Software tools that bypass censorship and surveillance, also known as circumvention technology, are used in a variety of contexts. Chinese citizens get around the Great Firewall to access censored sites and popular international social media platforms. Activists in Iran bypass government surveillance to post photos and video of anti-government demonstrations. Journalists in Mexico circumvent cartel surveillance to report on local drug-related violence.
While circumvention tools have become more popular in recent years, many are shipped with little or no security review. This is precarious, since any error could endanger end-users located in high-risk areas.
Take the example of a journalist covering a war who, as part of their research, interviews dissidents and then encrypts the collected sensitive information. If someone can bypass the encryption and access that information, the dissidents are potentially in danger. The problem is that even though development teams understand the need for more secure practices, they lack the resources, means and/or knowledge to procure a thorough software review.
Seeing this gap, the Open IT Tools Project launched the Peer Review Board (PRB), a project to help give tool projects access to high-quality commercial security audits and related services, ranging from audit planning to remediation testing and mitigation services. The launch was marked by the audit of Chatsecure, an iOS secure instant messaging client, carried out by the hand-selected security firm Quarkslab SAS. In addition, the PRB is currently accepting recommendations of tools to evaluate from both developers and user communities. Individuals and projects interested in getting involved are encouraged to join the PRB mailing list.
Improving secure development standards in the community
A secondary goal of OpenITP's PRB is to increase the knowledge and security standards within the circumvention tech community.
"Circumvention tools like Tor are created by volunteers throughout the world who are passionate about providing everyone, everywhere, with the ability to protect their privacy and to communicate freely without fear of repercussion. This effort will provide the free software humanitarian community with the resources and support they need to confidently stand behind the safety and security their products offer," says James Vasile, OpenITP Executive Director.
This will be done by helping teams improve their entire secure software development lifecycle, from initial requirements through documentation and incident response practices. In particular, teams will be encouraged to improve their threat modeling and security-related usability, and to integrate security into every stage of development rather than treating it as a final step.
Most importantly, however, audit results will be shared with the projects and, once the issues are fixed, with the general public. This ensures not only that specific issues are addressed, but that the wider developer community can use the knowledge gained during the audits to avoid the same classes of security issues in the future. In addition, the PRB will create learning and design aids to encourage best practices and provide helpful, customized information about secure development for humanitarian tools.