2016-douglas-ghostpost
findings extracted from this paper
-
A censor tracking which deleted posts are resurrected can apply Bayesian inference to identify content-preservation system users: for each resurrected post r observed by set O(r), each observer's suspicion score updates by factor (|O(r)|−1)/|O(r)|, while observers of non-resurrected deletions can be ruled out with certainty. The attack requires only that the censor join the preservation system with a few sock-puppet accounts spread across multiple followed-user lists.
-
A censor with platform-side control can definitively confirm a single suspected user by injecting a unique fake post visible only to that user, then querying the preservation system for resurrected posts attributed to that fabricated author. Presence of the fake post in the resurrection feed is binary confirmation of user membership. This targeted attack defeats automated post-alteration countermeasures when a human examines the result.
-
Simulation on a 1,000,000-user scale-free Weibo topology shows that at 1% GhostPost user adoption the system preserves over 70% of postviews against the daytime censor (2-hour median deletion) and nearly 90% against the nighttime censor (10-hour median deletion). Even a highly aggressive censor deleting posts within 30 minutes on average cannot prevent a 1.5% GhostPost deployment from resurrecting the majority of postviews. Steep coverage gains plateau around 0.5% adoption, after which marginal returns diminish.
-
GhostPost's client-server coordination channel transfers only metadata and small text payloads, making it neither bandwidth-intensive nor latency-sensitive. The paper explicitly concludes that 'practically any means of communication, including low-performance covert channels, are adequate' for the coordination channel, enabling operation over DNS tunnels, steganographic channels, or other constrained transports when the central server's HTTPS endpoint is blocked.
-
Sina Weibo's deletion workforce exhibits strong diurnal variation: posts published 3–9 AM have median lifetimes of 8–9 hours, while posts from 10 AM–midnight have median lifetimes around 2 hours. Over 90% of eventually-deleted posts are removed within 24 hours, but the nighttime slowdown creates a predictable window where post survival is 4–5× longer than daytime.