[cryptography] OTR and deniability

Ian G iang at iang.org
Tue Jul 19 17:09:52 EDT 2011

On 19/07/11 1:59 PM, James A. Donald wrote:
> On 2011-07-19 9:48 AM, Ian G wrote:
>> OTR makes the same error. It takes a very interesting mathematical
>> property, and extend it into the hard human world, as if the words carry
>> the same meaning. Perhaps, once upon a time, in some TV court room
>> drama, someone got away with lying about a document? From this, OTR
>> suggests that mathematics can help you deny a transcript? It can't. It
>> can certainly muddy the waters, it can certainly give you enough rope to
>> hang yourself, but what it can't do is give some veneer of "it didn't
>> happen." Not in court, not in the hard world of humans.
> OTR gives you the same deniability as a plaintext communicated person to
> person. "He said ... she said"

(I suspect a confusion here.  A plaintext is a document, whereas "he 
said, she said" is witnessed or hearsay.  They have wildly different 
effects in court, under interrogation.)

> No more, and no less.
> But that is quite a lot of deniability.

Actually, I suspect not.  I humbly submit to the court that a plaintext 
document plus the presence of OTR is somewhat less deniable than a 
plaintext document by itself, which are both less deniable than a 
non-existing document.

Perhaps we could lump this under the law of unexpected consequences?

Part of the problem I have semantically with OTR is that it isn't OTR. 
The presence of a record means it is on the record.  While 
OTR-the-product might be attempting to decrease the tamper-resistance 
qualities of the document, there is manifestly a document.  And such 
presence tends to outweigh in real life any advantage gained by tampering.

If it was truly OTR, it would turn off the record.  That's what it 
means, the tape stops rolling, the typist stops typing.

Probably we can't achieve precisly that, within the context of p2p 
communications without TCBs.  But we can come close.  There are 
possibilities:  Counterparties can contract to delete the record 
afterwards, exposing themselves to civil claims if this is not done. 
Further, it might be possible to make declarations under penalties of 
perjury that the record has been deleted.  Or, we could IPR it, or even 
invoke DMCA over it, and have the OTR application do the deed under a 
technological protection.

I'm not suggesting that this be done;  just that it seems to be evident 
that OTR doesn't take much in the way of steps to take something "off 
the record."  What it does achieve, IMHO, is make it easier for a court 
to rule against a false repudiation.  This is hard to see as an 
advantage to the users, who might be tempted to talk as if they can 
later deny the conversation.  E.g., wikipedia, that notably deniable 
authority, says:

"The primary motivation behind the protocol was providing deniability 
for the conversation participants while keeping conversations 
confidential, like a private conversation in real life, or off the 
record in journalism sourcing."


iang, the other other one

More information about the cryptography mailing list