A cryptographic solution to securely aggregate allegations could make it easier to come forward
Nobody wants to be the first person to do or say a risky thing. One recent example of this is the revelations that a number of powerful figures, like Harvey Weinstein, Roger Ailes, Bill O'Reilly and Bill Cosby, had a long pattern of sexual harassment and even assault, and many people were aware of it, but nobody came forward until much later.
People finally come forward when one brave person goes public, and then another, and finally people see they are not alone. They might be believed, and action might be done.
Eleven years ago, I proposed a system to test radical ideas, primarily aimed at voting in bodies like congress. The idea was to create a voting system where people could cast encrypted votes, with the voter's identity unrevealed. Once a majority of yes votes were cast, however, the fragments of the decoding key would assemble and the votes and the voter identities could be decoded.
This would allow, for example, a vote on issues where a majority of the members support something but few are willing to admit it. Once the total hit the majority, it would become a passed bill, with no fear in voting.
I still would like to see that happen, but I wonder if the approach could have more application. The cryptographic approach is doable when you have a fixed group of members voting who can even meet physically. It's much harder when you want to collect "votes" from the whole world.
You can easily build the system, though, if you have a well trusted agency. It must be extremely trusted, and even protected from court orders telling it to hand over its data. Let's discuss the logistics below, but first give a description of how it would work.
Say somebody wants to make an allegation, such as "I was raped by Bill Cosby" or "The Mayor insisted I pay a bribe" or "This bank cheated me." They would enter that allegation as some form of sworn legal statement, but additional details and their identity would be encrypted. Along with the allegation would be instructions, "Reveal my allegation once more than N people make the same allegation (at threshold N or less.)"
In effect, it would make saying "#metoo" have power, and even legal force. It also tries to balance the following important principles, which are very difficult to balance otherwise:
- Those wronged by the powerful must be able to get justice
- People are presumed innocent
- The accused have a right to confront the evidence against them and their accusers
How well this work would depend on various forms of how public the information is:
- A cryptographic system would require less (or no) trusting individual entities or governments, but would make public the number of allegations entered. It would be incorruptible if designed well.
- An agency system which publishes allegation counts and actual allegations when the threshold is reached.
- An agency system which keeps allegation counts private until the threshold is reached.
- An agency system which keeps everything private, and when the threshold is reached discloses the allegation only to authorities (police, boards of directors).
There are trade-offs as can be shown above. If allegations are public, that can tell other victims they are not alone. However, it can also be a tool in gaming the system.
The allegation must be binding, in that there will be consequences for making a false allegation once the allegations are disclosed, especially if the number of existing allegations is public. We do not want to create a power to make false anonymous allegations. If it were public that "3 people allege rape by person X" that would still create a lot of public shame and questions for X, which is fine if the allegations are true, but terrible if they are not. If X is not a rapist, for example, and the threshold is high, it will never be reached, and those making the allegations would know that. Our system of justice is based important principles of presumption of innocence, and a right to confront your accusers and the evidence against you.
It must not be possible for the target of the allegations to insert false claims just to bump things over the threshold to unmask the accusers. The target might be powerful and have many allies who would submit a fake allegation and retract it after things went public. That's why the allegation must be sworn and binding, with severe consequences for deliberately making a false allegation.
Applying a test of deliberate falseness is also problematic, though. For an extreme example, consider the mob boss who forces innocent people at gunpoint to register false allegations to get over the threshold and reveal who the rats are. As such, this may only work well if the multiple allegations trigger a forced action. For example, a company might make a rule that "50 complaints of sexual harassment means automatic firing," with the fired person able to sue false complainers but not get their job back for some time period.
For criminal allegations, however, witnesses are allowed to withdraw complaints making this difficult to solve.
It also works better if the number of people who can submit an allegation is constrained. If only employees of a section of a company can submit a complaint, it makes it harder to game the system.
It seems that outside of constrained areas like a small group or company, a trusted agency must be used. Agencies, however, can be corrupted by powerful parties or governments. You might not trust them with dangerous secrets, and the public may not trust them to reveal what they are supposed to reveal. They will have bugs in their internal systems which can be exploited, as well as corruptible humans.
The best design may involve breaking up the various steps in the process into different agencies which do not share information, and which securely erase information once it is no longer needed. The agencies might exist in different countries and be audited by multiple auditors.
Here's what the typical process might look like. First, let me describe it in a non-technical way.
- If your complaint takes place within the context of an organization like a company, school or society, you would receive an identity certificate. For general complaints, an identity card will be used.
- You would go to a lawyer who handles such complaints. Ideally most lawyers would be trained in this, and in most cases this consultation would be free or subsidized by organizations working to fight the sort of thing you're complaining about. The lawyer will help you understand the rules around the allegation and the consequences to you when it is disclosed. The lawyer will take a sworn statement. If using a general complaint, the lawyer will help you generate an encoding of your identity. In your complaint, you will set a "threshold" for disclosure. If you set a threshold of 10, for example, it means that your complaint will be decoded once 9 other complaints for the same act are filed.
- The lawyer will assist you in finding the right special agencies for this sort of complaint, and in sending your complaint to them. The first agency, known as the key agency, generates a computer encrypted version of your complaint and assures you have not filed a complaint of this class before. It then forgets all it knew or generated about you and forwards it to the "holding" agency which records your encrypted complaint.
- If, and only if, the holding agency gets enough complaints to match or exceed the threshold, can the complaints be decoded. Once decoded they will be acted on as instructed -- for example forwarded to police or other authorities, or published. Once decoded they will have your sworn statement and identity.
Now let's look at how the technology might make this happen.
At some point you are issued an identity certificate which has your "real name" and certifies you are a member of the class of people who might file a certain type of complaint. For example, for complaints within a company or organization, those would be issued upon joining. For the general public, you would get one based on other ID systems. Your allegation is going to contain your encrypted identity. It is essential these certificates validly tie to a real person. If the identity is pre-issued, it can be split into two halves, so that one half is useless but both halves unmask you.
The lawyer takes and notarizes your complaint, and assists you, if needed, with encoding it for the key agency.
To do this, the victim or lawyer would request a public key from a key issuing agency. Ie. it says, "We want a key for complaints of offence X by person Y sworn by person w with threshold Z. It would also receive keys for a series of thresholds higher than Z, in a pre-set sequence. You want to create complaints at the higher threshold so that your complaint still counts if everybody else wants a higher threshold than you. Along with the public encryption key is generated a 1/Z fragment of the private decryption key. Anybody who gathers all Z of these fragments will be able to decrypt all the complaints.
Your real identity has been notarized by the lawyer but that's encrypted. If you have an identity token which has been split into two halves, the key agency will request one of the halves, at random. This means if you try to file two complaints, you have a 50% chance of being asked for the two different halves. If this happens, you are unmasked and presumably will be punished. If you don't have an identity token split into halves, they key agency will need to record that you filed a complaint, and has to remember that so it can detect if you do a duplicate.
The final encrypted complaint and all keys are then forgotten by the key agency and forwarded to the holding agency. The holding agency doesn't know anything about the complaints. It knows that groups of them are about the same party, but not the identity of the party. It knows the threshold level of all the complaints.
When the holding agency has enough complaints to reach a threshold, it means it now has enough fragments of the decoding key. So it decodes the complaints, including the details and identities of the complainers. And it takes whatever action is called for, such as forwarding complaints to the police, press, school, board of directors or other authorities.
This is a rough layout. I suspect we can make it even more secure through the use of things like blinding. Right now the complainant has to trust their lawyer, and we must trust the key issuing agency to both forget what it's been told, and to keep its key fragments secure and private. Once it has forgotten even a single key fragment, it can no longer decode the complaints unless it colludes with the holding agency or all the other complainers. Key fragments would themselves be encrypted with decryption possible only by the holding agency.
The agencies must use very good security, and keep the sensitive data off the internet. If the number of allegations hits the threshold, that can trigger the fetching of offline/paper records.
The key agency must be trusted by complainants, particularly the first. Since it can create fake "new allegations" it can cause the threshold to be reached early, but it will be obvious that it has faked it.
The key agency to avoid the legal power of those it processes allegations on. You don't want it being sued to unmask complainants ahead of time. At the same time, making anything above the law is always risky.
Detecting repeat complaints
The big problem at present is how to keep everything secret but forbid the same person filing the same complaint twice. Because there are only 7 billion people in the world, you can't really hide an identity by hashing or encrypting it in a standard way. And some people will want to file more than one complaint about different incidents. The method of splitting identities into two "halves," invented by David Chaum, can discourage re-use of an identity token, but it's less clear how to let people re-use the token for complaints on two different people.
There is an existing system, Project Callisto which allows encrypted reporting, and it has the ability to say that the report should only be forwarded to the university in question if another report is done about the same person. It is meant only for sexual assault on campus, and triggers only 2 reports. Because it is not run by the campus, it has a better chance of being trusted, but even so, the average victim waits 11 months before filing a report in the system. 8 universities and colleges, including Stanford.
The Callisto approach -- with a single agency -- may suggest that everything written above is overkill. It depends on how much power the subjects of the allegations have. Generally, if people are afraid to come forward alone, it is because they fear that power somewhat, but for allegations of wrongdoing by middle management there may be no need for cryptographic strength.
I propose the above system so that you can both give high confidence in the privacy of the allegations before the threshold is reached, and to deal with the very powerful -- top government officials, CEOs and even organized crime leaders. In the latter case, the crime bosses might extort people to register false complaints just to unmask earlier complainers, and it's very difficult to defend against that with a single agency. One has to expect that single agencies will be compromised with bribes and extortion from time to time.
Israel Reporting System
In Israel there is this reporting system (Hebrew) which takes a different but very interesting approach. Here, people can file reports. They are then told (or told in the future) that there are other reports of sexual assault by the same perpetrator. They are not told the names of the other victims. All they get is a "You should know, 3 others have also reported the same person in our system." It has apparently caught 16 offenders. A victim, knowing there are others out there, is more willing to make a more official charge, and this makes the others, who see that, also willing to do so.
This very different approach simply bolsters the victims' confidence by telling them they are not alone, and that the others know they are not alone. The perpetrator could also pretend to make an entry, and learn that others have complained, but would not be told who. This might falsely encourage a victim to come forward, but no perpetrator wants that.