Freitag, 5. Juli 2013

In Sensr We Trust

Open letter to Adam Beguelin

founder and CEO of,

I have already covered and promoted your service in my personal blog (German text, use the translation service on the right).
I have some thought I'd like to share with you.
These subjects will be covered:
  1. two factor authentication
  2. basic access protection
  3. end-to-end encryption
  4. local cloud platforms on secure infrastructure

It may seem a little bit pardoxical that I use the most open form of communication in order to write about the sensitive subject of privacy. But I believe that it's a good idea to talk about the principles of freedom, privacy and security in public.
Source: Wikipedia
When everybody has reviewed your data protection concept and agreed on it's high level of security -  then they are more than willing to use your service to hide away their personal, sensitive content without any dangers from the public.

Furthermore it's the 5th of July and the 4th of July has just passed away. This is a very appropriate date to think about restoring the 4th amendment of the US constituion. I won't just give my two cents on this subject. I'll even give five cents. Especially since there is a stamp with Benjamin Franklin on it.

A lot my fellow German citizens are deeply concerned about what they learned about PRISM and the NSA's collection of data. Since I wouldn't consider Kim Dotcom as the usual German and I hadn't thought that I ever, ever would quote him in another than in a despicable way, I have to admit that he made some really good points on this subject in the Guardian's commentary.

A person with a much better reputation is founding father Benjamin Franklin. He said/wrote:

"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

From this perspective it's easier to understand, why especially Germans are very concerned. They already established, suffered and abolished two totalitarian systems where its citizens under total surveillance. From time to time there are more Germans who learned their lessons. I hope that we already reached a critical mass for continous and sustainable insight without the necessity to relive a third Third Reich.

And this is the point where your great invention get's into this play: Sensr.
"Watch your stuff" is about safety/security for the masses. Knowing that my stuff is securely watched gives me the opportunity to enjoy the freedom of leaving my home/office carelessly. Being able to move around freely is the essence of freedom. The most common place without this freedom is called jail.

But now we learned that the NSA has a backdoor to Google's, Facebook's other servers. Well - Amazon isn't on this list, but I cannot believe that they weren't blackmailed convinced into cooperation with the administration as well. Amazon's S3 service is the where Sensr's very sensitive data is stored. This data contains pictures of your children, your customers, your employees and yourself - and of course, your stuff.

If a data-thief - a criminal, stalker, child abuser or a spy from the US or foreign government succeeds in obtaining access to a Sensr Account, he would have a direct and untraceable video link to your most private area. For instance a jewellery store whose owner thought it would be a good idea to use Sensr to have its surveillance video securely stored in the cloud. In fact, this is a very good idea. But even a good idea can be improved.
I lay my trust into you, Adam, and your company. I still think that you really care about privacy. But in my opinion and my mediocre level of technical understanding Sensr just offers medium security. This is what you disclose in your FAQ:

How secure are the images?

Once public, the pictures of your crack can be
accessed even if you switched your camera's
account from public to private mode. This picture
is just an example. There are much more revealing
pictures accessible on Sensr.
Currently, we don't encrypt or password protect the images that we store for you. However the URL itself is generated using a cryptographic hash, meaning it's virtually impossible for someone to guess the URLs for your images. This means that it's possible for anyone to view the images if they have the URL to the image, even for private cameras. This means that you should not share the image URLs if you don't want others to see the images.
So every frame of the recorded videos can be obtained by anyone who knows its URL. OK - the URLs are rather complex and hard to guess. The protection layer is your middleware database where the URLs of the single images are linked to a single camera and brought into the right sequence.

One factor is the user itself. I've already contacted two other Sensr users who obviously had left their cam on public while having set up their camera in their living rooms. One was a ship captain who was very surprised and thanked me for this information. The other one had hidden his cam in order to spy on his female host. He felt guilty and simply turned his cam private mode without any answer. Unfortunately the URLs of the revealing pictures URLs were still in my Browser's history. How the people use the technology shouldn't be judged or controlled by Sensr or anybody else - except local jurisdiction. So even if a producer of private adult entertainment decides to use Sensr in order to record inappropriate videos, he expects Sensr to effectively protect these sensitive recordings as soon as he switches his cam to private.

This can be achieved by at least 4 (or more) steps.


Step one: two factor authentication

To avoid a direct attack on a Sensr user's password, you already confirmed that a two factor authentication is already on your future feature list. That's great.

But a data-thief could also make a brute-force attack on your S3-storage, hack into your mapping-database or break your crypto algorithm.
Your personal track record, Adam, shows how technology could help with these kind of attacks. At Truveo you and your team developed advanced video analysis algorithms in order to achieve ingenious things like identifying a special for a search engine.

With this power your team made a big leap on the way to software capable of passing the Turing test because it can gather information on a much deeper level than former machines could. It's an important module of the computer which was faked for the motion picture Eagle Eye.
Well, when advanced picture analysis and raw computing power are these days easily avaible on cloud computing platforms like Amazon's AWS, Microsoft's Azure or other PaaS-providers (German link). This lowers the bar for penetrating Sensrs security walls a lot.
This is a very serious threat to Sensr's business model. If customers don't believe that their data is stored securely, Sensr wouldn't differ much from YouTube. In fact YouTube's level of protection is even a little bit higher since you could switch a recorded video to private. Just from this second nobody else can access your files - except Google's admins and the US-government.

How can Sensr raise the level of trust?


Step two - basic access protection

This step would be to get level with YouTube's level of file protection. Give up the old storage model and develop a secure mode where every frame's access requires successful authentication (two factor authentication - if demanded).
But you could still move a further beyond this point.

NSA doesn't only steal private data but logos too (source)


Step three - end-to-end encryption

Support end-to-end encryption of the stored data. Find a way how the files stored on your servers can be encrypted with strong encryption as in EncFS. The crypto key would be only stored on your customer's systems. So he can be sure that neither a bastard operator from hell at Sensr or anyone else could easily browse through his private recordings.

Sure - the customers would have to give up features that rely on Sensr's server based analysis as YouTube sharing, public sharing, motion detection or the storage saving drop of files where no change from one frame to another had been detected. These features would be normally unusable. But that wouldn't be a loss. Private cams have a completely different use case than public cams. So most users of this segment wouldn't miss these features a lot. I assume that they even are willing to pay more than the other user group.

But they still could use them. They only have to be simply transferred to the local device. My Axis webcam supports this analysis. I only lack the encryption layer between my cam's FTP Client and your storage service. When retrieving the pictures my local crypto keychain must somehow be used by my web browser in order to decrypt the stored files. This feature is implemented in Kim Dotcom's new filesharing service . But since his service is still threatened to be taken down because of copyright violations I wouldn't trust his infrastructure.


Step four - trusted, local platforms and infrastructure

Support local, trusted infrastructures - but as cloud services.
I consider the remote cloud-based recording as the essential USP of Sensr against local recording solutions as Synology's NAS based Surveillance Station. A burglar who already got into your house can easily destroy or even steal your NAS server along with your webcam and other precious belongings.  Sensrs software has some really cool and advanced features - but the underlying US-based infrastructure has lost a lot of reputatio inside and outside the US.
What if a Sensr user could choose from different options? One could be a local storage service in his home country. Being in Canada, New Zealand, Ireland, GB, France or Germany he would supposedly trust his local data centers more than a foreign one. Maybe he wouldn't even directly sign his service contract directly with Sensr.
A local provider could use the Sensr Middleware as a white label/franchise platform and offer a local service in strict compliance with local laws concerning data privacy, data security and infrastructure security. Here in Germany, it could be a service like with its open API that could be a perfect platform-as-a-service partner for Sensr.

As secure as Gringott's

With the steps
  1. two factor authentication
  2. basic access protection
  3. end-to-end encryption
  4. local cloud platforms on secure infrastructure
Sensr could become as secure as Gringott's bank in Harry Potter's world - and would be secure enough to provide corporate level camera surveillance even for this institute itself. Nobody but the owners would know what's inside and nobody else could access the safe deposit lockers. OK, nobody but a fictional character invented by a British muggle bestselling author using a lot of magical tricks which can't be performed in our real world.

I'm aware or at least I suppose that these things would have big impact on Sensr's software architecture and couldn't be achieved without a groundbraking redesign.
Gayforce guys protecting Gringotts?
I even have to admit that the business case for these kind of very secure services is very risky. Would there be a return on invest? Or even worse - would a more secure Sensr be considered as a threat and treated like the providers of VPN services, who got cut off their main cash collection service. There are even legal issues concerning strong cryptography . Since they can't rely on genius minds like Alan Turing who's team broke the code of the Enigma (German link, translation needed) some countries like Russia and France simply had banned strong cryptography and the US-government still considers it as a weapon of mass protection. I am questioning this profoundly. A gun is a weapon. The gayforce-bomb might have been a weapon. A lock isn't a weapon - it's a harmless defensive tool (as long it's not part of a jail).

I personally consider Ed Snowden as a hero (German content, use translation). Well, it's up to you if you're willing to take these kind of risks, especially since they're much lower than the one a real NSA whistleblower has to face. You have the chance to develop your service platform a lot further than today's products on the cloud market.
It's highly probable that this letter contains so many keywords
that it will show up on an NSA agents screen.
Since it's the 5th of July this is a good day to look forward and see what comes after Independence: Security and Freedom.

When I play around with Benjamin Franklin's quote about freedom and safety:
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

 than it says

"They who obtain a little more safety, can enjoy more essential liberty, because WE THE POEPLE deserve liberty AND safety."
I think that you have to agree that this open letter doesn't reveal any secrets. None of the concepts are new - but nobody had taken the steps for a real world implementation. Until now - as I know.
I would be really happy to see Sensr as a pioneer in this field.
A faithful customer from Germany

I thank Markus Lauber for his great grammar and typo support.

0 Kommentare:

Kommentar veröffentlichen