certifying electronic communications between third parties?

[Colin Rowat]

If A and B are conversing on mobile phones (whether by Skype, Facetime, Viber, voice), is there any legal way that C (who is physically proximate to A) can certify the connection between A and B?  C has access to a rooted Android phone.

I'm happy to provide further details in private.  To allay any concerns that might arise from the lack of detail here, I stress that C's actions must be legal; further, C is not trying to eavesdrop on the content of the A - B connection.

Thanks,

Colin / espero

[Nick Johnson]

You're going to have to define what you mean by "certify" before you'll get any sensible answers.

-Nick

--
You received this message because you are subscribed to the Google Groups "London Hackspace" group.
To unsubscribe from this group and stop receiving emails from it, send an email to london-hack-sp...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[David Murphy]

If you mean certify to B that A is who A says he is with his cooperation: sure. C could take the form trusted 3rd party who verifies the identities of people and issues signed certs.

If you mean certify as in "witness" like witnessing the communication so that they could later testify that A and B communicated at such and such a time then not really: C can say nothing about whether B is even taking part in the conversation. B could really be X running through a virus running on [B]'s device or someone elsewhere in the network.

You'll need to be more clear about what you want though.

 

[Bacon Zombie]

Have a look at this.

http://risky.biz/news_and_opinion/patrick-gray/2014-09-18/why-i-started-invisibleim

BaconZombie

55:55:44:44:4C:52:4C:52:42:41

LOAD "*",8,1

[Colin Rowat]

Thanks all.

I'd meant "certify" in David's 2nd sense, of "witness".  Actually, I'd be happy with a weaker sense: can C later credibly testify that A and B were connected, regardless of on whose behalf?  I suspect that the answer to this must be "no": if A is on, for example, Skype, I can't see C being able to see with whom.

If so, I'll settle for an even weaker definition: can C later credibly testify that A was using Skype (for example)?

BaconZombie - I'm assuming that A and B aren't using invisible.im or the like.

[Nick Johnson]

Does C have any control over the software running on A or B's phone? If not, then no, C can't certify anything: being able to do so would be a massive compromise of A's privacy.

-Nick

On Thu, May 7, 2015 at 10:21 AM Colin Rowat <c.r...@espero.org.uk> wrote:

Thanks all.

I'd meant "certify" in David's 2nd sense, of "witness".  Actually, I'd be happy with a weaker sense: can C later credibly testify that A and B were connected, regardless of on whose behalf?  I suspect that the answer to this must be "no": if A is on, for example, Skype, I can't see C being able to see with whom.

If so, I'll settle for an even weaker definition: can C later credibly testify that A was using Skype (for example)?

On Wednesday, May 6, 2015 at 10:13:35 AM UTC+1, David wrote:

[Colin Rowat]

Thank you Nick.

C might be in a position, legally, to require the installation of certain software on A's phone; doing so would be contentious, so C prefers not to.

[Mark Steward]

I still think we need more information. What are you trying to prevent? A denying they had a conversation? B doing the same? A or B claiming they spoke to someone else, or said something else? Some third party D sitting between the two and potentially interfering with the conversation?

And how strong does the assurance need to be - against casual monkeying, to a legal standard acceptable in court, or for protection against corporate/state-level influence?

Mark

[invent_or]

There are various ways to tell if people are or have been on various programs.

Logs are kept on devices and servers. A channel such as IRC can be monitored easily, either publicly by simply joining the same forum, or more subtly by monitoring the device.

Also, depending what you know, you can look at, for example, the IP address connected to (by monitoring a router or controlling DNS for example) & then seeing what is at that port and address - if you get a handshake from a direct messaging chat client, they have connected, though the traffic may be encrypted. But if it is a server based chat, you can't tell where the message went after that.

Of course, if you control the network you could do a MITM or whatever.

Really, we need a lot more info before we can tell what we can tell.

[Colin Rowat]

Thanks Mark.

I'm trying to guard against B denying the conversation with A in court.  Thus, the standard is "to a legal standard acceptable in court".

invent_or: C doesn't have access to A's or B's phones, and doesn't control the network, so doesn't have access to anything other than what's passing through the air.

[Nigel Worsley]

Colin Rowat wrote:
> I'm trying to guard against B denying the conversation with A in court.

Assuming that C would recognise B's voice then A can use a headset with a splitter so that C can listen in, or perhaps record the
conversation.

If the above isn't technological enough then C could have a specially modified bluetooth headset that A pairs to their phone. This
could be used to initiate the call and thus verify the called number, as well as making better recordings. Hardware wise this device
could be another phone, but it is unlikely that an app could get the required level of access to the bluetooth hardware so may need
some fancy rooting and stuff.

Nigle

[invent_or]

If it is phone to phone, and for court, you can subpoena a copy of the phone records. If the call were more than a few seconds long it would be very hard to deny that a conversation took place.

Indeed, you could also bring an itemised copy of the other party's bill too, which would prove the call was made. Certainly to the degree needed for small claims court, & for anything beyond that you can use that as proof to get the subpoena in the other party's call logs.

[Nick Johnson]

If C doesn't have access to A or B's phones, and has no control over the network, then what you're asking is effectively "can a third-party spy on phone records of anyone at all"?

Any system that permits this certification would also permit being able to spy on conversation logs of anyone, anywhere.

-Nick

--

[Mark Steward]

I'm pretty sure there's an assumption that A is willing or at least coerced.

Mark

[Colin Rowat]

Thanks all.

Nick has put the question well: what metadata are publicly available when A and B have a conversation?  The answer seems to be that, without (i) the cooperation of A or B, or (ii) illegally compromising A or B, not enough is available to allow C to certify their conversation using purely technological means (e.g. not subsequent subpoenas).

I think that that runs the question to ground from my point of view.

Colin / espero