[liberationtech] OSS Devs: Talk about metadata!
Tom Ritter
tom at ritter.vg
Mon Jun 10 04:36:54 PDT 2013
On 8 June 2013 22:04, Nadim Kobeissi <nadim at nadim.cc> wrote:
> I want to encourage all the open source, communication and security software developers on this list to start talking about metadata.
>
> 1. Start raising awareness on what metadata is given to your software and how it's handled.
> 2. Don't limit your privacy policy to content but also clarify what's done with metadata.
>
> [Shameless plug] We've already done this at Cryptocat. Our table can serve as a template:
> https://blog.crypto.cat/2013/06/cryptocat-who-has-your-metadata/
Something I would add (there are no comments enabled, or I missed them)
is that most online messaging protocols (XMPP, Email, OTR, IRC,
Cryptocat I think, etc) enable attackers to de-anonymize recipients if
they have a publicly accessible point of contact that accepts data
from unknown senders, and the attacker can watch the network. Stated
more simply, if the Syrian government sends 5MB emails to
syriandissidentXOXO at yahoo.com, they just have to look for who receives
that much data from the appropriate server at appropriate
intervals.[0] This can work over Tor too, although it's a tad more
difficult. This may be obvious to us... but then again, that table is
obvious to us also, we're aiming this at everyone else ;)
The solution is something as complex as Pond (which requires users to
be authorized) or possibly XMPP contact list requests (I'm not
actually sure if those prevent you from sending lots of data to a user
before they accept you.)
-tom
[0] I mention this briefly in https://crypto.is/blog/tagging_attacks,
but owe a better blog post to it.
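The volume-and-timing correlation Tom describes above, as an added example that is not part of the original mail and is not code from Cryptocat, Pond or any real mail server. It is a toy simulation in Python: a server queues mail per mailbox, clients poll it at a fixed interval, and a passive observer on the server's uplink sees only (time, client IP, bytes) per download. The attacker sends 5 MB messages at known times to the pseudonymous mailbox (the size and the mailbox name are the mail's own example) and looks for the one IP whose downloads match. The user list, IP addresses, background message sizes and polling model are constructed assumptions; the `require_contact` switch models the contact-list / Pond-style authorisation the mail suggests, where the server drops mail from senders the recipient has not approved.

```python
"""Volume/timing correlation ("tagging") attack against a pseudonymous mailbox.

Added example, not code from the original mail, Cryptocat or Pond. The server,
mailbox names, client IPs, message sizes and polling model are all assumptions
chosen to make the attack visible in a toy simulation.
"""
import random
from collections import defaultdict

POLL_INTERVAL = 60          # every client fetches its queue once a minute (assumed)
HORIZON = 3600              # simulate one hour
BACKGROUND_MAX = 50_000     # ordinary messages are at most 50 KB (assumed)
TAG_SIZE = 5_000_000        # attacker sends 5 MB messages, as in the mail


class MailServer:
    """Queues bytes per mailbox; clients poll and drain their queue.

    If require_contact is True the server drops mail from senders the
    recipient has not authorised (the Pond / contact-list countermeasure).
    """

    def __init__(self, mailbox_ip, contacts=None, require_contact=False):
        self.mailbox_ip = mailbox_ip            # mailbox name -> client IP
        self.contacts = contacts or {}          # mailbox name -> set of allowed senders
        self.require_contact = require_contact
        self.queue = defaultdict(int)           # mailbox name -> queued bytes

    def deliver(self, sender, mailbox, size):
        if self.require_contact and sender not in self.contacts.get(mailbox, set()):
            return False                        # unknown sender: silently dropped
        self.queue[mailbox] += size
        return True

    def poll(self, mailbox):
        size, self.queue[mailbox] = self.queue[mailbox], 0
        return self.mailbox_ip[mailbox], size


def run_scenario(require_contact=False, seed=7):
    """Return (observations, tags, target_ip).

    observations is what a passive observer between the server and the
    clients sees: (time, client_ip, bytes) per download, with no mailbox name.
    """
    rng = random.Random(seed)
    users = ["alice", "bob", "carol", "dave", "syriandissidentXOXO"]   # constructed
    ips = {u: f"10.0.0.{i + 1}" for i, u in enumerate(users)}          # constructed
    contacts = {u: {"friend"} for u in users}   # everyone has one authorised sender
    server = MailServer(ips, contacts, require_contact)
    target = "syriandissidentXOXO"

    # Attacker injects five 5 MB messages at known times from an unknown address.
    tags = [(t, TAG_SIZE) for t in (300, 900, 1500, 2100, 2700)]
    # Each client polls every POLL_INTERVAL seconds with its own phase offset.
    phase = {u: rng.randrange(POLL_INTERVAL) for u in users}

    observations = []
    for t in range(HORIZON):
        # background mail from an authorised contact, small and random
        if rng.random() < 0.05:
            server.deliver("friend", rng.choice(users), rng.randint(500, BACKGROUND_MAX))
        for tag_t, size in tags:
            if t == tag_t:
                server.deliver("attacker", target, size)
        for u in users:
            if (t - phase[u]) % POLL_INTERVAL == 0:
                ip, size = server.poll(u)
                if size:
                    observations.append((t, ip, size))
    return observations, tags, ips[target]


def correlate(observations, tags, window=POLL_INTERVAL):
    """Score each client IP by how many tags it visibly 'received' in time.

    A tag counts as received if a download at least as large as the tag is
    seen from that IP within `window` seconds after the tag was sent.
    """
    by_ip = defaultdict(list)
    for t, ip, size in observations:
        by_ip[ip].append((t, size))
    scores = {}
    for ip, downloads in by_ip.items():
        scores[ip] = sum(
            any(tag_t <= t <= tag_t + window and size >= tag_size for t, size in downloads)
            for tag_t, tag_size in tags
        )
    return scores


def identify(scores, min_hits):
    """Return the IP matching at least min_hits tags, or None if no clear match."""
    best = max(scores, key=scores.get, default=None)
    if best is None or scores[best] < min_hits:
        return None
    return best


if __name__ == "__main__":
    obs, tags, target_ip = run_scenario()
    scores = correlate(obs, tags)
    print("open mailbox :", scores, "->", identify(scores, len(tags)), "target", target_ip)
    obs, tags, _ = run_scenario(require_contact=True)
    scores = correlate(obs, tags)
    print("contact-gated:", scores, "->", identify(scores, len(tags)))
```

With the mailbox open to unknown senders, the target's IP is the only one whose downloads reach 5 MB in the minute after each tag, so it matches all five tags and every other IP matches none. With `require_contact=True` the attacker's messages never reach the queue, nothing on the wire matches the tags, and `identify` returns `None`. In the real attack the observer also has to cope with Tor, batching and client jitter, which widens the window and raises the number of tags needed, but the correlation logic is the same.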