Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying

The best hope of shielding your metadata from the NSA was invented by a middle-school dropout in his spare time.
usspy
Shadow of businessman spying on colleague using computerGetty

The National Security Agency has some of the brightest minds working on its sophisticated surveillance programs, including its metadata collection efforts. But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts.

Prompted by Edward Snowden's revelations about the government's intrusive surveillance activities, loosely knit citizen militias of technologists and security professionals have cropped up around the world to develop systems to protect us from government agencies out to identify us online and grab our communications.

John Brooks is now among them.

Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata---the "to" and "from" headers and IP addresses spy agencies use to identify and track communications---long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he'd made Ricochet's code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

>"Ricochet is idiot-proof and anonymous."

Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists's sources and others. It's not just these kind of people whose privacy is harmed by metadata, however; in 2012 it was telltale email metadata that helped unmask former CIA director and war commander General David Petraeus and unravel his affair with Paula Broadwall.

With metadata suddenly in the spotlight, Brooks decided earlier this year to dust off his Ricochet program and tweak it to make it more elegant---he knew he'd still have a problem, however, getting anyone to adopt it. He wasn't a known name in the security world and there was no reason anyone should trust him or his program.

Enter Invisible.im, a group formed by Australian security journalist Patrick Gray. Last July, Gray announced that he was working with HD Moore, developer of the Metasploit Framework tool used by security researchers to pen-test systems, and with another respected security professional who goes by his hacker handle The Grugq, to craft a secure, open-source encrypted chat program cobbled together from parts of existing anonymity and messaging systems---such as Prosody, Pidgin and Tor. They wanted a system that was highly secure, user friendly and metadata-free. Gray says his primary motivation was to protect the anonymity of sources who contact journalists.

"At the moment, when sources contact a journalist, they're going to leave a metadata trail, whether it's a phone call record or instant message or email record [regardless of whether or not the content of their communication is encrypted]," he says. "And that data is currently accessible to authorities without a warrant."

When Brooks wrote to say he'd already designed a chat program that eliminated metadata, Gray and his group took a look at the code and quickly dropped their plan to develop their own tool, in favor of working with Brooks to develop his.

"He writes incredible code," Gray says, "and really thinks like a hacker, even though he doesn't have a security background."

Brooks, who moves around a lot but currently resides with his parents in Utah, has been working as a contract software engineer developing a Linux-based smartphone for the Finnish firm Jolla.

Why It May Be Better Than the Competition

Although a number of encrypted communications solutions already exist for email and chats, many are not entirely secure or are difficult to use. What's more, few solutions purport to eliminate the metadata problem. Ricochet's absence of metadata, and its ease of use, means it has a good chance of going mainstream in a way others have not.

Wickr, for example, is a competing encrypted chat program that doesn't preserve the communication or metadata of users, so there's nothing recorded by default for spy agencies or law enforcement to collect from Wickr with a court order. But unlike Ricochet, it uses central servers to transmit the communication, which Brooks says make users vulnerable to timing attacks. Anyone tapping the connections to Wickr's servers could conceivably map the parties who are communicating and establish relationships between them.

>Ricochet's absence of metadata, and its ease of use, means it has a good chance of going mainstream in a way others have not.

"[I]ntel agencies can watch the traffic going in and out, and just the timing of those messages will probably be enough to tell you which IP address is talking to this IP address," Brooks notes.

Wickr CEO Nico Sell says the company has implemented a number of solutions, including proprietary ones that she declined to identify, that prevent timing attacks from occurring. So far, however, Wickr is only available for the mobile platform, though Sell says they're expanding to other platforms soon.

Tox is another solution that isn't ideal in its current state. A protocol developed by members of the 4Chan forum, it uses peer-to-peer technology to securely transmit files, text, and voice communication. But it has at least one problem.

"Tox pushes [secure communication] forward in that there's not really a central server...but as it's currently designed, it allows a direct IP-to-IP connection [that can be tracked]," says Gray. "That's the problem with this whole anonymous space. Nine out of ten people who are trying to do it don't really know what the problem is. The problem is metadata."

Brooks says he's surprised it has taken this long to address the metadata problem; though given that user-friendly email encryption is still something developers have yet to perfect, it perhaps shouldn't be a surprise.

"We should have had [content encryption] figured out fifteen years ago," he says. "It's embarrassing as a securing industry that...we're scrambling to [get it right] now. But the metadata is something fairly new and very challenging and something we're only figuring out now."

How Ricochet Works

To build Ricochet, Brooks patterned his program on something that already existed---TorChat, a peer-to-peer instant messaging program released in 2007 that used Tor hidden services to transmit communications. TorChat had a number of implementation problems when it came out, however, and has largely been abandoned by users and its developers. Brooks vastly improved the concept.

Ricochet doesn't communicate with central servers like Wickr and doesn't allow direct connections like Tox. Instead, each desktop client operates as a Tor hidden service and uses the Tor network to transmit encrypted and anonymous communication. The client generates a random 16-character public key or ID to authenticate the user and establish the channel for secure communication in a simple way that doesn't require users to install Tor separately. Generating the public key occurs with a single click, and the key is stored on the user's machine, or on a USB drive so a user can communicate with Ricochet from different machines.

"It is idiot-proof and anonymous," says Gray.

When someone wants to communicate with another Ricochet user, their client reaches out through the Tor network to arrange a rendezvous point. The client first connects anonymously via three hops to a Tor relay, which doesn't know where the connection originated. That relay looks up the other person's Ricochet client ID---published by the person in their Twitter profile or email signature---and obtains a list of other Tor relays that can be used to reach out to the other party's Ricochet client---a list that changes every 24 hours. When the message reaches the other Ricochet client indicating a neutral relay for the rendezvous, the two clients meet there to exchange communication. But at any time, there are at least six relays between the two users, three on each side.

"At no point do you ever contact anyone directly," Brooks says. "There is no way you could find my IP address or anything about who I am or where I am. [A]nd the rendezvous point in the middle can't find out anything about either of us."

The first relay is the only one that knows your IP address, but it doesn't know the ID of your Ricochet client and can't match your IP address to that ID. It also doesn't know the Ricochet ID of the person you're trying to contact. That only gets revealed to the relay three hops down the line from you, which peels off a layer of the Tor encryption to reveal the ID.

"If you have two people communicating and someone is [passively] monitoring one or the other party, this will protect them," Moore says. "Unless someone is [directly] monitoring that person and you at the same time, it will be very hard to identify the communication."

>"At no point do you ever contact anyone directly," Brooks says. "There is no way you could find my IP address or anything about who I am or where I am."

Ricochet is already available for download as a binary. But Brooks has been revamping the custom protocol Ricochet uses to make it more secure before they release a new version in November. Invisible.im recently got $10,000 from Blueprint for Free Speech, an Australian non-profit, to fund Brooks' development costs and with that group as a fiscal sponsor now, Invisible.im can also apply for grants as an NGO.

The new version of Ricochet they plan to release in November will use the revamped protocol and have a file-transfer feature. Although the code hasn't undergone a proper security audit yet, the group is negotiating with a code-review firm to run a scan on the completed program, and they plan to conduct a full security audit once the revamped protocol is done. They don't anticipate any surprises, though.

"John writes good code, so we're not expecting a horror show," Gray says.

They also eventually want to add another layer of encryption on top of the existing Tor encryption---given that the NSA has reportedly been trying for years to crack Tor---as well as more features to authenticate users.

When it's all done, Gray says Ricochet will have "meaningfully" advanced the state of communications privacy.

He notes that their aim, however, isn't to stop the NSA from tracking legitimate national security threats but to simply prevent people "from leaving vast trails" of what should be considered private data.

"It's a matter of being able to have some confidence that a conversation you're having is private. If the NSA is already targeting you, you're screwed," he says, because the NSA likely already knows who you are and has compromised your computer. "But this is about stopping the wholesale violation of privacy and making it harder for people who shouldn't have access to this information from having access to it."