cryptee / web-client

Cryptee's web client source code for all platforms.
https://crypt.ee

Add Google-less Sign-up #29

Closed mbande closed 5 years ago

mbande commented 5 years ago

It seems that the only way to sign up in the web client is through googleapis. As Google can block users (and is doing so right now for some countries), is there any way/plan to get out of its territory?

johnozbay commented 5 years ago

Hi there,

First of all, before I start explaining why this is the case, I think it's best that I break down the two statements you've got, in the interest of understanding what your personal threat model is.

Because no single solution can provide you with a solution for all of these. So, in extension of my previous questions, can you provide sources for this:

as google can block users (an is doing right now for some countries)

Are you referring to Google following US sanctions or something else?

is there any way/plan to go out of it's territory?

We're not in Google's territory (by which I'm guessing you mean U.S.), we're based in Estonia, and bound by Estonia's laws.

Now with these two in mind, I'll write a long answer here, so that I can refer to this in the future as well.

While it does sound scary to many users, there are a few good and justifiable reasons why Cryptee makes a few connections to Google. 

First, during login, it's to facilitate Google Login. (The first connection allows detecting if you're already logged into your Google account, and logs you in automatically.) – I'll talk more about this below.

Secondly, Cryptee utilizes Google Cloud Platform for realtime web-sockets and real-time syncing. So, for example, if you have two devices open simultaneously and you change a doc's name on one, the other will update in realtime. Or if you edit a doc, the other will sync, etc.

All data that touches Google is 100% encrypted on your device, client-side, and users are anonymized with unique user IDs. So in essence Google doesn't know anything that passes through. They're merely the carrier, which carries encrypted data. You can verify this by reading through the source code here yourself.

On the surface, I understand that hearing Cryptee utilizing Google's servers / login services –even to a limited degree– sounds bad. While it may sound counterproductive, this is a more future-proof way to continue to provide privacy and security to users in countries where there's oppression, and I am of the personal opinion that it is incredibly important in the context of a privacy service.

In short, this results in piggybacking on Google's IP addresses for some parts of the service, and in countries like Russia, Greece, Turkey, Belarus, Moldova etc., where there's oppression, racial targeting, censorship, etc., this makes it very difficult to shut down services like Cryptee.

And Cryptee's not alone in doing this – Other privacy companies like Signal (source) & Telegram (source) are doing exactly the same.

Because shutting down Cryptee / Signal / Telegram would also mean shutting down 30% of the internet hosted on Google, and Google itself. Or if they shut down Amazon's IP addresses, another big chunk of the internet.

This is called "Collateral Freedom" (https://en.wikipedia.org/wiki/Collateral_freedom) among privacy activists and security researchers, and it's generally an excellent deterrent against nation-state-level censorship.

I am happy & proud to say Cryptee's one of the leading examples of "difficult to censor/shutdown" websites, so much so that, when there's censorship, a few newspapers reach out to Cryptee or myself to ask what could be done about it. For example, recently, when Sri Lanka banned social media, I gave an interview to The Guardian (EN) / Deutschlandfunk (DE) / Eldiario (ES) on this topic.

Third, this approach actually gives the best of both worlds. I don't trust Google with their data collection policies. BUT I do trust their engineering skills. I think they employ some of the world's best security, datacenter and availability talent.

To reiterate, everything on Cryptee happens on the client-side, with pretty much no server-side processes. (Only billing/subscription triggers, delete account triggers, daily backups or abuse prevention happen on the server.) So it's not like folks at Google can even take a look at the servers to find out anything about Cryptee users either.

Using their servers / data-centers guarantees that Cryptee / Signal / Telegram's servers / data-centers are in fact harder to hack than, say, ProtonMail's, in the sense that, I would argue, regardless of however good ProtonMail's 5-10 person datacenter engineering team may be, they only have to deal with attacks on their own systems (and theirs alone) – which means their experience in defense is limited in comparative scope. Whereas Google's hundreds of cloud platform engineers have to defend monolithic companies like Twitter / Spotify / PayPal / eBay etc., all of which are on Google Cloud Platform, and basically this means that G's security team can learn from an attack that was made on Twitter, and proactively defend Spotify against it before it happens to them too, etc. Meaning that being on their cloud platform enables comparatively tiny companies like Cryptee / Signal / Telegram etc. to get the same datacenter / server-level protections these giants do, without having to pour hundreds of thousands of dollars into server security.

Now let me briefly talk about the login part as I mentioned earlier.

Currently about 70% of Cryptee's users use Google auth login. And in my opinion that speaks volumes. I think that it's really important that encryption is accessible to everyone, and in Cryptee's case it's a matter of convenience for them.

The unfortunate reality is that the largest percentage of internet users aren't tech-savvy. And these non-techie users need security and privacy too. Like my parents, for example. They can't set up a private box at home to host their own server instance, when they can barely use email & Word. Nor do they seem to understand why they need password managers, despite my monthly attempts at trying to explain to them why. But they know how to use Google to log in, and take pride in their ability to do that. So if someone wants to or has to use a Gmail account for any personal reason, but still have private docs / photos on Cryptee, I'd be honored and happy to hear that they choose Cryptee over Google's own eco-system alternatives.

And these are only a few of the many reasons why it's difficult to decouple Google from the platform at the moment, and, in my personal opinion, a downright bad idea that would severely affect users from countries with higher levels of privacy violations.

Finally, I completely stand in solidarity with those who are affected by government sanctions against other countries. I wish these didn't have to happen, but they do. If it ever comes to a point where Cryptee's geopolitical homebase-location, Estonia, starts taking unfair privacy-threatening actions / unfair sanctions towards other countries, you can rest assured that I'd be the first to move to another country with better privacy and data protections. I used to live in NY, and moved to Estonia specifically to start up Cryptee, and have been living in Estonia ever since. If I ever have to move again to continue to provide further privacy and protections to our users, I wouldn't waste a single day, move again, and relocate the company right away.

Hoping this all makes sense. Security and privacy are all about the implementation, with or without Google in it – and you can verify the implementation yourself, here on GitHub, since it's all open source.

In summary, I hear you, loud and clear, and I completely agree with and understand your concerns. But without concrete sources and mounting evidence proving that the very limited link to Google logins or sockets, pushing client-side encrypted data around, is jeopardizing our users' privacy in a significant way, I don't think I will decouple things. Partly because of the technical security benefits I've explained above, and partly because I am not willing to put thousands and thousands of Cryptee users from countries where their data privacy is at a much higher risk than those of us in slightly more data-protected parts of the world. Keeping in mind that if you're living in a country like Kazakhstan, Google could be one of the rare few companies willing to stand up to defend your privacy.

Let me know if you have any further questions! I'd be more than happy to bring more transparency.

Best, J

mbande commented 5 years ago

@johnozbay thank you for providing a thorough response. Regarding your questions about threat model: I can't register/use Cryptee from Iran because Google banned its API following U.S. sanctions. It means that Cryptee is bound by U.S. laws in some way, which I mentioned as Google territory. It would be great if there were a "disable Google things" option for cases when Google APIs are not available for any reason.

johnozbay commented 5 years ago

I completely get it now. Checking with our attorney to see what our options are legally, and in addition will look into technical ways to remedy this as soon as possible.

If I may ask, I've read that Github is blocked as well. Does the same method you use to access GitHub not work for Cryptee?

mbande commented 5 years ago

@johnozbay GitHub is not blocked totally, it just prevents us from creating private projects. But Google made it worse by blocking almost all of its APIs!

johnozbay commented 5 years ago

Thanks a lot for this! I've already tasked our attorneys. They're actively investigating all possible legal angles, and I'm looking into all the technical angles. We hope to have a solution for this as soon as humanly possible. Many thanks for your patience and understanding in the meantime.