PhD Thesis Proposal for Sarah Cortes

Northeastern University
College of Computing and Information Science (CCIS)
Information Assurance Program

September 14, 2015, 2pm
177 Huntington Avenue, 11th floor conference room
Northeastern University, Boston MA, USA

Jurisdictional Arbitrage: Quantifying and Counteracting the
Invisible Web of Lawful Intercept Cartel Threats in the
Tor Anonymous Communications Network


Figure 1. The MLAT.is tool.
“The US-Germany MLAT is the first United States MLAT to include special investigative techniques among permissible types of assistance. Specifically, Article 12 establishes that the Parties may use telecommunications surveillance. . . It is typical of our over 50 MLATs with countries around the world...It has several innovations, including provisions on special investigative techniques, such as telecommunications surveillance…”[84]

- Statement of Mary Ellen Warlow, Director, Office Of International Affairs, Criminal Division, US Department of Justice: Hearing on Law Enforcement Treaties Before the Senate Committee On Foreign Relations, 109th Cong. 10, November 15, 2005

“[We] recommen[d] that LEAs and governments...improve existing MLATs so that...they cover evolving IP-based communications services…includ[ing]...interception of electronic communications,...both communications content and communications data...” [127-131]

- “Global business recommendations for Lawful Intercept requirements, Using MLATs To Improve Cross-Border Lawful Intercept Procedures, International Chamber of Commerce (ICC) recommended in Global Network Initiative, Data Beyond Borders: Mutual Legal Assistance in the Internet Era,” [key funders: Google, Microsoft] January 28, 2015

Figure 2. GNI Key Funders, GNI 2014 Annual Report [135]

Abstract:

Network security attacks on the Internet have long compromised user security. Whether users realize it or not, some or all of their personal data and communications are vulnerable to access by third parties through many documented attacks, for example, through spyware. Governments may attack individual privacy, anonymity, and security for legitimate purposes, such as investigating criminals, or less legitimate purposes, such as silencing political opponents. But those same governments have other, potentially more threatening, means of attack at their disposal to compromise network security. For example, through lawful intercept (LI), they can dispense altogether with spyware, and simply record all traffic passing through network elements located in their jurisdiction.

Users of anonymous communications networks like Tor seek to ensure privacy and anonymity. While Tor has proven valuable, which is why some governments censor its use, and despite years of research, today’s anonymous communication systems are still vulnerable to passive deanonymization attacks orchestrated by powerful adversaries, such as Government Intelligence Agencies (GIAs).

This dissertation will investigate whether it is possible to quantify trust in anonymous communication networks through metrics that are quantifiable, measurable, and readily available for all, or a significant subset of all, countries of the world. It will identify five LI threat or “hostility” factors, including Mutual Legal Assistance Treaties (MLATs), which can indicate governmental risk to network communications through lawful intercept attacks. It will identify, document and classify thousands of MLATs, examine case law, as well as deep involvement by CSPs like Google and Microsoft in their use.

Having gathered data pertaining to these factors into a database, this dissertation will use them to develop metrics and algorithms that can be applied to real-life networks, for example, undersea cables. It will explore quantifying and counteracting threats raised by these factors by empirically examining the public Tor network and the pattern of MLATs through graph theory analysis. Finally, I include a tool, MLAT.is, which will incorporate a scalable service providing accurate predictions of worldwide LI threats.

Overview:

Network security attacks on the Internet have long compromised user security. Whether users realize it or not, some or all of their personal data and communications are vulnerable to access by third parties through many documented attacks, for example, through spyware. Governments may attack individual privacy, anonymity, and security for legitimate purposes, such as investigating criminals, or less legitimate purposes, such as silencing political opponents.

But those same governments have other, potentially more threatening, means of attack at their disposal to compromise network security. For example, through lawful intercept (LI), they can dispense altogether with spyware, and simply record all traffic passing through network elements located in, or passing through, their jurisdiction.

Users of anonymous communications networks like Tor seek to ensure privacy and anonymity. While Tor has proven valuable, which is why some governments censor its use, and despite years of research, today’s anonymous communication systems are still vulnerable to passive deanonymization attacks orchestrated by powerful adversaries, such as Government Intelligence Agencies (GIAs). Existing work underestimates the threat posed by country-level attackers, since current models fail to account for legal analysis as well as technical analysis for collusion between allied countries via their legal jurisdiction over Internet resources. Further, existing proposals for improving anonymity systems are too abstract to be deployed. Many proposals call for incorporating “trust” into anonymous path creation algorithms, but none of these works define a quantifiable metric for ascertaining real-world trust.

We propose to investigate whether it is possible to quantify trust in anonymous communication networks through metrics that are quantifiable, measurable, and readily available for all, or a significant subset of all, countries of the world. We identify five LI threat or hostility factors, which can indicate the governmental risk of lawful intercept attacks on network communications. We propose to gather data pertaining to these factors into a database.

We propose to investigate, firstly, whether graph theory and tools can help analyze traffic flow in anonymous communications networks like Tor, identify jurisdiction-related vulnerabilities, and suggest solutions to improve them. For example, measures of centrality may reveal traffic concentration on a circuit path, where governments may optimally target lawful intercept attacks. Diffusing centrality could mitigate LI vulnerability by suggesting alterations to the path selection algorithm.

One of the five hostility factors we identify is Mutual Legal Assistance Treaties (MLATs). MLATs are a little-noticed legal tool that links countries of the world in an invisible web of interlocking law enforcement cartels. We propose to investigate, secondly, whether graph theory and tools may also be applied to analyze the MLAT network and better understand its characteristics.

In addition to being a possible trust factor for undermining user confidence in online security, privacy and anonymity, MLATs provide their own attack vector for anonymous communications networks. MLATs enable legal pressure on CSPs worldwide, and so offer a significant vector to attempt to “break” Tor or its underlying encryption. Legal pressure on CSPs like Facebook and Google by foreign governments to locate surveillance-enabled servers in their countries has led them to become deeply involved behind the scenes in the automation of remote global surveillance through MLATs. Industry groups, like the International Chamber of Commerce (ICC), seek to incorporate technical standards for automated surveillance LI into MLATs, through remote “dynamic triggering.” A multi-stakeholder group, the Global Network Initiative, funded principally by Microsoft and Google, announced on January 28, 2015 its public policy agenda, “Data Beyond Borders: Mutual Legal Assistance in the Internet Era,” which sets forth a strategy to further shape MLAT policy. This dissertation will explore the concerns raised in this and other documents by empirically examining the pattern of MLATs through a graph theory analysis.

We propose to create the first database of international MLAT treaties by identifying, documenting, and classifying thousands of MLATs. We further propose the first analysis of MLATs to determine their actual impact on LI. We propose to investigate two vectors to accomplish this task. First, a thorough review of MLAT case law. Second, an investigation into how Google and Microsoft have become deeply involved in MLATs to further implementation of LI dynamic triggering, through international standards bodies such as the European Telecommunications Standards Institute (ETSI), for example in ETSI 102 877.

We propose to construct a tool, MLAT.is, to analyze and map MLAT connections, and provide a means to understand their impact. We propose to incorporate the data and research results into our lawful intercept trust metrics to help better understand lawful intercept risk to network security, privacy and anonymity. Diffusing MLAT risk could also mitigate LI vulnerability, again, by suggesting alterations to the path selection algorithm.

Returning to our five hostility factors as a whole, we propose to develop unique metrics to quantify country hostility risk and circuit hostility risk. We propose to use the results of our evaluation, along with the results of our two-pronged graph theory analysis, to propose novel path selection algorithms to improve security, privacy and anonymity.
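A small illustration of the graph analysis and circuit scoring proposed above, added here and not taken from the proposal or from MLAT.is. The treaty list uses constructed placeholder jurisdictions, and the exposure score (based on how closely the guard and exit jurisdictions are linked by treaties) is an assumed stand-in for the proposal's circuit hostility metric, which this page does not define.

```python
from collections import defaultdict, deque

# Constructed sample data: placeholder jurisdictions, not real treaty records.
MLATS = [("A", "B"), ("B", "C"), ("A", "C"), ("C", "D"), ("E", "F")]

def build_graph(treaties):
    """Undirected MLAT graph: an edge means the two jurisdictions share a treaty."""
    graph = defaultdict(set)
    for a, b in treaties:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def degree_centrality(graph):
    """Share of the other jurisdictions each one is directly linked to."""
    n = len(graph)
    return {v: len(nbrs) / (n - 1) for v, nbrs in graph.items()}

def mlat_distance(graph, src, dst):
    """Fewest treaty hops between two jurisdictions (BFS); None if unlinked."""
    if src == dst:
        return 0
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt == dst:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None

def circuit_exposure(graph, circuit):
    """Assumed score: 1/(1+d) for guard/exit treaty distance d, 0.0 if unlinked."""
    dist = mlat_distance(graph, circuit[0], circuit[-1])
    return 0.0 if dist is None else 1.0 / (1 + dist)

def least_exposed(graph, circuits):
    """Pick the candidate circuit whose guard and exit are least linked."""
    return min(circuits, key=lambda c: circuit_exposure(graph, c))

GRAPH = build_graph(MLATS)
# Each circuit lists the jurisdictions of its (guard, middle, exit) relays.
CANDIDATES = [("A", "E", "B"), ("A", "B", "F"), ("C", "E", "D")]
if __name__ == "__main__":
    print(degree_centrality(GRAPH))
    for c in CANDIDATES:
        print(c, circuit_exposure(GRAPH, c))
    print("selected:", least_exposed(GRAPH, CANDIDATES))
```

In this constructed graph, jurisdiction C is the most central node, and the selected circuit is the one whose guard and exit sit in treaty clusters with no path between them.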

We propose to incorporate all the elements of our research back into the MLAT.is tool, make it publicly available, and work with US NRL and Tor to implement the results in the Tor network.

Contributions:

Keywords: Anonymous networks, graph theory, internet communications, network security, privacy, anonymity, Mutual Legal Assistance Treaties (MLATs), surveillance, Lawful Intercept, Tor.

Publications:

Download/Links:

PhD Thesis Committee:

Committee justification: