Whilst I commend any attempt to avoid the police kettling we have seen in the UK at recent demonstrations, I have a number of concerns about Sukey which I made to them at launch - and never received a response. I will try and reiterate here:
* I urge nobody to trust a protest tool that is closed. Where is the source? Where is the documentation on its architecture? The official line is:
"It has always been our plan to make the code open source. Security is paramount and we feel it would benefit from being released to the public after each protest."
I'm sorry but retrospective release of source code is simply not good enough. Security software (which this is, essentially) needs to be out in the open from the start. Not after a protest has happened and all data collected. The wider community must be able to audit this software before it can be trusted. No exceptions.
* If the security depends on secrecy before a protest, is it dependent on a random seed? Can this seed be extracted from a binary (IPA, for example)?
* Sukey has one of the worst pages on "security" I have ever read (see http://sukey.org/security). To paraphrase:
"The team members involved on the security side are a mix of commercial information security experts and computer nerd under/post graduates who love nothing better than a complex algorithm."
That scares me. Complex algorithms are not normally conducive to secure applications. I want to hear about cryptographers - not computer nerds. I want to know what crypto implementations you are using.
Continuing:
"One of our key team members has technical commercial data security patents in his name and has provided information security consultancy to IBM, Lockheed Martin, and to the NHS."
Let's have a citation then please. Who is this expert and what (where?) are the granted patents?
"Your data is safe with Sukey."
Okay, prove it.
* How can we prove the application distributed on the App Store matches that which we (hopefully, in future) have the source for? Is there a mechanism for which we could compare checksums - if the provisioning certificates were also published? This needs to be considered. There is more to trust than merely publishing a source tree.
Let me finally restate my original point: I commend the effort (and I was once involved in a similar application). However, these are serious concerns that need to be addressed.
I'll get one of the team who specialises in security to answer your questions. I've emailed everyone but it may not be until tomorrow if they are out or asleep right now.
You're right that it is paramount that we be open about security and I apologise for the rushed nature of our security pages. Rewriting all of the copy on the site is on our road map right now.
Seems far better to offer the system to be managed by the protest organisers. This means the organisers can delegate 'scouts' and 'commanders', yet still allow anyone to submit data. The whole thing sounds shady by technical buzzwords and not showing the product.
Even then, I'd prefer to make Kettling illegal over implementing schemes that are reinforcing the unhealthy "Us vs Them" mentality. It seems that Sukey.org have no intent to make Kettling illegal which leads me to believe that they're exploiting the situation (A campaign section would mitigate this, eg ministers against kettling, plans to make it banned, etc).
Right now it's a service: there's no product to see, just a live updated map during the demonstration on Saturday.
We are not giving instructions to people as to the route to follow. That is the role of the stewards (what you call organisers, scouts, commanders). We merely provide people with information with which they can make their own decisions.
We aim to reduce tension between police and protesters by increasing transparency: our approach is the diametric opposite of encouraging us and them thinking. I would personally be very happy to see kettling banned and support the legal challenges being made to it at the moment.
However, if the threat of kettling is being used to prevent peaceful protest and to scare people away from exercising their democratic right to do so then I believe that a tool like Sukey is essential rather than waiting years and years for the law to be changed, not knowing if it ever will be.
If the responses there don't answer all your questions, please come back to me. In fact, email the sukey team and address it in the body "attention [redacted]" or contact me via the address on the About page on beyondclicktivism and I promise you I will make sure that each and every one of your legitimate concerns is addressed.
Security is highly important to us and if we have failed to communicate that clearly then we need to do better.
We are receiving literally thousands of emails, tweets and phone calls, including requests for interviews and clarifications from press around the world.
We have a shoe-string budget, no equipment beyond our own personal phones and laptops, no office space beyond what we can borrow for free. None of us are paid for our work on Sukey and many of us also have full-time careers.
Please be patient with us. All concerns will be addressed as soon as possible - but there are only so many nights you can do without sleep :)
Thanks for taking the time and the link. But I'm not sure that thread answers any of the above concerns, really.
"We have a shoe-string budget, no equipment beyond our own personal phones and laptops, no office space beyond what we can borrow for free. None of us are paid for our work on Sukey and many of us also have full-time careers."
I won't point out the benefits of actually being "open" then. Limited resources can traditionally be overcome with collaborative development.
Again, I commend the effort. But I continue to urge nobody to trust a protest tool until these concerns are properly addressed.
These are not difficult questions and the continued absence of answers only confirms my fears for the project.
Glad to hear you will be getting the code on Github. I look forward to it.
My first paragraph? You mean when I commended the project and its motivation?
"But I'm not sure any of this is really relevant. The key question is: how sensitive is the data?"
If it identifies my participation in potentially anti-Government protest, then rather.
All I have asked for is transparency and disclosure. If security is not so important, why have you gone to the trouble of the pitching for trust so heavily on your website?
"We can do nothing about the telcos using their geolocation features to track the whereabouts of phones."
Of course, you surrender certain freedoms whenever you carry a mobile phone. But there is an important distinction between triangulating my cell position and this application.
Furthermore, I think my concerns have been concise enough. You have just refused to answer them. If you did that, there would be no more discussion. And that's why the original post has been consistently upvoted on this thread.
"I've extended an invitation to you privately to come along to a hackathon and to help us. And I extend it again."
When did you invite me the first time? No really, I have no idea.
Anyway, I might have taken you up on that offer if you didn't just call me a "self important pompous windbag".
That's a real mature and educated argument, thank you.
Congratulations on doing your project a momentous disservice.
"Some minds are like concrete - thoroughly mixed and permanently set" - Benjamin Franklin or Karl Marx or John Lennon (or insert any other name you like)
We're hoping to get code up onto the git today, maybe tomorrow. The guy who's volunteered to do it spent the evening at a party then the night at the New Cross library occupation. He's just gone to bed.
I'm sure you'll find something to moan about in the code when you see it - I read negativity towards the entire project from your very first paragraph.
When you trawl through the code you'll note that no personal identifiers are stored anywhere. We had to finish the proof of concept in a rush so you'll also see function stubs that do nothing, inconsistencies in APIs, poorly commented code and incredible inefficiencies. These flag some of the areas of future development. But you'll also note that the unfinished or inefficient bits are to do with user functionality. Anything to do with security is not compromised.
But I'm not sure any of this is really relevant. The key question is: how sensitive is the data?
Sure, we don't encrypt the SMS messages we send to old phones - if we did the users couldn't read them so it would be pointless sending them in the first place. But the content of those messages is innocent.
Likewise we don't encrypt tweets (in or out). What would be the point? If you lose the original then I'm sure our friends at Cheltenham will have a backup....
We can do nothing about the telcos using their geolocation features to track the whereabouts of phones. But that's really not a Sukey issue - cos the same issues apply to anyone using a mobile phone for any purpose at any dem. You could of course advocate people leave their own fones at home and buy a disposable and untraceable (yeah, right!) phone just for the dem. Good luck with that one.
You "continue to urge nobody to trust a protest tool until these concerns are properly addressed" - yet I'm still to see a concise description of what these purported concerns are. A cynical man might say: "I would urge nobody to take any notice of a self important pompous windbag who seems to want to obstruct something he clearly doesn't understand".
I've extended an invitation to you privately to come along to a hackathon and to help us. And I extend it again. This genuine and heartfelt invitation remains open - come along, understand what we're doing, add your experience and knowledge to the pot and help to shape the design. Get into a positive frame of mind and be a part of this.
It's funny. This is in some ways the best answer I've seen to the security questions to date from anyone connected to the project. In particular, you're absolutely right that "the key question is: how sensitive is the data?" So long as you're only aggregating stuff that was already public anyway (e.g., public tweet streams), you're not adding additional risk in any obvious way.
But on the other hand, to the extent that you're going beyond aggregating and curating public data, you are adding risk. And on both your web site and in other public discussions, you seem to acknowledge that there's something there to talk about (why have a security page otherwise?), but there's been a continual marked reluctance to get into specifics about even the nature of what data you're collecting, let alone how you're managing it.
What's more worrisome, this all comes after the assertion that even though the "user functionality" code is slipshod, you're still confident that "anything to do with security is not compromised." Security doesn't work like that. If you're unfortunate enough to have a buffer overflow on the machine running your stuff, it's compromised. Even if that's only in the "user functionality" code. Even if it isn't your code at all, but some other service that you weren't using, but forgot to turn off or firewall away.
You might also want to try a bit harder to see things from the point of view of your critics. One of the things they're thinking about is the Haystack anti-censorship project, which attracted enormous hype in the technical and mainstream press, but collapsed after a much-delayed security audit found the code badly wanting. I now find a collection of laments about it[1] as the top result in a Google search for "iran social media security fiasco". That's what your critics are worried about. And I'm not sure it's entirely fair on your part to ask for a more specific run-down of technical risks than that when outsiders haven't yet seen, in specific technical detail, a full run-down from your side of what the system is supposed to do in the first place.
EDIT [in response to [name redacted]]: I understand that you guys are under time constraints, but you and Gausie did find time to write over 1500 words of comments between you on this HN page alone. If you'd written half that much text describing your security model in a concrete, specific, technical way we'd be having a much more productive conversation.
Thank you, yes we know about haystack and are very aware of the dangers. I also have a heavily annotated copy of The Net Delusion sat on my desk right now. We're not going into this blindly and each of us has a tin foil hat ;)
I do apologise if we're coming over as distracted by this conversation and in a hurry to get back with our work. I fear this risks becoming an "emacs vs vi" thread that ultimately resolves nothing - I've worked close to 100 hours already this week and will be working flat out until well past midnight GMT tonight. To be brutally honest while security is critical participating in this particular conversation cannot be an immediate priority for me and the team even though we do welcome your interest and criticisms.
I asked for patience. I'll repeat that again. We are exhausted and rushed off our feet not least because we have to earn a living when not working on Sukey. Please give us time. By all means if you don't trust us, don't use it and don't sign up now. Wait and see.
We are in a massive crunch to get ready for the TUC demonstration on 26 March. We are supporting the legal, democratic right of peaceful protest within a democratic society. If and when we extend the tool - as we hope to do - so that it could be used in authoritarian regimes then it has to be bullet proof security but right now we want our users to go into it with open eyes - aware of all the criticisms you guys have raised and having read our: http://sukey.org/idiotwarning
I hope that we will have addressed all of your issues and will have got the code up under a licence that makes everybody happy before the 26 March.
I'm really sorry if that answer doesn't satisfy some of you. We are not bad people just very busy and under enormous stress. I apologise if that has made us seem curt or evasive. I do hope that you come to realise that with time.
An email from RMS has to be one of the high points of my life so far: front page, however briefly, on HN comes second :) You are important to us but our priority right now has to be getting the code right and ready and addressing criticisms in the code rather than debating it online.
[in response to edited comment above]
My point exactly - this thread was a massive distraction from our core tasks which is why I asked for patience.
Doing a "hit and run" response to comments on HN between other tasks takes far, far less time than writing a concrete, specific, water-tight technical document on security. No one on this thread was happy with the one we rushed out before and rightly so. We're not going to repeat that mistake :)
This may thwart kettling but I think it also thwarts protesting.
The whole idea of the kinds of protests which get kettled is to show that a large number of people care about an issue. If the software advises people to disperse if the police show up where is the protesting?
I'd have thought the best response to kettling would be distributed civil disobedience. It could easily be far more economically costly which would hopefully persuade the politicians and police that mass gatherings of people don't require impromptu imprisonment.
Kettling also discourages protest. We have had many emails from elderly individuals, people with disabilities, families with young children who have been scared to march. There is a massive demonstration being planned in the UK by the TUC on 26 March against the savage cuts being imposed in the UK and a whole raft of ideological reforms that are being pushed through by a minority government and which have nothing to do with the state of the nation's finances.
We have just had an election in which MPs courted votes with a signed pledge to scrap tuition fees - then slashed funding to the universities by up to 100% in many subjects and tripled the fees. When a mockery is made of the ballot and the voting system by such duplicitous behaviour, then people have a moral and legal right to take to the streets in mass, peaceful demonstrations.
When aggressive police tactics are used to dissuade people from doing so you have a serious failure of the democratic process.
We see our role as one of increasing transparency and accountability and reducing tensions in the street and we hope that we can help people legally and peacefully demonstrate and by doing so put pressure on the government to change their policies.
That is something all people, I hope, would want to see in a healthy, democratic society.
The idea is that people temporarily disperse and regroup elsewhere.
Often, things like 'free speech zones' keep the protest away from the actual venue of the thing being protested. In Pittsburgh for the G20, for example, we weren't able to get within two miles of the actual summit happening. Yeah, people saw the news, which was a bunch of images of people breaking stuff, but they didn't see that people started breaking stuff because the police started throwing tear gas. And using the LRAD.
Unfortunately, the geography here really sucks for this kind of thing, but in a more gridlike city, the main body of people could have dispersed and filtered through police lines.
An English nursery rhyme inspired the name: "Polly puts the kettle on, Sukey takes it off again."
(As for people debating the pronunciation, there's obviously no debate, because nursery rhymes are oral texts. If it's a nursery rhyme then everyone who knows it knows how to pronounce it. But even apart from that, x-ukey isn't an ambiguous form in English. Say you disliked a movie so much that it made you want to vomit. Would you describe it as "pucky"?)
You can call me a paranoid, tin foil hat wearing purveyor of bulldada if you like, but unless this is open source it could just be an efficient way for undercover police of the kind recently highlighted amongst environmental campaigners to obtain the IP addresses or mobile phone numbers of anyone involved in public protests.
You're right, there are many dangers here and we are taking them extremely seriously. As I said above, I apologise for any confusion and lack of clarity caused by the rush to have it ready in time. All this will be fixed!
Hi, I'm Tim from the Sukey team and editor of beyondclicktivism.com. I'd like to address each of your questions.
Please bear with me a moment - it's nearly 1am here and I've just got in so I'm going to take off my coat and grab a drink first then I'll come right back.
First up, yes, we are going to OS all the code and have been talking with Richard Stallman himself about which is the right licence (yes, really - you should have seen the response when he emailed us. I stopped dead in the street and shouted "Oh my god!" to the bemusement of passers by when the email popped up on my phone).
This project has come about at great speed, none of us has slept much in weeks, there are many, many things we need to do - we're not hiding the source because we're evil, we just haven't had a minute to put it up on git or whatever public svn system we decide to go with. Please be patient with us :)
More answers to follow as I read through the comments below.
Impressive, but they aren't really thwarting kettling, are they? They inform twitter users of where the police are gathering so protesters can leave/avoid that particular spot.
When processing messages, why would the software put trust in information from data source(s) that were credible up till now? It seems easy to be fooled by a well-informed source that keeps posting accurate information from beginning right until the `trap' (police kettle) springs -- and kelping the kettle by posting a false piece of information at the right time.
Kettle planners would have both means and incentives in doing just that.
Two keys over on the keyboard, potentially just one if you hit F and the software or the human corrected wrongly. Should have been caught after being made, though.
I apologize for being off topic, but the last national convention I went to (many years ago), the cops rounded up the protestors, blocked off cross streets and then forced them into a line of cops with billy clubs who beat the hell out of them. Fortunately, I was elsewhere so I didn't get my "fair share of abuse" as the stones(?) put it. But a lot of friends did, and I decided that if this is what "democracy" was like in the USA, I was not interested in it. (Attempting to educate people about the political reality of their government is more effective than massing large number of people in one location to protest... just my choice.)
It's become common in the UK over the past decade or so. I believe they borrowed the name, and the tactic, from the German police, who have been doing it much longer:
http://de.wikipedia.org/wiki/Polizeikessel
The main objection is not so much about police violence (though that certainly happens), but that the kettle is used to discourage legitimate protests. You have a right to protest -- but if you do, the police will probably keep you pressed together on the street for 10 hours or so, in freezing temperatures, without access to food or water or toilets.
> but the last national convention I went to (many years ago), the cops rounded up the protestors, blocked off cross streets and then forced them into a line of cops with billy clubs who beat the hell out of them.
FWIW, I try to ignore folks who engage in counter-protests. The reasonable alternative is to assume that their cause is wrong.
Counter-protests are basically an attempt to stop someone from doing something that they have some right to do. If you're trying to persuade me, a third party, that said someone is wrong, counter-protests are, at best, completely useless. In practice, they're often an exercise in thuggery, either to make it more expensive for said folks to do what they have a right to do (have a convention, for example) or to intimidate them from doing so.
I'm sure that you felt that your cause was just and that those folks were wrong/evil/etc. The way to persuade me is to do your own events and make your own argument.
No, you don't have a right to address an audience that someone else has attracted. You only have a right to address folks who have decided that they want to be addressed by you.