Projects and observations

We shouldn’t have to wait for camera encryption

I recently completed a project wherein I built a proof-of-concept encrypting camera that included no changes to the essential hardware or user interface of the device, yet provided strong, on-the-fly encryption of digital photos. I want to discuss more about why I created that project.

I have been aware of the targeting of journalists for decades. This is certainly not new – leaders of all kinds of organizations have known that keeping information out of the public view is how power is amassed and retained. Stories of journalists detained, and even killed, existed in my childhood. The Committee to Protect Journalists counts 1237 journalists killed since 1992.

Throughout this time, the raw information collected by journalists has also been a target. The seizing of cameras and notebooks is not a new phenomenon. The difference today is in the magnitude of information that is captured by journalists and the difficulty in securing it against seizure. Not only that, but the very equipment that journalists have come to rely upon can betray them in ways that notebooks and film cameras never could. We no longer expect journalists to return from the field with a couple of notebooks and a few rolls of film, but rather with hours of video and audio recordings, detailed location information, and thousands of high-resolution photos of their sources. To capture and store this information, journalists rely on a lot of technological equipment.

Yet the industries that provide this equipment are stubbornly behind in providing what should be considered routine and minimal capabilities to protect users, including journalists.

I was fortunate enough to attend MIT Media Lab’s Forbidden Research conference last year during which Andrew “bunnie” Huang and Edward Snowden released their initial research into better tools for monitoring cell phone transmissions. (It is possible for some phones, even in an “off” state, to transmit wireless signals.) One of the inspirations for this work was the tragic story of Marie Colvin.

Marie was a journalist in Syria preparing to report about attacks on civilian targets near the city of Homs. She and photographer Remi Ochlik were killed when radio emissions from their electronic devices, including cell phones, were used to find and target their camp with artillery. This deliberate, state-directed act against a journalist really made clear how the vast amounts of technology that have become mainstays of the journalist have also substantially increased the risk they take.

While I may not be able to do much about rogue wireless transmissions (other than to remind everyone to carry a good faraday bag), I do think I can shed a little light on how direct the path to better encryption on cameras is. As a letter, published by the Freedom of the Press Foundation and signed by 150 documentary filmmakers and photojournalists says, many manufacturers of electronic equipment have begun to implement strong, useful encryption on devices, putting the notes and other content gathered by journalists beyond the reach of those who may want to use it nefariously. However, in the area of high-quality, professional cameras, no on-the-fly encryption is currently available.

This is, simply, not an excusable state. There are no good excuses for Canon, Nikon, Sony, Fuji, Olympus and others not to have added real-time encryption by now. The professional cameras offered by these companies contain very fast processing chips, and while the pursuit of faster frame rates and quicker focus is to be lauded, to not give users the choice to trade some of that performance for basic safety is pernicious.

The driving factor behind why I created my proof of concept encrypting camera is to show that it is possible to retrofit current camera models – even those on the market for years – with strong, easy-to-use encryption without hardware or user interface updates required. I want to show that it is not technical limitations preventing camera vendors from producing these devices but rather an unwillingness to provide the technology that keeps our journalists (and others) in unnecessary danger.

Cameras are seized all the time throughout the world, and with every seizure both the journalist and their sources are endangered. The Committee to Protect Journalists tells Freedom of the Press Foundation:

“Confiscating the cameras of photojournalists is a blatant attempt to silence and intimidate them, yet such attacks are so common that we could not realistically track all these incidents. The unfortunate truth is that photojournalists are regularly targeted and threatened as they seek to document and bear witness, but there is little they can do to protect their equipment and their photos.”

I am tired of waiting for companies to decide adding encryption is a commercially viable feature. I’m tired of companies actively endangering the lives of journalists when this problem that is as old as photojournalism itself can finally be solved. While the best user experience may, indeed, require hardware updates, camera vendors can fix this problem now, with a software update alone, so don’t believe any of them that claim there is a major technological hurdle to jump. Don’t believe them when they say you must buy a pricey new model to get these features when they eventually do show up. These cameras can offer encryption today, and vendors should be racing to provide it.

 

Note: Look, cryptography can be complex and getting it right requires time and care, I fully understand this. Additionally, retrofitting a custom processor for new tasks can be problematic and may not result in the best possible performance. However, my research indicates that the custom processors in digital cameras may be well-suited to encryption tasks, even though there will certainly be a substantial performance penalty to pay initially. This is not an excuse for not offering the security and safety of a software update enabling real-time encryption for, at a minimum, still photos to those who are willing to make the trade-off.


Automatic Encrypting Camera Proof-of-Concept

A collage including people icons in the upper right, a camera icon with a compute chip and key icon included, and an old-style photograph with the image replaced by random text representing an encrypted photo.

A few months ago, I ran across a post at Boing Boing by Cory Doctorow in which he relayed the desire of journalists to have cameras that would encrypt images on the fly. The uses for this are many and can protect journalists and also, crucially, those the journalist has documented. Seized images can be used against people by governments and other agencies. It seemed a pretty sound idea to me.
The post imagines the requirement for new user interfaces on cameras to allow the entering of passphrases and the like. While certainly I don’t think that would be a bad idea, the format of dedicated digital cameras does make it a challenge. Small screens are prone to typing errors when using touch-screen keyboards and the small form factor of most dedicated cameras limits hardware input options. However, what immediately struck me was that no changes really need to be made at all, as long as one crucial trade-off is accepted: not being able to review images on-camera.
Since public key cryptography feels well-suited to the task of encrypting images on the fly, I imagined an interfaceless update to existing cameras that would provide strong encryption but without the need to enter a passphrase or any other information. It is, effectively, transparent.

Here is the system I imagined:

  1. Use a well-known (and thoroughly vetted) public key crypto package on a computer to generate a keypair
  2. Copy the public key to the removable media used by the camera
  3. Insert the media in the camera, which imports the public key included thereon
  4. All images taken by the camera and written to the media will be encrypted by the key included on that media
  5. The key is purged from the camera when the media is removed

In this system, the camera never writes an image to storage without first encrypting it. There is nothing for other parties to recover from the media apart from the strongly encrypted images and the public key – which cannot be used to decrypt the images stored. This does bring up the one tradeoff I mentioned previously – there is no way to view any of the images taken on camera. In practice this should not be too difficult to live with as taking lots of shots to be sure a good one is captured has become standard practice, but certainly this could be an unacceptable tradeoff in some situations.

 

Theory is all well and good, but I wanted to see if this system could be realized in the flesh. Since affordable prototyping platforms abound these days, I decided to build a proof of concept encrypting digital camera.

First, I chose a platform – this was a very easy decision. I went with the Raspberry Pi as it is readily available, has substantial online resources available for it, is very cost effective, and supports a native camera device. It ended up being particularly wonderful that Adafruit (an online retailer of electronics) also had a tutorial and software available to turn the Pi into a ready-to-use point-and-shoot camera — that made this a relatively straightforward project.

A clear plastic box containing a circuit board and camera. A power cable is attached to the top and a removable USB drive to the side.

The Raspberry Pi 3 with camera mounted in a case from Adafruit

Step one was getting the hardware. As I live in the Boston area, I’m lucky enough to have a Micro Center local to me which carried everything I needed. (I used the BOM from Adafruit’s camera build.)

  • Raspberry Pi 3 (the faster processor is good for prototyping and encryption, but a Zero might work)
  • Adafruit touch screen
  • Nifty case for the screen+Pi
  • Pi camera w/cable
  • 64GB USB flash drive (I used one with an A and micro-B connector so it could be tested with a Zero in the future – one could also use an SD card reader with card.)
A black plastic case with an opening for a 2.3" touch screen displaying a "gear" and "play" icon. Four hardware buttons are on the right of the case, a USB drive is attached on the left and a power cable is attached on the top.

The back of the Adafruit case with their touch screen installed displaying the camera UI developed for the linked tutorial.

From there, I simply followed Adafruit’s tutorial until I had a working digital camera. If you’d like to build one of these for yourself, follow Adafruit’s build and then come back for the rest.

Please note that this is intentionally not a detailed tutorial. This is a proof-of-concept project and it is not audited or secured in any way. If you need the protection of an encrypting camera, you’ll need to understand it deeper than following a recipe allows. However, below is a discussion of the steps I followed to implement the camera along with snippets of my custom code. With work and understanding, you’ll be able to re-create my project.

Once I had the camera working, I needed to identify how I would have the system perform the encryption. I chose GPG (GNU Privacy Guard) because it is well-vetted, available for every platform, includes a Python library (conveniently, the camera software is Python) and already familiar to many. I installed GPG on my laptop and on the Pi and performed a few exercises to familiarize myself with the tool, such as generating, exporting, and importing keys, and encrypting/decrypting files between systems. Once I was comfortable, it was time to automate things on the Pi.

I installed the usbmount library on the Pi and created a mount script for my USB device in /etc/usbmount/mount.d. Usbmount allows the system to automatically run a script when a specific USB device or class of device is inserted or removed. An included script ensures that the flash drive is always mounted at /media/usb0 so I can make sure to put images in the right place. My custom script then automatically imports a GPG key from the “key.asc” file found on the drive into a known GPG homedir. That way the camera script has the key available in a known location later. In addition, I created an unmount script that removes the key from the system once the drive is removed.

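Mount Script
#!/bin/sh
# Import the public key from the inserted drive into a throwaway GPG homedir
mkdir -p /tmp/gnupg
chmod 700 /tmp/gnupg
export GNUPGHOME=/tmp/gnupg
gpg --import /media/usb0/key.asc
# Save the key ID (field 5 of each "pub" record) for the camera script
gpg --list-keys --with-colons 2>/dev/null | awk -F: '/^pub/{print $5}' > /tmp/gnupg/keyid
exit 0

Unmount Script
#!/bin/sh
# Remove the imported keyring and the saved key ID once the drive is gone
rm -rf /tmp/gnupg/*
exit 0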

After a few rounds of testing, I was ultimately happy that this solution was reasonably robust. To get the key onto the camera, one only has to export it from GPG into “key.asc” and place it in the root of the media. Every drive/card could have a different key if needed, and all could be prepared ahead of time. (In fact, the system containing the private key need not even be in the same country as the camera or even available to the camera user!)
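The mount script above saves field 5 of every pub record it finds, so a key.asc that holds several keys, an expired key, or private key material would pass through unnoticed. The Python sketch below is an added example, not part of the author's project: it vets the armored file text and the `gpg --list-keys --with-colons` listing and returns the full fingerprint of the single usable encryption key. The function names and the sample listing are constructed for illustration, and expiry dates are assumed to be epoch seconds.

```python
import time

# ASCII-armor header that marks secret key material; it must never be on the card.
PRIVATE_ARMOR = "-----BEGIN PGP PRIVATE KEY BLOCK-----"
# Validity codes (field 2): invalid, disabled, revoked, expired, not valid.
BAD_VALIDITY = set("idren")

# Constructed sample data (not a real key): armored file text and the matching
# colon-format listing for one primary key with one encryption subkey.
SAMPLE_ARMOR = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
                "(constructed placeholder body)\n"
                "-----END PGP PUBLIC KEY BLOCK-----\n")
SAMPLE_LISTING = "\n".join([
    "tru::1:1500000000:0:3:1:5",
    "pub:-:4096:1:1122334455667788:1500000000:::-:::scESC::::::23::0:",
    "fpr:::::::::0123456789ABCDEF012345671122334455667788:",
    "uid:-::::1500000000::::Field Card 01 (constructed)::::::::::0:",
    "sub:-:4096:1:99AABBCCDDEEFF00:1500000000::::::e::::::23:",
    "fpr:::::::::FEDCBA98765432100123456799AABBCCDDEEFF00:",
])


def parse_listing(listing):
    """Group colon-format records into one dict per primary (pub) key."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        f += [""] * (12 - len(f))  # pad short records
        if f[0] == "pub":
            keys.append({"validity": f[1], "expires": f[6], "caps": f[11],
                         "fpr": None, "subs": []})
        elif f[0] == "sub" and keys:
            keys[-1]["subs"].append(
                {"validity": f[1], "expires": f[6], "caps": f[11]})
        elif (f[0] == "fpr" and keys and keys[-1]["fpr"] is None
              and not keys[-1]["subs"]):
            keys[-1]["fpr"] = f[9]  # first fpr after pub belongs to the primary
    return keys


def usable(rec, now):
    """True if the record is not revoked, expired or invalid at `now` (epoch)."""
    if rec["validity"] in BAD_VALIDITY:
        return False
    exp = rec["expires"]
    # Assumption: expiry is printed as epoch seconds.
    return not (exp.isdigit() and int(exp) <= now)


def can_encrypt(key, now):
    """True if the primary key or one of its subkeys can encrypt right now."""
    if not usable(key, now) or "D" in key["caps"]:  # "D" marks a disabled key
        return False
    if "e" in key["caps"]:  # lowercase: the primary key itself can encrypt
        return True
    return any("e" in s["caps"] and usable(s, now) for s in key["subs"])


def pick_recipient(armored, listing, now=None):
    """Return the fingerprint of the one usable public key, or raise ValueError."""
    now = time.time() if now is None else now
    if PRIVATE_ARMOR in armored:
        raise ValueError("key.asc contains a private key block")
    keys = parse_listing(listing)
    if len(keys) != 1:
        raise ValueError("expected exactly one public key, found %d" % len(keys))
    key = keys[0]
    if not can_encrypt(key, now):
        raise ValueError("key is expired, revoked or cannot encrypt")
    fpr = key["fpr"] or ""
    if len(fpr) not in (40, 64) or any(c not in "0123456789ABCDEF" for c in fpr):
        raise ValueError("missing or malformed fingerprint")
    return fpr


if __name__ == "__main__":
    print(pick_recipient(SAMPLE_ARMOR, SAMPLE_LISTING, now=1600000000))
```

A camera script could pass the returned fingerprint as the recipient instead of the short key ID, and refuse to take pictures when the check raises.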

Next, I needed to modify the camera script that was installed as part of the Adafruit tutorial. This turned out to be pretty straightforward. (Though there was a bit of trial-and-error getting the python gnupg package to properly encrypt.) Ultimately, I simply needed to intercept the saving of the image to camera, run the in-memory image through the encryption package instead, and redirect the output to the configured USB drive. Just a few lines of code (mostly to import and configure python-gpg) were needed. Note that I did not take the time to disable alternate saving methods like Dropbox, and I did not test what happens should one try to use them with my script modifications.

#At the top of the file with the other imports:
import gnupg

#I modified the array (~line 260) used to direct where images are stored this way:
pathData = [
  '/media/usb0/DCIM',     # Path for storeMode = 0 (Removable Media)
  '/boot/DCIM/CANON999',  # Path for storeMode = 1 (Boot partition)
  '/home/pi/Photos']      # Path for storeMode = 2 (Dropbox)

#In the takePicture() routine (about line 450) I added these GPG-related lines to
# read the key ID that the usbmount script helpfully stored for us:
gpg = gnupg.GPG(gnupghome = '/tmp/gnupg')
with open('/tmp/gnupg/keyid', 'r') as infile:
  gpgTempKey = infile.read()
gpgKeyID2 = gpgTempKey.rstrip('\n')

#A little further down in takePicture() I intercepted the camera capture
# and writing commands and replaced with this:
camera.capture(camera_image, 'jpeg')
#I found gpg.encrypt didn't play well with the BytesIO() object
temp_image = camera_image.getvalue() 
#encrypts and automatically writes the output to filename
encrypted_image = gpg.encrypt(temp_image,gpgKeyID2,always_trust=True, output=filename) 

A photo inside a building including part of a table-top in the foreground with a wood door and glass door in the background a few feet away.

This haphazard photo of the inside of the Democracy Center in Cambridge, MA was the first encrypted photo to be taken with my camera.

Finally, I had a working Encrypting Digital Camera! Whenever I insert media in the camera that contains a valid GPG key in a file called “key.asc” the camera then begins to encrypt every image taken until the media is removed. On my computer, I can then use the private key (protected by a passphrase) to decrypt the images on the command line and I’m left with pristine* jpgs! (*Well, 8MP noisy JPGs but that’s a function of the mediocre Pi camera, not the encryption!) It’s not exactly fast, though. It took approximately 6-10 seconds to encrypt and write the JPG to disk. Of course, this is a low-powered processor and a single-threaded encryption engine. It is, however, a very successful proof that this system can work.

I have shown that with minimal software changes, cameras can support robust encryption with no changes to user interface at all. I would hope that we see commercial camera producers consider integrating a system like this in the near future. Additionally, I have to wonder if third-party firmware updates (like CHDK for Canon cameras) could add such support. At worst, with some effort, platforms like the Raspberry Pi could offer a decent starting point. Of course speed may be an issue until dedicated encryption hardware is added to cameras. I am unclear as to how well-suited the DSP custom processors found in digital cameras could be adapted for encryption tasks (possibly very well!) but in the near future, retrofit software would probably preclude the super-fast capture rates that professional photographers have come to expect.

Now, for the BIG HUGE DISCLAIMER: This is a PROOF OF CONCEPT. While I’m providing some code snippets here so that others can recreate my work, it’s super important that everyone understand that this project has not been audited or vetted by security professionals, nor was it created with the intention of being used in the field. It’s possible that this project could give some level of protection as-is, but it’s also possible that there are glaring errors that would erase any gains or even exacerbate the situation you may be trying to avoid. Please don’t use this in production! (As a note, I have made no attempt to harden the Pi against access, for instance via wifi, ethernet, or USB. It could be trivial to circumvent the entire encryption system via these vectors.)


Community Supported Propaganda

I’ve been thinking about things that we as small groups and individuals can do to temper and eventually turn the frightening political front that the US (and, indeed, others) are seeing at this moment. We know that media plays an outsized role, even compared to the recent past, in the general thoughts and feelings of much of the country and the world. Media companies are corporations, first and foremost (some exceptions exist) and are interested primarily in a continued, profitable existence. With the extreme changes in the media landscape over the last two decades, this is not a certainty for most media corporations and, therefore, they have become much more risk-averse than in the past. This can translate into business strategies much more focused on attracting and maintaining audiences than in reporting fair and accurate news. You can’t be the only outlet not reporting on the scandal of the day lest you lose eyeballs and, therefore, revenue.

However, media – primarily video content – is not about to lose its influence in our daily lives. What I think that we as concerned individuals must do is devise new ways to have media work for us, and to spread the messages we feel are important rather than leaving that choice up to profit-motivated newsrooms.

You have likely heard of a “CSA” before – usually meaning “Community Supported Agriculture” but expanded to include “Aquaculture,” and, particularly relevant to this concept, “Art.” In my community, I can participate in a Community Supported Art group which allows about 150-200 people each quarter to pay into a pool which is then distributed among a juried group of local artists, each of whom must create an art object for each of the supporters. I think we can look to this model for inspiration in getting small, targeted bits of media in front of the people who most need to hear our messages.

This is, on the surface, a simple concept:

  • Social media ads are pretty cheap (or at least have a low barrier to entry)
  • Targeting tools on those platforms are creepily specific
  • We have so many creative people who want to do something to help
  • We can crowdfund the running of ad spots targeting those who most need to hear our messages

I envision a group who evaluates submissions from the community on a variety of criteria and then manages the running of the submissions in appropriate targeted groups on sites like Facebook, Instagram, Twitter, Snapchat, and more. Supporters pay into the pool on a regular basis (similar to Patreon) and receive updates about which ads were run and potentially engagement reports from interactions with those ads. I would hope that such situations were able to provide some compensation and/or production assistance to those creating the media content as necessary and possible.

In short, we as regular individuals could come together to put small-creator-made ads in front of hundreds of thousands of people who need to hear from anyone outside their echo chamber. We would, in effect, open up those chambers and inject our own little bit of reverb into the echoes.

There are some potential pitfalls. Any tool can be used for good and evil, and there is great potential for harmful mis-use of this concept. In fact, I would be surprised if this isn’t already happening. It’s easy to imagine, for instance, a group running ads targeting LGBT+ youth with messages encouraging self-harm, or one offering assistance to undocumented immigrants which actually handed over their information to authorities. But, while tempting, it doesn’t help to try to keep tactics secret. When used openly, everyone can better understand how they work and can use them, and devise antidotes to them, more effectively.

For my case, I would want to see ads that humanize those who are under the heaviest persecution at the moment and make it difficult for far-right conservatives to other them. I would support messages of unity and warmth, but also a lot of messages of facts – the kinds of facts that make strong conservatives question the stories we are getting from our current administration. (Honest, creative presentation of those facts is key to encourage the necessary engagement.)

I would not personally support groups running aggressive messaging that is more likely to cause a backlash effect than a critical evaluation of beliefs. But that is a choice, not a requirement for such a thing. It makes me wonder whether contributors should have a say in which ads are run and whether voting on a juried selection may be feasible.

The media is a weapon at this point, and I see no way to stuff it back in the bottle, so let’s at least make things as even as we can.

 


Speaking up: Corporate edition

I am really impressed and proud of Lyft this morning. A private company, one that has potentially much to lose under a Trump administration, has sent an email to (all?) customers denouncing the ethically bankrupt actions of Trump with his recent immediate ban on refugees. It’s a deplorable move, and one that embarrasses me as an American. I really think we need many, many more companies to start stepping up and denouncing these actions. After all, corporations are people too, and it seems the only ones the administration will listen to. (The email came with announcement of a generous donation to the ACLU too!)

[Text reads:

Defending Our Values

Hi William,

We created Lyft to be a model for the type of community we want our world to be: diverse, inclusive, and safe.

This weekend, Trump closed the country’s borders to refugees, immigrants, and even documented residents from around the world based on their country of origin. Banning people of a particular faith or creed, race or identity, sexuality or ethnicity, from entering the U.S. is antithetical to both Lyft’s and our nation’s core values. We stand firmly against these actions, and will not be silent on issues that threaten the values of our community.

We know this directly impacts many of our community members, their families, and friends. We stand with you, and are donating $1,000,000 over the next four years to the ACLU to defend our constitution. We ask that you continue to be there for each other – and together, continue proving the power of community.

John & Logan
Lyft Co-Founders]

 

Nicely done, Lyft. I hope you inspire others.

[UPDATE: Apple too: http://www.macrumors.com/2017/01/28/tim-cook-on-immigration-order/]


Gamification of Ideological Exposure


Much is being written about ideological echo chambers. In particular, I’m enjoying Ethan Zuckerman’s REWIRE, published in 2013, in advance of this seemingly sudden revelation after the 2016 US presidential election. Zuckerman perfectly predicts (maybe it’s more accurate to say he observed) the phenomenon years ago. The idea that the great wondrous world of the internet has actually shrunk the points of view and differing ideals many of us are exposed to is counterintuitive, frustrating, and initially seems shocking. But it also makes perfect sense. We know that, left to our own devices, most of us seek out comfort, not challenge. We choose familiar ideas instead of ones that run contrary to our own. In short, we choose the easy path, not the hard one.

This is not unique to the media we consume, the people we follow on social media, or the neighborhoods we choose to live in. It also occurs when we look at the efforts put into political engagement (low), actions to mitigate climate change (low), and, perhaps most personally, the work most of us put into our own health and fitness. That latter category has had a great amount of R&D devoted to it by researchers – mostly employed by corporations who felt there was a way to make money by addressing this need. Weight-loss and fitness have been perennial money makers for generations, after all. When companies realized there was a way to add expensive tech to an established business model, the marketing campaigns practically wrote themselves.
Fitness trackers have boomed over the last few years. At their core, they serve as an easier way to quantify and visualize our physical activity over a given amount of time. Certainly they have helped me to better realize some of my bad habits, and to keep me more honest about the patterns in my exercise routine. This quantification is, most often, presented as a goal to reach each day/week/month and the awarding of virtual prizes and praise is nearly ubiquitous in these models. This is, clearly, the gamification of fitness. While the long-term effects are unclear, it is undeniable that some have benefited from this model.

I wonder what will happen if we apply this concept of gamifying a behavior that we generally dislike to encourage exposure to media that presents ideologies that we may not subscribe to ourselves?
The general idea behind a lot of gamification is to make an unpleasant activity fun, or at least to provide motivation for performing the activity. There are a great number of ways that rewards and motivations can present, but they are obviously effective for some. Getting in our step goal for the day, for instance, can result in a flashy animation and message of congratulations from our fitness apps, and even virtual medals for specific achievements. Even if the activity never becomes fun, if we can be motivated by these progress trackers, we can make progress towards our goals.
When it comes to exposure to dissimilar ideologies, goals are not nearly so clear or easy to quantify as for fitness. While I think that echo chambers are bad for everyone, I think it’s unlikely for most people to move too far beyond, say, a “reverb room” of ideological exposure very quickly. However, even that much of a move on the part of even a moderate portion of the population could have profound effects on our civic society. So, if our goals cannot be specific, how do we gamify exposure to ideologies? I think that measuring activity against a set of anti-goals may be useful. While it’s hard to say that “50% of your weekly reading should be outside your reverb room” it’s easier to say “less than 100% of your reading should come from within it.” It’s the extreme of the echo chamber that we need to avoid, not necessarily a perfect balance in all exposure.
But how do we even measure such things? That’s tough, to be sure. We have a general idea that some news sources lean one way or another (if you want to use the simplistic liberal/conservative spectrum for a measure) and we could, simply, categorize all stories from a specific outlet to be some percentage left or right of center. (see here and here) We could also use crowdsourcing to evaluate articles, provided enough people participating rate a specific story to avoid mischief. We could even use machine learning systems, trained on pre-scored corpora of material to evaluate individual news stories. (See the work of Marek Rei. I’m frustrated trying to find another researcher who trained a machine learning system to evaluate conservative vs liberal sources. I’ll update when I eventually find her again!)
If we have a reasonable way to score arbitrary content between the (again, much simplified but still useful) conservative and liberal extremes, then, much like counting steps and calories burned, we can tabulate an average for any set of stories. This could certainly be implemented in the form of a browser plugin, and could likely take other forms as well. For a responsible citizen of the US, making sure their browser bar contains, say, a purple dot, rather than a blue or red one, could become a personal goal.
We know that, for most of us, it is human nature to avoid hard things, especially when it seems we are the only ones to suffer from that avoidance. But accountability is an extremely important motivator, as are rewards. An automated system that tracks what we read, and gives us a reasonable estimate of its diversity, could assist a great many people in opening up their echo chambers, even if it is just a simple first step.

