Activity Workshop

Murmeli - Questions and Answers

This page expands on the ideas of the forthcoming friend-to-friend system Murmeli, by posing some basic questions about its operation and attempting to answer them. If you have comments or suggestions on these ideas, please send them in by email.

One only has to search for "encrypted social network" or "encrypted email" to find lots of software projects with broadly similar aims. Some of those are active, some failed or died, and some remained just ideas. Currently Murmeli is just a prototype, so what is going to make it different? What's going to make it work, and how will users be able to trust it?

How can I trust that Murmeli's servers won't disappear, stopping everything from working?

There are no servers, it's just your computer talking (through the Tor network) to your friends' computers. And it seems unlikely that Tor will suddenly disappear.

How can I trust that my messages won't be monitored or seized?

While the messages are on their way from sender to recipient, or when they're stored on the trusted relays, they're in encrypted form, without the key. That means that even if someone can see the message, they can't read it or modify it. Only the recipient has the key to unlock and read it.

How can I trust that you won't suddenly start charging for using Murmeli?

Because there are no servers, there's no way to control who runs it and who doesn't.

How can I trust that you won't suddenly start charging for upgrades or premium versions?

Because it's open source, so anyone could create their own free fork in that case.

Will there be adverts, or will data be sold to advertisers?

No and no. There are definitely no plans to ever include adverts. And if anyone were foolish enough to modify the Murmeli code to insert adverts, there would immediately be a free fork of it without the adverts. Problem solved. As for the data, you only provide your data to your trusted friends, so nobody can sell data which you don't provide.

How can I trust that Murmeli doesn't contain backdoors or deliberate weaknesses?

You can look through the source code yourself or get someone else to look through it for you.

How can I trust that Murmeli doesn't contain mistakes or bugs leading to unintentional weaknesses?

There's no guarantee. But if the open source model works, and if problems are reported quickly and openly, then they can be fixed.

So if I post things in Murmeli, they'll be 100% safe?

No. If someone gets your private key and gets your messages, they can read them. If you don't protect your PC then somebody could read the unencrypted messages there. There is a lot more of this on the threats page. If you share your private things with friends, you're trusting them to keep it to themselves. Depending on how they secure their computers, passwords and backups, there may be ways for someone else to get access to whatever you sent, after it was successfully and securely transferred through the network. Plus of course there may be unknown bugs in the RSA implementation on either side, or weaknesses somewhere in the Tor network. But it is our sincere hope and ambition that Murmeli will prove to be a much more secure alternative to email, facebook, and co. It puts you back in control.

Why are you developing a tool for terrorists to communicate?

I really didn't think I needed to spell this out, but I've been asked this more than once so I guess it deserves an explanation.

This question is based on an assumption that only terrorists (or other criminals) could possibly benefit from secure communications, and that non-terrorists would have nothing to gain. I strongly disagree. If Murmeli can help protect the overwhelming majority of honest, law-abiding citizens in an important and meaningful way, then its help to other people would be a regrettable side-effect, not the main aim. Hammers are allowed to be manufactured and sold because they are useful to everybody, not only to those people who would do harm with them. Cars are not outlawed just because bad people use them too.

One possible area of concern, even for perfectly innocent and law-abiding citizens, is state-run mass surveillance. Note that here we are not talking about justified, targeted surveillance. Some people may be of the opinion that some of these indiscriminate, data-trawling and archiving schemes are illegal, unconstitutional and apparently being run completely without any kind of oversight. One could get the impression that they are completely out of control if so much is being kept secret from public debate, and lies are being told under oath. If the democratically-elected representatives, whose job it is to control these schemes, are either unwilling or unable to do so, then it may be in the public's interest to encrypt their personal communications, even if the communications being exchanged are completely banal.

Another point worth noting is that data is permanent, and governments change. Even if one is comfortable with the current government's indiscriminate collection of our data, because they are perhaps perceived as being trustworthy, one should also think about what might happen if the party from the opposite side gets into power and takes ownership of that data and the powers to similarly extend the schemes.

Secondly, it's not just about state-run mass surveillance. Ordinary, honest people who even completely trust the security services to behave responsibly and within the law, may still want to keep their communications private from other organisations. Many people love the convenience of Gmail, Facebook, Twitter, WhatsApp and the like, but not everybody is comfortable sharing personal or intimate information with these corporations. Maybe some people want to share messages or photos with their friends and family without those being scanned, indexed, analysed, tagged and archived by a profit-driven commercial entity. Think face recognition, mood recognition, location and timestamp extraction, friend network analysis, personality profiling and so on. Plus any additional analysis that spammers, scammers and identity thieves may wish to do to the data on the side. For many people, the simplicity and convenience of these "free" services are worth more than the misgivings, but Murmeli is intended to provide an alternative.

Thirdly, there is the question of unsolicited, malicious or offensive messages which can be a problem on some networks, including email. Murmeli checks the signature on each message it receives, and only accepts it if it is signed by a friend whom you have said that you trust. So even users who don't want to hide anything that they themselves say, may choose to protect their inbox from online harrassment and phishing schemes.

I believe that there is a huge number of (innocent, honest, law-abiding and excellent) people who could benefit from a tool like Murmeli, and if it could be of benefit to all those people, then it is something worth discussing and developing. This is the aim of Murmeli.