Laptops could betray users in the developing world

IN JANUARY, a court in Mazar-e-Sharif, Afghanistan, sentenced a young journalism student to death. Sayed Pervez Kambaksh's crime was to download and distribute a document about Islam and women's rights to his fellow students at Balkh University in Mazar, an action that the court considered blasphemous. Despite widespread international condemnation, the Afghan Senate later passed a motion confirming the death sentence.

Kambaksh was caught because some of his fellow students reported him to the authorities. But oppressive governments could soon have a simple way to track the internet activity of their citizens directly, potentially paving the way for many more such cases.

For security reasons, sensitive data sent over the internet, such as that used for online banking transactions, is digitally signed at source with a signature that can be traced to the user's computer. This helps validate their identity and guard against fraud. The system is known as non-repudiation, because the person creating the digital signature can reasonably be assumed to be the source of the sensitive data and, in a fraud case, for example, cannot repudiate this.

If this system were to become the default setting for all traffic on a network, there would be nothing to stop authorities from tracing the source of any online activity, says Len Sassaman, a computer security researcher at the Catholic University of Leuven (KUL) in Belgium. Users would be stripped of their anonymity and authorities could identify anyone that criticised them. "If countries like Afghanistan were to switch to a system where the user cannot refute any action they took on the internet, I suspect we'll see more cases like Kambaksh's," says Sassaman.

Now Sassaman and his colleague Meredith Patterson at the University of Iowa in Iowa City claim a prominent philanthropic organisation is inadvertently in the process of introducing just such a system across the developing world.

The One Laptop per Child foundation (OLPC), the brainchild of Nicholas Negroponte, hopes to provide children around the world with a cheap laptop, called the XO, and access to the internet. But rolling out internet-ready laptops to inexperienced users across the developing world poses a huge security problem, not least because the devices could easily get stolen.

To minimise this risk, the OLPC security team, formerly led by Ivan Krstić at Harvard University, developed the Bitfrost security model. Bitfrost has garnered praise from security experts around the world for its innovations, such as its anti-theft system, P_THEFT. Each laptop automatically phones an anti-theft server each day, sending its serial number. The server responds with an activation lease, valid for the next 24 hours. Any laptop that has been reported stolen is denied activation and becomes a useless lump of plastic and metal. While this will discourage theft, Sassaman and Patterson think there is a crucial element missing from the Bitfrost security model - personal privacy.

Because the XO laptops will often be used in areas with limited internet connectivity, the OLPC team chose to use a mesh network, in which all XO computers in the region act as nodes. This means a message might pass through many XOs before it reaches its target, so each one is digitally signed to authenticate its source. While it is possible to use a digital signature that simply confirms the device is legitimate without identifying it, Bitfrost uses non-repudiable digital signatures. These can be traced to a specific laptop and - since children must register their details with a central database on taking possession of their XO - an individual child.
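The distinction drawn above, between a signature that any third party can trace to one registered laptop and an authenticator that only confirms a device belongs to the network, as an added Python illustration (not OLPC or Bitfrost code): the device names, the registration database and the shared-key tag are constructed for the demo, and the shared-key tag is only a simple stand-in for the membership-proving techniques the article alludes to, not the scheme Sassaman and Patterson are designing.

```python
"""Added illustration (not OLPC/Bitfrost code). Lamport one-time
signatures are used so the demo runs with only the standard library."""
import hashlib, hmac, secrets

def H(b): return hashlib.sha256(b).digest()

def lamport_keygen():
    # Private key: 256 pairs of random preimages; public key: their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def lamport_sign(sk, msg):
    # One-time signature: for each bit of the message digest, reveal one preimage.
    bits = int.from_bytes(H(msg), "big")
    return [sk[i][(bits >> (255 - i)) & 1] for i in range(256)]

def lamport_verify(pk, msg, sig):
    bits = int.from_bytes(H(msg), "big")
    return all(H(sig[i]) == pk[i][(bits >> (255 - i)) & 1] for i in range(256))

def attribute(registry, msg, sig):
    """What any third party holding the registration database can do with a
    non-repudiable signature: name the device whose public key verifies it."""
    return [dev for dev, pk in registry.items() if lamport_verify(pk, msg, sig)]

def group_tag(group_key, msg):
    # Membership-only authenticator: every member holds the same key, so a
    # valid tag shows "some member sent this" but identifies none of them.
    # (Any member could also forge a tag, which is why real designs use
    # stronger constructions; this is only a stand-in for the contrast.)
    return hmac.new(group_key, msg, hashlib.sha256).digest()

def demo():
    # Constructed sample: two XO-style devices registered with a central database.
    keys = {dev: lamport_keygen() for dev in ("XO-A", "XO-B")}
    registry = {dev: pk for dev, (sk, pk) in keys.items()}
    msg = b"relayed mesh message"
    sig = lamport_sign(keys["XO-A"][0], msg)
    attributed = attribute(registry, msg, sig)   # the signer, and only the signer
    # Same message under a group-shared key: tags from A and B are identical,
    # so an observer cannot tell which member produced it.
    gk = secrets.token_bytes(32)
    indistinguishable = hmac.compare_digest(group_tag(gk, msg), group_tag(gk, msg))
    return attributed, indistinguishable

if __name__ == "__main__":
    print(demo())
```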

"If a government happens to be monitoring, perhaps by inserting itself into the network between two XOs, it can prove to the world that the communicating parties said what they said," says Sassaman. Then, taking advantage of the P_THEFT system, the government could silence the user by simply denying their laptop a new activation key.

Steven Murdoch, a privacy and security researcher at the University of Cambridge, says that Sassaman and Patterson have made a useful contribution to the Bitfrost model. "What I found most surprising about the Bitfrost specification is that it doesn't appear to consider governments as a risk to security," he says.

Simson Garfinkel, a former security consultant for OLPC, dismisses the claims. He says Bitfrost does not use the signature to track user activity, adding that the model was intensely scrutinised by security experts after it was developed.

"It's an issue of intent versus possibility," counters Sassaman. "They may not intend for the signatures to be used for non-repudiation, but it's possible to use them for this purpose."

That won't be an issue, says Ricky Greenwald, a clinical psychologist and founder of the Child Trauma Institute in Greenfield, Massachusetts. Governments won't need to monitor the internet activity of 5- to 10-year-olds. "Children that age are more likely to use their computer for games and schoolwork," he says. It's very unlikely that a child's laptop would be deactivated by an oppressive regime, he says.

Sassaman disagrees. "Remember where these computers are being deployed," he says. "We have 11-year-olds in some of these countries being drafted as child soldiers. Why would we not want to give them the ability to whistleblow?"

Furthermore, Sassaman points out that it is unlikely that XO laptops will be used by children alone. "The OLPC project is laying the groundwork for a major network across the Third World," he says. "It's rather short-sighted to think that this would be limited to children, or to education." With rumours that an adult XO programme is in development, it is important to tackle security issues now, he says.

To this end, Sassaman and Patterson are working on a modified version of Bitfrost that will allow XO laptops to identify each other without eroding the privacy of their users. Their work is at a preliminary stage, but will be based on existing cryptographic techniques that cannot be used for non-repudiation.

With recent changes at the OLPC project it remains to be seen how widely Bitfrost will be installed in the XO laptops (see "Education, or just the laptop?"). The security system was designed to run alongside the Linux operating system and the experimental Sugar graphical user interface developed for the project. Last month, however, OLPC announced that the latest XO laptops will run Windows XP, although the foundation said the machines will eventually be able to run both operating systems. So far, there are 1000 XOs in Mongolia and 8000 in Uruguay using Bitfrost, with thousands more due to be delivered this year. Other countries that have agreed to buy XOs include Peru, Libya, Nigeria and Rwanda.

Meanwhile Walter Bender, the former president of software and content at the OLPC, has begun talks with a number of ultra-low-cost laptop manufacturers that might see Sugar deployed on non-XO laptops in the near future. "Bitfrost is a far-reaching design," Bender says. "Much of it is of general use, and aspects of Bitfrost will be folded into the Sugar efforts."

Sassaman welcomes this development. "Don't get me wrong, Bitfrost is a highly ambitious project. It's an application of lessons learned in software security and in that respect it has done a great job," he says. "They just happened to overlook a significant issue - user privacy. But those problems can be fixed without changing the goals of Bitfrost."

At the time New Scientist went to press, after four months of international pressure, the Afghan authorities appear to be on the verge of freeing Kambaksh. With modifications to Bitfrost, Sassaman and Patterson hope that, in similar cases, at least people's computers won't betray them.