The CryptoRights Foundation:

Mission    |    Donate    |    Podcast    |    News    |    Help
   
 

Services
Research
* Overview
* HighFire
* HuRiCANE
* VoteSecure
* HighWire


About CRF
Join/Participate

 

About CRF's R&D Philosophy

Be Open

We always submit our security solutions to public review. Period. If it came from CryptoRights, you can see how it works. Just ask. CRF is very committed to the exclusive use of openly-reviewable security software that can be checked and reasonably confirmed to be reliable and safe for humanitarian use.

Use Open Source Software

Our R&D Group is committed to building on academic and other "open source" security research and development efforts. We strongly support the rights of academics and other public security professionals to do security research in the public domain because that's the only kind of security that is trustworthy. What CRF will not do is trust anyone who won't openly explain exactly how their security technology protects people: this is known among responsible security professionals as "snake-oil".

Listen to Your Users

The biggest problem with most security solutions is that no-one first asked the people who will be protected what they need and want. CRF starts each project by listening to people who will be using the technology. Our goal is to produce user-friendly solutions, a significant challenge for designers of security technologies. This is one reason why CRF hosts open, public (and numerous private) forums like the PGP-USERS List, where Users can discuss their experiences with security technologies.

Use the Technology

Be wary of technology, but don't be afraid of it: when you can simplify a process or a solution by applying a technology, do all you can to leverage it into the overall solution without jepoardizing the security envelope.

Use What You Recommend to Others

If we can't trust a security solution to protect us, we won't ask you to trust it either. Simple as that. And we have pretty rigorous standards.

Keys Are Cheap but Lives Are Valuable

Because we rely on the openness of any particular security technology, we concentrate on the Keys used in the system to provide the "privacy" for the users. Nearly all of our security solutions use very strong Public Key Cryptography and we apply the "two-person rule" (two users sharing a key to prevent abuse).

Use Freeware

CRF always prefers to use freeware public domain security software and protocols. Non-proprietary security technologies do not cost our NGO clients large amounts of money to acquire and maintain, and they are as a rule not constrained by intellectual property disputes or by commercial pressures that compromise a true committment to security and encourage cost-cutting that introduces vulnerabilities and even backdoor attacks.

Don't Reinvent the Wheel

Using tried-and-true technologies is extremely practical, but it's also more secure when creating high-assurance information security solutions for fieldworkers. Security system components should be thoroughly tested over as many years as possible, and by as many different people as can possibly review it. CRF is not trying to "reinvent the wheel," only to "get it rolling" under real world conditions where security constraints are extreme. We therefore prefer to integrate and extend existing free security technologies rather than invent new ones. In most cases, custom development work is required to integrate freeware technologies with each other, but we keep that to a minimum.

Adhere to Standards

CRF supports the responsible development of security protocols with input from many sources and in full view of the public. Any security policy, protocol or technology developed behind closed doors is probably not one that's intended to protect you, but is more likely somone's attempt to protect their profits or other motivations from inspection.

The OpenPGP standard is a good example of a security protocol that has been designed in public and refined over more than ten years by being subjected to frequent public review and challenge. The majority of the basic technical work is performed by the volunteers of the OpenPGP Working Group under the auspices of the IETF (Internet Engineering Task Force), which has no commercial affiliation. The public can send feedback through one of many forums, including CRF's PGP-USERS mailing list, where many PGP engineers from around the world listen to bug reports, feature requests and other user experiences. There are also various newsgroups and other related technical lists for more specific input.

Remember That Reputation Is Critical

CRF is building anonymizing technology into several of its solutions in order to provide humanitarians with limited identity protection when it's necessary to protect witnesses, ballots or evidence, etc. In situations where anonymity isn't required, we use Persistent Pseudonymity to add Reputation to the system: this helps us prevent abuse of our security solutions.

Be Honourable

People who violate the Golden Rule or basic security principles or who deceive others cannot be relied upon to develop security services for humanitarians. And anyone who tries to convince you to select a security solution because it's "unbreakable" is almost certainly a "scam artist" who is neither qualified to be doing security work nor worthy of your trust. CRF vets it's core staff and uses upon lengthy reputation checks to place people in sensitive positions.

Return to the Research Homepage

Send Us Your Feedback About Our Philosophy:

Our R&D Philosophy only improves when more people get involved, so we appreciate any constructive input you might want to offer us about it — positive, negative or otherwise. You can send us feedback using our handy Feedback Form, setting the form's "To:" popup menu to direct your feedback to the "Research Management" team. Thank you!

Please visit our Policy Page for information on our other policies, philosophies and operating principles.

 

Feedback        |         Policy    © 1998-2008 CryptoRights Foundation, Inc. — a 501(c)(3) nonprofit human rights NGO.