Yes, they scan

Post Edward Snowden?s revelations, small privacy services tech firms are shutting shop instead of surrendering user data to governments

Written by Pratik Kanjilal

August 15, 2013 03:42 IST

When the Prism data mining project of the US National Security Agency was exposed by Edward Snowden in June, the technology press predicted a privacy boom in IT and communications. Ironically, the very first privacy brand name quoted in a Slashdot article was Silent Circle, which silently, unilaterally shut down its encrypted Silent Mail service last week. It committed pre-emptive sepukku to avoid being served with a notice requiring it to divulge user data to the government. It was one of three popular privacy services which winked out in quick succession. Only one, Tormail, was uncomfortably close to criminal activity.

Privacy, which was looking up so nicely, is suddenly a high risk industry. The first service to shut down was Lavabit, whose owner Ladar Levison chose to ?walk away from 10 years of hard work? rather than ?become complicit in crimes against the American people?, according to an open letter to his 4.1 lakh users. Levison explained that under national security legislation, he is restricted even from talking about the legal arm-twisting he has suffered. Lavabit?s closure grabbed media attention nevertheless because many journalists had received mail from one edsnowden@lavabit.com, then marooned in Sheremetyevo Airport, Moscow.

That was on August 8, and Lavabit is probably the first technology company ever to close a service to block government access to private data. The next day, Silent Circle closed its encrypted mail service, retaining only peer-to-peer text, audio and video services which use encryption keys stored on client computers. The host cannot be forced to decrypt those conversations for lack of keys. CEO Michael Janke revealed that the US government was interested in high-value clients.

The third popular service to vanish was Tormail, and it was read as part of a pattern. It was. At the same time, it wasn?t. But the apparent hat-trick highlighted an uncomfortable contrast. Giants like Google, Microsoft and Yahoo could be coerced into surrendering user data to government, whereas small technology firms were willing to shut down rather than comply.

However, the erasure of Tormail differs from other cases of forced digital disappearance in an important respect: it was not itself coerced by a government. It went down after the arrest in Ireland of Eric Eoin Marques, owner of Freedom Hosting, on which a number of Tor products and services including Tormail were hosted, for running a server containing child pornography. It was collateral damage following real criminal activity which even the hacker community, which loves Tor, has hated. Child porn groups within Tor have been repeatedly attacked by the hacktivist group Anonymous.

Tormail?s case differs in another important way?like everything else on Tor, it was set apart from the rest of the Internet. It was in the ?deep web?, the part of the Net which cannot be reached by search engines and normal addressing. The mail service was actually part of the ?deepest? web, which exists only inside the ?onion routing? of the Tor network?three layers of addressing obfuscation, like layers of an onion, which ensure a fairly high degree of anonymity.

Tor was compromised by a Javascript injection attributed to the FBI, which silently dialled home when a Firefox browser run inside the onion was brought back to the regular Internet. The exploit targets only Firefox running on Windows. If you have used the same copy of Firefox in normal and Torified modes recently, and accessed Tormail from a Windows machine, you may have been identified as a person of interest. If you use the Tor-Firefox bundle anonymously and regular Firefox routinely, or do not use Windows, you’re safe.

What makes this case particularly interesting is that services within the Tor network are dual use. The technology was created to help dissidents, NGOs and journalists living dangerously to communicate without being identified by mad monarchs and secret police. However, drug dealers, credit card skimmers, money launderers, gun-runners, identity thieves, forgers and even freelance assassins use the same technology to market their services. The closure of such dual-use systems has ethically mixed consequences.

On the Net, such consequences are global. When Prism was exposed, everyone wanted to know if only Americans were under the scanner. Actually, everyone is being watched since, for historical reasons, perhaps 80% of the world?s communications run through switches and servers located in the US and are subject to its laws and policies. All of Internet traffic used to run through the US but international transit flows have been falling in response to the passage of the Patriot Act.

Consider a contrast: Iceland has positioned itself as a safe haven for server farms with strong laws for the protection of data, journalists and whistleblowers. Nations like it, which are not technology majors today, nevertheless stand a good chance of incubating the next generation of digital media and communications enterprises.

pratik.kanjilal@expressindia.com

This article was first uploaded on August fifteen, twenty thirteen, at forty-two minutes past three in the night.