\documentclass[letterpaper,10pt,twocolumn]{article}

\usepackage{url}
\usepackage{usenix}
\usepackage{graphics}
\usepackage{amssymb}
\usepackage{amsmath}
\usepackage{subfigure}
\usepackage{endnotes}
\usepackage[left=2cm,top=2cm,right=2cm,nohead,nofoot]{geometry}


%\textwidth 17.0cm 
%\textheight 22.8cm


\date{}

\title{\Large \bf Freezing More Than Bits:\\Chilling Effects of the OLPC XO Security Model}

\author{
{\rm Meredith L.\ Patterson}\\
University of Iowa
\and
{\rm Len Sassaman}\\
Katholieke Universiteit Leuven
\and
{\rm David Chaum}\\
Katholieke Universiteit Leuven
}

% Cut down on whitespace above and below figures displayed at head/foot of
% page.
\setlength{\textfloatsep}{3mm}
% Cut down on whitespace above and below figures displayed in middle of page
\setlength{\intextsep}{3mm}
\setlength{\columnsep}{0.2125in}


\begin{document}
\pagestyle{empty}

\maketitle
\thispagestyle{empty}

\subsection*{Abstract}
In this paper, we discuss \emph{Bitfrost}, the security model developed by the One Laptop Per Child project for its XO laptop computers. Bitfrost implements a number of security measures intended primarily to deter theft and malware, but which also introduce severe threats to data security and individual privacy. We describe several of the technical provisions in Bitfrost, outline the risks they enable, and consider their legal ramifications and the psychological impact posed for children and society.

% LEN: one case that I think we really need to make in here is that the policies we're criticising are *not necessary* to achieve the goals of the threat-model.

% somewhere in here, cite acquisti on perceived communities. there IS a perceived community here, the school. the whole thing is heavily school-focused, but what they've got up their sleeve is that the government is the actual community

% lack of open standards (Bitfrost is still a "work in progress"), lack of transparency, lack of dealing with a standards body...

% you don't know whether you have anonymity or not, so you have to act as if you don't, and that's a chilling effect

%is designed to have... (we didn't eval this)

%What HCI principles is Sugar based on?

%Talk about voting issues.

\section{Introduction}
Since its announcement in 2005~\cite{olpc-announce}, the OLPC XO laptop computer has been hailed as a revolutionary innovation in the quest to bring computer literacy to the majority of the world's population. The small, sturdy laptop is extremely inexpensive, consumes very little power (and can be charged with a hand crank or foot pedal), has no failure-prone moving parts, provides wireless mesh networking, includes a built-in video camera and microphone, and features a novel graphical user interface (known as \emph{Sugar}) which is intended to ``turn the laptop into a fun, easy-to-use, social experience that promotes sharing and learning''~\cite{sugar}. To date, the governments of Argentina, Brazil, Libya, Nigeria, Peru, Rwanda, Thailand and Uruguay have agreed to purchase XOs for their schoolchildren; it is estimated that between 5 and 10 million XOs will be distributed in 2008~\cite{itworld}. The first deployments of XOs have already begun in Mongolia~\cite{Mongolia} and Uruguay~\cite{Uruguay}.

Due to concerns about theft, the XO design team has taken measures to render the laptop a less attractive target for illicit resale.
%, whether as a unit or disassembled. 
Most components are soldered directly to the motherboard, to 
%make them more difficult to remove and 
discourage parting out the machines. The XO also implements a software and firmware security platform, dubbed \emph{Bitfrost}, aimed at preventing theft, damage from malicious software, compromise of user privacy, and compromise by software which harms other network users (e.g. botnets or spam relays)~\cite{bitfrost}. Although these are noble goals, many of Bitfrost's provisions present much more dramatic risks to XO users than those the policy is intended to deter. 

In this paper, we analyze the technical weaknesses of the Bitfrost security policy; enumerate the dangers which Bitfrost not only fails to prevent, but indeed actively \emph{encourages}; and discuss the sociological ramifications of the human-computer interaction model which Bitfrost is poised to unleash on an unsuspecting user-base.

% thesis statement: OLPCs are a danger to the kids who use them.

\section{Technical Concerns}

\subsection{Principles, Goals, and Threat Model}
The Bitfrost specification outlines four principles and five goals intended to guide the technical features of the platform: ``Open design,'' ``No lockdown,'' ``No reading required,'' and ``Unobtrusive security;'' and ``No user passwords,'' ``No unencrypted authentication,'' ``Out-of-the-box security,'' ``Limited institutional public key infrastructure,'' and ``No permanent data loss.'' These are laudable aspirations, particularly given that most of the XO's userbase will have had limited prior exposure to technology and many will be too young to read. % ``usability itself is a security concern''?

Bitfrost also establishes a five-point software threat model, intended to encompass the categories of `` `bad things' that software could do.'' It comprises:
\begin{itemize}
\item Damaging the machine;
\item Compromising privacy;
\item Damaging the user's data;
\item Doing bad things to other people; and
\item Impersonating the user.
\end{itemize}

These are quite reasonable threats to consider, and Bitfrost shows much promise in protecting its users from unauthorized abuses (intentional or accidental) from misbehavior of software applications.

% maybe say something in here about how these are reasonable things to consider threats?
The Bitfrost specification includes a lengthy list of hardware/firmware, kernel-space, and user-space policies and \texttt{chroot} environments intended to prevent malicious software from accomplishing any of the above goals. The OLPC XO is designed such that it cannot be activated without complying with these policies, thus discouraging attempts to divert XOs away from the supply chain and onto the black market (a goal stated in section 3 of the specification). These measures will be costly and inconvenient to subvert.

However, many of Bitfrost's policies introduce more problems than they solve. We will examine several of these policies in detail, identifying areas where Bitfrost generates a scenario which diverges considerably from the rosy picture which its principles and goals paint.

\subsection{A Peculiar Definition of ``Open''}
Although Bitfrost advocates open design, we note that the only available draft of the specification states that it is not the final version, and that a full technical specification is ``being prepared''~\cite{bitfrost}. There is no indication that the specification has been submitted to any recognized standards body for approval, or even when a final draft will be made available. 

Were Bitfrost still merely a proposal, this would not be such a cause for concern. However, 1000 XOs have already been deployed in Mongolia~\cite{Mongolia}, and 8000 in Uruguay, with another 90,000 to be deployed in the next several months~\cite{Uruguay}. A \emph{de facto} standard has thus been defined, in the form of the source code of the release builds of the operating system. Although the source code is publicly available, this alone does not constitute a standards specification. A true specification gives implementors reference guidelines against which to verify the correctness of an implementation and to ensure interoperability.\endnote{The Internet Engineering Task Force provides an excellent guideline for writing standards specifications in RFC 2360~\cite{rfc-2360}. While this is oriented toward the RFC series of documents published by the IETF, it can be used as a template for easily-readable and auditable standards published independently as well.} The lack of a formal specification bespeaks poor management practices, and leads us to question the quality of the implementation---if there is no standard, how is the platform to be tested?

%, this is not the point of an open standard; standards exist to be implemented, not vice versa. 
%cite rfc whatever

In the remainder of this section, we discuss policies as they are described in the available documentation.

\subsection{Digital Identity: the first-boot protocol}
Each XO has a unique identifier tuple consisting of its serial number, $SN$, and a randomly-generated 32-byte identifier, $U\#$. When a country receives a shipment of deactivated XOs, it also receives the corresponding identifier tuples, and generates a unique \emph{activation code} for each tuple. When the country sends XOs to a school, it also sends a USB key with the codes for each XO in a separate shipment; the school plugs this key into a server connected to a wireless network, which acts as an \emph{activation server} for that batch of XOs. To activate an XO, a child powers it on within range of the activation server; the XO sends its identifier tuple to the server, which responds with the appropriate activation code, and the XO initiates its ``first boot'' process.

As the very first step of this process, the XO asks for the child's name and takes a digital photograph\endnote{While the OLPC design criteria call for an LED on the activation circuit for the camera and microphone to discourage their use as surveillance devices, the developer models of the XO we have used lack this LED. It is unknown if the currently deployed units provide any visual status indicators for these hardware components.} of the child. It also generates an ECC keypair (without a passphrase; the key size is unspecified) and signs the name and photograph with this key. The resulting 8-tuple $\langle SN, U\#, N, P, ECC_{pub}, ECC_{private}, sig_{N}, sig_{P} \rangle$ forms the child's \emph{digital identity}. It is immediately transmitted to the activation server (which serves as the primary backup server) and the country's central backup server. 

Thus, the child is immediately linkable, by name and appearance, to the laptop he or she has been issued---and, more importantly, to a long-lived keypair which is now no longer under his or her sole control. We question the need for such invasive measures. The specification provides no rationale for storing the name and photograph, but presumably it is so that if a stolen laptop is recovered, its owner can strongly identify herself. Other biometric factors, e.g. voiceprints, might be a less privacy-invasive but equivalently strong means of satisfying this goal.

\subsection{Data Security and Key Escrow}
Recall that the Bitfrost specification explicitly lists ``compromising the user's privacy'' and ``impersonating the user'' as things that software running on the XO should not be able to achieve. However, without giving the user any other option\endnote{Possibly without notifying the user at all; the Bitfrost specification is silent on this issue.}, the XO transmits both halves of a keypair which is permanently associated with the user's identity to two separate entities, all before the user fully assumes control of the laptop! Bitfrost lists ``limited institutional public key infrastructure'' as one of its goals, but by default it establishes the most user-hostile form of key escrow~\cite{risks97}. The user has no control over the deposit, recovery or maintenance of her keypair; compromising a key store compromises all keys in it (since they have no passphrases), and the Bitfrost designers consider this an ``acceptable risk''~\cite{bitfrost}. According to the \textsc{p\_document\_backup} policy, this is motivated by a desire to avoid having to regenerate a child's digital identity if her XO is lost or destroyed. We question the importance of this goal, particularly given how unobtrusive the digital identity creation process is. The current structure requires key escrow for recovery of encrypted backups, but decoupling the data recovery process from the identity and authentication components would allow each problem to be addressed according to its specific requirements.
 %It appears the designers were unaware of systems which obviate the need for key escrow or which share a master key among multiple servers. %Identity-based encryption~\cite{ibe} would meet either of these requirements and make it much harder for an attacker to obtain a user's private key. %; it would also remove the need to generate a new digital identity if the private key generator were compromised, since users can continue to use the same public key; the PKG server need only generate a new master key. 

The \textsc{p\_document\_backup} policy also allows any server advertising itself as a ``backup service'' to trigger automatic incremental backups of an XO's data. Although these backups are encrypted to the user's ECC key, this provides negligible protection against a skilled third party. Any individual who gains access to the key store (via ``black-bag cryptanalysis'' or ``aluminum-briefcase cryptanalysis'') can set up a backup service as a honeypot and compromise the private data of any XO in the ``neighborhood''.
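The first-boot identity flow described above and the escrow it creates, written out as an added example (this is not OLPC code). A toy Schnorr signature over a small prime-order group, generated when the module loads, stands in for the unspecified ECC keypair; \texttt{escrow\_decoupled} sketches the separation of data recovery from identity that the text argues for, and its per-device backup key, the serial numbers and the store layout are assumptions.

```python
"""Model of the Bitfrost first-boot identity flow and the key-escrow point it
creates (an added example, not OLPC code). A toy Schnorr scheme over a small
prime-order group stands in for the ECC keypair; its size is NOT secure."""
import hashlib
import secrets

Q = (1 << 61) - 1  # Mersenne prime used as the subgroup order (toy size)

def _is_prime(n):
    """Deterministic Miller-Rabin, exact for every odd n below 3.3e24."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _group_params():
    """Find a prime P = k*Q + 1 and a generator G of the order-Q subgroup."""
    k = 2
    while not _is_prime(k * Q + 1):
        k += 2
    p = k * Q + 1
    g = 1
    while g == 1:
        g = pow(secrets.randbelow(p - 3) + 2, k, p)
    return p, g

P, G = _group_params()

def keygen():
    """Private scalar x and public element y = G^x mod P (no passphrase)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _challenge(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(32, "big") + msg).digest(), "big") % Q

def sign(priv, msg):
    k = secrets.randbelow(Q - 1) + 1
    e = _challenge(pow(G, k, P), msg)
    return e, (k + priv * e) % Q

def verify(pub, msg, sig):
    e, s = sig
    r = pow(G, s, P) * pow(pub, Q - e, P) % P  # recovers G^k = G^s * y^-e
    return _challenge(r, msg) == e

def first_boot(sn, uid, name, photo):
    """Run on the XO after activation: generate the keypair and sign the
    child's name and photograph. Returns the digital identity
    <SN, U#, N, P, ECC_pub, ECC_priv, sig_N, sig_P> that leaves the device."""
    priv, pub = keygen()
    return (sn, uid, name, photo, pub, priv, sign(priv, name), sign(priv, photo))

def escrow_as_specified(identity, stores):
    """p_document_backup as described: the whole tuple, private key included,
    goes to the activation (primary backup) server and the central server."""
    for store in stores:
        store[identity[0]] = identity

def store_can_sign_for(store, sn, msg):
    """Whether whoever holds this store can produce a signature on msg that
    verifies under the child's public key: the escrow risk as one check."""
    rec = store.get(sn)
    if rec is None or rec[5] is None:
        return False
    return verify(rec[4], msg, sign(rec[5], msg))

def escrow_decoupled(identity, stores):
    """Alternative the text argues for (assumed design, not in the spec):
    back up only the public half; a separate per-device backup key is escrowed."""
    backup_key = secrets.token_bytes(32)
    public_half = identity[:5] + (None,) + identity[6:]
    for store in stores:
        store[identity[0]] = public_half
        store[("backup-key", identity[0])] = backup_key
    return backup_key
```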

\subsection{Anonymity and Deniability }
Thanks to Bitfrost's key escrow policy, it is trivial for anyone with access to an XO user's primary backup server to forge the user's signature on any document, with no way for the user to repudiate the signature. However, the threats Bitfrost poses against user anonymity are much farther-reaching than forged signatures.

The \textsc{p\_ident} policy states that ``all digital peer interactions or communication (e-mails, instant messages, and so forth) can be cryptographically signed to maintain integrity even as they're routed through potentially malicious peers on the mesh.'' Since the policy does not state the conditions under which traffic will or will not be signed, and the ``unobtrusive security'' goal emphasizes that ``strong unobtrusive security'' will occur ``behind the scenes'' unless it impacts usability---\emph{not} privacy---we must assume that all outgoing traffic will be signed by default when possible. Since IP, TCP and UDP provide no mechanism for signing, this operation presumably takes place at the application layer, through overt message signing as described, or by signing the message body and embedding the signature in a header---the From request-header of HTTP~\cite{rfc2616} is an obvious candidate. 

Signing, whether at the message or packet level, implies non-repudiability of all signed messages or packets. Ergo, it is impossible for XO users to use any form of anonymous communication with confidence. 

% There are a bitchton of extra fields in HTTP (as one example) that can be repurposed to hold a signature. Signing payloads == signing packets.

%Nor is deniability an option, whether the user is the actual author of a message or whether it is a forgery. 
The \textsc{p\_ident} policy is thus a threat to many forms of speech which have been shielded by anonymity in the past: political speech, ``whistleblowing'' against corporate or governmental abuses of power, and religious speech, to name a few. (Granted, in the West, schoolchildren are not often in a position to expose corporate or governmental malfeasance---but in the Third World, corruption is often far more overt due to the belief of those in power that no one can do anything about it. The XO has great potential to empower the common citizen, but not if citizens cannot speak without fear of repercussion. In nations where it is not uncommon for schoolchildren to be drafted as soldiers, it is certainly possible for children to become whistleblowers.) The United Nations Universal Declaration of Human Rights protects not only the freedom of expression, but the right to privacy for member states' citizens~\cite{udhr}. Given that the OLPC project transacts with the national governments of UN member states, much more attention should have been paid to the security policy's effects on protected speech.

This policy additionally limits the utility of the XO by making it an unsuitable platform for networked voting systems in elections that require secret ballots. Nevertheless, S.T.I.R.M.E., an electronic voting project for the XO platform, is being developed~\cite{stirme}. If it is used beyond its current scope of classroom and open source project elections, S.T.I.R.M.E. could place users at risk or compromise election integrity due to the implications of the \textsc{p\_ident} policy.

% FIXME What the hell is P_IDENT intended to solve, anyway? There's got to be a better answer to whatever they're on about than signing every goddamn fucking thing.

\subsection{A Very Expensive Paperweight}
XOs with the \textsc{p\_theft} policy enabled must obtain a limited-duration lease---the specification suggests 21 days---from their home country's anti-theft server in order to remain activated. When an XO connects to the Internet, the \textsc{p\_theft} daemon (``a privileged process that cannot be disabled or terminated even by the root user''~\cite{bitfrost}) ``calls home'' at most once per day to renew the lease. If an XO is reported stolen, the next time it attempts to renew its lease, the \textsc{p\_theft} daemon shuts it down and returns it to a deactivated state. A new activation key is needed for the laptop to function again. If an XO's lease expires while it is not connected to the Internet, it likewise deactivates.

Leases can also be renewed by means of a USB drive physically delivered to a school's activation server, but we question the utility of this approach in the event of natural disasters. Many of the target XO deployment locations are in remote, difficult-to-access areas which could be cut off from travel by earthquakes, floods or other catastrophes. If a school unexpectedly loses its Internet access for a long enough time, all its attached XOs will automatically deactivate, leaving students out of contact even after connectivity is restored (e.g., by repairing a broken satellite dish). This is at best inconvenient, and at worst, a serious hazard if people have come to rely on XOs as a primary means for long-distance communication.

More relevant from a security and privacy perspective, however, this policy is rife with potential for abuse. Combined with the anti-anonymity features of \textsc{p\_ident}, \textsc{p\_theft} is an extremely effective way of silencing specific individuals. Signed messages are linked to the XO they came from, so a government need only flag that XO as ``stolen'' in the anti-theft database in order to shut it off permanently. A country can also shut off all its XOs in one fell swoop by flagging them all, or simply shutting off the anti-theft server and waiting for all the leases to expire.
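The lease cycle of the preceding paragraphs, simulated as an added example (not OLPC code) so that the offline-expiry hazard and the two server-side deactivation paths can be checked in days: the day granularity, the server object and the serial number are assumptions.

```python
"""Simulation of the p_theft lease cycle as the Bitfrost draft describes it
(an added example, not OLPC code). Time is counted in whole simulated days."""

LEASE_DAYS = 21  # lease duration the specification suggests


class AntiTheftServer:
    """The country's anti-theft server: renews leases or reports an XO stolen."""

    def __init__(self):
        self.stolen = set()
        self.up = True

    def renew(self, sn, today):
        """Returns the new expiry day, "stolen", or None if unreachable."""
        if not self.up:
            return None
        if sn in self.stolen:
            return "stolen"
        return today + LEASE_DAYS


class XO:
    """An activated XO holding a fresh lease issued on `today`."""

    def __init__(self, sn, today):
        self.sn = sn
        self.activated = True
        self.lease_expires = today + LEASE_DAYS
        self.last_call_home = today

    def tick(self, today, server, online):
        """Advance one day. The p_theft daemon calls home at most once per day
        when online; a 'stolen' answer or an expired lease deactivates the XO,
        and only a new activation key (not modelled) would bring it back."""
        if not self.activated:
            return False
        if online and today > self.last_call_home:
            answer = server.renew(self.sn, today)
            if answer == "stolen":
                self.activated = False
                return False
            if answer is not None:
                self.lease_expires = answer
                self.last_call_home = today
        if today >= self.lease_expires:
            self.activated = False
        return self.activated


def run(days, online_days, server, sn="SN-CONSTRUCTED-0001"):
    """Simulate `days` days for one XO activated on day 0 and online on the
    days in `online_days`. Returns (first day found deactivated or None, xo)."""
    xo = XO(sn, today=0)
    for today in range(1, days + 1):
        if not xo.tick(today, server, online=today in online_days):
            return today, xo
    return None, xo
```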

% FIXME do we have a better answer to this?

\subsection{Replacement Firmware?}
Children who become extremely proficient at working with the underlying components of their XO have the possibility of being granted ``developer keys'' that allow them to make modifications to the system, including potentially overwriting the existing firmware with their own software, or even their own operating system. The specification is unclear on the precise mechanisms involved in this case, but it proposes \textsc{p\_bios\_copy}, a secondary BIOS containing an immutable copy of the primary BIOS firmware. This would allow the restoration of the original operating system and all of its controls, with no possibility of permanently disabling them. It is unclear under what circumstances this restoration can be invoked, or indeed what the limits of the secondary BIOS's capabilities are.

\section{Sociological Concerns}
\subsection{Human Rights and Chilling Effects}
The privacy-eroding aspects of Bitfrost are of particular concern when one examines the human-rights records of the countries enrolled in the OLPC program. In Libya, criticizing the government is grounds for arrest and torture~\cite{Libya}. In Nigeria, citizens who speak out against government corruption face threats and physical violence, which has deterred civil rights groups from speaking up~\cite{Nigeria}. In Thailand, political activists have reported illegal surveillance by the military junta which took power in September 2006, and which claims the right to detain citizens without charge~\cite{Thailand}. 

According to the legal doctrine of \emph{chilling effects}, an activity, e.g. criticizing a corrupt regime, ``is chilled if people are deterred from participating in that activity'', whether through punishment or merely the threat thereof~\cite{chillingeffects}. Bitfrost's design may not \emph{intend} to facilitate surveillance on children, but as we have shown, it certainly does so. Combined with the powers the \textsc{p\_theft} policy provides, it is easy to envision a scenario where a child blogs or e-mails a document which the government wants to quash, it is traced back to the child, and the child's XO is suddenly reported ``stolen'' and deactivated. Fear of a similar punishment would certainly chill controversial speech on the part of other XO users. 

% chilling effects paper quote: "The second fundamental proposition underlying the chilling effect doctrine [is] that an erroneous limitation of speech has more social disutility than an erroneous overextension of freedom of speech."
\subsection{Habituation and Indoctrination}
Founder Nicholas Negroponte says of OLPC, ``It's an education project, not a laptop project.'' Taking a cue from the field of educational psychology, we examine the lessons that Bitfrost is likely to impart to XO users.

The XO's target audience is children between the ages of 6 and 12~\cite{core}. In Piaget's theory of cognitive development~\cite{piaget}, this corresponds to the \emph{concrete operational} stage, when children acquire logical reasoning abilities and use them to form automatic working models of the world, or \emph{schemas}. Erikson's theory of psychosocial development associates this age group with the \emph{psychosocial crisis} of ``industry vs.~inferiority,'' wherein children are eager to learn but afraid of failure and punishment~\cite{erikson}. This is a pivotal stage of emotional growth, and the schemas children form during this timeframe persist for years. Traumatic events---particularly ones indirectly connected to a cause, such as being punished for ``unapproved'' speech by having one's laptop suddenly deactivate seemingly on its own---may have dramatic and long-lived negative effects on a child's view of the world and her place in it~\cite{trauma}. Even seemingly innocuous events can have an insidious effect on schema formation; children who grow up learning that handing over their identity to a remote authority is the ``price'' of Internet access may internalize giving up their right to privacy as a commonplace, expected event.\endnote{Privacy advocate Cory Doctorow relates a recent incident at Disney World, which has begun linking park visitors' tickets with a finger-geometry scan: ``One morning at Epcot Center, as we offered our ID to the castmember at the turnstile and began to argue (again -- they're very poorly trained on this point) that we could indeed opt to show ID instead of being printed, a small boy behind us chirped up, `No, you have to be fingerprinted! Everybody has to be fingerprinted!'\,''~\cite{boingboing-disney}}

Elliot Turiel's \emph{domain theory} distinguishes between \emph{moral values}, which are universalizable beliefs founded in concepts of justice, rights, and welfare; and \emph{social conventions}, context-dependent standards of behavior tied to the social system~\cite{turiel83}. Bitfrost's policies enforce a set of social conventions starkly at odds with those of the broader Internet. On the Bitfrost Internet, children may learn to view controversial speech as dangerous due to the risk of punishment, rather than a fact of life. This puts them at risk of failing to develop an autonomous sense of social responsibility, since the imposed social convention makes it difficult for children to identify the moral values which underpin responsible Internet citizenship~\cite{willard97}; given the conditioning they are subject to, they may come to advocate censorship and anti-anonymity policies which negatively affect the rest of the world, as well.

The Internet's predecessor, DARPAnet, was designed to be robust in the event of physical damage, providing flexible re-routing if a previous path becomes unusable. This architecture has given rise to John Gilmore's famous remark, ``The Internet perceives censorship as damage and routes around it.'' However, if the \textsc{p\_ident} policy extends to signing of all traffic, or if the \textsc{p\_document\_backup} policy extends to archiving students' browsing histories (which can then be examined for ``forbidden'' content), this is no longer an option---a child's Internet access can simply be cut off at the source. This is a profoundly depersonalizing act, and one which threatens a child's sense of individuality and personal agency~\cite{nucci96}. People have a right to expect that what they read, write and create, their correspondence and recreation, are a matter of personal choice. Subjecting children to constant surveillance damages their ability to establish personal boundaries and identify as an individual within a society; and yet the Bitfrost model opens the door to precisely that.

\subsection{Imagined Communities}
The XO is designed for use centered on local schools. Thus, the designers should be aware of the threats that users may face due to the misperception that their data is only accessible locally, or that they are only speaking to individuals within their own communities. For an in-depth look at the impact of ``imagined communities'', those that appear restricted to a given boundary but are in fact open to the Internet as a whole, we refer to Acquisti and Gross~\cite{acquisti06}. While this work focuses on the impact that social network sites with imagined communities have upon their users' behavior, the principle can be extended to any scenario where an imagined community may be perceived by the user.

Further research into the impact the XO local network and Internet interaction has upon the users of these systems will be needed once live deployments can be studied.

% Also want to talk about habituation -- maybe from an HCI perspective, hahahahahaha. Do we really want to be teaching kids that it's perfectly reasonable for Big Brother to be watching at every moment, and that the magical Internet that teaches them so many awesome things is something that can be taken away with the flip of a switch if Big Brother gets upset at them, so they'd better keep in line and keep Big Brother happy? Psych. things to note: schema-formation, forfeiture punishment, adversive punishment

\section{Conclusion and Future Work}
Any security policy must be evaluated on its appropriateness and its efficacy: does it address threats users are likely to face, and do its provisions actually mitigate threats? In this paper, we have examined several pieces of the Bitfrost security policy, and conclude that it suffers from an inappropriate threat model and an incomplete solution to the threats it outlines. Furthermore, several policies play a minimal role in the threat model, but expose children to threats which the Bitfrost model fails to include. The specification goes into great detail about what user-space code is not allowed to do, thus defining that threat model and protection bounds quite well. It does not give the hardware or operating system components the same level of scrutiny.

As there has been much work on privacy-preserving systems in recent years, it is our intuition that most, if not all, of the problematic aspects of Bitfrost can be eliminated by refining the specification to consider the dangers we have highlighted in this paper, while also considering the existing threat models. It would be ideal if we were able to work from a static specification, but we intend to experiment with replacement primitives for existing components in the draft spec to achieve the same security properties while eliminating the threats that the current methods introduce.  
%Indicate that there exist better tools in the toolbox to achieve the stated threat model, and that analysis of the bitfrost spec should have been performed before rolling out these systems, and that it would be nice to know what the de facto spec is, what the final spec is, and how both differ from the published spec
% future work: building a non-user-handicapping alternative.

\section{Acknowledgments}
We would like to thank Lindsay Patterson for assistance with research into the psychological effects of traumatic events on children, and Wendy Seltzer for providing background material on the Chilling Effects Doctrine.

The work of Len Sassaman and David Chaum was supported in part by the Concerted 
Research Action (GOA) Ambiorics 2005/11 of the Flemish Government, by the IBBT (Flemish
Government) and by the IAP Programme P6/26 BCRYPT of the Belgian State (Belgian Science Policy). Additional support was provided by the EU within the PRIME Project under contract IST-2002-507591.

%\bibliographystyle{abbrv}
%\bibliography{olpc}
{\footnotesize \bibliographystyle{acm}
\bibliography{olpc}}

\theendnotes
\end{document}