There is a little bit of crypto-anarchist in all of us, and bowing to that spirit, I’ve been checking out Bitmessage, the peer-to-peer encrypted messaging protocol, which I commend to you as a fun experiment. It is not ready for mass-consumption (yet), but it shows a lot of promise. If you would like to test for yourself whether or not the software is actually impervious to the NSA’s prying eyes, download the software with a friend (Mac, PC) and send each other messages whose content would normally get you on the “do not fly” list, then book a flight and go to the airport. Say goodbye to your loved ones before you leave—there is limited internet access for inmates at Guantanamo Bay.
“I have no need to use Bitmessage because I have nothing to hide”
You might be asking yourself why anyone would even be interested in using Bitmessage. After all, if you are not emailing about child pornography or drug trafficking, you have nothing to worry about, right? I can think of 4 reasons why I might want to switch as many of my communications to Bitmessage as possible. I will outline them below, and then go into some of the more interesting aspects of the protocol that I’ve been thinking about.
1. You’re probably guilty of something.
The laws of Canada, the United States and pretty much every modern nation state are at the moment, so convoluted, contradictory and difficult to understand and follow, that it is likely that every single person alive today has already done enough to warrant time in jail, whether they realise it or not.
Affluent straight white males without mental health issues don’t notice this because it is not good politics to arrest them very much. But it doesn’t take much of an excuse for the police to take a homeless guy away, or to declare that a black guy was acting suspiciously and treat him accordingly. This might not bother you if you are, in fact, an affluent straight white male without mental health issues, until you realise that:
2. Sometimes messages that are perfectly acceptable in their proper context, can be very damning when quoted out of context.
I don’t know from first-hand experience, but I’m betting that the NSA/CSIS/whoever’s getting my email doesn’t have a human carefully reading through every single email and flagging the ones that are explicitly related to terrorism. I bet they’re searching for key words and phrases. And if you happen to have the wrong sorts of phrases in your emails, combined with the wrong sorts of Google searches, etc., you might find that the government might decide to scrutinise what you’re doing, and this is a problem because of reason 1, outlined above.
3. Just because you know that what you’re doing is fine doesn’t mean that someone else won’t punish you for it.
For example, I am a homosexual. This is fine. My family/friends/co-workers think it’s fine. I’ve never been physically attacked or had anything like that happen to me because of it. However, if I were planning on going to Russia as a tourist during the Olympics, I would be rightly afraid, and not because I’m doing anything even slightly wrong.
4. Solidarity with the less privileged is a generous gesture.
Let’s imagine that you are an affluent straight white male who has very vanilla sexual tastes and no mental health issues, whose email correspondence is so clear that it could never be misconstrued badly, and against all odds, you know for certain that nothing you have done is now, or ever will be illegal. You still might want to switch to something like Bitmessage, just out of solidarity with the rest of us who aren’t so privileged. After all, if we have to constantly switch between regular email and Bitmessage, we’ll eventually mess up.
Now that you’re all on-board the Bitmessage train, let’s settle down and look at what it is and what it does differently.
What I find interesting about the Bitmessage protocol itself
Bitmessage is still in a beta version, so it does not allow rich text formatting, attachments (although in principle, it could) or any sort of filtering, searching, tagging or sorting of your messages once they’re in your inbox. It’s more of a proof-of-principle release than anything that’s designed for actual communication.
Unfortunately, it’s not pretty.
The big selling point of Bitmessage is that all messages are encrypted, and the protocol makes it difficult even to discern the sender / receiver of a message. Beyond that, it has some interesting properties that could be exploited, the most interesting of which I will explain here:
The address of the sender of a bitmessage can’t be faked
Something you may not have known about regular email: There is nothing preventing anyone from sending an email from any address she chooses. Any person could send an email from your email address to any other email address, without needing to get access to the sender’s email account. That’s why you sometimes see extra information next to the sender’s name in Gmail. It’s kind of like regular mail. You can write anyone’s name you like in the top-left corner of an envelope and have it delivered.
Have you ever wondered why, whenever you sign up for something online, you have to put in your username / password, then it sends you an email, and then you click a link in the email, which sends you back to the site you came from? It’s a weird and awkward system, and it’s not even very secure, but we’ve been doing it for so long that we’ve forgotten just how weird it is.
If a website required a bitmessage address for sign-up instead of an email address, the sign-up process could be streamlined or changed in a number of ways: It could be as simple as, “Fill out the Captcha to reveal a bitmessage address. Send a blank bitmessage to the address to sign up. Your bitmessage address is your username. You will receive a password in reply to the message you sent.” There you go. That might be what sign-ups look like, once web servers start installing a bitmessage client.
Just by building a protocol such that sender addresses can’t be faked, we can finally eliminate the cost of constantly writing software to confirm the identity of a user.
Proof of work: the end of spam?
If you’ve tried sending a bitmessage, one thing you might have noticed is that it needs to do a “proof of work” before the network will accept a message for sending. It takes about a minute on my year-old MacBook Air to do, but the bigger the message is, the more difficult the proof of work becomes.
This isn’t much of a burden, if you’re sending messages only as fast as you can type them, but it becomes a huge drain on computer resources and electricity if you’re trying to send thousands of spam messages. This in itself may make spam uneconomical. Also, having an incentive to keep emails short and to keep attachments to a minimum is a good thing.
There are some legit cases in which you may want to send out a message to a large number of recipients. Some people actually do want to receive updates on projects they’re interested in, for example. Bitmessage allows “broadcasting” for this. Users subscribe to a bitmessage address, and anyone who has the address receives messages broadcast to it, which requires only one proof of work.
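To make the “bigger message, harder proof of work” point concrete, here is an added example (not code from the Bitmessage project) of the target formula and double-SHA512 nonce search as the 2013-era protocol spec describes them; the default parameters (1000 nonce trials per byte, 1000 extra bytes) and the pre-TTL formula are assumptions from my reading of that spec, and the sample message is constructed. It also shows the asymmetry that makes spam expensive: the sender searches, while a relaying node verifies with a single hash.

```python
import hashlib
import struct

# Default difficulty parameters of the 2013-era Bitmessage protocol
# (pre-TTL target formula); taken as assumptions for this illustration.
NONCE_TRIALS_PER_BYTE = 1000
PAYLOAD_LENGTH_EXTRA_BYTES = 1000
NONCE_BYTES = 8  # the nonce is prepended to the payload before sending


def pow_target(payload_len, trials_per_byte=NONCE_TRIALS_PER_BYTE,
               extra_bytes=PAYLOAD_LENGTH_EXTRA_BYTES):
    """Largest trial value the network accepts for a payload of this size.
    The target shrinks as the payload grows, so bigger messages cost more
    hashing; extra_bytes stops tiny messages from being almost free."""
    return 2 ** 64 // ((payload_len + NONCE_BYTES + extra_bytes) * trials_per_byte)


def trial_value(nonce, initial_hash):
    """First 8 bytes of SHA512(SHA512(nonce || SHA512(payload))) as an integer."""
    inner = hashlib.sha512(struct.pack(">Q", nonce) + initial_hash).digest()
    return struct.unpack(">Q", hashlib.sha512(inner).digest()[:8])[0]


def do_pow(payload, trials_per_byte=NONCE_TRIALS_PER_BYTE,
           extra_bytes=PAYLOAD_LENGTH_EXTRA_BYTES):
    """Sender side: count up nonces until one hashes at or under the target.
    Returns (nonce, number_of_hashes_tried)."""
    initial_hash = hashlib.sha512(payload).digest()
    target = pow_target(len(payload), trials_per_byte, extra_bytes)
    nonce = 0
    while trial_value(nonce, initial_hash) > target:
        nonce += 1
    return nonce, nonce + 1


def check_pow(payload, nonce, trials_per_byte=NONCE_TRIALS_PER_BYTE,
              extra_bytes=PAYLOAD_LENGTH_EXTRA_BYTES):
    """Relaying node side: one double-SHA512 decides accept or drop."""
    initial_hash = hashlib.sha512(payload).digest()
    target = pow_target(len(payload), trials_per_byte, extra_bytes)
    return trial_value(nonce, initial_hash) <= target


if __name__ == "__main__":
    # Constructed sample message; low difficulty so the demo finishes instantly.
    msg = b"hello from a constructed bitmessage payload"
    nonce, tries = do_pow(msg, trials_per_byte=2, extra_bytes=8)
    print("nonce", nonce, "after", tries, "hashes; valid:",
          check_pow(msg, nonce, trials_per_byte=2, extra_bytes=8))
    print("default target, 100 vs 10000 byte payload:",
          pow_target(100), pow_target(10000))
```

At the real default difficulty a 10,000-byte payload gets a target roughly ten times smaller than a 100-byte one, which is why a spammer sending thousands of large messages pays for them in CPU time and electricity.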
Addresses are not human-readable
A bitmessage address doesn’t look like an email address or a Twitter handle. In fact, you can’t really pick an address in the same way you did for pretty much every other web service you ever signed up for. Addresses are generated either randomly or deterministically from a user-chosen passphrase.
This is an example of a bitmessage address:
These addresses are not meant to be read and transcribed by humans. To be honest, relying on humans to remember and reliably communicate specific exact strings of characters never worked really well. (E.g. “Was that a one or a lower-case L in your email?” or “Did you mean the numeral ‘6’ or the letters ‘S-I-X’?”)
Even better, it means that we can finally move past “vanity” email addresses. You don’t have to deal with addresses like [email protected]xmail.com and you don’t have to try to think up a dignified user name when signing up for a Gmail to use for applying for jobs when your real name is already taken. We can give up on human-readable addresses and let QR codes and the copy / paste commands take over.
Addresses are “disposable” by design
You can make as many addresses as you like, and by virtue of the fact that they are disposable, you can use one per project / contact / context, and keep track of how other users get your contact info. For example, you might be a member of a message board for Russian political dissidents. You could post a bitmessage address there, and mark in your bitmessage client where you posted it and when, and if you ever received a message on that address, you’d know that ultimately, that’s where the guy got it from. You could trade another address with your family, use another just for a particular school project, or print a QR code for another one on a poster for your indie-music band, etc.
Deterministically generated addresses are an interesting property of the bitmessage protocol as well. Be sure to use a very good passphrase if you want to generate them in this way, otherwise you run the risk of an “address collision,” where you and another person have generated the same address. If this happens, you will receive each other’s messages.
This could be a bug or a feature, depending on how you look at it. I can imagine that a government agency or a company might want to have a copy of all their employees’ communications—one that can’t be deleted in the case of a scandal. You could write a little application for use on company computers that generates addresses, and when it does so, it informs the user, as well as a “listening computer,” which uses an agreed-upon set of passphrases to deterministically generate the same addresses. In this way, a government agency or a department within a company wouldn’t have the option of deleting old emails that would reflect poorly on them, unless they go and delete them on the “listening computer.”
Emails were never really reliable, anyway
Do you remember when Gmail went down for a few hours a couple years ago? I really didn’t know what to do. I was in shock. I went outside, wandered around and reconsidered the priorities in my life.
Gmail, like all email servers, has a single central physical location. This means that if power goes out, or a meteorite strikes, or if climate change floods that location, you no longer have your normal means of communication. It doesn’t happen much, but it could. Bitmessage is a distributed peer-to-peer network, so it doesn’t have the same sorts of vulnerabilities.
Even outside of catastrophes, email is a bit unreliable. Sometimes emails legitimately go missing. Again, not often—it’s usually a user error or a misfiled message. But the fact is, you can’t tell if someone has received a message you sent them, or if the message disappeared into the ether. Automatic spam filters are also common culprits for the loss of email messages.
Bitmessage sends receipts for messages, indicating that the receiver’s client has downloaded the message from the network, but not that she has read it.
Have you tried Bitmessage yet?
Let me know if you do download it and give it a try. Hit me up and we can send secret messages to each other!