A Smarter Phone for a Smarter World
This Internet provider pledges to put your privacy first. Always.
Step aside, AT&T and Verizon. A new privacy-protecting Internet service and telephone provider still in the planning stages could become the ACLU's dream and the FBI's worst nightmare.
Nick Merrill, who challenged a demand from the FBI for user data, wants to create the world's first Internet provider designed to be surveillance-resistant.
(Credit: Sarah Tew/CNET)Nicholas Merrill is planning to revolutionize online privacy with a concept as simple as it is ingenious: a telecommunications provider designed from its inception to shield its customers from surveillance.
Merrill, 39, who previously ran a New York-based Internet provider, told CNET that he's raising funds to launch a national "non-profit telecommunications provider dedicated to privacy, using ubiquitous encryption" that will sell mobile phone service and, for as little as $20 a month, Internet connectivity.
The ISP would not merely employ every technological means at its disposal, including encryption and limited logging, to protect its customers. It would also -- and in practice this is likely more important -- challenge government surveillance demands of dubious legality or constitutionality.
A decade of revelations has underlined the intimate relationship between many telecommunications companies and Washington officialdom. Leading providers including AT&T and Verizon handed billions of customer telephone records to the National Security Agency; only Qwest refused to participate. Verizon turned over customer data to the FBI without court orders. An AT&T whistleblower accused the company of illegally opening its network to the NSA, a practice that the U.S. Congress retroactively made legal in 2008.
By contrast, Merrill says his ISP, to be run by a non-profit called the Calyx Institute with for-profit subsidiaries, will put customers first. "Calyx will use all legal and technical means available to protect the privacy and integrity of user data," he says.
Merrill is in the unique position of being the first ISP exec to fight back against the Patriot Act's expanded police powers -- and win.
Nick Merrill says that "we will use all legal and technical means to resist having to hand over information, and aspire to be the partner in the telecommunications industry that ACLU and EFF have always needed but never had."
(Credit: Sarah Tew/CNET)In February 2004, the FBI sent Merrill a secret "national security letter" (not an actual court order signed by a judge) asking for confidential information about his customers and forbidding him from disclosing the letter's existence. He enlisted the ACLU to fight the gag order, and won. A federal judge barred the FBI from invoking that portion of the law, ruling it was "an "unconstitutional prior restraint of speech in violation of the First Amendment."
Merrill's identity was kept confidential for years as the litigation continued. In 2007, the Washington Post published his anonymous op-ed which said: "I resent being conscripted as a secret informer for the government," especially because "I have doubts about the legitimacy of the underlying investigation." He wasn't able to discuss his case publicly until 2010.
His recipe for Calyx was inspired by those six years of interminable legal wrangling with the Feds: Take wireless service like that offered by Clear, which began selling 4G WiMAX broadband in 2009. Inject end-to-end encryption for Web browsing. Add e-mail that's stored in encrypted form, so even Calyx can't read it after it arrives. Wrap all of this up into an easy-to-use package and sell it for competitive prices, ideally around $20 a month without data caps, though perhaps prepaid for a full year.
"The idea that we are working on is to not be capable of complying" with requests from the FBI for stored e-mail and similar demands, Merrill says.
A 1994 federal law called the Communications Assistance for Law Enforcement Act was highly controversial when it was enacted because it required telecommunications carriers to configure their networks for easy wiretappability by the FBI. But even CALEA says that ISPs "shall not be responsible for decrypting" communications if they don't possess "the information necessary to decrypt."
Translation: make sure your customers own their data and only they can decrypt it.
Merrill has formed an advisory board with members including Sascha Meinrath from the New America Foundation; former NSA technical director Brian Snow; and Jacob Appelbaum from the Tor Project.
"I have no doubt that such an organization would be extremely useful," ACLU deputy legal director Jameel Jaffer wrote in a letter last month. "Our ability to protect individual privacy in the realm of telecommunications depends on the availability of phone companies and ISPs willing to work with us, and unfortunately the number of companies willing to publicly challenge the government is exceedingly small."
The next step for Merrill is to raise about $2 million and then, if all goes well, launch the service later this year. Right now Calyx is largely self-funded. Thanks to a travel grant from the Ford Foundation, Merrill is heading to the San Francisco Bay Area later this month to meet with venture capitalists and individual angel investors.
"I am getting a lot of stuff for free since everyone I've talked to is crazy about the idea," Merrill says. "I am getting all the back-end software written for free by Riseup using a grant they just got."
While the intimacy of the relationship between Washington and telecommunications companies varies over time, it's existed in one form or another for decades. In his 2006 book titled "State of War," New York Times reporter James Risen wrote: "The NSA has extremely close relationships with both the telecommunications and computer industries, according to several government officials. Only a very few top executives in each corporation are aware of such relationships."
Louis Tordella, the longest-serving deputy director of the NSA, acknowledged overseeing a project to intercept telegrams in the 1970s. Called Project Shamrock, it relied on the major telegraph companies including Western Union secretly turning over copies of all messages sent to or from the United States.
"All of the big international carriers were involved, but none of 'em ever got a nickel for what they did," Tordella said before his death in 1996, according to a history written by L. Britt Snider, a Senate aide who became the CIA's inspector general.
Like the eavesdropping system that President George W. Bush secretly authorized, Project Shamrock had a "watch list" of people whose conversations would be identified and plucked out of the ether by NSA computers. It was initially intended to be used for foreign intelligence purposes, but at its peak, 600 American citizens appeared on the list, including singer Joan Baez, pediatrician Benjamin Spock, actress Jane Fonda and the Rev. Martin Luther King Jr.
Nick Merrill says that "if we were given any orders that were questionable, we wouldn't hesitate to challenge them in court."
(Credit: Sarah Tew/CNET)Even if Calyx encrypts everything, the surveillance arms of the FBI and the bureau's lesser-known counterparts will still have other legal means to eavesdrop on Americans, of course. Police can remotely install spyware on a suspect's computer. Or install keyloggers by breaking into a home or office. Or, as the Secret Service outlined at last year's RSA conference, they can try to guess passwords and conduct physical surveillance.
That prospect doesn't exactly please the FBI. Last year, CNET was the first to report that the FBI warned Congress about what it dubbed the "Going Dark" problem, meaning when police are thwarted in conducting court-authorized eavesdropping because Internet companies aren't required to build in back doors in advance, or because the technology doesn't permit it. FBI general counsel Valerie Caproni said at the time that agents armed with wiretap orders need to be able to conduct surveillance of "Web-based e-mail, social networking sites, and peer-to-peer communications technology."
But until Congress changes the law, a privacy-first ISP like Calyx will remain perfectly legal.
"It's a really urgent problem that is crying out for a solution," Merrill says.
Update 12:05 p.m. PT: This article sparked a lengthy Reddit thread, complete with repeated suggestions that Nick Merrill should turn to Kickstarter to raise money. Merrill told me this morning that Kickstarter "wouldn't accept Calyx as a campaign because it's not a physical product, or arts-related." But he has set up a contribution page, with a $1 million target, on IndieGogo.com, a self-described crowdfunding platform. "There has been a ton of interest in the idea," Merrill told me. "Due to popular demand I have decided to try crowd-sourced funding the idea in order to prove that the demand exists." If he makes the $1 million target, IndieGogo takes a smaller percentage. Internet privacy aficionados, what say you?
I'll bet the FBI started this telco so all the crooks who have something to hide will join them and will be caught but the snooping FBI.
/tinfoilhat
But I've been hearing about Merrill for over a decade now, even during the 'gag order' he wasn't hard to find out about, he's definitely no government tool. Not mentioned in the article, but he spent a lot of out of pocket money fighting the government over this. The ACLU helped but only so much.
" out of luck with me and most generally decent people "
Out of luck or not, who wants them having those inroads for free, and what will they demand, and/or take by force or legal chicanery next? ime to put a stop to their criminal insanity.
"Decent people"???
Sadly, you represent one of the most frightening groups of people in the country. Those that believe that "if you're not doing anything wrong, you have nothing to worry about" are not just ignorant, they are a huge part of the problem. You obviously don't understand why we have protections such as constitutional rights, but any and all who make comments such as yours are actively and insidiously helping strip the rights of free people everywhere.
You simply don't know what is going to be "wrong" tomorrow, opening everyone up to horrendous invasions of privacy by our "government", constant monitoring ala Big Brother, illegal spying on legal citizens, etc.
Why it is that you just "don't get it" is beyond me, but it's not too late to educate yourself and lose what demonstrably is an incredibly naive set of beliefs. Educate yourself before it really is too late; it's getting worse every day.
The idea of activism or fighting for a cause, is too scary for most people, they would rather just bend over and comply.
All blue5ft said was (paraphrase) "i don't do much on the internet that would warrant attention from law enforcement."
From that, you have decided that he is a, uneducated, weak minded sheeple who a gov't conspirator to the problem and too scared to stand up for his own rights and is "actively and insidiously helping strip the rights of free people everywhere."
You aren't neccesarily wrong regarding privacy, privacy concerns and government encroachment is a serious concern, but unless you are actually the one doing the spying into people's brains, don't act like you have a monopoly on understanding everything about a person from one 4 line comment.
Ravers like you make it hard for people to take serious privacy rights advocates seriously.
Actually it is possible to infer on blue5ft3's poor education from his/her four lines. The comment doesn't even make sense past "...do nothing illegal". No need to go "spying into people's brains" to make comments on other people's poor level of education when they can be so revealing about themselves in so few poorly written down words.
You have to remember, not all of us are running servers..
True enough. A lot of tech didn't exist and a lot of folks argue that, that means the constituation doesn't apply. Yet, the idea of freedom and liberty built into the constituation does apply to the nation and should flow into everthing it touches. It should be built into the fiber of the sytem. Should be...
Now, they CAN make it so that it is legal from then forward and prosecutors do have the right to say "We will not file charges for this because it is now legal!"
Make something retroactively legal, no.
If you want to assert that it's not, try providing some legal authority.
This was going in the other direction, making things legal that were previously unlawful.
Last time I checked not only is it legal to protect my own IP, it's actually a requirment.
I like the idea of the FBI and its ilk actually working to do their jobs rather than using the net as their personal playground. Frankly, they have become more of a threat to the "American Way" than the motley lineup of crooks and dirtbags that seem to frighten you so much.
Every day, I read news of their online actions that simply appalls me. I welcome this curb.
Obviously, you are a random nut.
Isn't that special?
All open season for everyone on the Internet, eh?
Fool of a Took.
Terrorists typically don't bother with encryption, it draws too much attention, they generally use plain talk in unlikely locations, such as porn forums, using subsitution operative terms with sexual terms.
This new network would use the same backbones, so you don't even understand technology.
"If you have nothing to hide" has been the rallying cry for brutal governments who then slaughtered millions, so its nice of you to tell us what you really believe in...
@blue5ft3
He can "mean" whatever he likes, but the government hires lawyers by the boatload to twist whatever you "think" you mean, into what ever they want it to be. You, obviously, are among the sheep.
Then Dehugger makes some great points. Lastly just because you don't care about your privacy, and aren't doing anything wrong doesn't mean that the rest of the people using your internet don't.
Fool yourself. Credit card, ss#, all that other stuff is can be stolen from databases. Whether BruinGuy is on this ISP or not has no effect on his information being stored and stolen from other sources. Being on a secure ISP only means that the information that passes to and from your computer is secure. Once it is out on the net and stored on servers that connect to non-secure ISPs, the security risk is identicaly. So, unless you are sending lots of emails with your SS# and CC#s (which you shouldn't be), this won't have a dramatic effect.
Browsing history though, yes, that will be helped, but most of the info will be just as vulnerable.
My only big concern is that one of those NSA or CIA front companies will be a VC funder, thus giving the government a back door into the network, without Merrill's knowledge.
Let's face it, NSA, and FBI are not interested in your private conversations. They're interested in protecting our country. They'll just skip over the calls where you talk about what plans you have for the weekend, and instead listen in. It's not like the directors of NSA and FBI are going to come to Obama's desk and be like, "OMG, did you hear Ralph's not making his pancakes this weekend." And Obama be like, "Oh my, this is horrible, call a news conference and get a squad ready for extraction of everyone in the house."
I think all the carriers are very nice and open about their privacy and it's not like just having the FBI listen in on you make it suddenly like they'll release it for all to hear.
If or when you and yours are on the wrong side of a defense table (if you are lucky enough to get that close to a courtroom), then let us know how your way of "thinking" is doing for you.
But then why did Joan Baez, pediatrician Benjamin Spock, actress Jane Fonda and the Rev. Martin Luther King Jr. appear on the NSA's list of to-be-monitored Americans?
------------------------------------
No, of course not. That's not why they are building that monstrous facility under a mountain in Colorado to be able to correlate virtually every iota of data sent around the US networks and abroad. Oh wait...that IS what its for; the Dept. of "Homeland Security" actually told us so.
We are now mired in more stupid regulations and laws that make "felonies" out of minutae and victimless "crimes" than any nation on earth ...foisted on the country by special interests and fanatics. The Feds use the Net to have a field day prosecuting these so-called crimes and condemning decent folks to a lovely stay at a facility run by our out-of-control "corrections industry." Hey it's a big win for everyone involved - except regular Janes and Joes whose rights are trampled in the holy name of Law N'Order.
So...can you guess which groups will be fighting this new privacy oriented tooth and nail? Just follow the money.
Secondly, sure they might not be generally interested, but...
Suppose you decide to protest or oppose an administration's (any administration down the road, not just this one) policies, or, a congressional bill being proposed. Suppose then, public opposition is making it hard to railroad the bill or carry out policies. The unelected bureaucrats, most of whom did not take an oath to defend the Constitution BTW, would become very interested in your conversations. While, yet, they cannot simply arrest people, they could use elements from your PRIVATE internet activities, emails, or even phone calls, to disrupt your personal life. Things you wrote on newssites, blogs, your mails would be twisted to be used against you. Especially if you were trying to keep a low profile. Your employer receives 'disparaging information' about you, you get fired, voila, one activist down, on to the next one.
It's a stretch, but not that much of one. The Constitution exists to keep government intrusion to a minimum.
For years before there was an internet the FBI under Hoover kept files on EVERYONE they chose to and used them to pressure legislators and others to do his bidding. Just because he could.
There will always be a tug of war between the institutions meant to ensure our freedom, and the erosion of those freedoms by the same institutions. That's why the controls on their behaviour have to be strict and enforced.
For those so sold on the concept of "if you have nothing to hide blah blah blah", you had better pray that the rest of us can save you.
We are their "mental slaves" and in many cases even physical slaves!
I hope, that the people fully recognize their total situation.