CybersecurityProtecting Sensitive Metadata So It Cannot Be Used for Surveillance
MIT researchers have designed a scalable system that secures the metadata of millions of users in communications networks, to help protect the information against possible state-level surveillance. The system ensures hackers eavesdropping on large networks cannot find out who is communicating and when they’re doing so.
MIT researchers have designed a scalable system that secures the metadata — such as who’s corresponding and when — of millions of users in communications networks, to help protect the information against possible state-level surveillance.
Data encryption schemes that protect the content of online communications are prevalent today. Apps like WhatsApp, for instance, use “end-to-end encryption” (E2EE), a scheme that ensures third-party eavesdroppers can’t read messages sent by end users.
But most of those schemes overlook metadata, which contains information about who’s talking, when the messages are sent, the size of message, and other information. Many times, that’s all a government or other hacker needs to know to track an individual. This can be especially dangerous for, say, a government whistleblower or people living in oppressive regimes talking with journalists.
Systems that fully protect user metadata with cryptographic privacy are complex, and they suffer scalability and speed issues that have so far limited their practicality. Some methods can operate quickly but provide much weaker security. In a paper being presented at the USENIX Symposium on Networked Systems Design and Implementation, the MIT researchers describe “XRD” (for Crossroads), a metadata-protection scheme that can handle cryptographic communications from millions of users in minutes, whereas traditional methods with the same level of security would take hours to send everyone’s messages.
“There is a huge lack in protection for metadata, which is sometimes very sensitive. The fact that I’m sending someone a message at all is not protected by encryption,” says first author Albert Kwon PhD ’19, a recent graduate from the Computer Science and Artificial Intelligence Laboratory (CSAIL). “Encryption can protect content well. But how can we fully protect users from metadata leaks that a state-level adversary can leverage?”
Joining Kwon on the paper are David Lu, an undergraduate in the Department of Electrical Engineering and Computer Science; and Srinivas Devadas, the Edwin Sibley Webster Professor of Electrical Engineering and Computer Science in CSAIL.
New Spin on Mix Nets
Starting in 2013, disclosures of classified information by Edward Snowden revealed widespread global surveillance by the U.S. government. Although the mass collection of metadata by the National Security Agency was subsequently discontinued, in 2014 former director of the NSA and the Central Intelligence Agency Michael Hayden explained that the government can often rely solely on metadata to find the information it’s seeking. As it happens, this is right around the time Kwon started his PhD studies.