Private Hierarchical Governance for Encrypted Messaging


End-to-end encrypted messaging platforms face challenges due to rising online abuse. To mitigate such abuse, current approaches include metadata analysis, client-side content scanning, and user-driven content reporting. A proposed approach involves users setting policies for community behavior, fostering private hierarchical governance within a secure E2EE framework compatible with existing moderation strategies.

  • Encrypted Messaging
  • E2EE Platforms
  • Online Abuse
  • Governance
  • Security

Uploaded on Mar 06, 2025



Presentation Transcript


  1. Private Hierarchical Governance for Encrypted Messaging
     Armin Namavari, Barry Wang, Sanketh Menda, Ben Nassi, Nirvan Tyagi, James Grimmelmann, Amy Zhang, and Tom Ristenpart
     RWC 2024

  2. End-to-end encrypted (E2EE) messaging
     (Diagram: clients exchanging encrypted messages through a messaging platform; platform logos shown with ~1 bn users, ~40 m users, ~2 bn users)

  3. End-to-end encrypted (E2EE) messaging
     (Diagram: the same relay, with threat actors shown at the messaging platform)
     Threat actors: malicious insiders, hackers, law-enforcement overreach, mass surveillance

  4. End-to-end encrypted (E2EE) messaging
     E2EE doesn't prevent abuse:
     • Hate and harassment
     • Dis/mis-information
     • Spam
     • CSAM/NCII

  5. Online abuse is on the rise [TAB+ Oakland 21]
     • 48% of people report experiencing hate/harassment online
     • 1.3x increase year-over-year
     • E2EE platforms are not immune to this abuse

  6. How can E2EE platforms currently mitigate abuse?
     (Diagram: platform moderators sit at the messaging platform, which relays encrypted messages between clients)
     • Metadata analysis [Jones Enigma 17]. Limitations: can't see content
     • Client-side content scanning that triggers a report to the platform [KM USENIX 21, BBMTT Apple 21]. Limitations: potential backdoor (?), transparency
     • User-driven content reporting [GLR CRYPTO 17, TGLMR CRYPTO 19]. Limitations: reactive only, moderation is one-size-fits-all

  7. Our approach: private hierarchical governance
     • Users set rich policies for allowed behavior within a community (e.g., selecting community-level moderators, word filters, reporting flows)
     • Community governance is E2EE: private unless escalated
     • Compatible with existing platform moderation approaches: users can escalate by reporting community members/content to the platform

  8. Example:
     1. A harasses B via direct message
     2. B reports to the community mod
     3. Mod adds a word filter for the community
     4. Mod can escalate to platform moderators if warranted
     Properties illustrated in the diagram:
     • Governance privacy: who the mod is stays private; community reporting is private
     • Accountability: can't forge reports ("A said ..."), all messages are reportable
     • Governance integrity: clients have a consistent view of the filter & other governance actions

  9. Why private hierarchical governance?
     • Empowers communities with tools; helps governance speak to diverse community needs
     • Plaintext platforms (Reddit, Discord) benefit from community governance
     • Privacy from platforms by default. Example: might be dangerous to reveal the moderator within a government-targeted activist group
     But:
     • Does not address fully abusive communities (CSAM trading groups)
     • Abusive communities can set bad policies (escalation can help)

  10. Private Hierarchical Governance: How?
     (Diagram: filter and mod state held at clients A and B; platform moderators at the messaging platform)
     Basic approach: community-level governance logic at the client side
     Challenges:
     • Lots of applications; need a custom governance logic approach for each?
     • Malicious client software that deviates from governance policies?
     • Retaining performance and scalability of current E2EE messaging?

  11. We take a layered, extensible approach
     (Stack diagram: Application Layer / Governance Layer / Messaging Layer)
     • Governance layer sits between application & E2EE
     • Clients generate signed E2EE governance messages, used to distribute updates to client-side governance state
     • Governance layer provides: expressive role-based access control (RBAC); a framework for developer-defined policies-as-code, inspired by the PolicyKit system for plaintext settings [ZHB UIST 20]
     • E2EE layer can be any API-compatible protocol; we give a simple extension to the MLS API [RFC 9420]
     Key insight: a simple MLS API extension is sufficient for rich governance while retaining performance

  12. Messaging Layer Security (stack diagram: Messaging Layer highlighted)
     • E2EE messaging protocol, IETF standard
     • Group key agreement + encrypting messages to a group
     • No ordering guarantees <- important for efficiency
     • Does not support managing arbitrary shared E2EE state. But: its handshake message protocol for shared cryptographic state is a consensus mechanism
     Extend the API to two kinds of messages:
     • Ordered (slower, consensus) -> governance
     • Unordered (fast, no consensus) -> messages

  13. Governance layer (stack diagram: Governance Layer highlighted)
     Governance state:
     • RBAC privileges (e.g., who is moderator); generalizes [CPZ CCS 20, BCV USENIX 23]
     • Current word filters, user reputations, ...
     • All messages (governance + text/attachment) digitally signed for accountable reporting
     Message kinds:
     • Governance state updates (ordered MLS)
     • Text/attachment messages (unordered MLS)
     (The ordered/unordered split limits policies, but is necessary for efficiency)
     Example policies: user reputation scores based on message content sent; voting to elect community moderators; only moderators can kick users from the group; setting a word filter

  14. Governance layer (stack diagram: Governance Layer highlighted)
     Clients run all messages through a PolicyKit-style logic pipeline to run programmable policy mechanisms
     Framework to:
     • Define what policies apply to which actions
     • Determine when actions can be approved
     (Pipeline sketch for governance & unordered messages: init -> check filter -> pass / fail)
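The governance layer of slides 11 through 14 (signed ordered governance updates, RBAC, a word filter applied in a policy pipeline, and a transcript that honest clients must agree on) sketched as an added Rust illustration; this is not MLSGov or OpenMLS code. The signature check and the transcript hash are stand-ins (the `signer` field is taken on trust, and std's `DefaultHasher` replaces MLS's transcript hash), and every type and member name below is assumed.

```rust
use std::{collections::{hash_map::DefaultHasher, BTreeSet}, hash::{Hash, Hasher}};
// Ordered governance actions (in MLSGov these ride on ordered MLS messages).
#[derive(Clone, Debug, Hash, PartialEq)]
pub enum GovAction {
    SetFilter(Vec<String>), // replace the community word filter
    Kick(String),           // remove a member from the group
}
// Stand-in for a signed governance message: `signer` is taken on trust here,
// where the real layer would verify a digital signature on every message.
#[derive(Clone, Debug, Hash)]
pub struct GovUpdate { pub signer: String, pub action: GovAction }
// Client-side governance state that every group member holds (shared via E2EE).
#[derive(Clone, Debug, Default)]
pub struct GovState {
    pub members: BTreeSet<String>,
    pub moderators: BTreeSet<String>,
    pub filter: Vec<String>,
    pub transcript: u64, // toy transcript hash chained over applied updates
}
impl GovState {
    pub fn new(members: &[&str], mods: &[&str]) -> Self {
        GovState {
            members: members.iter().map(|m| m.to_string()).collect(),
            moderators: mods.iter().map(|m| m.to_string()).collect(),
            ..Default::default()
        }
    }
    // Apply one ordered update. RBAC: both actions need the moderator role.
    // A rejected update is not folded into the transcript, so a client whose
    // (malicious) software accepts it ends up with a divergent view.
    pub fn apply(&mut self, u: &GovUpdate) -> Result<(), String> {
        if !self.moderators.contains(&u.signer) {
            return Err(format!("{} is not a moderator", u.signer));
        }
        match &u.action {
            GovAction::SetFilter(words) => self.filter = words.clone(),
            GovAction::Kick(m) => { self.members.remove(m); self.moderators.remove(m); }
        }
        let mut h = DefaultHasher::new();
        (self.transcript, u).hash(&mut h); // chain onto the previous transcript
        self.transcript = h.finish();
        Ok(())
    }
    // Policy pipeline for an unordered content message: pass unless the text
    // contains a filtered word (case-insensitive).
    pub fn check_content(&self, text: &str) -> bool {
        let lower = text.to_lowercase();
        !self.filter.iter().any(|w| lower.contains(&w.to_lowercase()))
    }
}
```

Two clients that apply the same ordered updates end with equal `transcript` values; a client that skips, reorders, or wrongly accepts an update does not, which is the check slide 15 attributes to the MLS transcript hash plus client checks.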

  15. Security analysis
     Security goal: property (derives from)
     • Governance integrity: honest clients have the same view of governance, even if other client(s) use malicious software (MLS transcript hash, client checks)
     • Privacy: governance and content messages are private from a malicious platform (MLS confidentiality)
     • Accountability: all sent (governance) messages can be reported; no forged messages can be reported (digital signature unforgeability)
     See paper for discussion
     Limitations:
     • Do not yet analyze feasibility of traffic analysis attacks by the platform
     • Deniability not considered (could use asymmetric message franking [TGLMR CRYPTO 19])
     • No comprehensive formal analysis yet; technique development ongoing

  16. MLSGov: prototype implementation
     • Built an E2EE messaging application with private, hierarchical governance
     • Implementation in Rust on top of the OpenMLS library
     • MLS changes small (~200 lines of code); ~4000 lines of code for the governance layer
     • Experiments indicate governance introduces small overhead, even for complex policies involving voting (2.08 s vote in a group of 1024 simultaneously casting votes)

  17. Conclusion
     • New approach to abuse mitigation: private hierarchical governance
     • Why: diverse moderation needs, respect user privacy
     • How: community governance logic at clients with shared E2EE state; implementation on top of MLS
     • Future work: MLS safe extensions work, federated/interoperable platforms, metadata privacy, beyond messaging
     Contact: armin@cs.cornell.edu
