OLPC's Bitfrost: Privacy disaster, or security haven?

Faced with a young, tech-inexperienced user base, the One Laptop Per Child foundation set out to build an easy to use security system, Bitfrost — but did it create a privacy threat that tracks users' identity instead?

According to a paper presented at the March USENIX UPSEC conference in San Francisco by Meredith Patterson, CTO of Osogato and Iowa University student; Len Sassaman, doctoral student at Katholieke Universiteit Leuven; and David Chaum, Digicash founder, Bitfrost raises serious security concerns.

The paper's authors criticised Bitfrost for storing the digital identity of the XO user — likely to be a schoolchild in a developing country — when the laptop is activated. The user's name and photo are linked to a pair of keys, generated upon activation, and then sent to their school's activation server and central backup server.

"Thus, the child is immediately linkable, by name and appearance, to the laptop he or she has been issued," the paper notes.

The paper also expresses concerns over the XO's automatic back-up facility, saying that since there are no passwords attached to the XO's identity keys, any individual who gains access to the key store can pretend to be a backup service and so compromise private data.

The paper also examines a phrase in Bitfrost's P_IDENT identity management policy which says that all computer-to-computer communications such as emails and IMs can be cryptographically signed — a threat to the users' anonymity. The policy does not say when the signing will occur, leading the authors to assume all communications will always be signed. "It is impossible for XO users to use any form of anonymous communication with confidence", making P_IDENT a "threat to many forms of speech which have been shielded by anonymity in the past".

Bitfrost's anti-theft system P_THEFT, which works by having the XO connect to a server once a day, is also called into question. If the XO is reported stolen, the P_THEFT daemon shuts the machine down, with a new activation key required for it to work again.

The paper concludes that where internet connectivity is scarce, P_THEFT could mean computers being shut down for no reason when users aren't able to get online every day. It also says the system can be easily abused by governments: "A country can also shut off all its XOs in one fell swoop by flagging them all, or simply shutting off the anti-theft server and waiting for all the leases to expire."
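As an added illustration, not OLPC's code and not from the paper, here is a constructed Python model of the daily-lease mechanism described above. It shows the availability failure modes the authors raise: a laptop that cannot reach the server before its lease lapses, a server that is simply switched off, and a laptop flagged as stolen. LEASE_DAYS, the class names and the laptop id are assumptions.

```python
from dataclasses import dataclass, field

LEASE_DAYS = 1  # constructed: the page says the XO checks in with the server once a day


@dataclass
class AntiTheftServer:
    """Constructed stand-in for the P_THEFT server (not OLPC's code)."""
    stolen: set = field(default_factory=set)   # laptop ids that have been reported stolen
    online: bool = True                        # False models the server being switched off

    def renew(self, laptop_id, today):
        """Return the day the new lease expires, or None if the laptop is flagged stolen."""
        if laptop_id in self.stolen:
            return None
        return today + LEASE_DAYS


@dataclass
class XO:
    """Constructed model of one laptop running the P_THEFT daemon."""
    laptop_id: str
    lease_expires: int = LEASE_DAYS   # day number on which the current lease runs out
    active: bool = True               # once False, only a new activation key would restore it

    def daily_check(self, server, today, has_connectivity):
        """One day of the lease protocol; returns what happened to the laptop."""
        if not self.active:
            return "deactivated"
        if has_connectivity and server.online:
            new_expiry = server.renew(self.laptop_id, today)
            if new_expiry is None:
                self.active = False   # flagged stolen: the daemon shuts the machine down
                return "deactivated"
            self.lease_expires = new_expiry
            return "renewed"
        if today > self.lease_expires:
            self.active = False       # no contact before the lease lapsed: same outcome
            return "deactivated"
        return "offline-within-lease"


def simulate(connectivity_by_day, server, laptop_id="xo-1"):
    """Run one laptop through per-day connectivity flags (True = could reach the server)."""
    xo = XO(laptop_id)
    return [xo.daily_check(server, day, online)
            for day, online in enumerate(connectivity_by_day, start=1)]


if __name__ == "__main__":
    print(simulate([True, False, False, False], AntiTheftServer()))    # spotty connectivity
    print(simulate([True, True, True], AntiTheftServer(online=False)))  # server switched off
```

Note that in this model the laptop is shut down identically whether it was actually flagged or merely could not get online, which is the ambiguity the paper objects to.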

A volunteer for OLPC Australia, Joel Stanley, says the paper is purely hypothetical and full of "hot air". According to Stanley, the P_THEFT functionality isn't even switched on in the devices which have been deployed to date, and for most users tracking is the "least of their problems" because of a lack of available internet connection: "In the deployments so far, getting onto the internet is more of a problem," he told ZDNet.com.au.

"When technology evolves to the point where every laptop can have high bandwidth connections then sure, it's something to worry about," he added.

Stanley says people should be concentrating on the positive points of Bitfrost. "It lets you launch a program on your computer which may have malicious intent, and it can't take out the whole system," he said. "That's the bit that's actually been implemented. If people have comments or criticism, they should focus on that."