It seems like given a public link including the decryption key, they could still be given a takedown request, since as soon as a rights holder sends them the link, they are no longer blind to the content. It does, however, preempt a Content ID like system.
It also makes it terribly un-fun wackamole for the rights holder.
If they had the files unencrypted, the rights holder could demand that every copy of file `foo` be removed.
With this design, multiple uploads of the same file are not identifiably the same by MEGA, so that case can't happen.
It's interesting that they decided the benefit of encryption (lessened responsibility, marketing) outweighed the cost of wasted storage space for dedupe-able content.
Oh, certainly -- they still have to comply with takedowns, just as normal. But they don't have the ability to be forced to broadly remove content, and they have (arguably) plausible deniability about knowing that it's there.
They got caught, big time, last time over the fact that they were doing de-duplication on upload of content, and then when they received a DMCA for only one of the URLs, only taking /that/ one down -- even though they know it's actually also available in a bunch of other places.
Does manufactured plausible deniability provide as much protection? They could obtain all the keys used to decrypt files with a single logging statement, if they so chose.
Having no cleartext to hand over in individual cases is one form of plausable deniability. Cleverly, it also appears to offer plausable deniability of your service's "primary purpose", since there are few conclusions that can be drawn from the encrypted data in aggregate. So some protection, yes, but there are certainly other ways to get yourself indicted, or your customers blocked, under such general tests.
The example in the article shows the decryption key as a URL fragment, which never hits the wire. A subpoena on Mega's own servers is one thing, but a court compelling them to collect keys from client machines? I would hope not.
It feels likely they could claim that any court order to transmit and log the keys would be "unduly burdensome" and would in fact fly in the face of their carefully considered business practices.
We've seen court orders that caused Hushmail to create malformed Java apps which were then silenty delivered to target machines in order to break encryption.
People pretty much have no option but to comply with court orders. Most people are not going to go to jail so that other people can continue distributing stuff.
This should be a worry with Mega and its current owners.
They were talking about making offline & alternative OSS clients (via an open API) so that if they were legally forced to change the Javascript (which currently does the encryption) that it wouldn't affect the integrity of the service for those users.
That's why I said one logging statement could grab the key. Just log the fragment to a service that you run somewhere, and all of the sudden you have the key.
"You" being the people who wrote the client side script. Yes, the fragment is not normally transmitted to the server, but since the user is running code on their browser which was provided to them by mega, all mega needs to do is log the fragment back to their servers with a simple ajax call.
The point wasn't that mega can deny ever getting the key - the point was that this "security" system in place is very obviously designed to workaround the problem of mega knowing what files they were trading. This would probably be viewed as willful blindness and not actually protect them in court:
> A famous example of such a defense being denied occurred in In re Aimster Copyright Litigation, 334 F.3d 643 (7th Cir. 2003), in which the defendants argued that the file-swapping technology was designed in such a way that they had no way of monitoring the content of swapped files. They suggested that their inability to monitor the activities of users meant that they could not be contributing to copyright infringement by the users. The court held that this was willful blindness on the defendant's part and would not constitute a defense to a claim of contributory infringement.
MEGA could have made byte-identical content de-dupable yet still unreadable to MEGA.. which would save storage space but might still retain the whack-a-mole quality: if your upload gets taken down, you may simply change any one byte in the file and re-upload. does MEGA do this? and if not, I wonder why not?
ah so they weren't even asked to ID content in a smarter way, like YouTube does? if their goal was really to enable piracy, did they think pirates would really give up without finding out that they could simply insert random bytes to evade takedown? Though I guess that would end up killing their de-duping rate anyway..
Note that MEGA is compromised: The NZ govt now owns a controlling portion of shares. Kim issued a statement saying not to use it, and to look out for an open source not for profit MEGA 3.0 when his non-compete expires late this year
"those shares were then seized by the New Zealand government -- Dotcom alleges"
Massive emphasis on alleges. If a person is thrown out of their own company, why would it be surprising if they then try to burn its reputation to the ground accordingly by claiming it's fully compromised. Not to mention Kim is planning a competing product, which casts further doubt on his credibility about the MEGA claim. His word is not good enough on this, more proof is necessary for such dramatic allegations.
And:
"In addition Hollywood has seized all the Megashares in the family trust that was setup for my children"
Uh what? Hollywood seized the shares? None of what he's claiming makes any sense.
Freenet has a similar model, in a p2p context. Anyone with a link can access the file, but the person hosting it plausibly isn't aware of its contents.
Having hosts not know the contents they perform services for has been desired for a very long time. Research on homomorphic encryption predates mega by quite a while. And I am sure there must be backup services that already encrypted client-side long before mega.
The only reason why there wasn't something exactly like mega earlier was because browsers didn't have the capability. And it seems mostly like revenge for having megaupload shutdown. The profits aren't very good when you can't de-duplicate files (because the content is encrypted) or do anything else clever with the data. You just become a dumb provider of hard drive space and bandwidth. Anyone can clone client-side encryption.
Avoiding spam could be made less frustrating for users (report = frustration): require proof-of-work. The server presents some nonce and the client is expected to perform the old "hash until X zero bytes" POW and then add some extra entropy. This makes spamming computationally expensive.
In addition, because there may be multiple possible solutions for the problem, if the POW+entropy key is used with AES CTR, this could provide an additional layer of plausible deniability.
Regarding the discussion about deduplication ability (deduplibility?): Would it be possible to do some cryptography tricks to allow MEGA access to the data while still preserving deniability? I am thinking about the Dual_EC_DRBG backdoor [1] or the weak-key-generation in Debian [2].
Edit: I should clarify. I mean a purposeful installed vulnerability at the point MEGA was build, not something that can be used after the fact.
30 comments
[ 10.3 ms ] story [ 86.0 ms ] threadIf they had the files unencrypted, the rights holder could demand that every copy of file `foo` be removed. With this design, multiple uploads of the same file are not identifiably the same by MEGA, so that case can't happen.
It's interesting that they decided the benefit of encryption (lessened responsibility, marketing) outweighed the cost of wasted storage space for dedupe-able content.
They got caught, big time, last time over the fact that they were doing de-duplication on upload of content, and then when they received a DMCA for only one of the URLs, only taking /that/ one down -- even though they know it's actually also available in a bunch of other places.
This link[0] explained it reasonably well to me, though I'm still not sure on the security implications of pinning JS through it.
[0] https://github.com/slightlyoff/ServiceWorker/blob/master/exp...
The example in the article shows the decryption key as a URL fragment, which never hits the wire. A subpoena on Mega's own servers is one thing, but a court compelling them to collect keys from client machines? I would hope not.
http://www.wired.com/2007/11/hushmail-to-war/
People pretty much have no option but to comply with court orders. Most people are not going to go to jail so that other people can continue distributing stuff.
This should be a worry with Mega and its current owners.
Notice the format of the URL
example.com/fileA#encryption-key
All MEGA has logged is: example.com/fileA
encryption-key
is generated client side and only sent to recipients, not the provider.
The fragment is only ever transmitted by the uploaded to the recipient. I'm not familiar with Mega but presumably this transmission is also encrypted.
So your chance of getting it is low.
And certainly Mega can deny ever receiving it.
The point wasn't that mega can deny ever getting the key - the point was that this "security" system in place is very obviously designed to workaround the problem of mega knowing what files they were trading. This would probably be viewed as willful blindness and not actually protect them in court:
see: https://news.ycombinator.com/item?id=10415535
https://en.m.wikipedia.org/wiki/Willful_blindness
> A famous example of such a defense being denied occurred in In re Aimster Copyright Litigation, 334 F.3d 643 (7th Cir. 2003), in which the defendants argued that the file-swapping technology was designed in such a way that they had no way of monitoring the content of swapped files. They suggested that their inability to monitor the activities of users meant that they could not be contributing to copyright infringement by the users. The court held that this was willful blindness on the defendant's part and would not constitute a defense to a claim of contributory infringement.
http://www.wired.co.uk/news/archive/2015-07/31/kim-dotcom-me...
Massive emphasis on alleges. If a person is thrown out of their own company, why would it be surprising if they then try to burn its reputation to the ground accordingly by claiming it's fully compromised. Not to mention Kim is planning a competing product, which casts further doubt on his credibility about the MEGA claim. His word is not good enough on this, more proof is necessary for such dramatic allegations.
And:
"In addition Hollywood has seized all the Megashares in the family trust that was setup for my children"
Uh what? Hollywood seized the shares? None of what he's claiming makes any sense.
Having hosts not know the contents they perform services for has been desired for a very long time. Research on homomorphic encryption predates mega by quite a while. And I am sure there must be backup services that already encrypted client-side long before mega.
The only reason why there wasn't something exactly like mega earlier was because browsers didn't have the capability. And it seems mostly like revenge for having megaupload shutdown. The profits aren't very good when you can't de-duplicate files (because the content is encrypted) or do anything else clever with the data. You just become a dumb provider of hard drive space and bandwidth. Anyone can clone client-side encryption.
In addition, because there may be multiple possible solutions for the problem, if the POW+entropy key is used with AES CTR, this could provide an additional layer of plausible deniability.
Edit: I should clarify. I mean a purposeful installed vulnerability at the point MEGA was build, not something that can be used after the fact.
[1](https://en.wikipedia.org/wiki/Dual_EC_DRBG) [2](https://en.wikipedia.org/wiki/Random_number_generator_attack)