0

In Citizenfour, Edward Snowden says:

Because some of these documents are legitimately classified, in ways that could cause harm to people and methods... Um, I'm comfortable in my technical ability, uh, to protect them. I mean, you could literally shoot me or torture me, and I could not disclose the password if I wanted to. Um... You know, I... I have the sophistication to do that. There are some journalists that I think could do that, but there are a number of them that couldn't. But the question becomes, can an organization actually control that information in that manner without risking basically an uncontrolled disclosure?

What method would allow to achieve that? Specifically, how is it possible to control a piece of information but not be able to disclose the method to access it when tortured?

twowo
  • 103
  • 1
  • Do you have more context? My first thought is he's encrypted them with PGP, or some similar form of asymmetric encryption, using the recipients public key. – Dan Landberg Jul 25 '17 at 18:18
  • I am afraid that the movie does not give provide more context. I assumed that the quote implies that some more sophisticated method must have been used but maybe you are right. Thanks. – twowo Jul 25 '17 at 18:52
  • printable barcodes/qrcodes/ocr that can be burned can be a simple and revocable way to allow access without personally knowing the secret. – dandavis Jul 25 '17 at 21:53

2 Answers2

2

All encryption methods have a secret key that needs to be stored somewhere. The quote doesn't say that he can't "disclose the method to access it", it only says that there is no password involved. That's a much weaker statement.

This question basically comes down to whether there are encryption schemes that do not rely on a human brain for storing the secret. The answer is Yes. These two come to mind off the top of my head:

  • Public-key encryption: As suggested in comments, if he sent the data to a friend, encrypted with their public key and then deleted his copy, then Edward Snowden would legitimately no longer have access to the data (but the friend can give it back to him if needed).
  • Hardware based encryption: by this I mean any system where the encryption key is stored in hardware. An example would be a laptop with full disk encryption where the keys are stored on a smart card; unless you have the card, no amount of password-telling with decrypt the harddrive!
  • Low Tech It's also possible that he's using a lower-tech solution than you are imagining, for example generating a random 64 character password, writing it down on paper and giving the paper to a friend or storing it in a bank vault.

I'm not trying to imply that any of these are convenient, or even particularly good security measures, but they count as "passwordless encryption" enough to make his statement true. Or maybe he does have some magical encryption system whereby he, and only he, has access to the data regardless of how much information he gives you.

About journalists: I have helped a few journalists set up digital encryption systems, and I completely agree with that quote that technical ability and attitude towards protecting sensitive information varies wildly from journalist to journalist!

Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • I assumed that "I could not disclose the password if I wanted to." implies that there is some password. Also Snowden clearly talks about some 'sophisticated' method and none of the method that you described seems to be particularly sophisticated. I will accept you answer anyway since it's probably pointless to discuss it further given that the movie does not provide more context. Thanks! – twowo Jul 25 '17 at 18:50
  • @twowo Yeah, without more info, it's impossible to know. But I'm willing to bet that "sophisticated" to the average viewer of the movie does not necessarily mean "advanced technology". Based on other things I know about him, it seems like Edward Snowden uses commonly available tools like GPG, Signal, single-session Linux OSes, etc. Nothing that you or I don't have access to, he just uses a lot of them together, and is very careful about how he does it. – Mike Ounsworth Jul 25 '17 at 20:28
0

He's probably talking about some form of key splitting. For high security keys, no one person has access to the key needed for access. If he implemented key splitting, his portion of the key would be unable to work by itself, so multiple people would have to be tortured for their portions before the data could be unlocked.

Alternately, there are some less reliable measures that use tamper resistant hardware to make it a technical gamble to try to access a key. These kinds of systems can be setup with a "duress" code that when entered will result in permanent destruction of the key. As long as the attacker wasn't able to overcome the anti-tamper mechanisms and preserve the data prior to entry of the duress input (or prevent the wipe it attempts), then the code would be wiped out and there would no longer be a way to retrieve it.

It's impossible to say for sure without more information, but both are on the high end of the security spectrum.

AJ Henderson
  • 41,816
  • 5
  • 63
  • 110