Murmeli - Questions and Answers

This page expands on the ideas of the forthcoming friend-to-friend system Murmeli, by posing some basic questions about its operation and attempting to answer them. If you have comments or suggestions on these ideas, please send them in by email.

One only has to search for "encrypted social network" or "encrypted email" to find lots of software projects with broadly similar aims. Some of those are active, some failed or died, and some remained just ideas. Currently Murmeli is just a prototype, so what is going to make it different? What's going to make it work, and how will users be able to trust it?

How can I trust that Murmeli's servers won't disappear, stopping everything from working?

There are no servers, it's just your computer talking (through the Tor network) to your friends' computers. And it seems unlikely that Tor will suddenly disappear.

How can I trust that my messages won't be monitored or seized?

While the messages are on their way from sender to recipient, or when they're stored on the trusted relays, they're in encrypted form, without the key. That means that even if someone can see the message, they can't read it or modify it. Only the recipient has the key to unlock and read it.

How can I trust that you won't suddenly start charging for using Murmeli?

Because there are no servers, there's no way to control who runs it and who doesn't.

How can I trust that you won't suddenly start charging for upgrades or premium versions?

Because it's open source, so anyone could create their own free fork in that case.

Will there be adverts, or will data be sold to advertisers?

No and no. There are definitely no plans to ever include adverts. And if anyone were foolish enough to modify the Murmeli code to insert adverts, there would immediately be a free fork of it without the adverts. Problem solved. As for the data, you only provide your data to your trusted friends, so nobody can sell data which you don't provide.

How can I trust that Murmeli doesn't contain backdoors or deliberate weaknesses?

You can look through the source code yourself or get someone else to look through it for you.

How can I trust that Murmeli doesn't contain mistakes or bugs leading to unintentional weaknesses?

There's no guarantee. But if the open source model works, and if problems are reported quickly and openly, then they can be fixed.

So if I post things in Murmeli, they'll be 100% safe?

No. If someone gets your private key and gets your messages, they can read them. If you don't protect your PC then somebody could read the unencrypted messages there. There is a lot more of this on the threats page. If you share your private things with friends, you're trusting them to keep it to themselves. Depending on how they secure their computers, passwords and backups, there may be ways for someone else to get access to whatever you sent, after it was successfully and securely transferred through the network. Plus of course there may be unknown bugs in the RSA implementation on either side, or weaknesses somewhere in the Tor network. But it is our sincere hope and ambition that Murmeli will prove to be a much more secure alternative to email, facebook, and co. It puts you back in control.

Why are you developing a tool for terrorists to communicate?

I really didn't think I needed to spell this out, but I've been asked this more than once so I guess it deserves an explanation.

This question is based on an assumption that only terrorists (or other criminals) could possibly benefit from secure communications, and that non-terrorists would have nothing to gain. I strongly disagree. If Murmeli can help protect the overwhelming majority of honest, law-abiding citizens in an important and meaningful way, then its help to other people would be a regrettable side-effect, not the main aim. Hammers are allowed to be manufactured and sold because they are useful to everybody, not only to those people who would do harm with them. Cars are not outlawed just because bad people use them too.

One possible area of concern, even for perfectly innocent and law-abiding citizens, is state-run mass surveillance. Note that here we are not talking about justified, targeted surveillance. Some people may be of the opinion that some of these indiscriminate, data-trawling and archiving schemes are illegal, unconstitutional and apparently being run completely without any kind of oversight. One could get the impression that they are completely out of control if so much is being kept secret from public debate, and lies are being told under oath. If the democratically-elected representatives, whose job it is to control these schemes, are either unwilling or unable to do so, then it may be in the public's interest to encrypt their personal communications, even if the communications being exchanged are completely banal.

Another point worth noting is that data is permanent, and governments change. Even if one is comfortable with the current government's indiscriminate collection of our data, because they are perhaps perceived as being trustworthy, one should also think about what might happen if the party from the opposite side gets into power and takes ownership of that data and the powers to similarly extend the schemes.

Secondly, it's not just about state-run mass surveillance. Ordinary, honest people who even completely trust the security services to behave responsibly and within the law, may still want to keep their communications private from other organisations. Many people love the convenience of Gmail, Facebook, Twitter, WhatsApp and the like, but not everybody is comfortable sharing personal or intimate information with these corporations. Maybe some people want to share messages or photos with their friends and family without those being scanned, indexed, analysed, tagged and archived by a profit-driven commercial entity. Think face recognition, mood recognition, location and timestamp extraction, friend network analysis, personality profiling and so on. Plus any additional analysis that spammers, scammers and identity thieves may wish to do to the data on the side. For many people, the simplicity and convenience of these "free" services are worth more than the misgivings, but Murmeli is intended to provide an alternative.

Thirdly, there is the question of unsolicited, malicious or offensive messages which can be a problem on some networks, including email. Murmeli checks the signature on each message it receives, and only accepts it if it is signed by a friend whom you have said that you trust. So even users who don't want to hide anything that they themselves say, may choose to protect their inbox from online harrassment and phishing schemes.

I believe that there is a huge number of (innocent, honest, law-abiding and excellent) people who could benefit from a tool like Murmeli, and if it could be of benefit to all those people, then it is something worth discussing and developing. This is the aim of Murmeli.

And what about internal terrorists?

Well, indeed, that has certainly become a much more worrying phenomenon during 2020 and 2021 than it was during the rest of Murmeli development. We've seen the big social media networks struggling with this propaganda, lies, incitement and hate speech and we've also seen rival networks spring up to welcome the people banned by the popular ones. And you can see people who are dedicated to promoting freedom, free speech, equal rights and democracy really struggling with the problems of how to effectively limit the destructive poison which is becoming such a threat.

Murmeli, by design, has no servers, so there's no possibility for an administrator to ban a user. It's up to the users to choose who to be friends with. If I want the possibility to send an unreadable, untraceable message to a friend of mine, then that automatically means that the absolute bilge that gets sent from these misguided fools to each other would be unreadable and untraceable too. And that is of course a problem, and one that I'm currently wrestling with.

Fortunately the kind of people engaging with this seem to be happy to video each other committing federal crimes and publish the videos online, generating hundreds of gigabytes of evidence for law enforcement to sift through.

The weird part for me is that many of today's terrorists have managed to delude themselves that they're actually patriots working to defend their country. Terrorists in the past, like those in the IRA or Al-Qaeda, would at least know what side they were on and who they were attacking. Today, the terrorists support attacks on the democracy in their own country, while grinning into the camera.

It's these people - educated, internet-savvy, savagely rejecting truth and facts, destroying debate, supporting voting restrictions and the overturning of elections, even conspiring to plot violent kidnappings of elected politicians - it's these people who are making Murmeli development really difficult right now.

What's a robot? What's a parrot?

A robot is an optional part of the Murmeli network. Murmeli has no server, so if you want to send a message to your friend, you both need to be online at the same time. Or you can relay the message via one of your friends, if possible. If either you or your friend wants to have a robot, you can setup an additional Murmeli client on some low-power device which is usually on and usually online. If you configure this to be your robot, then you and your friends can use it as an invisible relay.

You can't send regular messages to a robot, and you can't ask it to be your friend. A robot doesn't have any kind of gui to read or send messages either, it's only a relay. And importantly the robot doesn't have any ability to decrypt any of the messages it is relaying. It's also completely optional, so if the robot isn't online then messages can still be sent directly or via friends.

A parrot is a different kind of automatic Murmeli client - it appears like a regular person does, it automatically accepts any contact request sent to it, and you can even send it regular messages. If you send it a message, it will echo it back to you, which is useful for testing. And it also forwards a copy of the message to its owner, which will hopefully become useful in the future for contacting the Murmeli developers.

Both robots and parrots ignore status notifications, and they don't broadcast their availability. There's nothing interesting in their profiles so they're not interested in InformationRequests or InformationResponses either. And there's no way to become a trusted friend of a parrot so you can't check fingerprints.

You probably don't want a parrot. You might want a robot, maybe. And if you're interested in Murmeli you might want to send a message to the Murmeli developers' parrot, perhaps, once it's online.

How do I encourage development or register interest?

Ideally you would be able to do this via Murmeli, but we're not there yet. One idea was to create a parrot and keep it running on a Pi permanently, and then publish the address here so that anyone interested could send it an anonymous message. I haven't done this yet though, and it's not clear whether it's worth it. So currently the options are via email or via Github. If anyone thinks the parrot is a good idea, maybe they can get in contact somehow and let me know.

What's next?

Given the (complete) lack of response to the published version so far, it's not clear yet. The obvious next step is to allow sending attachments (think securely sending photographs, for example), but this contains several non-trivial problems to solve and a not inconsiderable amount of development effort. So it has kind of stalled.

It's partly the lack of feedback which is discouraging (I'm guessing that the inherent high latency could be a deal-breaker for many, as well as the lack of cellphone support), and partly the disturbing rise in anti-truth and anti-democracy conspiracies as discussed above.


Introduction // Development // Beschreibung // Threats // Questions & answers // Message types // Message sequences // Robot setup