
A cryptographic solution to securely aggregate allegations could make it easier to come forward

Nobody wants to be the first person to do or say a risky thing. One recent example of this is the revelations that a number of powerful figures, like Harvey Weinstein, Roger Ailes, Bill O'Reilly and Bill Cosby, had a long pattern of sexual harassment and even assault, and many people were aware of it, but nobody came forward until much later.

People finally come forward when one brave person goes public, then another, and at last people see they are not alone. They might be believed, and action might be taken.

Eleven years ago, I proposed a system to test radical ideas, primarily aimed at voting in bodies like congress. The idea was to create a voting system where people could cast encrypted votes, with the voter's identity unrevealed. Once a majority of yes votes were cast, however, the fragments of the decoding key would assemble and the votes and the voter identities could be decoded.

This would allow, for example, a vote on issues where a majority of the members support something but few are willing to admit it. Once the total hit the majority, it would become a passed bill, with no fear in voting.

I still would like to see that happen, but I wonder if the approach could have more application. The cryptographic approach is doable when you have a fixed group of members voting who can even meet physically. It's much harder when you want to collect "votes" from the whole world.

You can easily build the system, though, if you have a well trusted agency. It must be extremely trusted, and even protected from court orders telling it to hand over its data. Let's discuss the logistics below, but first give a description of how it would work.

Say somebody wants to make an allegation, such as "I was raped by Bill Cosby" or "The Mayor insisted I pay a bribe" or "This bank cheated me." They would enter that allegation as some form of sworn legal statement, but additional details and their identity would be encrypted. Along with the allegation would be instructions: "Reveal my allegation once more than N people make the same allegation (at a threshold of N or less)."

In effect, it would make saying "#metoo" have power, and even legal force. It also tries to balance the following important principles, which are very difficult to balance otherwise:

  1. Those wronged by the powerful must be able to get justice
  2. People are presumed innocent
  3. The accused have a right to confront the evidence against them and their accusers

How well this works would depend on how public the information is:

  • A cryptographic system would require less (or no) trust in individual entities or governments, but would make public the number of allegations entered. If designed well, it would be incorruptible.
  • An agency system which publishes allegation counts and actual allegations when the threshold is reached.
  • An agency system which keeps allegation counts private until the threshold is reached.
  • An agency system which keeps everything private, and when the threshold is reached discloses the allegation only to authorities (police, boards of directors).

There are trade-offs, as shown above. If allegations are public, that can tell other victims they are not alone. However, it can also be a tool in gaming the system.

The allegation must be binding, in that there will be consequences for making a false allegation once the allegations are disclosed, especially if the number of existing allegations is public. We do not want to create a power to make false anonymous allegations. If it were public that "3 people allege rape by person X" that would still create a lot of public shame and questions for X, which is fine if the allegations are true, but terrible if they are not. If X is not a rapist, for example, and the threshold is high, it will never be reached, and those making the allegations would know that. Our system of justice is based on important principles of presumption of innocence, and a right to confront your accusers and the evidence against you.

It must not be possible for the target of the allegations to insert false claims just to bump things over the threshold to unmask the accusers. The target might be powerful and have many allies who would submit a fake allegation and retract it after things went public. That's why the allegation must be sworn and binding, with severe consequences for deliberately making a false allegation.

Applying a test of deliberate falseness is also problematic, though. For an extreme example, consider the mob boss who forces innocent people at gunpoint to register false allegations to get over the threshold and reveal who the rats are. As such, this may only work well if the multiple allegations trigger a forced action. For example, a company might make a rule that "50 complaints of sexual harassment means automatic firing," with the fired person able to sue false complainers but not get their job back for some time period.

For criminal allegations, however, witnesses are allowed to withdraw complaints, making this difficult to solve.

It also works better if the number of people who can submit an allegation is constrained. If only employees of a section of a company can submit a complaint, it makes it harder to game the system.

It seems that outside of constrained areas like a small group or company, a trusted agency must be used. Agencies, however, can be corrupted by powerful parties or governments. You might not trust them with dangerous secrets, and the public may not trust them to reveal what they are supposed to reveal. They will have bugs in their internal systems which can be exploited, as well as corruptible humans.

The best design may involve breaking up the various steps in the process into different agencies which do not share information, and which securely erase information once it is no longer needed. The agencies might exist in different countries and be audited by multiple auditors.

Here's what the typical process might look like. First, let me describe it in a non-technical way.

  1. If your complaint takes place within the context of an organization like a company, school or society, you would receive an identity certificate. For general complaints, an identity card will be used.
  2. You would go to a lawyer who handles such complaints. Ideally most lawyers would be trained in this, and in most cases this consultation would be free or subsidized by organizations working to fight the sort of thing you're complaining about. The lawyer will help you understand the rules around the allegation and the consequences to you when it is disclosed. The lawyer will take a sworn statement. If using a general complaint, the lawyer will help you generate an encoding of your identity. In your complaint, you will set a "threshold" for disclosure. If you set a threshold of 10, for example, it means that your complaint will be decoded once 9 other complaints for the same act are filed.
  3. The lawyer will assist you in finding the right special agencies for this sort of complaint, and in sending your complaint to them. The first agency, known as the key agency, generates a computer encrypted version of your complaint and assures you have not filed a complaint of this class before. It then forgets all it knew or generated about you and forwards it to the "holding" agency which records your encrypted complaint.
  4. If, and only if, the holding agency gets enough complaints to match or exceed the threshold, can the complaints be decoded. Once decoded they will be acted on as instructed -- for example forwarded to police or other authorities, or published. Once decoded they will have your sworn statement and identity.

Now let's look at how the technology might make this happen.

  1. At some point you are issued an identity certificate which has your "real name" and certifies you are a member of the class of people who might file a certain type of complaint. For example, for complaints within a company or organization, those would be issued upon joining. For the general public, you would get one based on other ID systems. Your allegation is going to contain your encrypted identity. It is essential these certificates validly tie to a real person. If the identity is pre-issued, it can be split into two halves, so that one half is useless but both halves unmask you.

  2. The lawyer takes and notarizes your complaint, and assists you, if needed, with encoding it for the key agency.

  3. To do this, the victim or lawyer would request a public key from a key issuing agency. That is, it says, "We want a key for complaints of offence X by person Y sworn by person W with threshold Z." It would also receive keys for a series of thresholds higher than Z, in a pre-set sequence. You want to create complaints at the higher thresholds so that your complaint still counts if everybody else wants a higher threshold than you. Along with the public encryption key is generated a 1/Z fragment of the private decryption key. Anybody who gathers all Z of these fragments will be able to decrypt all the complaints.

  4. Your real identity has been notarized by the lawyer, but that's encrypted. If you have an identity token which has been split into two halves, the key agency will request one of the halves, at random. This means if you try to file two complaints, you have a 50% chance of being asked for the two different halves. If this happens, you are unmasked and presumably will be punished. If you don't have an identity token split into halves, the key agency will need to record that you filed a complaint, and has to remember that so it can detect if you do a duplicate.

  5. The final encrypted complaint and all keys are then forgotten by the key agency and forwarded to the holding agency. The holding agency doesn't know anything about the complaints. It knows that groups of them are about the same party, but not the identity of the party. It knows the threshold level of all the complaints.

  6. When the holding agency has enough complaints to reach a threshold, it means it now has enough fragments of the decoding key. So it decodes the complaints, including the details and identities of the complainers. And it takes whatever action is called for, such as forwarding complaints to the police, press, school, board of directors or other authorities.
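The threshold step above (one key fragment per complaint, decryption only once Z fragments are held) is the textbook setting for Shamir secret sharing: the class key is the constant term of a random degree Z-1 polynomial, each complaint carries one point on it, and Z or more points interpolate back to the key while fewer reveal nothing. The following is an added example, not the post's own design or any project's code. Its assumptions are hypothetical: the key agency keeps one polynomial per allegation class until the class is closed, the holding agency sees only a hash of the class label (so it can group complaints without learning the named party), and the cipher is a constructed SHA-256 keystream standing in for a real authenticated cipher.

```python
"""Threshold disclosure of encrypted complaints via Shamir secret sharing.

Added example; all agency behaviour, names and the toy cipher are assumptions.
"""
import hashlib
import secrets
from dataclasses import dataclass

PRIME = 2**127 - 1  # Mersenne prime used as the field modulus for the shares


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def reconstruct(shares):
    """Lagrange interpolation at x = 0. With fewer than `threshold` distinct
    shares the result is an unrelated field element, which is what protects
    the complaints while the holding agency is still below the threshold."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def _toy_cipher(key_int, nonce, data):
    """Constructed illustration only: SHA-256 counter-mode keystream XOR.
    The per-complaint nonce stops two complaints under one class key from
    sharing a keystream; XOR is its own inverse, so this also decrypts."""
    key = key_int.to_bytes(16, "big")
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class SealedComplaint:
    group: str        # hash of the class label; hides the named party from the holder
    threshold: int    # shares needed before this group can be opened
    nonce: bytes
    ciphertext: bytes
    share: tuple      # (x, y): this complaint's 1/Z fragment of the class key


class KeyAgency:
    """Encrypts each complaint and attaches one share of the class key (assumed design)."""

    def __init__(self):
        self._classes = {}  # label -> (polynomial coefficients, shares issued so far)

    def seal(self, label, threshold, statement):
        coeffs, issued = self._classes.get(label, (None, 0))
        if coeffs is None:
            # coeffs[0] is the class key; degree threshold-1 means Z points are needed
            coeffs = [secrets.randbelow(PRIME) for _ in range(threshold)]
        issued += 1
        self._classes[label] = (coeffs, issued)
        nonce = secrets.token_bytes(16)
        return SealedComplaint(
            group=hashlib.sha256(label.encode()).hexdigest(),
            threshold=threshold,
            nonce=nonce,
            ciphertext=_toy_cipher(coeffs[0], nonce, statement.encode()),
            share=(issued, _eval_poly(coeffs, issued)),
        )


class HoldingAgency:
    """Stores sealed complaints; can open a group only once the threshold is met."""

    def __init__(self):
        self._groups = {}

    def deposit(self, complaint):
        self._groups.setdefault(complaint.group, []).append(complaint)

    def try_open(self, group):
        held = self._groups.get(group, [])
        if not held or len(held) < max(c.threshold for c in held):
            return None  # below threshold: the key cannot be reconstructed
        key = reconstruct([c.share for c in held])
        return [_toy_cipher(key, c.nonce, c.ciphertext).decode() for c in held]


def demo(threshold=3):
    """Run three constructed complaints through both agencies; returns the
    result of try_open after each deposit: [None, None, [statements]]."""
    key_agency, holder = KeyAgency(), HoldingAgency()
    label = "offence:X|party:Y"  # constructed class label, never seen by the holder
    results = []
    for s in ["sworn statement 1", "sworn statement 2", "sworn statement 3"]:
        sealed = key_agency.seal(label, threshold, s)
        holder.deposit(sealed)
        results.append(holder.try_open(sealed.group))
    return results
```

Because interpolation through any Z or more points on the polynomial yields the same constant term, complaints beyond the threshold decrypt with the same key, matching the "match or exceed" rule above; the flip side is that the key agency, which holds the polynomial, can mint shares at will, which is the trust problem the post raises about it faking new allegations.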

This is a rough layout. I suspect we can make it even more secure through the use of things like blinding. Right now the complainant has to trust their lawyer, and we must trust the key issuing agency to both forget what it's been told, and to keep its key fragments secure and private. Once it has forgotten even a single key fragment, it can no longer decode the complaints unless it colludes with the holding agency or all the other complainers. Key fragments would themselves be encrypted with decryption possible only by the holding agency.

The agencies must use very good security, and keep the sensitive data off the internet. If the number of allegations hits the threshold, that can trigger the fetching of offline/paper records.

The key agency must be trusted by complainants, particularly the first. Since it can create fake "new allegations" it can cause the threshold to be reached early, but it will be obvious that it has faked it.

The key agency needs to avoid the legal power of those it processes allegations about. You don't want it being sued to unmask complainants ahead of time. At the same time, making anything above the law is always risky.

Detecting repeat complaints

The big problem at present is how to keep everything secret but forbid the same person filing the same complaint twice. Because there are only 7 billion people in the world, you can't really hide an identity by hashing or encrypting it in a standard way. And some people will want to file more than one complaint about different incidents. The method of splitting identities into two "halves," invented by David Chaum, can discourage re-use of an identity token, but it's less clear how to let people re-use the token for complaints on two different people.
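The split-identity token described in step 4 and again here can be made concrete. The following is an added example, not the post's own scheme or any project's code. It follows the post's description of the Chaum-style split: pair i is (r_i, r_i XOR identity) with r_i random, so either half alone is indistinguishable from random bytes, both halves together unmask the filer, and the agency asks for one half of each pair at random. It goes beyond the text in one way: with k independent pairs a second filing is caught with probability 1 - 2**-k rather than the 50% of a single pair. The commitment hashes, the token id, and every function name are this example's own assumptions.

```python
"""Split-identity tokens for detecting a duplicate complaint.

Added example; the commitment layout, token id and names are assumptions.
"""
import hashlib
import secrets


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def issue_token(identity, pairs, rng=secrets):
    """Issuer side: identity -> (public commitments, private halves).

    The public token holds only hashes of the halves, so a revealed half can
    be checked against it without the checker learning the identity."""
    halves, commitments = [], []
    for _ in range(pairs):
        r = rng.token_bytes(len(identity))
        pair = (r, _xor(r, identity))
        halves.append(pair)
        commitments.append(tuple(hashlib.sha256(h).hexdigest() for h in pair))
    return commitments, halves


def token_id(commitments):
    """Opaque handle the agency files revealed halves under."""
    flat = "".join(h for pair in commitments for h in pair)
    return hashlib.sha256(flat.encode()).hexdigest()


def answer_challenge(halves, bits):
    """Complainant reveals half bits[i] of pair i, as demanded by the agency."""
    return [(i, b, halves[i][b]) for i, b in enumerate(bits)]


def detection_probability(pairs):
    """Chance that two independent random challenges differ in at least one pair."""
    return 1 - 2 ** -pairs


class DuplicateDetector:
    """Agency side: remembers revealed halves per token; unmasks when a pair completes."""

    def __init__(self):
        self._revealed = {}  # token_id -> {pair index -> {bit -> half}}

    def record(self, commitments, revealed):
        """Store one filing's halves; return the identity if both halves of
        some pair are now known, otherwise None."""
        pairs = self._revealed.setdefault(token_id(commitments), {})
        identity = None
        for i, b, half in revealed:
            if hashlib.sha256(half).hexdigest() != commitments[i][b]:
                raise ValueError("revealed half does not match token commitment")
            known = pairs.setdefault(i, {})
            known[b] = half
            if len(known) == 2:
                identity = _xor(known[0], known[1])  # r XOR (r XOR id) == id
        return identity
```

The detector stores only halves it has already been shown, so a single honest filing leaves it with k random-looking byte strings and nothing else; it is the second filing, answered with a different random challenge, that completes a pair. This does not address the post's open question of re-using one token for complaints about two different people, since the detector here treats any second use of the same token as a duplicate.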

Project Callisto

There is an existing system, Project Callisto, which allows encrypted reporting, and it has the ability to say that the report should only be forwarded to the university in question if another report is made about the same person. It is meant only for sexual assault on campus, and triggers at only 2 reports. Because it is not run by the campus, it has a better chance of being trusted, but even so, the average victim waits 11 months before filing a report in the system. It is used at 8 universities and colleges, including Stanford.

The Callisto approach -- with a single agency -- may suggest that everything written above is overkill. It depends on how much power the subjects of the allegations have. Generally, if people are afraid to come forward alone, it is because they fear that power somewhat, but for allegations of wrongdoing by middle management there may be no need for cryptographic strength.

I propose the above system so that you can both give high confidence in the privacy of the allegations before the threshold is reached, and to deal with the very powerful -- top government officials, CEOs and even organized crime leaders. In the latter case, the crime bosses might extort people to register false complaints just to unmask earlier complainers, and it's very difficult to defend against that with a single agency. One has to expect that single agencies will be compromised with bribes and extortion from time to time.

Israel Reporting System

In Israel there is this reporting system (Hebrew) which takes a different but very interesting approach. Here, people can file reports. They are then told (or told in the future) that there are other reports of sexual assault by the same perpetrator. They are not told the names of the other victims. All they get is a "You should know, 3 others have also reported the same person in our system." It has apparently caught 16 offenders. A victim, knowing there are others out there, is more willing to make a more official charge, and this makes the others, who see that, also willing to do so.

This very different approach simply bolsters the victims' confidence by telling them they are not alone, and that the others know they are not alone. The perpetrator could also pretend to make an entry, and learn that others have complained, but would not be told who. This might falsely encourage a victim to come forward, but no perpetrator wants that.

Comments

Given how quickly Hate Mobs have become a thing (both offline, as at Berkeley, and online, with people being kicked off Twitter due to excessive reports or media being review-bombed into nonexistence) are you really sure that you want to invent a new kind of Anonymous Reporting Box? Particularly for something that involves accusations of actual criminal behavior.

Not to mention that nothing of this sort will ever, ever be secure. "oh no but we'll just--" you'll just make social engineering or man-in-the-middle intercepts impossible? Good luck with that.

And there are even more subtle attacks. Obviously you could co-opt the reporting agency and make sure that your number is always set to zero--no matter how many reports get filed, they're always told that they're the only one who ever reported a problem. Or you don't even have to attack or sneak into anything--just file a report so you can see how many other reports have been filed, then retract yours. "Joe So-and-So claims that he's a moral exemplar, but look at this--the SexCrime Database reports that he's got ten sexual-assault incidents listed!" Heck, you could do it to yourself to get an idea of how high your profile's gotten.

As I say above, central to the plan is that the accusations must be real, and serious, with consequences for a false accusation. If a hate mob wants to conspire, their identities will be disclosed and their sworn statements examined, and if there was a conspiracy to make false sworn statements, they could all be subject to criminal or civil penalties.

People don't get told how many people have submitted a problem. It is important that nobody can find out how many there are until the threshold is reached. The cryptographic test ideally does not reveal how many there are, but that's a hard problem so the first blush does have the agency knowing how many. But reports can't be retracted until all is revealed. And in some situations you can get punished for retraction, though solo retractions probably don't. Group ones would be a different story.

It is very important that you can't say "the database says there are 10 incidents listed" -- that again is described explicitly above. My goal is in fact that no one party can even find out that number until they are all assembled. But for now, one can hopefully trust that the collecting agency, which was selected and trusted by the complainants, is hard to compromise to assist perpetrators. Not impossible, but unlikely. Is an anti-sexual-assault group going to be corrupted to help sexual abusers? Possibly, but at great risk to itself.
