This internet provider pledges to always put your privacy first

A new privacy-protecting, US-based internet service and telephone provider still in the planning stages could become the FBI's worst nightmare.

Nick Merrill, who challenged a demand from the FBI for user data, wants to create the world's first internet provider designed to be surveillance-resistant.
(Credit: Sarah Tew/CNET)

Nicholas Merrill is planning to revolutionise online privacy in the US with a concept as simple as it is ingenious: a telecommunications provider designed from its inception to shield its customers from surveillance.

Merrill, 39, who previously ran a New York-based ISP, told CNET that he's raising funds to launch a national "non-profit telecommunications provider dedicated to privacy, using ubiquitous encryption" that will sell mobile phone services, and, for as little as US$20 per month, internet connectivity.

The ISP would not merely employ every technological means at its disposal, including encryption and limited logging, to protect its customers; it would also — and in practice this is likely more important — challenge government surveillance demands of dubious legality or constitutionality.

A decade of revelations has underlined the intimate relationship between many telecommunications companies and Washington officialdom. Leading providers, including AT&T and Verizon, handed billions of customer telephone records to the US National Security Agency (NSA); only Qwest refused to participate. Verizon turned over customer data to the FBI without court orders. An AT&T whistleblower accused the company of illegally opening its network to the NSA, a practice that the US Congress retroactively made legal in 2008.

By contrast, Merrill says that his ISP, to be run by a non-profit organisation called the Calyx Institute with for-profit subsidiaries, will put customers first. "Calyx will use all legal and technical means available to protect the privacy and integrity of user data," he says.

Merrill is in the unique position of being the first ISP exec to fight back against the US Patriot Act's expanded police powers — and win.

Merrill says, "We will use all legal and technical means to resist having to hand over information, and aspire to be the partner in the telecommunications industry that ACLU and EFF have always needed but never had."
(Credit: Sarah Tew/CNET)

In February 2004, the FBI sent Merrill a secret "national security letter" (not an actual court order signed by a judge) asking for confidential information about his customers and forbidding him from disclosing the letter's existence. He enlisted the American Civil Liberties Union (ACLU) to fight the gag order, and won. A federal judge barred the FBI from invoking that portion of the law, ruling that it was "an unconstitutional prior restraint of speech in violation of the First Amendment".

Merrill's identity was kept confidential for years as the litigation continued. In 2007, The Washington Post published his anonymous op-ed, which said: "I resent being conscripted as a secret informer for the government," especially because "I have doubts about the legitimacy of the underlying investigation". He wasn't able to discuss his case publicly until 2010.

His recipe for Calyx was inspired by those six years of interminable legal wrangling with the feds: take wireless service like that offered by Clear, which began selling 4G WiMAX broadband in 2009; inject end-to-end encryption for web browsing; add email that's stored in encrypted form, so that even Calyx can't read it after it arrives; wrap all of this up into an easy-to-use package, and sell it for competitive prices, ideally around US$20 per month without data caps, though perhaps prepaid for a full year.

"The idea that we are working on is to not be capable of complying" with requests from the FBI for stored email and similar demands, Merrill says.

A 1994 federal law called the Communications Assistance for Law Enforcement Act was highly controversial when it was enacted, because it required telecommunications carriers to configure their networks for "easy wiretappability" by the FBI. But even CALEA says that ISPs "shall not be responsible for decrypting" communications if they don't possess "the information necessary to decrypt".

Translation: make sure your customers own their data, and only they can decrypt it.

Merrill has formed an advisory board whose members include Sascha Meinrath from the New America Foundation; former NSA technical director Brian Snow; and Jacob Appelbaum from the Tor Project.

"I have no doubt that such an organisation would be extremely useful," ACLU deputy legal director Jameel Jaffer wrote in a letter last month. "Our ability to protect individual privacy in the realm of telecommunications depends on the availability of phone companies and ISPs willing to work with us, and, unfortunately, the number of companies willing to publicly challenge the government is exceedingly small."

The next step for Merrill is to raise about US$2 million, and then, if all goes well, launch the service later this year. Right now, Calyx is largely self-funded. Thanks to a travel grant from the Ford Foundation, Merrill is heading to the San Francisco Bay Area later this month to meet with venture capitalists and individual angel investors.

"I am getting a lot of stuff for free, since everyone I've talked to is crazy about the idea," Merrill said. "I am getting all the back-end software written for free by Riseup, using a grant they just got."

While the intimacy of the relationship between Washington and telecommunications companies varies over time, it has existed in one form or another for decades. In his 2006 book titled State of War, New York Times reporter James Risen wrote: "The NSA has extremely close relationships with both the telecommunications and computer industries, according to several government officials. Only a very few top executives in each corporation are aware of such relationships."

Louis Tordella, the longest-serving deputy director of the NSA, acknowledged overseeing a project to intercept telegrams in the 1970s. Called Project Shamrock, it relied on the major telegraph companies, including Western Union, secretly turning over copies of all messages sent to or from the United States.

"All of the big international carriers were involved, but none of 'em ever got a nickel for what they did," Tordella said before his death in 1996, according to a history written by L Britt Snider, a Senate aide who became the CIA's inspector general.

Like the eavesdropping system that President George W Bush secretly authorised, Project Shamrock had a "watch list" of people whose conversations would be identified and plucked out of the ether by NSA computers. It was initially intended to be used for foreign intelligence purposes, but, at its peak, 600 American citizens appeared on the list, including singer Joan Baez, paediatrician Benjamin Spock, actress Jane Fonda and the Reverend Martin Luther King Jr.

Merrill said, "If we were given any orders that were questionable, we wouldn't hesitate to challenge them in court."
(Credit: Sarah Tew/CNET)

Even if Calyx encrypts everything, the surveillance arms of the FBI and the bureau's lesser-known counterparts will still have other legal means to eavesdrop on Americans, of course. Police can remotely install spyware on a suspect's computer; or install keyloggers by breaking into a home or office; or, as the Secret Service outlined at last year's RSA conference, can try to guess passwords and conduct physical surveillance.

That prospect doesn't exactly please the FBI. Last year, CNET was the first to report that the FBI warned Congress about what it dubbed the "Going Dark" problem, meaning when police are thwarted in conducting court-authorised eavesdropping because internet companies aren't required to build back doors in advance, or because the technology doesn't permit it. FBI general counsel Valerie Caproni said at the time that agents armed with wiretap orders need to be able to conduct surveillance of "web-based email, social networking sites and peer-to-peer communications technology".

But until Congress changes the law, a privacy-first ISP like Calyx will remain perfectly legal.

"It's a really urgent problem that is crying out for a solution," Merrill said.

What do you think? Does Australia need a solution like Calyx, too?



Dragonmeister posted a comment   

Here's a metaphor:
If you don't want to be caught speeding, don't keep upgrading to a better radar detector ............. Just don't speed.

The government can have all my details and files, I have nothing to hide.


The.Womp posted a reply   

And the Government has nothing to hide either so it lets us have its files too.... Oh no, wait, Julian Assange is still to be extradited on trumped up charges and the USA has convened a secret Grand Jury to charge him in absentia.

Strange how that nothing to hide argument only seems to be applied in one direction, and against the people footing the bill, the tax payers.


Dragonmeister posted a reply   

On the contrary. Governments are supposed to be accountable and transparent. If they are not, you vote them out. At least in a democracy.

There is info that is critical to a nation's security. If you breach that Act then you are a criminal, and should be punished to the fullest extent of the law.

I want the government that I have voted in to look after my family's security any way it deems necessary. And if they don't, I'll vote them out.

You have deemed yourself an expert on the Assange case and have decided the charges are trumped up? ..... How?

History is replete with the saying ..... "Where there's smoke, there's fire"..... And "Jails are full of innocent people", right?


Will1505 posted a comment   

pedo's will have a field day with this
