Cage & Mirror Publishing
Privacy: The Ephemeral Internet
Privacy Architecture for a Surveillance-Free Web
"Cannot read" beats "will not read."
Book Details
- Publisher: Cage & Mirror Press
- ISBN: 979-8-9940343-8-5
- Status: Available Now
- eBook: $9.99
- Paperback: $19.99
- Hardcover: $29.99
The question is not whether surveillance infrastructure can be reformed through policy, regulation, or corporate goodwill. It has been under reform pressure for over a decade, and the surveillance has intensified, not diminished.
The question is whether the underlying architecture can be replaced.
Privacy: The Ephemeral Internet presents six cryptographic components that, composed together, make mass surveillance architecturally infeasible — not prohibited by policy, not limited by regulation, but structurally impossible.
The Design Principle
Policies can be changed. Laws can be circumvented. Promises can be broken. But cryptographic architecture cannot be secretly reinterpreted by a court memo or quietly abandoned during an acquisition.
This book designs for the honest-but-curious operator: assume every server reads everything it can access, then remove access rather than trusting restraint. The result is infrastructure where operators provide service without the ability to surveil — not because they've promised not to, but because the architecture makes it computationally infeasible.
The Six Components
1. Anonymous Identity
Problem: Single Sign-On solved credential management while creating comprehensive surveillance. When you click "Sign in with Google," Google sees which site you're visiting, when, and your identity.
Architecture: Hash-derived, site-specific tokens. The same user gets cryptographically unlinkable identifiers at each site. Authentication works. Cross-site correlation does not. The provider cannot learn which sites the user visits.
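An added example (not code from the book) of the hash-derived, site-specific token idea: the exact derivation is not given on this page, so HMAC-SHA256 over a root secret that never leaves the user's device is assumed as the construction, and the site names and databases are constructed sample data.

```python
import hmac
import hashlib
import secrets

# Assumed construction: token = HMAC-SHA256(root_secret, site_id). Derivation
# happens on the user's device, so no identity provider learns which sites are
# visited, and a site never receives root_secret, only its own token.
def site_token(root_secret: bytes, site_id: str) -> str:
    """One stable identifier per (user, site); tokens for different sites
    cannot be linked to each other or to the user without root_secret."""
    msg = b"site-token:" + site_id.encode()
    return hmac.new(root_secret, msg, hashlib.sha256).hexdigest()

def register(site_db: dict, site_id: str, root_secret: bytes) -> str:
    """What a site stores is only the token (plus its own per-user state)."""
    token = site_token(root_secret, site_id)
    site_db.setdefault(token, {"logins": 0})
    return token

def login(site_db: dict, site_id: str, root_secret: bytes) -> bool:
    """Authentication works: the same device re-derives the same token."""
    token = site_token(root_secret, site_id)
    if token not in site_db:
        return False
    site_db[token]["logins"] += 1
    return True

def can_link(site_db_a: dict, site_db_b: dict) -> bool:
    """Two sites pooling their user tables: do they share any identifier?"""
    return bool(set(site_db_a) & set(site_db_b))

def demo() -> dict:
    # Constructed sample: two users registered at two unrelated sites.
    alice, bob = secrets.token_bytes(32), secrets.token_bytes(32)
    shop, forum = {}, {}
    for user in (alice, bob):
        register(shop, "shop.example", user)
        register(forum, "forum.example", user)
    return {
        "alice_logs_in": login(shop, "shop.example", alice),
        # Binding the token to the site id means a token derived for a
        # different name (here a lookalike) is simply unknown to the site.
        "lookalike_domain_fails": login(shop, "sh0p.example", alice),
        "sites_can_link_users": can_link(shop, forum),
    }
```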
2. Blind Database
Problem: "Encryption at rest" protects against offline theft of storage media — it does nothing against compromised applications, subpoenas, or insiders. Researchers have recovered 60–80% of encrypted medical data without any decryption key, using frequency analysis on preserved properties.
Architecture: The server stores opaque ciphertext indexed by keys it cannot derive. The client encrypts before upload. A breach yields noise.
3. Proof of Human
Problem: An online identity costs nothing to create. One operator can control thousands of accounts for spam, vote stuffing, and synthetic personas. CAPTCHAs train their own replacement. Biometrics are permanent credentials that can't be rotated. Reputation systems measure gaming success.
Architecture: Accumulated low-cost humanness signals — email verification, payment instruments, activity history — produce a logarithmic effort score. The score travels with the user. The raw behavioral data does not. This proves humanness and enforces one identity per person without biometric databases or wealth barriers.
4. Ephemeral Communication (HermesP2P)
Problem: Content encryption is solved. Metadata is not. The server that can't read your messages still knows who sent them, who received them, when, and how often. As former NSA Director Michael Hayden stated: "We kill people based on metadata."
Architecture: Peer-to-peer messaging with onion routing. Each relay knows only the previous hop and next hop. No central server accumulates relationship graphs. Once delivered, nothing persists.
5. Zero-Trust Collaboration (Cryptogram & Delegator)
Problem: Multi-party workflows inherently leak because coordination requires information to flow between participants. A simple purchase exposes your identity to the payment processor, your purchase to the store, your address to the carrier. The union of what all parties see is everything.
Architecture: The workflow description is encrypted into sections, each encrypted for only the recipient that needs it. The payment processor sees payment details but not the item. The carrier sees destination but not the buyer. A blind delegator routes fragments without reading them.
6. Censorship-Resistant Distribution (Chess)
Problem: The most cryptographically secure application provides no protection if the gatekeeper removes it from the app store. Apple removed all VPN applications from the China App Store in 2017. iOS users had no alternative.
Architecture: Software as self-validating executable documents. The artifact carries its own code, state, integrity proof, and cryptographic signature. Verification happens locally without certificate authorities or app stores. Security is intrinsic to the content, not dependent on the transport.
Composition
The six components close each other's gaps. Anonymous Identity alone leaves the User Service vulnerable — Blind Database encrypts it. HermesP2P eliminates metadata but creates spam risk — Proof of Human enforces cost. Each component provides value independently. Together, they form an architecture where mass surveillance requires breaking cryptographic primitives rather than filing a subpoena.
Four components are implementable today with existing cryptographic libraries. HermesP2P is prototypable. Chess requires ecosystem development.
What This Does Not Do
Every chapter includes an explicit "What This Does Not Protect Against" section. This book is honest about its scope:
- Does not defeat a nation-state adversary with physical access to your device
- Does not protect against a compromised client application
- Does not make targeted investigation impossible — it makes mass surveillance infeasible
- Does not eliminate metadata from all layers (physical transport still has some)
- Does not require all six components — partial adoption has explicit, bounded gaps
The correct comparison is not against an imagined ideal but against the actual status quo. Does the architecture reduce the set of threats that succeed? Yes. Does it raise attack costs? Yes. Does it eliminate categories of vulnerability? Yes.
Who This Book Is For
Software architects building systems that handle personal data. Security engineers evaluating privacy architectures. Technical leaders making build-versus-buy decisions about identity, storage, and communication infrastructure. Anyone who wants to understand what a privacy-preserving internet would look like at the protocol level.
Assumes: Familiarity with basic cryptographic concepts (hashing, symmetric and asymmetric encryption, digital signatures). Comfort reading pseudocode. Understanding of client-server architecture.
From the Book
"Every property preserved is information leaked. This is not a flaw in any particular scheme. It is a mathematical consequence of what 'preserving a property' means."
"For most of human history, forgetting was the default. A conversation in a market square left no record. The digital age inverted this default. The effort now lies in forgetting."
"When the channel is disrupted, the trust is disrupted, even though the software itself has not changed."
"The most secure data is data that does not exist."
Sample Chapter: The Metadata Problem
Content encryption is a solved problem. AES-256, ChaCha20-Poly1305, Signal Protocol — the cryptographic community has produced ciphers that resist every known attack. When properly implemented, the content of a message is unreadable to anyone but the intended recipient.
This is the wrong problem.
When you send a message through a centralized service — any centralized service, encrypted or not — the server processes metadata: who sent it, who received it, when, how large, and how often. The server that cannot read the ciphertext still observes the envelope. And envelopes are sufficient.
In May 2017, Reality Winner, an NSA contractor, printed a classified document about Russian election interference and mailed it to a news organization. She was identified and arrested within days. The investigation did not require breaking any encryption. It used four layers of metadata.
First, the document contained printer microdots — invisible dots encoding the printer serial number, date, and time. The physical artifact identified the printer. Second, NSA internal audit logs recorded who had accessed the document. Six people had printed it. Cross-referencing with the printer identified by microdots narrowed the field. Third, email records showed that Winner had exchanged messages with the news organization from her work account. Not the content — the fact of communication. The metadata. Fourth, a postmark on the mailed envelope provided geographic and temporal correlation.
Content was never decrypted. Content decryption was never necessary. Metadata — who communicated with whom, when, from where, using what device — was sufficient to identify, locate, and prosecute.
This pattern generalizes. Intelligence agencies have stated explicitly that metadata is often more valuable than content. Content requires interpretation. Metadata is structural. Who talks to whom reveals organizational hierarchies. Communication frequency reveals operational tempo. Timing reveals coordination. Geographic patterns reveal physical location. None of this requires reading a single word.
The metadata problem is architectural. A centralized server is a natural collection point for communication metadata because the server routes messages. Every message that passes through the server reveals source, destination, timestamp, and size to the server operator. Encrypting the payload protects content but not metadata. The server learns the social graph — who knows whom, who talks to whom, how often, when — regardless of whether it can read what they say.
This is not a flaw in any particular messaging service. It is a consequence of centralized routing. Any architecture with a central routing point accumulates metadata at that point. The only way to eliminate metadata collection is to eliminate the central routing point.
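An added simulation (not code from the book) of the contrast this chapter draws and of the HermesP2P relay design described under component 4: a message is wrapped in one layer per hop, and each hop's log records only the previous and next hop. The layer cipher, relay names and keys are constructed for illustration; the book's real construction is not on this page.

```python
import hashlib
import json

# Toy layer cipher: XOR with a SHA-256 keystream. Constructed for illustration
# only; it is not a secure cipher. What matters here is who can peel which layer.
def toy_xor(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], keystream))
    return bytes(out)

def build_onion(path: list, keys: dict, payload: bytes) -> bytes:
    """Sender wraps the payload once per hop, innermost (recipient) layer first.
    Each layer names only the next hop, so a relay learns nothing beyond it."""
    blob, nxt = payload, None
    for hop in reversed(path):
        layer = json.dumps({"next": nxt, "body": blob.hex()}).encode()
        blob, nxt = toy_xor(keys[hop], layer), hop
    return blob

def relay_peel(name: str, keys: dict, blob: bytes, prev: str, observed: dict):
    """A relay removes its own layer; all it records is prev hop and next hop."""
    layer = json.loads(toy_xor(keys[name], blob))
    observed[name].append({"from": prev, "to": layer["next"]})
    return layer["next"], bytes.fromhex(layer["body"])

def route(sender: str, path: list, keys: dict, payload: bytes):
    """Deliver along path; returns (recipient, plaintext, per-hop observations)."""
    observed = {hop: [] for hop in path}
    blob, prev, current = build_onion(path, keys, payload), sender, path[0]
    while True:
        nxt, blob = relay_peel(current, keys, blob, prev, observed)
        if nxt is None:
            return current, blob, observed
        prev, current = current, nxt

def anyone_sees_both_ends(observed: dict, sender: str, recipient: str) -> bool:
    """A central router's log holds (sender, recipient) directly. With two or
    more relays no single hop's log does; with one relay it still does.
    Timing and size remain visible per hop: the residual metadata the book notes."""
    return any(o["from"] == sender and o["to"] == recipient
               for log in observed.values() for o in log)
```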