-over-IP (VoIP) phone numbers. (Some services treat VoIP numbers differently from carrier mobile numbers, for example when sending SMS verification codes, so this is worth checking for a given use case.)

Figure 6: Other General Communication Capabilities

Figure 6 examines three other aspects of communication privacy capabilities:

  1. All communications metadata that is stored for the operation of the app (e.g. to display voice calls, messages and message threads to the user) is encrypted so that only a MySudo app in possession of the associated cryptographic keys can read it. It is a very important tenet of the Sudo system that we do not store unencrypted metadata about communications on our backend systems.
  2. A user is able to back up their communications off their device to a safe place. There are two options: into the user's own cloud service, or to the user's desktop computer. We are currently researching this capability with the intention of implementing it for MySudo.
  3. An important capability related to secure communications apps is communication continuity across devices/platforms. That is, a user can be communicating using MySudo on their iPad, switch to their iPhone, and continue the conversation where they left off. This capability is currently in development for MySudo.

Figure 7: Capabilities Related to Cryptographic Keys

Figure 7 defines some capabilities related to cryptographic keys. You might be thinking "why do I need to understand this?" A core underpinning of the MySudo solution is a strong cryptographic design, including cryptographic protocols and key management:

  1. You might have noticed when installing MySudo that the app never prompts you to create a MySudo account, e.g. by asking for a username and password, your mobile phone number, or anything else. This is because our registration process is underpinned by cryptography. We generate both symmetric AES keys (256-bit) and asymmetric RSA keys (2048-bit) on the device. It is possession of these keys that gives you access to Sudo services and data after registration.
  2. Another important cryptographic capability is that Anonyome Labs never wants access to your cryptographic keys. Instead we ask you to keep safe possession of your cryptographic keys and to protect them using your own systems.
  3. Related to Anonyome Labs not having possession of your cryptographic keys, we ask you to back up your keys to either your own cloud environment or your desktop. That way, if you replace your device, you can restore your keys to the new device. The flip side is that without such a backup a lost device means lost keys, and because we never hold them we cannot recover them for you.
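The registration-by-key-possession described in item 1, and the encrypted-metadata point from Figure 6, can be made concrete. The Go program below is an added example written for this article, not Anonyome Labs' MySudo code. The page states only that AES-256 and RSA-2048 keys are generated on the device, that possession of those keys is what grants access, and that communications metadata is stored encrypted; everything else here is my own assumption: a SHA-256 fingerprint of the public key as the account identifier, RSA-PSS over a server-issued challenge as the proof of possession, AES-256-GCM with the Sudo ID and record type as associated data for metadata records, and the constructed call-log entry used as sample input. Key backup (item 3) is not shown; a real export of these keys would have to be wrapped under a key the user controls before being written anywhere.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// DeviceKeys is generated on the device at first launch and is never sent to the
// backend: a 256-bit AES key for data at rest and an RSA-2048 signing pair.
type DeviceKeys struct {
	DataKey []byte
	aead    cipher.AEAD // AES-256-GCM keyed with DataKey
	Signing *rsa.PrivateKey
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG available: stop rather than emit weak keys or nonces
	}
	return b
}

func GenerateDeviceKeys() *DeviceKeys {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	dk := mustRandom(32)
	block, _ := aes.NewCipher(dk) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return &DeviceKeys{DataKey: dk, aead: aead, Signing: priv}
}

// Fingerprint (assumption) derives the account identifier from the public key,
// so no username, e-mail address or phone number is ever asked for.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub)
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// SealRecord encrypts one item of communications metadata under a fresh nonce;
// the associated data binds it to one Sudo and record type, so the blob cannot be
// replayed into another Sudo's call log or thread list.
func SealRecord(k *DeviceKeys, sudoID, kind string, plaintext []byte) []byte {
	nonce := mustRandom(12)
	return k.aead.Seal(nonce, nonce, plaintext, []byte(sudoID+"|"+kind))
}

func OpenRecord(k *DeviceKeys, sudoID, kind string, sealed []byte) ([]byte, error) {
	if len(sealed) < 12 {
		return nil, errors.New("ciphertext too short")
	}
	return k.aead.Open(nil, sealed[:12], sealed[12:], []byte(sudoID+"|"+kind))
}

// Backend models the server: public keys plus opaque blobs it cannot decrypt.
type Backend struct {
	PubKeys map[string]*rsa.PublicKey
	Blobs   map[string][][]byte
}

func NewBackend() *Backend {
	return &Backend{PubKeys: map[string]*rsa.PublicKey{}, Blobs: map[string][][]byte{}}
}

func (b *Backend) Register(pub *rsa.PublicKey) string {
	fp := Fingerprint(pub)
	b.PubKeys[fp] = pub
	return fp
}

func (b *Backend) Store(fp string, blob []byte) { b.Blobs[fp] = append(b.Blobs[fp], blob) }
func (b *Backend) Challenge() []byte           { return mustRandom(32) }

// Proof of possession replaces a password: the device signs the backend's fresh
// challenge with RSA-PSS and the backend verifies it against the registered key.
func SignChallenge(priv *rsa.PrivateKey, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err)
	}
	return sig
}

func (b *Backend) Authenticate(fp string, challenge, sig []byte) bool {
	pub, ok := b.PubKeys[fp]
	if !ok {
		return false
	}
	h := sha256.Sum256(challenge)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}
```

The properties a practitioner would check are visible in the design rather than asserted: the backend holds only public keys and sealed blobs, so a breach of it yields nothing that unmasks a user or decrypts their call log; a blob sealed for one Sudo will not open under another Sudo's associated data or under another device's data key; and any bit flip in a stored blob fails GCM authentication instead of yielding corrupted plaintext. The challenge is generated by the server per login attempt, so a captured signature cannot be replayed.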

Figure 8: MySudo App and System Capabilities

Figure 8 is derived directly from the EFF capabilities, and lists some non-functional requirements of communications apps:

  1. The quality of the source code is a particularly important characteristic for apps focused on security and privacy. There are three main types of code quality audit:
    1. Continuous automated code review: At Anonyome Labs we use the SonarQube continuous source code quality tool to ensure we are not reducing code quality during our regular releases.
    2. Independent audit of source code by cryptographic experts: We know that implementing cryptographic protocols and key management to the highest level of protection is extremely challenging. Even the best developers can make mistakes. We contracted a third-party cryptographic source code analysis team to perform this audit for us.
    3. Pen-testing: This involves finding security/privacy vulnerabilities through remote black-box testing of our Sudo Systems. We have pen-tests performed on a regular basis.
  2. One aspect that the EFF points out as important is having the solution open, i.e. publishing the source code of the apps and backend systems so that it can be reviewed by anyone interested. We are currently researching whether we could open source our MySudo software.
  3. We've been building out and running our Sudo Systems for over two years (with our Sudo app) and have increased their resilience and scalability during that time. We also have a team that has been building enterprise-scale security systems for over 20 years. We therefore believe we have a Sudo System environment that is able to provide very high service availability.
  4. At Anonyome Labs we have a dedicated User Experience Design Team focused on making our apps easy to use for everyday users. This team continuously user-tests our designs to ensure they are logical and efficient. Our aim is to continually improve the usability of the MySudo app.

Figure 9: MySudo App and Policy Capabilities

Figure 9 completes the analysis of MySudo by adding two additional EFF capabilities:

  1. The first is broad availability of the app worldwide so that large numbers of users can use MySudo. We have initially launched MySudo for iOS in the US and Canada, with local phone numbers being provisioned in those countries. We are in the process of adding additional countries and will continue to do so until we have worldwide reach.
  2. The second is an understandable and strong privacy policy. The points the EFF makes are that some communication apps' privacy policies are:
    1. Obfuscated: The privacy policy has been written in such a way that the user needs a law degree to understand what is happening with their personal data.
    2. Exploitative of user personal data: Many communication apps collect personal data on their users and exploit it for advertising or to sell. They disclose this quite openly in their privacy policy. Please note that it is a core principle of Anonyome Labs not to collect the user's personal data, so that it cannot be exploited.

This concludes my summary analysis of MySudo. If you'd like to understand more about this area I would recommend reading the EFF secure messaging articles. They provide an excellent overview of the secure messaging app landscape. And as you've seen, even for MySudo, which has significantly broader capabilities, they are still a worthwhile guidepost.

And of course, please let me know your feedback.

Additional Notes