Ergonomics are a security issue: some notes on Briar
This blog was written with the help of my friend Shash from Trans Aid Cymru and Trans Safety Network.
Following a dispute on Twitter about the potential merits of Briar — a secure messaging chat application with Bluetooth mesh networking features for purported resilience to network outages — I decided to give it a test drive and make some notes.
Technical security will be out of scope for this blog. I understand that Briar has been audited a number of times, and as an infosec person I know that no amount of audits will prevent a surprising collection of minor bugs somewhere being chained and exploited at large. My concerns here are going to focus entirely on the app in terms of its ergonomics for activists.
I also want to be clear that, while I’m largely focusing on pain points here, the idea of a privacy-oriented application that is resilient to network outages is a great thing to be working towards in principle, regardless of everything else I have to say, so kudos to the developers for taking the problem on.
Sign up, contact
Signing up to the application is relatively quick and easy. The only difficulty here is in connecting to other Briar users. In lieu of a telephone number as your unique identifier, Briar has you exchange Briar links, which are effectively your public keys for the purpose of linking with other users.
The application does not easily allow you to run multiple aliases or accounts (which might be an important and useful feature for people, e.g. those trying to work with journalists without revealing their identities), and there’s no way to change your user handle, which is transmitted to others after you have set it on registration. Consequently you ought to set up an account that is relatively nondescript in name and have friendly users who you connect with set a screen name for you on their device so they recognise you.
Private groups and Forums
The first possibly confusing feature here is the use of “Private Groups” and “Forums”. It wasn’t automatically clear what these are and what their security properties are. This is something that an activist group could easily invest in, recruiting users into it for organising purposes, only to end up getting bitten in the arse.
A big problem for both Private Groups and Forums is that you cannot delete messages from either. Once it goes up, it doesn’t come down. This is not forgiving of accidental pasting of sensitive information.
Similarly, there is no disappearing messages feature for Private Groups or Forums. As these are the only group communication features on the app, this app is potentially harmful for very sensitive information where your phone might be seized by opposition groups of any kind able to access the app at a later date — they will have a long-running log of everything you have done before. With that said, writing down anything that is potentially incriminating or harmful on a digital device can be risky for later forensics. It’s a matter of degree though, and Briar falls significantly short of the ergonomics of Signal on this issue.
Private groups are essentially monolithic admin groups. Only the creator of a private group can invite users to join it. That creator can also “dissolve” the private group — leaving the other members of the group (but not the admin!) with access to the message history within it, but no ability to send messages to the group anymore.
Forums are zero-admin groups. Once a forum is created you can leave it and it will continue being open. Any member of the forum is able to send an invite to any Briar contact they are paired with. There is no way to control access-granting privileges in a forum, and users should be aware that every new user invited significantly widens access. Briar in this way seems very much designed to work on transitive ad hoc trust models, which can work in a pinch but which may be quite risky in terms of later needs to withdraw access in case of compromise.
This transitive trust design also extends to the fact that you have no way to remove or ban users from either a Private Group or a Forum. Once you are compromised, they have your full, undeletable message history going back over time, and there’s nothing you can do to wipe the group, however fast you respond.
Private messages do in fact have a simple 7-day disappearing messages feature. This isn’t ideal — it’s comforting, if you risk arrest while on a protest, to know that you can run your timer at 1 hour so that you are able to have transient communications which will nevertheless disappear before they become evidence that can be used to make your life hard at protests or in other activity. But 7 days nevertheless means that you are not building a huge backlog of potentially incriminating evidence against you or your friends about your involvement in activism over time, so it’s better than nothing.
The blog feature works like microblogging à la Tumblr, with users able to reblog you, adding comments along the way. It also has a cute RSS reader, which is neat. I wouldn’t rely on the platform’s blogging feature as a “secure” way to disseminate information, and as with groups and forums there’s no way to destroy previously published info.
The screenshot ban
Like a growing number of “secure” apps, Briar bans you from taking screenshots. Unfortunately this won’t actually protect you from users with access to a USB cable doing screen sharing or anything like that. I don’t really know what value this feature has in terms of serious opsec risks. People in your group who want to leak info are absolutely capable of leaking info, and the screenshot prevention just creates a false sense of security.