Surveillance Proof

As government agencies in the United States, the United Kingdom, Canada, and Australia push for increased surveillance powers, one pioneering American is pushing back.

New York-based entrepreneur Nicholas Merrill is making progress on a project he revealed in April: an encryption-based telecommunications provider designed to be “untappable.” After crowd-funding almost $70,000 in donations, Merrill says that he has held talks with a host of interested venture capitalists and a few “really big companies” apparently interested in partnering up or helping with financial support. Now the “surveillance-proof” software is in development, and he is on track to begin operating a limited service by the end of the year.

Merrill’s ultimate aim is to create a telecommunications infrastructure that inhibits mass surveillance. First, he is building an Internet provider that will use end-to-end encryption for Web browsing and email. Then he plans to roll out a mobile phone service that will enable users to encrypt calls, making them difficult to intercept. The key to decrypt the communications would be held by each individual customer, not Merrill’s company. Because the telecom firm would be unable to access the communications, law enforcement agencies that want to read or listen to communications would be forced to serve warrants or court orders on individuals directly. “This would make it impossible to do blanket, dragnet surveillance of all the customers of a telecommunications carrier,” Merrill says.

The idea for the project is not to help bad guys evade detection, though undoubtedly that’s how some critics will see it. Rather, Merrill is particularly keen to develop the technology to help journalists and human rights organizations—groups, he says, “whose right to confidentiality is more or less accepted under the law.”

Merrill has a strong record of defending user privacy. In 2004, he became the first ISP executive to successfully challenge a secret FBI “national security letter” demanding he hand over customer information. His willingness to question the constitutionality of the secret letter at the time put him at odds with most major telecoms providers, which have a poor track record when it comes to protecting customer privacy. In 2005 and 2006, a number of companies were revealed to have handed over troves of customer data and opened up wiretaps to the National Security Agency, sometimes without a warrant.

Today, Merrill admits prospective funders of his latest project have expressed concerns that it could lead to a confrontation with powerful actors (“It’s challenging to go up against some of the forces that are trying to open up all communications to wiretapping,” he says). But he is trying to address this by showing that government and law enforcement agencies could themselves benefit from his technology. Cybersecurity and privacy are part of the same problem but framed differently, he believes. Both could be addressed at once by ubiquitous encryption of communications and data transfer—protecting user privacy while also helping prevent malicious hackers from stealing information.

Some establishment figures have already been won over by Merrill’s argument. The advisory board of his nonprofit research institute, Calyx, which is developing the technology, includes a former NSA technical director and a former federal prosecutor who is also ex-CIA. Whether he can get the backing of current members of the U.S. law enforcement community, though, is another matter altogether. Merrill’s technology could be seen as creating extra barriers for law enforcement and the authorities would likely oppose it for that reason. Existing U.S. wiretapping law, called CALEA, states that telecom providers "shall not be responsible for decrypting" communications if they don't possess "the information necessary to decrypt.” But that may change under reforms proposed by the FBI, which is actively seeking more surveillance powers.

As governments increasingly move toward expanding their power to conduct electronic surveillance, it is inevitable that innovative technologists, software developers, and cryptographers will work to help people protect the privacy of their personal communications. Earlier this week the NSA’s chief tried to quell concerns over allegations that it is building a huge domestic surveillance center in Utah, dismissing whistle-blowers’ claims as “baloney.” Given the NSA’s recent history, however, it is likely many Americans will remain skeptical about the spy agency’s reassurances—and some will turn to encryption.

Merrill aims to launch his telecommunications firm first in the United States before tackling the international market, where there are also mounting concerns about government surveillance schemes. “We’re not trying to force people to use our service,” Merrill says. “What we’re trying to do is re-envision how the telecommunications industry could work if privacy and encryption technology was built in from the beginning.”

This article first appeared at Slate.com

Mass Surveillance in Former Soviet Republics

Western firms that sold dictatorships in the Middle East mass-surveillance technology have been subject to intense scrutiny over the past year. But now a new exposé by journalists in Sweden has shed light on how the same tools are being used closer to home — in ex-Soviet republics across Europe and Central Asia, whose leaders were seemingly shaken by the revolutions of the Arab Spring.

Last week an investigative documentary shown on Swedish public service broadcaster SVT revealed in fascinating depth the extent to which Stockholm-based telecommunications firm Teliasonera is linked to spy agencies in Azerbaijan, Kazakhstan, Uzbekistan, Tajikistan, and Georgia, facilitating crackdowns on dissident politicians and independent journalists.

Citing a multitude of sources — including official government documents and whistle-blower testimony — SVT’s reporters documented how companies owned by Teliasonera had allowed “black box” probes to be fitted within their telecommunications networks. The black boxes allow security services and police to monitor, in real-time and without any judicial oversight, all communications passing through, including texts, Internet traffic and phone calls. (Similar so-called “monitoring centers” were set up in Muammar Gaddafi’s Libya and Bashar al-Assad’s Syria with the help of European companies.)

SVT found some citizens who said they had been targeted for the strangest, most banal reasons. Several Azerbaijanis, for instance, said they had been summoned by police and subject to interrogation after phone records showed they had voted for a country other than their own during the televised Eurovision Song Contest in 2009. One man said he was told by officials working for Azerbaijan’s security agency that he was a “traitor” because he had voted for a song performed by musicians from Armenia, a neighbor with whom Azerbaijan has historically had tense relations.

Other cases were far more serious and sinister. Documents obtained by SVT showed an Azerbaijani reporter had his phone tapped after he published a piece about being beaten at the hands of government security agents while covering a story. He was subsequently stabbed in a savage attack and had to flee to France, where he has since taken up a case against the security agency and Teliasonera-owned Azercell in the European Court of Justice.

SVT also reported that the black-box surveillance was used in Belarus to track down, arrest, and prosecute protesters who attended an anti-government protest rally following the 2010 Belarusian presidential election.

Similar stories were reported in relation to Kazakhstan, Uzbekistan, Tajikistan, and Georgia. In Azerbaijan and Uzbekistan, sources said security agencies had even been given their own offices within the telecom providers’ headquarters to snoop on communications. One whistle-blower who worked for Teliasonera told the reporters, “The Arab Spring prompted the regimes to tighten their surveillance... There’s no limit to how much wiretapping is done, none at all.”

In response to the documentary, a spokeswoman for Teliasonera said that “police tap into information from telecom networks to fight crime” and “the rules for how far their authority goes are different from country to country.” When pressed about complicity in human rights violations, she looked shaky, refusing to comment on why security agencies were being given access to telecom buildings in Azerbaijan and Uzbekistan.

This article first appeared at: slate.com