Katzenpost Politics and Values
Why we started creating Katzenpost and what principles guide us.
Our position
Never before in human history have we been under as much surveillance as today by governments and corporations. Our current situation came about gradually, the result of computer scientists and software engineers who were “just doing their jobs”, what Hannah Arendt called the banality of evil. They turned the Internet into an instrument of total surveillance without considering the moral character of their work.
We assert that privacy is important for both the individual and the collective good. The benefit to the individual is obvious. The benefit to the collective is less so, but empirical studies confirm that people modify their behaviour when they know they are surveilled, a form of self-censorship (Penney 2016; Stoycheff 2016). When this happens during collective decision-making, minority views are less likely to be voiced. Mass surveillance makes people shallow and compliant, and thwarts collective social progress.
There are many forms of online surveillance and we are not trying to fix them all. Our focus is the traffic analysis problem: current best practice for messaging encryption does not defend against an adversary who can observe encrypted traffic and extract metadata such as geographical location, position on the network, the social graph, message sizes, message timing, and the rate and frequency of communication. The “secure messaging” problem, in its full traffic-analysis-resistant form, has not been solved at scale.
Katzenpost is a mix network: an anonymous communication network designed to reduce the metadata that leaks from a conversation. It is designed to allow people to communicate without leaking the fact that they are communicating with one another. It is a joint effort between cryptographers, computer scientists, mathematicians and software engineers.
There is one further observation worth making. We assume that nation-state military and intelligence groups already use mix networks or similar techniques to protect their own communications metadata as routine operational security. But if every user of such a network is a high-value target, then much of the leaked metadata is still useful to an adversary. Anonymity Loves Company: the network needs a varied user base spanning the full range of adversary interest, so that the ordinary users provide cover traffic for the high-risk users who are themselves the targets of surveillance.
It is our view that strong anonymous communication networks should not remain the privilege of secret groups within nation states; their use is a mode of self-defence and should be available to all. You may point out that Tor is widely used and is the most successful publicly deployed anonymous communication network in the world. That is correct. However, Tor does not defend against a global passive adversary (Tor’s own threat model says so explicitly), whereas mix networks do. Tor is not considered to provide strong anonymity; this is well established in the published academic literature, for example the Anonymity Trilemma.
We build Katzenpost for ourselves and for others. We do not directly control who benefits from our mix network. It may be of use to law enforcement, military and intelligence groups; it may equally benefit journalists, whistleblowers and political activists. The law-enforcement counter-argument, that anonymous communication networks help terrorists and human traffickers, is not factually wrong, but it is a manipulative one-sided argument that ignores all of human history and the collective harm of mass surveillance.
Two framings of mass surveillance
The two tables below are reproduced from Phil Rogaway’s slides for The Moral Character of Cryptographic Work (IACR Distinguished Lecture, Asiacrypt 2015).
| Privacy is a personal good | Security is a collective good |
| Inherently in conflict | Encryption has destroyed the balance. Privacy wins |
| The bad guys may win | Risk of Going Dark |
| Surveillance is an instrument of power | Technology makes it cheap |
| Tied to cyberwar and assassinations | Privacy and security usually not in conflict |
| Makes people conformant, fearful, boring. Stifles dissent | Hard to stop. Cryptography offers hope |
Further reading
Anonymous communication research
- Chaum, D. (1981). Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Communications of the ACM 24(2).
- Dingledine, R., Mathewson, N. & Syverson, P. (2004). Tor: The Second-Generation Onion Router. USENIX Security.
- Dingledine, R. & Mathewson, N. (2006). Anonymity Loves Company: Usability and the Network Effect. Workshop on the Economics of Information Security (WEIS).
- Unger, N. et al. (2015). SoK: Secure Messaging. IEEE Symposium on Security and Privacy.
- Das, D., Meiser, S., Mohammadi, E. & Kate, A. (2018). Anonymity Trilemma: Strong Anonymity, Low Bandwidth Overhead, Low Latency, Choose Two. IEEE Symposium on Security and Privacy.
Surveillance, politics, philosophy
- Arendt, H. (1958). The Human Condition.
- Bankston, K. & Soltani, A. (2014). Tiny Constables and the Cost of Surveillance: Making Cents Out of United States v. Jones. Yale Law Journal Forum 123.
- Rogaway, P. (2015). The Moral Character of Cryptographic Work. IACR Distinguished Lecture, Asiacrypt 2015. (USENIX Security 2016 video)
Empirical evidence on chilling effects
- Penney, J. (2016). Chilling Effects: Online Surveillance and Wikipedia Use. Berkeley Technology Law Journal 31(1).
- Stoycheff, E. (2016). Under Surveillance: Examining Facebook’s Spiral of Silence Effects in the Wake of NSA Internet Monitoring. Journalism & Mass Communication Quarterly 93(2).
Further bibliography
- Selected Papers in Anonymity, Free Haven’s curated bibliography of academic work on anonymity and privacy.