AUDIT holds governments to account for their online spying

The system enforces transparency and aims to protect innocents unaware they were the targets of surveillance.

The mass-surveillance activities of the US National Security Agency (NSA) back in 2013, exposed by Edward Snowden, had a chilling effect worldwide.

For the first time, the evidence in front of us revealed that government spying and data collection was out of control.

Technology vendors and individuals alike turned towards encryption in response, the latter angered that law enforcement saw fit to go beyond the boundaries, not of which might be illegal, but rather, what some would see as morally acceptable.

A mess of their own making, government surveillance is now more difficult to perform due to the uptick in encrypted services.

However, another means to spy on potential criminal suspects is to make direct requests to technology firms and service providers for information on their customers.

Many of these requests are kept sealed and gag orders are issued, which prevents both the guilty and innocent of being aware of being watched. However, in the latter case, many charges never come to fruition -- and it may not be considered fair that the innocent are left in the dark.

Maintaining the balance between the public right to know and the need for secrecy is a difficult proposition, but one that MIT hopes to accomplish through cryptography.

On Wednesday, researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) revealed a new project which utilizes cryptography and a public ledger to hold governments accountable for their surveillance exploits, as well as keep some information confidential enough for law enforcement and officials to do their jobs.

Presented at this week's USENIX Security conference in Baltimore, the cryptographic system, dubbed AUDIT, is a multi-purpose tool which can be used to keep surveillance and record requests above board, prove that these requests were lawfully made, and also hold governments to account in relation to how, and why, records are requested.

See also: Dawn of the smart surveillance cameras

AUDIT, otherwise known as Accountability of Unreleased Data for Improved Transparency, is the work of MIT CSAIL graduate student Jonathan Frankle, MIT professor Shafi Goldwasser, CSAIL Ph.D. graduate Sunoo Park, undergraduate Daniel Shaar, and MIT principal research scientist Daniel Weitzner.

"While certain information may need to stay secret for an investigation to be done properly, some details have to be revealed for accountability to even be possible," says Frankle. "This work is about using modern cryptography to develop creative ways to balance these conflicting issues."

TechRepublic: 4 tips for designing and installing a surveillance system in your business

AUDIT uses a cryptographic method called "zero-knowledge proofs" to make sure law enforcement agencies' surveillance activities are held within the boundaries set by court orders. Commitments are made and information relating to surveillance is aggregated by multi-party computation (MPC) -- which is currently scattered across voluntary transparency reports -- without revealing sensitive data.

"Zero-knowledge arguments can demonstrate that a particular surveillance action (e.g., requesting data from a company) follows properly from a previous surveillance action (e.g., a judge's order) without revealing the contents of either item," the team says. "All of this information is stored on an append-only ledger, giving the courts a way to release information and the public a definitive place to find it."

screen-shot-2018-08-03-at-12-49-14.jpg
MIT CSAIL

In addition, AUDIT can be used to aggregate statistical data on the extent of government surveillance and information requests -- which can give ammunition to the public, when required, to question not only general spying practices, but how their data is being shared, and which companies are also receiving the most orders.

screen-shot-2018-08-03-at-12-49-06.jpg
MIT CSAIL

According to the team, AUDIT can be applied to any process which needs secrecy but is also subject to public scrutiny.

This could include information requests as well as clinical trials which need to be transparent enough to keep regulators happy but also include private information belonging to participants.

Frankle hopes that a set of court-issued transparency reports could be established based on this technology, rather than the scattergun, voluntary reports which are currently in existence.

CNET: Best Home Security Cameras for 2018

The next stage of the project is to investigate ways to ensure AUDIT can handle the most complicated data requests. The team is also exploring the possibility of working with federal judges for real-world applications.

"It's completely reasonable for government officials to want some level of secrecy, so that they can perform their duties without fear of interference from those who are under investigation," Frankle says. "But that secrecy can't be permanent. People have a right to know if their personal data has been accessed, and at a higher level, we as a public have the right to know how much surveillance is going on."

The research was supported by the National Science Foundation, the Defense Advanced Research Projects Agency and the Simons Foundation.

Previous and related coverage