I don't think too much about whether this endeavor would be successful. It's more important to me that someone makes a stand and is able to convince other like-minded people to join him for a principle.
I'm just glad to see that he decided to be more courageous than most of us and believed that he should be doing the right thing instead of the easy thing by refusing to hand over his client's information.
Though the odds are stacked against him, I hope it at least sets a precedent for other companies to follow. I'd pay for an ISP that promised this with reasonable speeds - though I doubt his project will be able to gain traction outside of the launching market.
I like the idea, and I especially like the idea of a 501c3 (which subsidizes the added costs over commercial baseline) coupled with a commercial company (which charges normal rates for service).
You can go a reasonably long way with just best practice privacy policy (requiring court orders, keeping minimal records, locking down configs, obfuscating IPs, not intentionally compromising privacy), but there are a couple issues. One, a lot of big ISPs (from what I've read) are only profitable due to selling clickstreams or other privacy-invading things. So a privacy-protecting ISP will cost more for the same service (or, will offer crappier bandwidth).
Second, once you move beyond this level of security, you're trying to defeat traffic analysis, and then targeted attacks. Targeted attacks are probably out of scope (and really expensive to defend against), but defending against traffic analysis usually requires burning a lot of bandwidth, or scheduling or routing communications in strange ways (which adds latency in various ways). This makes things REALLY expensive, and especially for wireless systems, uses up the finite spectrum capacity.
Ultimately the best way to really protect privacy is to structure applications to be message based, tolerant of latency on the order of hours, and basically non-interactive. This is the opposite of how ~everything is done on the web -- email is probably the only widely deployed application which works like this, and that's why email has the best anti-traffic-analysis systems out there (mixmaster/mixminion remailers).
Plus, there's a big problem with declaring yourself "the ISP for people who want to be anonymous" -- it self-selects, especially if it's a small pool of users due to higher cost, into a great target. Either the organization itself is evil and secretly monitoring, or just becomes a hacker/government target (which could involve monitoring on the perimeter/upstream). The best model is some combination of making privacy protection a default feature of protocols, having a bunch of different vendors (which may advertise better privacy) to choose from, and having technical systems which can provably protect your secrets against various kinds of threats.
It's a bunch of medium and hard problems. The biggest problem is that 99.99% of users totally don't care, though.
I would love to see this as a Kickstarter project. This is the kind of movement that I feel could really benefit from having a community behind it, and I for one would love to be a part of that community. Shoot, I'd even offer to donate my services to help see it become a reality.
I would love to see this guy succeed, but can anyone enlighten me as to why Kickstarter won't allow his project to be funded?
His pseudo-kickstart page is unlikely to generate anywhere near the amount of funding it would on the KS site. I'm wondering why they wouldn't allow it to be funded there.
Is there something dubious about this project that the typical tech blog cheerleaders are ignoring, or is there some reason this kind of project is not allowed on Kickstarter in general?
> This project’s goal is to raise funds for my nonprofit organization, Calyx Institute, which will launch a privacy-focused Internet Service Provider and mobile phone service using end-to-end encryption technology.
I don't really see it that way. The startup cost for a new business is a one-time, finite "project" (in my mind) that would adhere to the concept of Kickstarter well.
The problem Kickstarter has with this project (and, similarly, when I tried to do the same thing) is that it's not an "artistic" endeavor. That is to say, they don't allow small business projects, unless you plan on producing a short story or documentary about the process as you do it. (Here's an entrepreneur who used this exact loophole: http://kck.st/rtglLo)
Totally agree. Also worth a mention is the JOBS act. Though controversial, the crowdsourcing part would help Merrill's ISP start-up grow much quicker and would be, IMO, more effective than Kickstarter, since your average Joe would be investing into something that could potentially be big.
I, for one, will be keeping my eye out for this guy and will definitely invest into his idea for customer privacy.
The authorities will simply obtain details from credit card companies and other financial institutions to get lists of all of Calyx's customers. All of their customers will be treated with suspicion. Being a customer of Calyx may even become probable cause.
I don't like this, but this is what I think will happen.
Isn't a large problem with ISPs the last mile, fiber or cable, which is very expensive? This is purely wireless? I have a 15Mb cable connection for $50/month (after taxes). FIOS is $30 more. Will he partner with these physical carriers or purely go wireless?
> "Merrill has formed an advisory board with members including Sascha Meinrath from the New America Foundation; former NSA technical director Brian Snow; and Jacob Appelbaum from the Tor Project."
I find that interesting. Indication of dissension in the ranks of the NSA over how far to take domestic surveillance?
The fundraising site allows one to contribute any amount, so you could contribute $1 and would then be "a contributor" and presumably would receive status updates.
So? They still have your credit card details to pay for the service, your cell phone ___location, the recipient of each email and the web pages you visited.
The actual contents of the emails are pretty much irrelevant - I'm pretty sure that international terrorists probably use code.
I'm also pretty sure that having one of these accounts and a series of logs showing your access to online gambling or movie sharing sites or banks in the Caymans is going to trip the same alarm bells.
But you said it: there's still too much identifying information left on the table.
There's another angle that threatens Calyx, too: they're just one rider on a "must-pass" bill away from being shut down and tied up in court. Or worse, made to _silently_ monitor your traffic after all their publicity about their privacy.
National Security Letters make it clear: the gag orders mean even if Nick Merrill wanted to tell you his company had been compromised, he wouldn't be able to.
There does seem to be a technical workaround, known as a "canary," where Nick Merrill posts a daily message far and wide signed from an air-gapped physically-secure private key that basically says, "Today is 11/Apr/2012. Under penalty of perjury, I have not been served with any legal threats."
Thus, the day the "canary" stops appearing, it becomes obvious what has happened; it seems that our current legal climate probably cannot compel him to _commit_ perjury, and his _inaction_ in posting his "canary" does not constitute a violation of any gag order; ironically, he conforms to it and by so doing alerts his customers to the problem.
Problems with this approach include:
• All the sites he has been using for the canary could get shut down simultaneously a la Megaupload
• Compromise of his private key
• Dwindling interest by his customers in checking multiple sites every day, even if the process can be mostly automated
"Today is 11/Apr/2012. Under penalty of perjury, I have not been served with any legal threats."
Under penalty of perjury is a meaningless phrase unless a court or other authorized body is requiring that statement of you. Look: under penalty of perjury, I am Chief Justice John Roberts of the United States Supreme Court.
Well, I'm not Chief Justice John Roberts. I lied about that. Am I in danger of going to jail for contempt of court? No, because nobody with judicial or administrative power required me to make a truthful declaration. Rather I made a statement I wanted you to believe and attached a common legal incantation to it - little different from a religious expression, such as 'God strike me dead if I lie.' In earlier times when people had little understanding of science, the sheer randomness of the world was attributed to mysterious divine provenance, and of course every so often these beliefs are validated in such dramatic fashion that the story is repeated (http://members.tm.net/lapointe/Lawyers3.htm for example, from 1988).
An awful lot of hackers I've met seem to think that law is strictly a matter of form, that if you say certain words in a certain order legal validity (and thus, truth-value of some sort) automatically attaches to them. This is not how law works, this is how magic works - and it's a good example of Arthur C. Clarke's comment that 'any sufficiently advanced form of technology is indistinguishable from magic.' Legal conventions are a form of social technology, and can not be taken at face value this way, any more than nontechnologists can foretell the future from blinkenlights.
It's the same notion that compels people to write "I don't own this song" under the youtube uploads of albums, as if mentioning copyright issues absolves you from them.
That being said, there are magic words that you can say that have very strong legal weight. For example, attaching a GPL licence to a piece of code you wrote has significant legal ramifications.
It's clear that "Under penalty of perjury" doesn't accomplish the intention of giving a canary message greater legal weight. I am, however, curious if there are some other "magic words" that could exist in a canary message which would help to signify its validity. For example, making it illegal for someone to fake the canary message.
I actually don't know if the government could require you to falsely affirm the nonexistence of a legal investigation as part of a gag order - in other words, if you simply stopped publishing your canary message, whether you could be required to do so. Perhaps the failure to comply with such a request would qualify as an obstruction of justice if there were a colorable risk of it impeding a lawful investigation by tipping off the subject of the investigation; law enforcement officers with an appropriate warrant or authority could require an explanation of how the canary mechanism worked, in the same way that they could require you hand over keys to one's safe, say. There's no right to silence for non-defendants such as material witnesses.
First, thanks for adding good insights into what would (and would not) stand in court.
Would a 5th Amendment right (not witnessing against herself / self-incrimination) protect the owner of the ISP against a charge of obstruction of justice?
i.e. Owner of ISP refuses to post the canary after a gag order. She is not named as a defendant in the investigation. But she can defend herself against obstruction of justice charges: plead the 5th, and thus she is not compelled to falsely affirm the canary.
It's not clear this would work, either, but there might be some pretty solid precedents that could be used in this way.
Subornation of perjury is the crime of persuading a person to commit perjury; and also describes the circumstance wherein an attorney causes or allows another party to lie.
It's pretty clear this, not magic, is the end goal of the original statement.
You've misunderstood the Wikipedia article, which is not surprising because it is poorly written. The government can establish mechanisms for people to provide statements "under penalty of perjury", such as IRS forms. But the mere words "under penalty of perjury" aren't a magic incantation; they have force only when specifically given it by the government.
"Under penalty of perjury" is just a mechanism for substituting a written declaration for an in-person swearing.
If you look at the statute, the governing condition is (paraphrased) "under laws or circumstances requiring or permitting a sworn statement".
>>National Security Letters make it clear: the gag orders mean even if Nick Merrill wanted to tell you his company had been compromised, he wouldn't be able to.<<
Wouldn't be able to legally. If he feels strongly enough about this to start a company, he may feel strongly enough to defy the law.
When your opposition can legally order predator strikes on you, imprison you indefinitely without charge, torture you in its own military prisons and secretly ship you off to 3rd world prisons for more torture - then I don't think little legal tricks like reverse canaries are really going to work.
I agree that it's not much of a surprise, but tell me why wouldn't it work?
I don't have to reveal the hidden ___location and password to my air-gapped private key unless I am in court.
I agree that spending the rest of my life at Hotel Guantanamo isn't my favorite, but if he defies the Federal Gov't's established secret wiretapping, surely he has assessed the possibility of this happening already and he's not afraid?
Who knows the secret key/has access to the system?
Just him - in which case what happens to my data if he walks under a bus?
Or all the admins/the board/the lawyers?
So a three-letter-agency guy turns up with a SWAT team, you only need one of them to decide to reveal the key with a gun at their head - or with the threat that child porn would be found on his laptop/20kg of heroin would be found in his apartment. Chain = weakest link.
The "weakest link" problem can be ameliorated to some extent by using secret sharing cryptography, so that at least x% of participants must cooperate to reveal the secret key.
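As an added illustration (not code from the thread or from Calyx), the two mechanisms discussed above in one script: the canary signing secret is split with Shamir secret sharing over a prime field so that any k of n key holders can reconstruct it but fewer learn nothing, and a small monitor decides whether the daily canary is still being published on enough mirrors. Function names, the prime, the mirror names and the dates are all constructed for the example; the signing itself is out of scope here.

```python
"""Threshold sharing of a canary signing secret plus a canary freshness check.
Constructed example using only the standard library; all names are hypothetical."""
import secrets
from datetime import date

# 2**127 - 1 is a Mersenne prime; large enough to hold a 16-byte key chunk.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    # Horner evaluation of the random sharing polynomial, modulo PRIME.
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, k: int, n: int):
    """Split `secret` into n shares (x, y); any k of them reconstruct it."""
    assert 0 <= secret < PRIME and 1 <= k <= n
    # Constant term is the secret; the other k-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0; wrong (but well-defined) if too few shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def canary_status(mirror_dates, today, max_age_days=1, min_mirrors=2):
    """Return 'ok' or an alarm string.

    mirror_dates maps a mirror name to the ISO date of the newest canary seen
    there, or None if the mirror was unreachable (e.g. taken down).
    Requiring several mirrors to agree tolerates one mirror disappearing
    without masking a canary that has genuinely stopped."""
    now = date.fromisoformat(today)
    reachable = {m: date.fromisoformat(d) for m, d in mirror_dates.items() if d}
    if len(reachable) < min_mirrors:
        return "alarm: too few mirrors reachable"
    fresh = [m for m, d in reachable.items() if (now - d).days <= max_age_days]
    if len(fresh) < min_mirrors:
        return "alarm: canary stale on reachable mirrors"
    return "ok"
```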
You're being too dismissive and you didn't read carefully. Their goal is to be unable to turn over information, and to that end, they say they'll discard the logs you refer to. So in theory, they won't have your cell phone ___location, what pages you visited, etc, or at least not for long. Your credit card is small potatoes by comparison; plenty of restaurants have that.
If they're also a telecom provider who can't comply with wiretaps, that's also huge.
Personally I think this is very exciting. Governments' game has been to make secret deals for surveillance; by announcing openly that they won't cooperate, this company will either succeed or may force the government to state openly the level of surveillance they demand. Citizens should know how out-of-control it's gotten.
The importance of your credit card is that it links the account with you.
Unless they are going to spend a gazillion $ putting their own cell towers across the country with their own backbone then their partner telcos have your ___location = so does the NSA.
And unless you are only emailing people/visiting sites in their system then the other telcos have the end points of those links. Calyx could hide the originator of these packets, but in that case they are no different from any other VPN - and I have a lot more security from PATRIOT (or MPAA) requests using a VPN owned by a Liberian company run from a rack in Estonia than I do with one run out of the USA. Ironically your best 'security' at the moment from US wiretaps is to use a VPN owned by the Chinese government.
You're saying that this isn't worth doing because they still have to keep some minimal amount of information about their customers in order to do business? You're saying everyday people should contract with a company in Liberia to route their traffic through Estonia?
That's ridiculous. The point of this is not to make it easy to evade justice. Remember, we do want the police to be able to gather evidence against criminals when it's warranted. It's to prevent mass surveillance of the population by the state. Having communications companies that minimize the data they gather about their customers and refuse to hand it over to the state without a warrant is a huge step forward in protecting the civil liberties of ordinary citizens. That's the point.
The point of this is not to make it easy to evade justice. It's to prevent mass surveillance of the population by the state.
It's not clear to me that we can prevent mass surveillance without making it easier for criminals to evade justice.
I still think we should work to prevent mass surveillance, not because making things tough for law enforcement is not a problem, but because mass surveillance is a much bigger problem.
The point is that the government has the ability with the cooperation of the telcos to track everything.
This telco is claiming that they have the technical means to prevent that - while in fact they have no technical difference (other than storing your email encrypted) than any other.
If all they are claiming is that they are good guys and wouldn't hand over your data if ordered then you have no more security than all the other telcos who also said that - either because they were lying or they were ordered to say so.
If your risk model is that the telco will cooperate with the US government then the solution is a telco who has no reason to do so.
This telco is claiming that they have the technical means to prevent that - while in fact they have no technical difference (other than storing your email encrypted) than any other.
That isn't my interpretation.
They seem to be saying that they will do everything technically and legally possible to prevent tracking.
That's a significant difference from the current situation where telcos hand over information whenever the government asks, even if not ordered to do so.
> The importance of your credit card is that it links the account with you.
What if you pay with a prepaid Visa/Mastercard, since those aren't linked to your name? Or in cash (yes, that still exists!), or via money order (since sending cash in the mail is illegal, and money orders can't be reliably linked to an individual).
It's a 1st, necessary step. The rest requires some end-to-end encryption of even the destination - and maybe a secure, anonymous DNS query reflector or some such.
Or I'm talking nonsense. But a secure ISP that is not capable of eavesdropping is a start.