guardianproject / haven

Haven is for people who need a way to protect their personal spaces and possessions without compromising their own privacy, through an Android app and on-device sensors
https://guardianproject.github.io/haven/
GNU General Public License v3.0

What, if anything, can we do, to combat evil uses of Haven? #62

Open n8fr8 opened 6 years ago

n8fr8 commented 6 years ago

A good tweet here: https://twitter.com/silkiecarlo/status/944314970132631559

"I see what you’re doing here but have you guys considered that an accessible surveillance tool like this might pose a risk to most people, especially women?"

So what can we do?

dazcode commented 6 years ago

Haven is the best defense against Haven and other Haven-like products/devices! Surveillance tools will be there whether we like it or not, so the best thing to do is to continue to make Haven accessible and easy to use for technical and non-technical people alike so they can secure themselves and their property.

essandess commented 6 years ago

Streaming centralized access to a webcam, microphone, motion sensors, and more over an anonymous Tor service hosted on a relatively insecure platform like Android is not a very good idea.

Especially when the target user base belongs to a targeted group.

Haven’s security oversights (e.g. open authentication #73 and web servers #71) will be fixed, but its underlying conops will always be vulnerable to exploitation.

This is consistent with active promotion of Haven by authoritarian intelligence services and their propaganda outlets:

It’s much better advice to targeted groups to assume that devices not in their physical possession are compromised, and must be handled appropriately, rather than hoping that a cheap burner Android streaming all their sensor data over Tor will protect—and not harm them.

E3V3A commented 6 years ago

I think the point here is that Haven is to protect you when you are not home by using your stay-home crap phone. This is surely much better than not having anything or anyone checking your premises when you're away.

For other mobile based surveillance, there are already dozens of other cam apps out there, that can stream your home-porn out to the bad guys at any time. If they have already intruded your premises!

essandess commented 6 years ago

No, Haven will not protect you when you are not at home.

The risks of using this repo are quite obvious, and widely observed and discussed. Here’s an independent comment of the very same concerns:

> Sure, if you think having a crypto dark web CCTV on an old Android Phone in your hotel room at DEFCON is gonna keep your laptop from being hacked by The Feds, go for it. But downloading an Android app and expecting it to provide magic blanket security for at risk users is 🐴 💩
>
> — the grugq (@thegrugq) 12:05 AM · Dec 24, 2017

E3V3A commented 6 years ago

@essandess

> No, Haven will not protect you when you are not at home.

Yeah, poor choice of words by me. When I said "protect", I didn't mean it literally, but rather as an option to nothing at all.

essandess commented 6 years ago

@E3V3A

> When I said “protect”, I didn’t mean it literally, but rather as an option to nothing at all

Haven isn’t effective against the threat it purports to protect against, and therefore creates a false sense of security.

Using Haven as it’s advertised is worse than “nothing at all.”

Far worse, any at-risk individual that deploys this app is vulnerable to intrusive exploitation, which is precisely the reason authoritarian intelligence services and their proxies are promoting the use of this app in the links above.

It’s irresponsible to encourage targeted individuals to adopt the conops used in Haven.

tytower commented 6 years ago

essandess I think you are getting carried away with yourself. Give it a rest, chum. Men are getting looked at too maybe, but so what. This is a very useable safety device when you are alone and there will be bugs and there will be blood before it is somewhat efficient at its job but it will be useful and lifesaving.

xloem commented 6 years ago

Nobody here has expressed a specific problem scenario.

Are you concerned a controlling individual would use this app to keep power over somebody? For one, more powerful people (money or underground connections) already have apps to do that. For another, it seems quite reasonable to me that the surveilled having the ability to publicize what is happening to them in a secure manner could be far more powerful!

Are you concerned about powerful groups/individuals hijacking the stream and observing you through your own cam? They could theoretically already do this through all the existing services, devices, compromises, etc; this is an open source project where anybody can improve the security. It seems better than existing solutions?

There are a lot of negative words here, but no precise criticism.

xloem commented 6 years ago

To address the question in the subject of this issue, I would solve possible evil uses of haven by requiring that all streams be made public.

Now only things the public would allow to continue can be surveilled.

I'd perhaps also broadcast an emergency alarm if the app, or any in its network, determines a recording device has gone offline for any reason other than a low battery after an appropriately long discharge time, or a securely signed manual disable.

geraldkrug commented 6 years ago

I'm using as a CID check in device

poormystic commented 6 years ago

Maybe Haven isn't really meant to provide security in the way that it ostensibly seems to. Maybe it's just meant to bring us to consciousness of how vulnerable we are (to Google, governments and who knows who else?) through our telephones.

tytower commented 6 years ago

Well, with Snowden behind it, or rather as a front man, perhaps it's the Russians? Ruskies under the bed syndrome again?

poormystic commented 6 years ago

Haven certainly has many potential applications well beyond the legitimate. I feel that it is best described as spyware, although it is not spyware in the usual sense. I think Haven might be useful in a certain level of security operation. I think it looks ideal for stakeouts, keeping watch on comings and goings from a phone installed in a car, for instance. It looks to me, although I have not tried it, that concealed stakeouts also might be possible. I find it all a bit scary. Now anybody can set up a system of cameras and track people around the city.

ghost commented 6 years ago

@xloem

> Nobody here has expressed a specific problem scenario.

A few AirBNB landlords have been caught planting mobile phones that snoop on guests. This is likely what the OP has in mind.

The problem is that an app should generally be designed to serve its user and master. I do have one idea though:

Logs seem to be un-erasable within the app ATM. At some point, someone will complain about this. We could create expiring logs that erase after a timespan, but then make the min timespan 1 month. And store the logs in the internal app data area where unrooted users cannot reach (https://github.com/lukeswitz/haven/issues/29). That could be rationalized to protect owners, because an owner would not want an unsophisticated thief to be able to erase the logs easily. It would protect guests as well in this context of bug https://github.com/guardianproject/haven/issues/286 by granting guest access, and keeping evidence lingering if a malicious user were caught. It's a good idea to at least make it feasible for honest Airbnb landlords to protect their guests as well as protect themselves from the liability of failing to protect their guests. Legit guests should have a view of the logs and some control as well.

Of course you can't do much against a malicious owner, but you can create features that add transparency and prevent inadvertent snooping.

Another (controversial) idea: Haven instances could send their location to some trusted 3rd party (e.g. a privacy commission for the country it's in), so that rental properties could be cross-referenced. I'd struggle to endorse it myself, but perhaps it's worth discussion. Or perhaps it could be a voluntary feature for honest landlords. OTOH, someone would want to distinguish whether an instance is installed by the landlord or the guest.. so it gets messy.

ghost commented 6 years ago

Idea for a feminist anti-perv feature:

Add a realtime image processing function to Haven with nudity detection, which detects continuity of skin colors. Perhaps there is a free software variant of http://www.nudedetect.com/. When nudity is detected, Haven is hard-coded to shout out of the phone's loudspeaker:

"Eeeek! Put your clothes on please, this is a G-rated app!"

Edit: perhaps Haven could just use the nudedetect.com API. This is on their site:

> Find our API on Mashape, where you can integrate and test our Nude Detect API with up to 5,000 API calls per month for free

If Haven makes one API call per event, the 5k calls may be enough. OTOH, requiring users to trust that company with their image data is probably a nonstarter.

deviantollam commented 6 years ago

I may be the minority here, but I'd equate Haven with any other defensive tool... pepper spray, a firearm, etc. When something is available on the open market then both good and bad people may try to make use of it. Because there are far more good people out there in the world than bad people, having these tools available is a net positive effect.

What do we do to prevent malicious use from outweighing positive use? In my mind...

Make the tool as user-friendly and accessible as possible to the general, untrained public. As long as they have the best chance (or at least the same chance) as a motivated threat actor to use the tool properly and safely, then you've done as much as you possibly can to balance the results in the favor of society.