Introducing Virtual Notary

We spend more and more of our lives online. A large fraction of our lives is digital now.

Yet there is hardly any witness to the digital trail we leave behind. Digital events are malleable and fragile. It is possible for someone to do things online that have significant consequences for others, and to later retroactively delete, modify or change the online record, in effect altering history. A digital, neutral, dispassionate witness is critical to recording online facts and conveying them to third parties in a trustworthy manner. Such witnesses are also useful when the party being witnessed is oneself. Take, for example, the case of an inventor with a discovery, a job applicant who'd like to prove her credentials, or a borrower who wants to demonstrate the last sale price of a house as collateral. At the moment, all such claims are based on one's say-so and reputation. Ideally, there'd be a trustworthy way to acquire meaningful certificates that electronically encode such facts and present them to others.

This prompted my group to develop a service called Virtual Notary that attests to online factoids. Virtual Notary can issue certificates on a wide range of topics, including document possession, job titles, weather conditions, and financial data, among others. A novel implementation issues independent certificates that can be verified by third parties many years from now. The implementation also encrypts, embeds and publicizes the state of the notary both on Twitter and in the public Bitcoin transaction chain. This ensures that the virtual notary cannot be subverted and the historical record altered, even if the website were to be compromised.

Those of you who can immediately see the value of such a service can check it out here. It's free and will remain so for the foreseeable future. For the rest, let me first describe some of the usage scenarios that we had in mind as we were developing this service, and then illustrate how the service uses X.509 certificates and the Bitcoin public record behind the scenes.

Document Possession

It is sometimes critical to show that you possessed a particular document at a particular time.

Imagine, for instance, that you just invented a new design for a quantum computer. The old adage was that you should write up your invention and mail it to yourself with certified mail, thereby using the postal service as a timestamping service. Having to go to the post office and waiting in line is an inefficient way of obtaining such a timestamp, not to mention how archaic it is to be dealing with stamps and certified mail slips to certify digital content. And a prolific inventor would face a logistical nightmare of unopened envelopes.

Or imagine that you're distributing open source software. You would like to make sure that no one tampers with your software, so you diligently publicize its hash right next to the tarball link. What is to keep a hacker, who has owned your server, from changing both your tarball and the publicized hash at the same time? What measures do you have in place so you'd even notice?

Virtual Notary provides a document attestation feature for these kinds of scenarios. In particular, Virtual Notary will issue a certificate that says, in essence, that you possessed a digital document (file, document, picture, audio recording, etc) that has a particular hash on that particular date. It issues you a certificate that you can later use to demonstrate that you had the corresponding file on that date. If one were to craft an altered document later, there would be no way to create a valid certificate with a backdated timestamp on it. So, for software distributions, a hash certificate issued for a modified version would plaintively contain a much later date than the original, making the tampering easy to check. And even better, Virtual Notary does not make or retain a copy of your document or embody it in the certificate. It provides the timestamping service while keeping the content private.

Web Page Contents

Lots of things get published on the web. And sometimes you need a trustworthy record.

Imagine that someone published a web page slandering you and your life's work. "Joe User drop-kicks babies and hates apple-pie" they said, whereas everyone knows you just love apple-pie. Or they went to a rating site for people in your profession (say, educating the wayward) and wrote "he's an excellent professor but uses comic sans on his slides", a clear falsehood (you decide which part is false), and did not click the "hot pepper" icon next to the review, a grievous slight. You'd naturally call your lawyer and make arrangements to sue them to smithereens, but how do you establish that they published false claims in the first place? Search engines would not have the page indexed if the site administrator turned indexing off in robots.txt. The Internet Archive, on its shoestring budget, is unlikely to have archived that page at the instant you care about. And to a tech-savvy judge, your website printout is worth about as much as those other pieces of paper that are hanging in the court's bathroom, as it's all too easy to download a page and edit it any way you like.

What you need is a third party that will download and attest to the contents of a web page. Virtual Notary can provide certificates that show the contents of a web page and thus serve as an online witness. The certificate is issued with a timestamp and contains the full contents, and is thus immutable even if the website is modified later.

Twitter Feed

People tweet questionable content fairly often, and later edit their tweet streams to excise material. The most notable example of this was the Weinergate scandal, which is too risqué for this workplace-friendly blog, but in essence, Congressman Anthony Weiner tweeted inappropriate pictures, quickly deleted the offending tweets, and then denied the entire episode using ever more creative excuses. He was ultimately forced to resign solely because some individuals had been monitoring and recording his tweets. While that worked in his case because of his position and the number of zealous eyes following his every move, what would be useful would be a dispassionate, neutral, trustworthy watchdog service that can work for everyone at all times.

Virtual Notary uses the Twitter API to fetch and attest to the tweet stream of any Twitter user. It creates a timeless certificate that captures solely authentic tweets, as seen from the notary's standpoint on the Internet. Virtual Notary does not operate with your permissions, does not know who you are, and does not have access to your followers list, so you can use it without revealing any information. On the flipside, the target user's tweet stream needs to be public, as the notary cannot certify private tweets it cannot see.

DNS Entries and WHOIS data

I once served as a technical expert in a very public lawsuit (yes, you've heard of it). The plaintiffs, let's call them Poor Forensic Data Association of America (*AA for short), had collected evidence that users at specific IP addresses had participated in some criminal activity and demanded astronomical fines. On the defendants' side, our first reaction was to look through the IP address evidence that the plaintiffs brought to the table. And it was full of problems.

Critical to legal proceedings is a notion of jurisdiction: if the users at those IP addresses were inside the US, they counted as an aggrieved party; outside, they were nobodies as far as that particular court case was concerned. And when I checked the IP addresses *AA had flagged as offenders, I found that a significant percentage were outside the US. Were the IP addresses reassigned during the court proceedings? That would bolster the plaintiffs' case. Or was the data collection technique sloppy, placing *AA's entire argument on shaky footing? Those of you who know how often IP blocks are reassigned between RIRs will have a good grasp of the correct answer in this specific case. But the bigger point is that, had the people collecting IP data used a third party like Virtual Notary to record the DNS information as of the moment of data collection, their case would have been much less flimsy, and they would look much more professional in court.

A more egregious example came from court proceedings in another trial that garnered much debate in Europe, where the Turkish government jailed a large percentage of its military high-brass. At stake was a claim that the military establishment had purchased a domain name and used that website to promote incendiary speech that sought to divide the country, a charge that carries up to a 25-year sentence (ok, before someone naively exclaims "but all speech should be free", let's take it as an axiom that laws on acceptable speech and conduct vary between countries). Critical to this claim was DNS data, WHOIS data and web contents. The defendants claimed that the website was one of many that were owned and abandoned, and that it had been picked up later and used by the government to frame them. Indeed, the government could not furnish evidence that tied the DNS information, WHOIS information and the web contents together at the same time to the defendants. (Interestingly, this did not keep the government from keeping the defendants in jail. Many experts believe that the government has also used backdated forgeries in this case, where the font of the document did not exist on the date placed on the document. Around 415 people are currently in jail.)

Virtual Notary can provide certificates that show DNS mapping data as well as WHOIS data. If you need to tie a DNS name to an IP address, or an IP address to a DNS name, or a DNS name to its publicized owner, Virtual Notary can help. Keep in mind that Virtual Notary cannot provide information beyond what is available in public databases. We collect, retain and research absolutely no private information; instead, the notary acts as an impartial witness to publicly observable factoids.

Exchange Rates

Suppose you went to France and purchased a bottle of wine using your credit card. And let's imagine that your loving bank, which you voted to rescue from the brink of bankruptcy with your hard-earned taxes when it was in trouble, decided to use this opportunity to stiff you by using an exchange rate that was less like Euro to USD and more like Euro to the Kyrgyzstani Som. To launch a proper dispute, you need an official record of the exchange rate. Virtual Notary can furnish that. The certificate contains the full details of the currency service so the provenance of the data can be traced back to the original source.

Stock Quotes

You told your broker to sell Dangdang Enterprises (a real Chinese retailer) if the price drops 5% below your buy. Yet you find yourself with a stock portfolio full of Dangdang despite the stock having tanked this year, and all you can do is repeat the name of the company to yourself. Resolving the dispute with the broker will require some demonstration that the stock did indeed drop more than 5% below your buy.

Virtual Notary provides a plugin that can attest to the near-real-time stock quotes provided by the Yahoo Finance Service. Now you can have a verified, dispassionate third party weigh in on the stock price.

Weather Conditions

It can get cold in upstate New York. Not just cold enough that your eyes tear up, but cold enough that they tear up and freeze in your eyelashes, and leave you unable to see anything but a fuzzy white blob. You're left wondering what happened to your eyesight, whether it's physically possible for your cornea to get freeze-dried, and whether you'll see the world again. When I tell this story, some Minnesotan always counters with a story about how all four doors on their car froze shut so they had to crawl through the trunk, and all this happened in a heated garage. Well, we need a way to settle these disputes on who has the worst conditions.

More usefully, farmers making insurance claims may have to document the extent of their crop damage. They, as well as the many people who buy and sell derivatives based on weather events, may need tools to attest to weather.

Virtual Notary can provide an attestation to the current weather conditions at any zipcode. This plugin is limited to the US at the moment; if you know of a weather data source that extends beyond the US, please let us know.

Job Affiliation

We all get asked what we do for a living. While this is a critical question in certain settings (e.g. mortgage applications), I doubt that more than a few percent of these self-declared titles actually get checked. And while it's kind of fun to make up job titles (e.g. my favorite euphemism for any job where you're just hanging around, running out the clock is "chief eventual consistency engineer"), on occasion, someone needs a verified credential check. The main way people verify someone else's job title is by performing the check themselves. Not only is this tedious, but things get complicated if you were employed at time X but the check happens at a later time Y.

Virtual Notary can provide a job and title attestation for a handful of employers. This service is limited to Cornell, UIUC and MIT at the moment. We welcome code for a larger number of employers.

Housing

Sometimes, it is useful to ascertain that 1060 West Addison is indeed a 3-bedroom property that is assessed at $650,000 and was last sold three years ago for $750,000. Virtual Notary can do this, based on data from Zillow.

Promissory Note

It's often useful to record certain statements and agreements. Whether it's a certain promise from a boss, friend, or co-worker, there is a need for a website where someone can say "if X were to happen, I will do Y."

Virtual Notary enables people to issue such promissory notes. The format of the promissory certificate is free-form English, which provides maximum flexibility on what can be expressed. And the identity of person X can be tied down to a specific email or IP address. Entered a bet about how you'll eat your shirt if some startup is still alive in a year? Sign it in (virtual) blood with a promissory note.

Officially Random

Many cryptographic protocols need an officially agreed-upon, public random number seed. Virtual Notary can serve this function, with the aid of random numbers provided by random.org. The randomness is derived from measured atmospheric variations that are difficult to predict or model, and considered trustworthy by many cryptographers.


Limitations

Virtual Notary is a technological proof-of-concept. It is not an official, legally-recognized notary, whose definition is provided by law, whose statements are court-recognized, and whose procedures are regulated. For operations that require legal standing, you should seek the help and services of an official, state-recognized notary. Please do not use Virtual Notary for something critical, like your will -- you should enlist the services of a lawyer and a certified notary public.

Truth vs. Notarization

A common misconception is that notaries stand for or attest to the absolute truth. That task is far too difficult and far beyond the scope of the well-defined, narrow task ascribed to notaries.

When you walk up to a notary, provide ID for someone named X and make a statement S, and the notary issues you a certificate, that certificate does not say "X said S." Instead, it says "The notary says that someone presented two forms of ID bearing the name X, and made the statement S." The difference is subtle but critical. The first one requires that the notary establish true identity, a task that is impossible to do with total accuracy. The second one is much better-defined, 100% correct and defensible in court, and therefore it is much more useful in practice. We have all sorts of other mechanisms for establishing absolute truth; a virtual notary's statements serve as input to those processes. So, all statements made by Virtual Notary explicitly state the attestation, and point to the true authority on the topic. For instance, the exchange rates factoid says "According to Yahoo Finance Data, the exchange rate from Renminbi to USD was X," all entirely checkable statements.

Note that the world may look different from the notary's vantage point. So a web site might be served differently to a notary than to you, in which case you may have to resort to other mechanisms to establish its content.

Implementation

For the Virtual Notary's certificates to be useful, they need to be trustworthy. And we've designed the service to be resilient, compartmentalized and failure-isolated in the presence of attacks. In fact, the entire design is structured such that even a complete break-in of the Notary service confers no ability to attackers to affect statements issued in the past.

There are some neat tricks in the implementation that ensure this security property.

First of all, all statements made by the Virtual Notary form a hash chain. Every single certificate issued by the notary contains a serial number derived by hashing all past certificates. Thus, someone who breaks in and acquires the notary's keys (akin to a seal in real life) cannot go back in history and issue a backdated certificate, as there would be a discrepancy in the hash chain.

Second, any discrepancies in the hash chain would be immediately obvious and public. Virtual Notary tweets every single new addition to the hash chain. Further, twice a day, a transaction for a very small amount of money is recorded in the public Bitcoin transaction ledger, along with the state of the Virtual Notary. This ensures that the state of the notary cannot be unwound or rolled back.

Finally, Virtual Notary keeps the master key for the notary off-site, and uses temporary signing keys that are routinely replaced for signatures. This ensures that the effects of an attacker who has compromised the site can be bounded in time once detected, as the attackers cannot forge new keys without the master key.
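
The first two mechanisms above, and the digest-only certificate from the Document Possession section, as an added sketch that is not Virtual Notary's own code. It assumes SHA-256, a serial computed as hash(previous serial || certificate body), and hypothetical names (issue, audit, anchors); signatures are left out and all sample data is constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed start-of-chain value

def document_digest(data: bytes) -> str:
    """Hash a document locally; the certificate carries only this digest."""
    return hashlib.sha256(data).hexdigest()

def next_serial(prev_serial: str, body: dict) -> str:
    """Assumed rule: serial = SHA-256(previous serial || canonical body),
    so each serial commits to every certificate issued before it."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_serial + canonical).encode()).hexdigest()

def issue(chain: list, statement: str, issued_at: str) -> dict:
    """Append a certificate to the chain and return it."""
    prev = chain[-1]["serial"] if chain else GENESIS
    body = {"statement": statement, "issued_at": issued_at}
    cert = {"body": body, "serial": next_serial(prev, body)}
    chain.append(cert)
    return cert

def audit(chain: list, anchors: dict) -> list:
    """Recompute the chain and compare it with serials published elsewhere.
    `anchors` maps chain position -> serial and stands in for the tweets and
    Bitcoin records, which the notary's own server cannot rewrite."""
    problems, prev = [], GENESIS
    for i, cert in enumerate(chain):
        if next_serial(prev, cert["body"]) != cert["serial"]:
            problems.append(f"cert {i}: serial does not follow from history")
        if i in anchors and anchors[i] != cert["serial"]:
            problems.append(f"cert {i}: differs from published anchor")
        prev = cert["serial"]
    problems += [f"anchor {i}: certificate missing (rollback)"
                 for i in sorted(anchors) if i >= len(chain)]
    return problems

def demo() -> dict:
    """Constructed scenario: an honest log, then two attempts to rewrite it."""
    chain, anchors = [], {}
    release = document_digest(b"constructed sample: release-1.0 tarball")
    facts = [(f"possession of sha256:{release}", "2013-06-19T10:00Z"),
             ("constructed statement A", "2013-06-19T11:00Z"),
             ("constructed statement B", "2013-06-19T12:00Z")]
    for statement, when in facts:
        cert = issue(chain, statement, when)
        anchors[len(chain) - 1] = cert["serial"]  # published as issued
    # Attempt 1: splice a backdated certificate into the middle of the log.
    spliced = list(chain)
    forged = {"statement": "backdated claim", "issued_at": "2013-06-19T10:30Z"}
    spliced.insert(1, {"body": forged,
                       "serial": next_serial(chain[0]["serial"], forged)})
    # Attempt 2: replace the first statement and recompute every later serial;
    # the log is internally consistent but no longer matches the anchors.
    rewritten = []
    tampered = document_digest(b"constructed sample: modified tarball")
    issue(rewritten, f"possession of sha256:{tampered}", "2013-06-19T10:00Z")
    for cert in chain[1:]:
        issue(rewritten, cert["body"]["statement"], cert["body"]["issued_at"])
    return {"honest": audit(chain, anchors),
            "spliced": audit(spliced, anchors),
            "rewritten": audit(rewritten, anchors)}

if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```

The rewritten log passes the internal chain check and fails only against the anchors, which is why the serials have to be published somewhere the notary's server does not control.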

Internally, the system is modular and composed of various Python plugins for determining and attesting to different kinds of factoids. This makes it easy to extend it to attest to new kinds of online factoids as there is demand and as people develop plugins for extracting those factoids.

The certificates issued by Virtual Notary are X.509 attribute certificates. The X.509 standards are open. The certificates can be parsed by anyone with a standards-compliant parser, even if, for some reason, the virtual notary service were to be shut down. The attested certificates are available on the web at a private URL, so you can easily pass them around. Optionally, one can download the X.509 certificates for posterity and fault-tolerance.

Overall, Virtual Notary issues certificates that possess a level of inherent trustworthiness, verifiability and technical defensibility. We hope that they are useful for your needs.

What Next?

There are lots of interesting new services possible once people are equipped with the ability to pass attribute certificates. At the moment, online services are based either on direct evidence, where a website itself checks a fact (a laborious process that involves some work at least on behalf of the website, and perhaps yours -- you may be familiar with the various email account activation messages, for instance), or else they are based solely on hearsay (and sometimes, for instance when entering email addresses on web forms, the website makes you say the same thing twice just to make sure that it has a chance of being correct). Attribute certificates can obviate much of this and make the online experience much better. Imagine, for instance, that a user furnishes a certificate to show that they are over 18, but does not have to reveal her identity to anyone. Such abilities have far-reaching ramifications, and Virtual Notary is a first step in tackling some of these questions that happens to also use some cool technology under the covers.

The Virtual Notary service is currently in alpha. That means that there are many rough edges, but the general sketch of a useful service is taking shape and it may be useful to some people as is. So we're making the service public, and would like to enlist your help. This help can come in several different forms:

  • We'd be grateful to any and all early adopters who use the system and provide feedback and suggestions.

  • If you have suggestions for new online factoids that are of direct relevance to you and your company, please get in touch. We're looking to expand the universe of statements that Virtual Notary can issue.

  • If you notice bugs or rough edges, please get in touch. We're striving to improve the current factoid plugins and make them more robust.

  • If you would like to contribute new plugins, and are familiar with Python/Django, please get in touch.

  • If you are interested in the legal aspects of online notaries, have the requisite legal background, and would like to help make the current legal landscape more friendly for modern ways of attesting to online facts, please get in touch.

  • If you find some aspect of the system useful and would like to contribute, you can donate Bitcoin through the link below. We use 0.01 bitcoins per day to record the state of the notary.

The Virtual Notary service will remain a free service for the foreseeable future. And I hope it will grow, with community support. Many thanks in advance for your hand in making it better.
