Here’s an interesting problem. In the movies we always see scenes where the good guy is fighting the Evil Conspiracy (EvilCon) and he tells them he’s hidden the incriminating evidence with a friend who will release it to the papers if the good guy disappears under mysterious circumstances. Today EvilCon would just quickly mine your social networking platform to find all your friends and shake them down for the evidence.
So here’s the challenge. Design a system so that if you want to escrow some evidence, you can do it quickly, reliably and not too expensively, at a brief stop at an internet terminal while on the run from EvilCon. Assume EvilCon is extremely powerful, like the NSA. Here are some of the challenges:
- You need to be able to pay those who do escrow, as this is risky work. At the same time there must be no way to trace the payment.
- You don’t want the escrow agents to be able to read the data. Instead, you will split the encryption keys among several escrow agents in a way that some subset of them must declare you missing to assemble the key and publish the data.
- You need some way to vet escrow agents to assure they will do their job faithfully, but at the same time you must assume some of them work for EvilCon if there is a large pool.
- They must have some way to check if you are still alive. Regularly searching for you in Google or going to your web site regularly might be traced.
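The key splitting described in the second challenge, as an added example that is not part of the original post: a Shamir secret-sharing split of the file-encryption key over a prime field, so that any `threshold` of the `n_agents` shares rebuild the key and fewer agents, even colluding with EvilCon, learn nothing about it. The function names, the choice of the Mersenne prime 2**521 - 1 as the field, and the sample key are my assumptions.

```python
import secrets

# Field prime (assumption): 2**521 - 1 is a Mersenne prime, large enough that
# any key of up to 64 bytes encodes as a field element below it.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x, modulo PRIME (Horner)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_key(key: bytes, threshold: int, n_agents: int):
    """Split key into n_agents shares; any `threshold` of them rebuild it."""
    if not 1 < threshold <= n_agents:
        raise ValueError("need 1 < threshold <= n_agents")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # The constant term is the secret; the other coefficients are random, so
    # fewer than `threshold` points fit every possible constant term equally well.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    # Agent i holds the point (i, f(i)); x=0 is never handed out.
    return [(i, _eval_poly(coeffs, i)) for i in range(1, n_agents + 1)]


def recover_key(shares, threshold: int, key_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x=0 from `threshold` released shares."""
    if len(shares) < threshold:
        raise ValueError("not enough agents have released their shares")
    shares = shares[:threshold]
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed: the key that encrypted the escrowed file
    shares = split_key(key, threshold=3, n_agents=5)
    # Any three of the five agents declaring you missing is enough.
    assert recover_key([shares[0], shares[2], shares[4]], 3, 32) == key
```

Each agent stores only its own `(i, f(i))` pair next to the encrypted file; the reconstruction step runs wherever the threshold of agents publishes their pairs.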
Some thoughts below…
There are many threat models of EvilCon, of course. For ordinary bad guys you can get away with simpler systems. The hiding company can simply pick some escrow agents at random, send them the info, and erase all knowledge of which ones were picked. They must take care that no accounting records reveal who got paid for escrow. If there are a very large number of escrow agents, it’s OK if it’s not too hard to figure out who the agents are, so long as it’s impossible to search them all.
The agents need not be human beings. They can just be computers waiting for a signal, or more likely the absence of a regular signed message posted in a very public place (like USENET) from you. Of course, you had better be sure to remember to post the message regularly. Don’t go off the net for a month.
The fact that you hired the escrow service is not secret; in fact you want that to be provable, to scare EvilCon. As such the escrow service can send you regular reminders to post your “I’m still alive” message.
You might decide to make the system permanent, so you have no way to turn it off, or you might be able to turn it off later if you come to trust EvilCon again. Of course, if you can do this, they might find a way to force you to turn it off. Or try to get your key so they can fake being you. They might even torture you or loved ones to get that key. The only way to stop that is if you have at least some escrow agents who truly are checking for mysterious disappearances, etc. If you’re not famous, this could be hard to do without leaving a trail, but you could have agents who just routinely download police reports, death certificates, missing persons etc.
Paying the escrow agents is hard. Paying them on the day they take the work seems out of the question, as that would probably leave a trail to them. The government is trying hard to make it difficult to pay people anonymously. One idea I had would be to create a bank account with the fees in it, and then somehow send the agent an ATM card (with a known PIN). They can go to any ATM anywhere, with a ski mask, and get the money. Of course, you can just mail cash, or other instruments like bearer bonds. But you must be sure the record of where you sent them is wiped. An ideal system has the agency not even knowing who or where the escrow agents are, paying them in advance and somehow trusting them to do the job. Or you could send them cryptographic tokens which are not linked to the work but which can later be redeemed for money. They prove the agent did some work, but not what work.
However, all these complications make it harder to imagine the system I describe, where you go to a web site, upload your secret encrypted file, distribute your key fragments and PayPal $1,000 or less. It may be that the only way to do it cheaply is with machines doing most of the work and trusting the company to destroy the temporary records of how it all got set up.