The Witness Angel Concept
Truth at the heart of the judicial system
Privacy at the heart of society
Table of Contents
- What is a Witness Angel?
- Why our judicial system is unsatisfactory
- The fundamental concepts of the Witness Angel
- Frequently Asked Questions and Reactions
- Functional and Technical Specifications
- Legal Framework Required
The information technology revolution has brought new means of investigation and evidence to justice: surveillance cameras in public spaces (streets, car parks, elevators, buses, etc.), smartphone videotaping by witnesses, wiretapping and geolocation of suspects, social network and email archive searches, etc.
But these new features have had very worrying side effects:
- They have led to unprecedented violations of privacy: uncontrolled proliferation of said surveillance tapes, illegal smartphone recordings ending up on the Internet, mass spying on Internet users, wiretaps in the name of the war against terrorism…
- At the same time, they have given a formidable arsenal to lies: almost indistinguishable retouching of videos and photos, massive spreading of fake news on social networks, new forms of fraud fuelled by web anonymity…
Meanwhile, the judicial system remains powerless in many cases (workplace harassment, assault, etc.) when it comes to fact-finding. The result is complex “word-against-word” trials, serious miscarriages of justice against innocent people, and criminals left free for lack of evidence.
So here’s the situation: states and giant corporations are intruding further and further into the private lives of citizens; citizens are finding it increasingly difficult to tell truth from lies and to protect their privacy; and courts still need faster and stronger evidence to deal effectively and fairly with cases.
Our objective: giving judicial truth an arsenal worthy of its importance, while restoring citizens’ legitimate right to privacy.
Our resources: the unsuspected power of cryptographic algorithms and distributed systems, which make it possible to reconcile data confidentiality and protection of individuals.
Discover our innovation: the Witness Angel
What is a Witness Angel?
This is what we could also call a “write-only personal dashcam”.
Perhaps you know “car dashcams”: cameras mounted on car dashboards that record what is happening around the vehicle. Very popular in countries like Russia, they have made it possible to thwart countless insurance scams, blackmail attempts, police extortion and hit-and-run crimes; the advantages of these consumer “black boxes” are widely demonstrated on video sites.
The idea of the Witness Angel is to extend this concept to people, in the form of an application for a smartphone, smartwatch, or any other connected accessory.
This device records, permanently or on demand, a multitude of surrounding information: video, audio, date and time, GPS position…
But note: to protect the privacy of all individuals involved (the carrier as well as the people he meets), this dashcam does NOT allow the individual to read the data he has recorded. This is the major innovation of the device: it operates in “write-only” mode.
The data is encrypted, time-stamped, and signed with extremely powerful technologies; then the encryption keys (or even the data) are dispersed among several independent trusted entities.
These data can therefore only be used in the context of a judicial procedure, at the request of the carrier. This procedure involves the custodians of the various data and encryption keys pooling them under the supervision of sworn control bodies.
Thus, the Witness Angel is like a personal bailiff: an incorruptible memory, which allows the bearer, only IF and WHEN he wants to, to bring a truly reliable testimony; to defend himself, but also to defend his fellows; and without the costs and worries that would result from the presence of a real bailiff at his side 24 hours a day. The “extended right to silence” guarantees the carrier that his Witness Angel will not be used to testify against him.
The Witness Angel therefore fits into the “White Mirror” philosophy: using the most advanced technologies available, but to give each person ever more responsibility and security, instead of gathering immense powers in the hands of a few entities (state, commercial…) and drifting towards a dystopian society.
Why our judicial system is unsatisfactory
Since trial by ordeal, since judicial torture (the “preparatory question” and the “final question”), since testimony under oath as the main source of evidence, Justice has come a long way. Ballistics, forensic autopsy, graphological or psychological analysis, fingerprinting and DNA, and the exploitation of various recordings have made it possible to remove a large part of the “human factor” from fact-finding. But significant gaps remain.
Why do individuals often not file complaints in cases of aggression, of lies, of moral or sexual harassment, of hazing? Because they know that, in addition to the slowness of the judicial system, they will have to face suspicions of fabrication, pit their word against that of the wrongdoer (who has the presumption of innocence), and risk sinking if there is insufficient evidence.
Even well-intentioned legal initiatives to fine street harassment are insufficient, for lack of a police officer on every street corner.
Even without dishonesty on the part of technical staff, how many children have been taken from innocent parents, or left in the hands of executioners, on the basis of poor analysis or clever lies? For children in the care of child welfare, the situation sometimes seems just as cruel.
Do you think that DNA analysis and fingerprints are very convincing? They are not: nothing is easier than to cleverly place the traces of an innocent man at a crime scene, or to tie drug bags under the car of a political opponent.
How can we differentiate between “traumatic amnesia” and “induced memory”, when therapists can so easily become gurus, and turn individuals against their loved ones? The obsession with alternative therapies, which are increasingly daring in their pseudoscientific claims (psychoanalytical numerology, transgenerational analysis, etc.), also creates fertile ground for distortions of reality.
Not to mention, as the Outreau trial demonstrated so terribly, that in the testimonies of traumatized victims, truth and falsity can become inseparable.
And let’s not even talk about false testimonies born of resentment, blackmail, corruption, non-assumed sexual acts, psychological disorders…
“Numbers say whatever people want them to”, says popular wisdom. But some statistics are too starkly explicit to lend themselves to the subtleties of interpretation.
Of the estimated 75,000 rapes committed each year in France, only 13% result in a complaint being filed, and only 2% result in a conviction at trial. This comes with a massive “de-qualification” of rape cases, which end up being tried as lesser offences in correctional courts instead of being judged, as they should be, in criminal trials; when it is not the statute of limitations that strikes.
20% of working women have experienced sexual harassment during their working lives. In 69% of cases, sexual harassment is not brought to the attention of the employer, and for victims who dare to take the step, in 40% of cases it ends at their expense.
Three out of ten employees feel that they have already been subjected to moral harassment in their workplace.
Statistics on other forms of gender-based violence are not reassuring either.
14% of French people were victims of abuse (physical, sexual or psychological) by an adult during their childhood. 60% have not told anyone about it.
Finally, let’s look at what happened with #metoo and other phenomena of mass public disclosure. These mass testimonies, which are quick to turn into lynchings without evidence or trial long after the events, are the tragic symptoms of a society in which entire populations of victims have been unable to obtain justice.
An area for improvement
If this small inventory seems satisfactory to you, then you can go your way. Otherwise, it means that solutions must be found for these serious problems.
The Witness Angel, a powerful source of fact-finding in judicial matters, is the solution we promote, in order to have a more efficient and secure justice system.
Like any recording device, it raises issues about privacy and data confidentiality; issues that are resolved through an unprecedented level of technical protection, as detailed below in this document.
The fundamental concepts of the Witness Angel
IMPORTANT — Write-Only for Judicial Purposes: the data written by a device cannot be read without an official, multipartite procedure, including at least the Carrier, a Judicial Authority, and a Trusted Third Party independent of the other two.
Subsidiarity: each citizen is the master of his data, and the power of legal persons (trusted third party, State…) is very limited.
Decentralization: no person should be assumed to be incorruptible, and no protection should be assumed to be inviolable; only the multiplication of third parties involved, as well as of algorithms involved, can make the device extremely resistant to human and technical deficiencies.
Auditability: only a device whose hardware and software can be freely audited by any competent citizen (e.g. open source code) deserves the trust of the rest of society.
Liberation by coercion: the Witness Angel does not bring new recording technologies. All it does is manage and restrict existing systems through strong rules, so that, freed from the risks they usually bring, these systems can be widely and effectively used for justice.
Physical bridge: software can be elitist and misleading (obscure code, bugs, deliberate vulnerabilities…); the use of physical constraints (e.g. a switch at the base of an antenna, a shutter in front of a camera…) makes it possible to give guarantees even to the least technical citizen.
Discerning Progressism: not every technical innovation constitutes progress in itself; but if it improves the existing situation, even without being perfect or infallible, it deserves to be deployed (no falling into “ankylosing perfectionism” under the pretext of the precautionary principle).
Respect for Privacy: this concept is opposed to widespread spying of citizens, but also to anonymity. Privacy is what happens when you walk down the street: people don’t know who you are, where you live, what you think of this or that. But in a number of cases (for example, if you commit a crime), the police will have the means to determine your identity. Thus, the concept of “privacy” guarantees the security and freedom of citizens, while anonymity grants impunity to criminals and stalkers, especially on the Internet. It should be noted that privacy is not opposed to security, both can be combined using appropriate technologies (mainly cryptographic).
Frequently Asked Questions and Reactions
How is the data protected?
The information related to the Witness Angel — encrypted records and their encryption/decryption keys — faces a classic computer data issue: the simultaneous need for confidentiality and durability, i.e. protection against both data leaks and data losses.
By default, these two properties seem antagonistic: to avoid being lost, data must be replicated in several geographical locations, but when data is disseminated, it is more likely to fall into illegitimate hands.
The Witness Angel solves this problem by using a threshold cryptosystem, or shared secret: pieces of the data (or of its keys) are distributed among N “trusted third parties”, and at least M of them must be requested to reconstitute the initial data. Thus, decryption always involves the agreement of a significant number of independent entities (confidentiality), but several of them may disappear without leading to data losses (durability).
The system also incorporates exclusive secrets, for example to ensure that a State entity, as well as the carrier himself, is included in any decryption operation (while other trusted third parties may remain relatively interchangeable).
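The M-of-N threshold plus mandatory parties described above, as an added example (not the project’s own code): a constructed 16-byte data key is split by XOR into a carrier piece, a judicial-authority piece and a third-party piece, and the third-party piece is Shamir-shared 3-of-5 among interchangeable custodians. The XOR layer for the “exclusive secrets” and the field prime are assumptions of this illustration.

```python
"""Threshold key escrow with mandatory parties (illustration, not project code).

data_key = carrier_piece XOR authority_piece XOR third_party_piece
third_party_piece is Shamir-shared M-of-N over a prime field, so any M of
the N interchangeable custodians can rebuild it, while the carrier and the
authority pieces are each mandatory for the final reconstruction.
"""
import secrets

# Assumed field prime (Mersenne prime 2^521 - 1), comfortably larger than
# the 128-bit keys this example escrows.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of the sharing polynomial modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret_int, m, n):
    """Shamir split: return n shares (x, y); any m of them recover secret_int."""
    if not 1 <= m <= n or not 0 <= secret_int < PRIME:
        raise ValueError("need 1 <= m <= n and 0 <= secret < PRIME")
    coeffs = [secret_int] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the given (x, y) shares."""
    acc = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        acc = (acc + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return acc


def escrow_key(data_key, m, n):
    """Split data_key into carrier, authority and M-of-N third-party shares."""
    carrier = secrets.token_bytes(len(data_key))
    authority = secrets.token_bytes(len(data_key))
    third = bytes(k ^ c ^ a for k, c, a in zip(data_key, carrier, authority))
    shares = split_secret(int.from_bytes(third, "big"), m, n)
    return {"carrier": carrier, "authority": authority,
            "third_party_shares": shares, "key_len": len(data_key)}


def reconstruct_key(carrier, authority, shares, key_len):
    """Rebuild the data key; returns None when the shares cannot form a key."""
    third_int = recover_secret(shares)
    if third_int >= 1 << (8 * key_len):
        return None  # too few or mismatched shares: not a valid key-sized value
    third = third_int.to_bytes(key_len, "big")
    return bytes(t ^ c ^ a for t, c, a in zip(third, carrier, authority))


def demo():
    """Return (enough shares ok, too few shares ok, missing authority ok)."""
    data_key = secrets.token_bytes(16)  # constructed sample key
    esc = escrow_key(data_key, m=3, n=5)
    sh = esc["third_party_shares"]
    enough = reconstruct_key(esc["carrier"], esc["authority"],
                             [sh[0], sh[2], sh[4]], 16) == data_key
    too_few = reconstruct_key(esc["carrier"], esc["authority"],
                              sh[:2], 16) == data_key
    no_authority = reconstruct_key(esc["carrier"], bytes(16),
                                   sh[:3], 16) == data_key
    return enough, too_few, no_authority


if __name__ == "__main__":
    print(demo())  # expected: (True, False, False)
```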
Each entity must follow strict procedures regarding the partial data it manages: over-encrypting it on receipt to prevent theft by hijacking; destroying it after a few days if the Witness Angel carrier has so decided; and applying emergency actions if a security breach is detected (a new encryption run with a corrected algorithm, or erasure of the data as a precaution). These procedures are mostly integrated “by default” into the Witness Angel’s software (client and server side).
Finally, it should be noted that the Witness Angel system does not require any particular disinterest or probity on the part of trusted third parties. The snippets of encrypted data that they hold are unusable in their current state, so their sole interest in finance (for companies) or reputation (for civic associations), as well as the fear of judicial repression, will naturally lead them to respect the security procedures of the system.
For how long are the records kept?
The retention period of the recordings is at the discretion of the carrier. He may decide to keep the data for a few days or weeks before automatic deletion, as is currently the case for “Car Dashcams”. But he can also opt for a higher level of legal protection, keeping the data for years or even indefinitely. Preserving data (if only to cope with their growing volume) will then require more consideration.
If a data set has been reported as important (e.g. if the recording was triggered by an event, or if the carrier subsequently marked it as such), it will escape automatic deletion.
If the carrier of the Witness Angel dies, we’ll never be able to decrypt the data then?
By default, if the carrier takes his (partial) decryption key with him to the grave, all the data he has recorded will become unusable, and will even legally have to be deleted.
This will be a problem in obtaining justice, for example in the event of the murder of the carrier. Hence the idea of allowing post-mortem testimony from the deceased carrier, but obviously within a very strict regulatory and technical framework: the carrier must have designated, for example in his will, one or more heirs of his Witness Angel, and delimited the data that they would be entitled to access. The carrier must also have prepared the legacy of his part of the decryption key, in an encrypted form which will again require the intervention of several trusted third parties, so that only the heir can obtain it, and only after the death of the carrier.
What if, despite all these precautions, one day hackers manage to steal data?
No human system can be guaranteed to be inviolable, especially in a very dynamic field such as computer science. Despite the unprecedented level of protection offered by the Witness Angel, one can always imagine a revolution (quantum computer, alien invasion…) that would expose the data of some users, before the purge systems take effect to erase the others’.
But the Witness Angel does not need to be inviolable, it just needs to be the “strongest link in the chain”, the “best defended attack surface”. Indeed, what is the point of putting a triple armoured door on a house, if windows or walls can be easily drilled?
There is already a wide range of ways to spy on an individual’s privacy: surveillance, wiretaps, spyware (e.g. keyloggers), hacking into emails or personal assistants, spying on social networks, tracking online browsing with markers such as advertising cookies… As long as these ways remain far simpler and more discreet to implement than retrieving a single slice of Witness Angel data, fears about the latter will remain mostly irrelevant.
As a reminder, hacking a Witness Angel will require recovering data potentially scattered across several countries, in entities of very different types (public services, companies, associations, personal servers…), then breaking several extremely powerful encryption algorithms which use very long keys. These are challenges that are currently (2019) too great even for state agencies; hence the pressure to introduce backdoors into operating systems and cryptography software, and to stop software projects that refuse these pressures (it seems to have happened to the Truecrypt project).
How to ensure the accuracy of the recordings?
Through its write-only and time-stamping mechanism, the Witness Angel ensures that data is not altered once it is stored, and various systems (authentication, chaining of data with digital fingerprints) prevent false data from being inserted without the carrier’s knowledge.
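The chaining of records with digital fingerprints described above, as an added example (not the project’s own code): each stored record carries the SHA-256 fingerprint of the previous record plus a keyed tag, and the verifier reports the first record at which an alteration, insertion or removal breaks the chain. The HMAC tag stands in for the device authentication the page mentions; the record layout and sample payloads are constructed for this illustration.

```python
"""Append-only, fingerprint-chained record log (illustration, not project code).

Each record stores: index, timestamp, fingerprint of the previous record,
SHA-256 of its payload, and an HMAC tag over all of those. verify_chain()
walks the chain and returns (True, None), or (False, i) for the first
record i where the tag, the link, the ordering or the payload does not match.
HMAC with a device key is an assumed stand-in for a device signature.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous fingerprint" of the very first record


def _fingerprint(record):
    """SHA-256 over a canonical JSON encoding of the record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def _tag(key, body):
    return hmac.new(key, _fingerprint(body).encode(), "sha256").hexdigest()


def append_record(chain, key, timestamp, payload):
    """Append a record for payload, linked to the last record in chain."""
    body = {
        "index": len(chain),
        "timestamp": timestamp,
        "prev": _fingerprint(chain[-1]) if chain else GENESIS,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }
    body["tag"] = _tag(key, body)
    chain.append(body)
    return body


def verify_chain(chain, key, payloads):
    """Return (ok, problem_index); problem_index is None when the chain is ok."""
    if len(chain) != len(payloads):
        return False, min(len(chain), len(payloads))
    prev, last_ts = GENESIS, None
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if not hmac.compare_digest(_tag(key, body), rec.get("tag", "")):
            return False, i  # record not authenticated by the device key
        if rec["index"] != i or rec["prev"] != prev:
            return False, i  # inserted, removed or reordered record
        if last_ts is not None and rec["timestamp"] < last_ts:
            return False, i  # time-stamps must never go backwards
        if hashlib.sha256(payloads[i]).hexdigest() != rec["payload_sha256"]:
            return False, i  # stored payload altered after the fact
        prev, last_ts = _fingerprint(rec), rec["timestamp"]
    return True, None


def demo():
    """Return verification results for an intact, an altered and an extended chain."""
    key = b"constructed-device-key"
    payloads = [b"video-chunk-0001", b"audio-chunk-0001", b"gps:48.8566,2.3522"]
    chain = []
    for ts, payload in enumerate(payloads, start=1000):  # constructed timestamps
        append_record(chain, key, ts, payload)
    intact = verify_chain(chain, key, payloads)
    # A payload edited in storage no longer matches its fingerprint.
    altered = verify_chain(chain, key, [payloads[0], b"audio-chunk-EDITED", payloads[2]])
    # A record inserted mid-chain without the key fails its tag; even a
    # correctly tagged insert would break the next record's index/prev link.
    extra = dict(chain[1])
    extra["payload_sha256"] = hashlib.sha256(b"inserted-chunk").hexdigest()
    longer = chain[:1] + [extra] + chain[1:]
    inserted = verify_chain(longer, key, [payloads[0], b"inserted-chunk"] + payloads[1:])
    return intact, altered, inserted


if __name__ == "__main__":
    print(demo())  # expected: ((True, None), (False, 1), (False, 1))
```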
On the other hand, like any recording device, it is vulnerable to falsification of the flows provided to it as input. However, several systems allow it to strongly limit the risks of fraud.
- Devices (cameras, microphones, etc.) from certified organizations can sign data flows as soon as they are captured, and thus attest to their non-fraudulent origin (hacking into such hardware chips would be an extremely complex operation).
- Uncertified streams can be analyzed with the usual means of investigation, to ensure that they are not pre-created montages, or recordings tampered with using on-the-fly algorithms (e.g. adding artificial voices to the audio track).
- The spatio-temporal comparison of the data of several Witness Angels present on a scene can reveal incoherences, and thus manipulations.
That thing of yours is 1984!
On the contrary, it is an anti-1984; let us check why.
The dystopia of the book 1984 is already well established across the planet, with:
- The excessive multiplication of surveillance cameras, whose “saucy” recordings end up on the Internet (when it is not the entire camera that is publicly exposed to voyeurs, see https://www.insecam.org/).
- The extreme ease of recording people without their knowledge, on a smartphone or via small spy cameras available on the market at a ridiculous price.
- The looting of user data by websites (up to mouse movements and keyboard typing) and mobile applications (even by activating the microphone without your knowledge); a phenomenon aggravated by the economic model of social networks, where the user is the commercial product, and where data is diverted in all directions, as shown by the Cambridge Analytica scandal.
- The pinnacle of alienation: the Big Brothers you buy for yourself, like Google Home or Amazon Echo, which record even the most harmless conversations inside your home, analyze them, store them without much security, or even send them to contacts by mistake.
- The opacity, on the other hand, in which States and multinationals are bathed (defence secrecy, tax secrecy, business secrecy, etc.), an opacity that is only disturbed by a few whistleblowers and their data leaks.
- Software and algorithms that make it possible to counterfeit videos, to change their words or faces almost indistinguishably, and thus create an “alternative truth”.
- Automated recognition of biometric data, faces and gaits, which is becoming popularized, sometimes coupled with surveillance from the sky (e.g. China).
- The generalized scoring of citizens that is being implemented, in China again, etc. etc. etc.
On the contrary, the Witness Angel is proof that there is no contradiction between the right to security and the right to privacy, and that it is up to each human being to be guarantor of truth and guardian of their personal data, in full autonomy.
The unprecedented level of protection provided to the device (which can only be read in the context of an official court case, with the consent of its carrier, and cannot be “seized” by the authorities), and the freely auditable nature of its code, allow any competent citizen to verify for himself that this anti-1984 philosophy remains respected.
The Witness Angel is therefore a snub to those who use fear (of aggression, of terrorism…) to set up excessive spying on citizens; and a rebuke to the GAFAM and others, who claim that the massive exploitation of personal data is necessary to offer new innovative services.
Won’t that reinforce mistrust in human relationships, security instincts, generalized paranoia?
“Paranoia” mainly arises from vulnerability, from insecurity. If many people go to work with fear in their stomachs, it is because they know that their superiors or colleagues hold them in their power, and can continue to harass or grope them with almost complete impunity.
A person allergic to bees will be much more anxious during field trips if he or she does not have an adrenaline syringe at hand. A violinist will be much more careful when travelling if his instrument is not insured. A buyer will be much more suspicious if he has to pay for his property by an unsecured means (Western Union…). An alpinist will be much more tense if he climbs a wall without being secured by a rope. And there’s nothing wrong with these reactions. “Fear is wisdom in the face of danger. It’s nothing to be ashamed of.” (Sherlock: The Abominable Bride).
Protective measures are the consequences of fears, not their causes. On the contrary, when they know that they are protected, humans can interact freely with their fellow human beings. The Witness Angel is a device that will strengthen trust in human relationships, since lies and manipulation will no longer pay as much as before, and victims will have the opportunity to testify without having their word immediately questioned.
And the right to the image? What about the consent of recorded people?
The Witness Angel is not concerned by the right to the image, since the recording can only be decrypted in a judicial context, where suspects and victims already have their personal lives thoroughly searched by prosecutors and lawyers.
On the contrary, by often allowing quick access to the truth, this device removes the endless unpacking of the protagonists’ intimacy and past, used by the prosecution or defence to undermine their testimony (unreliable demonstration if there ever was one).
The need for the consent of recorded persons, which derives from this right to the image, is therefore also rendered unnecessary by the system; unless the concept of “loyalty of proof” is pushed to the point of absurdity, and the consent of criminals becomes required before collecting evidence against them.
But legislative changes will obviously be necessary to take into account the specificities of this system, which is anything but “yet another surveillance camera”.
I find it uncomfortable to have a recorder on me!
Many people reacted the same way when seat belts or smoke detectors were introduced into society; before getting used to them very well. Since the Witness Angel protects victims of crime without harming the innocent in any way, since it simply adds privacy constraints to existing recording media, it can be assumed that it will eventually be cleared of prejudice, and become part of the landscape.
The difference with the seat belt and the smoke detector is that, by its very concept, the Witness Angel requires that it never be mandatory.
Indeed, being only a consolidation of individual testimony — testimony to which the right to silence can always be opposed — the Witness Angel can only be set up with the explicit agreement of its carrier. The important thing will remain that those who want to protect themselves with the Witness Angel can do so.
Of course, nothing will prevent a state from massively violating the privacy of civilians (cf. the NSA’s global schemes, the growing totalitarianism of the Chinese Communist Party…), nor from forcing its nationals to wear recorders. But then it will be an initiative unrelated to the Witness Angel, because a despotic state will never be burdened with all the technical and legal protections that go with this device, and on the contrary will require direct and unlimited access to the data collected.
By its “write-only” design, the Witness Angel prevents voyeurism. What could happen, however, is that someone disguises a standard recorder to look like a Witness Angel. But first, it will be much easier and more discreet for him to use any hidden recorder (e.g. a spy pen, or an application that runs in the background of a smartphone…). And second, it is planned that a Witness Angel can be easily audited (including by any private citizen), so that its software and hardware can prove at any time that they comply with the fundamental principles of this system.
Since the Witness Angel is protected against misappropriation (blackmail, buzz videos, revenge porn…), an aversion against it will be more a matter of “taste and colour”, or even phobia, than of rationally justified fear. It is not impossible that, in its sovereignly democratic judgment, society may consider that this “moral discomfort” is more important than the protection of millions of victims and wrongly convicted persons; but a society that banishes the Witness Angel without proposing an alternative will no longer have any credibility to be outraged by the injustices and judicial fiascos that fill newspapers.
When accessing the recordings, is there not a risk of violating the privacy of others?
For example, if a person is stabbed in the street, the exploitation of the Witness Angel(s) present on the scene could indeed reveal sometimes embarrassing information about passers-by who are not involved in the case.
But the following points should be noted:
- The invasion of privacy is immeasurably greater when it comes to traditional surveillance cameras, or a traditional investigation that will dissect the schedules of all those involved in any way.
- The disclosure of Witness Angel’s recordings is made in a restricted circle, only with persons connected with the judicial proceedings and subject to the same level of secrecy as the latter.
- The same technologies which, today, allow web companies to spy on private life can be used to minimize the information disclosed. Thus, it is possible to entrust artificial intelligences with the search for relevant passages (scenes of argument, presence of certain protagonists…) without having to view everything. And it is possible to stratify the information (e.g. automatically blur faces, nudity and license plates) as long as more details are not required by the investigation.
- The carrier will have the opportunity to filter finely what he wants to show or not to show in court, in the same way that he would carefully choose his words for oral testimony.
Thus, if the Witness Angel does not completely erase the intrusion of any judicial inquiry, it drastically limits it, which is an undeniable step forward compared to the current situation.
French/EU/other legislation is already lagging behind new technologies, it will never allow the Witness Angel.
The Witness Angel requires filling legal gaps, for example to take into account the novelty of “write-only” recording. This will certainly require an effort of pedagogy and legislative proposal, especially in a society where historically any recording has been synonymous with a threat against privacy.
But there are several positive things to note:
- Some awareness is already in place regarding the “privacy versus security” debate, and institutions such as the French CNIL, and regulations such as the European GDPR, have been set up to address the problems posed by new technologies. So the Witness Angel will not arrive in a legal desert.
- Car dashcams have set a precedent, showing both their invaluable contribution and their dangerous limitations.
- The French police force was equipped in 2016 with body-worn cameras: expensive devices, initially not secured against reading (contrary to what was required by the law introducing them), and unfair in that civilians do not have them, but nevertheless generally well received. US police officers also use such cameras, again with the risks associated with the absence of a write-only constraint.
- Our main objective is to theorize a system that simultaneously meets high requirements of justice and privacy; its implementation is another concern, it may find the most favourable reception in other countries than expected, or only for certain cases of use (police forces, victims of abuse…) initially.
Cryptography is the ally of mafia and terrorists
It is a fact, criminals are major consumers of anonymization and encryption systems: disposable phones, encrypted messaging and hard disks, encrypted networks such as “VPN”…
But these systems are just as useful to political opponents in despotic states, or to ordinary citizens who do not want their personal lives to end up in the wrong hands.
Banning them would therefore be similar to banning kitchen knives on the grounds that they can be used to commit murder.
The important idea is that the Witness Angel does not bring any innovation to the benefit of criminals. On the contrary, it sets a very strict regulatory framework, and technically prevents data from being decrypted without the public’s knowledge; constraints that no criminal has any interest in burdening himself with.
How much does all this cost?
The exact economic model of the Witness Angel system is a secondary issue, which may vary greatly from one country to another. It will be shaped by system constraints (such as respect for the independence of trusted third parties, auditability of hardware and software, etc.) and the decisions of carriers, both in the purchase of the device and in the choice of data and encryption key hosts.
The Witness Angel ecosystem will therefore be able to mix citizen associations, commercial companies, regulated professions (bailiffs, notaries…), and state agencies (including the Ministry of Justice of course).
What are the known limitations of the device?
By design, the Witness Angel does not aim to demonstrate the non-existence of a fact. Thus, if a criminal attaches a bag of drugs under a carrier’s car, the carrier will not be able to easily demonstrate that he has nothing to do with the trafficking. A thorough (preferably automated) search of the records available over a long period of time could partially exonerate him from involvement in a criminal network, but only the other elements of the investigation will provide tangible evidence of his innocence.
The Witness Angel prohibits forcing a carrier to reveal the contents of his recordings. This can be frustrating if the carrier is suspected of a crime and walls himself up in silence, or delivers only a few carefully chosen extracts (and is therefore suspected of bias); but it must be kept in mind that a single departure from this principle of the “extended right to silence” would massively discourage citizens from wearing the device, and this would have much more serious consequences on judicial truth in the longer term. Justice will therefore sometimes have to rely entirely on other means of establishing facts, even when active Witness Angels were present on the scene.
The Witness Angel will not be able to protect children in all cases: if their legal guardian is also their abuser, he will be able to obstruct the use of this device. But social services could take control of these cases, and impose protective measures, depending on what the law provides. Similarly, some vulnerable people (battered spouses) will have greater difficulty using the device without risking retaliation, but miniaturizing the device may help the State and associations to collect evidence anyway.
In a dictatorial state, where the police can at any time arrest and torture a citizen to force him to reveal his secret code, the Witness Angel will not be a useful device; it will then be better for human rights defenders to rely on hidden and unilaterally encrypted recording devices, to gather evidence on government crimes.
Another limitation is inherent in the incompleteness of the recordings: depending on the periods of use of the device, and the archiving time chosen, some key records may be missing at the time of a decryption procedure; it is to be hoped that other witnesses of the scene had a Witness Angel activated and sufficient data storage.
A technical limitation concerns the size of the stored data: being encrypted, its binary content will have high “entropy”, which will prevent it from being compressed efficiently. And since it will be encrypted, it will not be possible to convert it into more efficient audio/video formats, or to lower-fidelity ones, as it ages (and therefore becomes less likely to be requisitioned later).
Finally, the last known limitation, which is also technical, is that of the autonomy of the Witness Angel: recording, encrypting and transmitting data is an extremely energy-intensive process; some forms of this embedded device will therefore not be able, as science currently stands, to operate more than a few hours between each charge. But the use of chips dedicated to encryption, and alternative energy sources (skin heat, movement, wireless energy…), will eventually improve the autonomy of the portable device.
Some unknown assets of the system?
Fast herd immunity: even if only a tiny minority of society adopts the Witness Angel, this will have a great psychological impact on criminals and stalkers, who will not know whether their next victim can catch them at their own game; non-wearers will therefore benefit from this fall in crime. Compare this with the herd immunity of vaccines, which typically requires more than 90% of people to be vaccinated before the rest of the population is protected as a side effect.
Protective ergonomics: when a tragedy occurs, Witness Angel wearers will be able to react appropriately, instead of taking out their smartphone to film the scene (which sometimes amounts to failing to assist a person in danger); wide-angle or even front-and-back sensors would compensate for the lack of manual framing. This will not prevent some people from using standard cameras anyway, to go viral or to resell the images to sensationalist media, but that is another story.
Judicial optimization: by providing quick and meaningful access to evidence, the Witness Angel will speed up court proceedings, relieve court congestion, and save significant amounts in court costs, while avoiding the wholesale exposure of private lives that harms the parties to a case, even innocent ones.
Simplification of human relations: many aberrant procedures were born of lies and mistrust. Thus, if (in France) a tenant's guarantor is obliged to copy out a page of legal jargon by hand, it is to prevent him from later denying that he was informed of what he was committing himself to. The Witness Angel, as a weapon against bad faith, will make this type of burden largely unnecessary.
Functional and Technical Specifications
Reading this (quite complex) section is not necessary to understand the device.
- Witness Angel: by default, it refers to the portable device used to capture and encrypt information flows. By extension, it can refer to the entire Witness Angel ecosystem, including the legal framework and computer servers for data processing/storage.
- Carrier (or holder, bearer, wearer, owner…): natural person who owns and carries the Witness Angel device, and whose authorization is necessary to decrypt any data from it.
- Writing (or encryption, or public) key: used to transform raw records into encrypted data, it can be disclosed without great danger.
- Reading (or decryption, or private) key: used to decrypt the data during a legal procedure, it must remain secret.
- Master (or primary) key: generated after (re)configuration of the Witness Angel, it is used to indirectly protect all subsequent records.
- Derivative (or secondary) key: generated and used specifically for a time slot, it is itself made secret thanks to a Master key.
- Each key of the system is therefore either Master or Derivative, and it can be a Writing and/or Reading key.
- Threshold cryptosystem (or shared secret system): system of N entities that share a secret, and which requires that at least M of them come forward (with M ≤ N) for the secret to be revealed.
Invariants of the whole system
- Each Witness Angel has a unique identifier, used to locate the key fragments and data dispersed among the entities.
- No entity shall have access, during its existence, to more than one “master” reading key of a Witness Angel configuration, even in encrypted form.
- By default, at the very least 3 independent entities must be involved to retrieve all the reading keys of a record. As far as the storage of encrypted records is concerned, no minimum limit for hosts is set.
- Master keys must be key pairs, respectively Writing and Reading (asymmetric encryption), to ensure Write-Only constraint. Derived keys, on the other hand, can be in Writing+Reading (symmetric encryption), for performance or autonomy reasons.
- A storage entity must always locally over-encrypt the data it receives (key or record fragments), to prevent it from being retrieved without going through the system software interface (interface that removes this local encryption before delivering the data).
- Each entity is responsible for the preservation of its key and data pieces, using generic technologies designed for this purpose (replicated databases, RAID disks, periodic backups, etc.).
- The procedures described below set the minimum safety threshold required by the device. These procedures may evolve, but only towards greater confidentiality and ergonomics of the device, according to technological innovations (e.g. homomorphic encryption) and requests from citizens. They leave wide freedom with regard to the implementation of the device: hardware, programming languages, network communication protocols (NFC, Bluetooth, Wi-Fi, 4G)…
Manual configuration of the Witness Angel by its carrier
- Choice of entities used to store keys, and of those used to store records (entities that may overlap).
- Choice of sensors to use (audio, photo, video, GPS, pulse…).
- Choice of the recording activation mode (continuous, manual, on an event such as a stress peak…); the sensors can also be left permanently active, but only start saving the data from a few tens of seconds before an event (as is the case for car dashcams, which react to shocks).
- Choice of optional metadata to be added to the records (approximate location of the holder, number of people present…) to help in the search for relevant data during a legal procedure.
- Choice of the duration of the time slots, and the duration of storage for the records.
- These parameters can be modified at any time by the carrier; this forces the regeneration of the keys, but only impacts subsequent records.
Cryptographic key generation
- The entities specifically required in case of decryption (the carrier, the server of the judicial system…) each generate an asymmetric primary key pair, provide the writing key to the Witness Angel, and keep the reading key secret.
- For entities that are part of a threshold cryptosystem, an independent temporary entity is responsible for generating the key pair, distributing the reading key fragments to trusted third parties, and providing the writing key to the Witness Angel; this temporary generator never knows the Witness Angel identifier (a temporary session identifier is used), and destroys its copy of the keys upon completion of the operation.
Data flow recording
- Active sensors deliver unencrypted data streams, which can be restricted to volatile memory (e.g. a circular buffer) until data persistence has started.
- Once recording has begun, the data stream is segmented into time slots (e.g. 10 minutes of capture), which are sent to the encryption system.
- For each time slot, derived keys are generated from the master keys.
- The data slice is encrypted successively with each of the derived writing keys, using various algorithms among the most robust currently identified.
- Optionally, third parties can time-stamp and sign the encrypted data slice (but indirectly, through a blind signature).
- The derived decryption key is itself made unreadable by encrypting it with the master writing key.
- Different metadata (date, different trusted third parties and algorithms used, configuration parameters, optional information…) are encrypted only with the derived writing key of the carrier, and attached to the encrypted slice. A fingerprint from the previous data set can also be added to the metadata, to ensure that the record chain is not subsequently altered.
- All the data necessary for indexing and decrypting the time slot (excluding primary keys) is put in a container, ready for storage.
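As an added illustration of the recording steps above (example code written for this page, not the project's own), the following Python builds a chain of encrypted time-slot containers: a fresh derived key per slot, the slice encrypted under it, metadata carrying the fingerprint of the previous container, and a check that finds the first altered link. The device identifier and sample slices are constructed; the stream cipher is a deliberately simple HMAC-based stand-in for the approved algorithms, and the wrapping of the derived key under the master writing key is omitted.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample input: three time-slot slices, shortened to a few bytes each.
SAMPLE_SLICES = [b"audio-slot-0", b"audio-slot-1", b"audio-slot-2"]
DEVICE_ID = "wa-demo-0001"  # hypothetical Witness Angel identifier


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode, XORed onto the data).
    A stand-in for an approved algorithm so the example needs only the standard
    library; not a recommended cipher."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def fingerprint(container: dict) -> str:
    """SHA-256 of the whole container (metadata + ciphertext) in canonical JSON."""
    canonical = json.dumps(container, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def build_container(device_id: str, slot_index: int, slice_data: bytes, prev: dict):
    """Encrypt one time slot under a fresh derived key and link it to its predecessor.
    Wrapping the derived key under the master writing key is left out here."""
    slot_key = secrets.token_bytes(32)  # derived (secondary) key for this slot
    metadata = {
        "device_id": device_id,
        "slot_index": slot_index,
        "algorithm": "toy-hmac-sha256-ctr",
        "prev_fingerprint": fingerprint(prev) if prev else None,
    }
    return {"metadata": metadata, "ciphertext": keystream_xor(slot_key, slice_data).hex()}, slot_key

def build_chain(device_id: str, slices: list):
    """Record a whole stream: returns the container list and the per-slot keys."""
    containers, keys, prev = [], [], None
    for index, data in enumerate(slices):
        prev, key = build_container(device_id, index, data, prev)
        containers.append(prev)
        keys.append(key)
    return containers, keys

def decrypt_slice(slot_key: bytes, container: dict) -> bytes:
    """What the decryption terminal does once the derived key has been released."""
    return keystream_xor(slot_key, bytes.fromhex(container["ciphertext"]))

def first_broken_link(containers: list):
    """Index of the first container whose prev_fingerprint does not match the one
    before it, or None if the chain is intact. Altering the LAST container is not
    caught by the chain alone; that is what the third-party time-stamp is for."""
    for i, c in enumerate(containers):
        expected = fingerprint(containers[i - 1]) if i else None
        if c["metadata"]["prev_fingerprint"] != expected:
            return i
    return None
```

A modified last container passes the chain check, since no later container points back at it yet: the chain protects history, and the time-stamp of each new slice protects the head.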
Remote archiving of encrypted containers
- Even for short data retention, remote archiving remains a useful option, as it prevents a criminal from destroying evidence by breaking the carrier’s Witness Angel.
- Containers are preferably fragmented into “shared secrets”, and sent to various storage entities (trusted third parties and/or personal servers).
- The carrier can also keep (or make someone else keep) complete copies of the containers, at the cost of reduced security.
- The entities carry out their maintenance tasks independently:
- Deleting expired containers
- Immediate purging, or emergency over-encryption of a user’s secrets by deriving his master writing key (public), if a cryptographic vulnerability is reported (action predetermined by the carrier)
- A software client allows the carrier, through user accounts and his master reading key, to search, view, verify, annotate and delete the containers that he has stored (this key is sufficient to decrypt the metadata of each container). The carrier can also configure storage entities via this interface (e.g. the action to be taken in case of a cryptographic vulnerability alert).
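The threshold cryptosystem of the definitions, the reading-key fragments handed to trusted third parties during key generation, and the “shared secrets” into which containers are split for remote archiving (and reassembled at the decryption terminal) all rest on the same operation. Here is an added Shamir secret sharing example in Python (not the project's code): a key is split into N fragments of which any M rebuild it, with M = 3 echoing the minimum of three independent entities required by the invariants; the key bytes and N = 5 are constructed, and a deployment would use an audited library rather than this hand-rolled version.

```python
import secrets

# 2**521 - 1 is a Mersenne prime; one field element comfortably holds a 256-bit key.
PRIME = 2**521 - 1


def split_secret(secret: bytes, threshold: int, shares: int) -> list:
    """Split a master reading key into `shares` fragments (one per trusted third
    party); any `threshold` of them rebuild it, fewer reveal nothing about it."""
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < M <= N")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree M-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    fragments = []
    for x in range(1, shares + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation modulo p
            y = (y * x + c) % PRIME
        fragments.append((x, y))
    return fragments  # the temporary generator then forgets `coeffs` and `s`


def interpolate_at_zero(fragments: list) -> int:
    """Lagrange interpolation at x = 0 from distinct fragments. With at least M
    of them this is the secret; with fewer it is a uniformly random field element."""
    total = 0
    for i, (xi, yi) in enumerate(fragments):
        num, den = 1, 1
        for j, (xj, _) in enumerate(fragments):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(fragments: list, length: int) -> bytes:
    """Rebuild the key bytes from at least M fragments."""
    return interpolate_at_zero(fragments).to_bytes(length, "big")
```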
- Decryption of the records can only take place in the context of a legal action, and therefore publicly (even if the investigations and debates may be held in private).
- Many questions will have to be decided through legislation: at what level of seriousness of the offence can the Witness Angel be used to obtain evidence? What types of recordings and automatic analysis tools are allowed, and what confidentiality measures (selective blurring…) are imposed, depending on the severity of the case? Are courts of other nationalities than that of the carrier competent? Where to publish the decryption procedure (e.g. in a distributed blockchain registry), so that any entity can be informed of this rather sensitive event?
- The fundamental concept of the Witness Angel must be respected: recordings are only an extension of the wearer’s memory and speech, so he is solely responsible for the choice of the data he wishes to present to complete and support his statements. If the carrier does not allow full verification of the facts, by truncating the data submitted to the court (for reasons that may be legitimate or illegitimate), the court must treat it as it would any incomplete testimony (ask for more details, corroborate with other evidence…).
- The carrier can autonomously pre-select, typically via his software client, the groups of encrypted containers that interest him; even if it means including very large sets, if he is not sure of the relevant time slots.
- Fragments of encrypted data containers are repatriated to a dedicated terminal by any means (network, DVD, USB stick, etc.).
- The derived reading keys specific to these containers are retrieved to the dedicated terminal.
- This requires the prior agreement of trusted third parties and judicial authorities, with identity checks or even videoconference exchanges (the physical presence of entity representatives is not necessary).
- Each entity performs its own partial decryption on the encrypted derived keys presented to it; at no time does an entity recover the master reading keys of the other entities.
- For entities that are part of threshold cryptosystems, independent temporary entities are used to retrieve fragments of master reading keys, and conduct these partial decryptions of the encrypted derived keys.
- The respect of this procedure must be guaranteed by its various witnesses, and verifiable a posteriori, thanks to… their own Witness Angel devices.
- (optional) The terminal is physically disconnected from any network, to avoid any leakage of unencrypted data.
- Containers are reconstituted and then decrypted by the terminal (starting by processing container fragments that would have been over-encrypted by the trusted third party responsible for their maintenance).
- The records are made available to the carrier, who can read them, truncate them, analyze them with various pre-authorized software.
- The carrier may decide to be assisted in his selection task by lawyers, sworn experts, etc.
- The selected record parts are written on a medium that cannot be changed after the event (e.g. finalised DVD), which is made available to the judicial authority as evidence (and therefore controlled by law with regard to its distribution).
- The terminal is reset to ensure that all traces of keys and decrypted data have disappeared.
- Note that at no time is the Witness Angel portable device itself required for decryption; the carrier just needs to bring his (secret) master reading key.
- The software sources for the various Witness Angel implementations must be available on public repositories on the Internet, so that any expert can audit them and check their consistency with the specifications.
- Portable devices specifically created to host a Witness Angel must be able to be opened, to check the different hardware components that they contain (limitations: requiring that these components be open source seems too complex for the moment, however, and Witness Angels that are in the form of applications for existing smartphones/smartwatches cannot be physically audited).
- Anyone can connect to a portable device, and verify that the installed software has a fingerprint corresponding to one of the officially authorized versions on the market.
Legal Framework Required
Aspect to be reworked with legal experts
It is necessary to study current laws and jurisprudence, which have LEGAL VOIDS because they do not recognise devices operating in write-only mode.
There will be a need for a legal framework for the system: RIGHT for a citizen to have a Witness Angel (even hidden) and to activate it whenever he wishes, RIGHT to use it in legal proceedings of a certain gravity, RIGHT to stop using it at any time (and to destroy his own data), RIGHT to refuse to produce existing records (extension of the “right to silence”), RIGHT to audit all Witness Angel devices in circulation, NECESSITY to use only auditable software and hardware that complies with the fundamental principles of the Witness Angel… and finally, severe sanctions against anyone who tries to steal/sabotage another person’s Witness Angel, or to divert the device for illegal purposes.
The law will also have to define/refine certain aspects of the Witness Angel ecosystem: reporting obligations (or not) for carriers, bigger “minimum number of entities” to be involved in decryption, procedure for approving “trusted third parties”, updated list of cryptographic algorithms considered robust enough to be used, minimum length of keys, additional rules to be respected during a decryption procedure…
The contractual aspect with regard to Witness Angel device manufacturers, as well as data storage providers, will have to be normalized, so that users can keep control of their data at all times: no “vendor lock-in” (thanks to standardised transfer procedures), firm guarantees on data durability, prevention of unfair pricing practices…
It will be possible for the law to allow more flexible decryption procedures (e.g. requiring only 2 reading keys, the carrier’s and the State’s), for certain specific use cases where access to data is almost systematically necessary (e.g. to replace police dashcams during demonstrations and riots). Similarly, an accelerated procedure could be provided for recordings in public areas (e.g. for demonstrators who fear police violence), with the right to broadcast the recording to alert public opinion to what is happening; but in this case, the Witness Angel must be clearly visible, signal its special mode of operation, and measures must be taken to prevent manipulation attempts (so numerous today). However, these specific procedures remain subject to complex debates, so they should not occupy people’s minds until the default functioning of the Witness Angel, which is ultra-secure and respects the “right to one’s image”, has become law.
Note that in its very principle, the Witness Angel requires that one cannot object to being recorded by someone else’s Witness Angel. The great robustness of the system must therefore be understood and accepted by society as a whole.