Surveillance Valley
I never got a good answer from the privacy community, but what I did get was a lot of smears and threats.
Journalists, experts, and technologists from groups like the ACLU, EFF, Freedom of the Press Foundation, and The Intercept and employees of the Tor Project joined in to attack my reporting. Unlike Lee, most did not attempt to engage my reporting but employed a range of familiar PR smear tactics—tactics you usually see used by corporate flacks, not principled privacy activists. They took to social media, telling anyone who showed interest in my articles that they should ignore them instead.83 Then, when that didn’t work, they tried to discredit my reporting with ridicule, misdirection, and crude insults.
A respected ACLU privacy expert who now works as a congressional staffer called me “a conspiracy theorist who sees black helicopters everywhere” and compared my reporting about Tor to the Protocols of the Elders of Zion.84 As someone who escaped state-sponsored anti-Semitism in the Soviet Union, I found the comparison extremely offensive, especially coming from the ACLU. The Protocols were an anti-Semitic forgery disseminated by the Russian Tsar’s secret police that unleashed waves of deadly pogroms against Jews across the Russian Empire in the early twentieth century.85 Tor employees put forth a torrent of childish insults, calling me a “dumb Stalinist state-felcher” and a “fucktard’s fucktard.” They accused me of being funded by spies to undermine faith in cryptography. One of them claimed that I was a rapist, and hurled homophobic insults about the various ways in which I had supposedly performed sexual favors for a male colleague.86
In the way that these Internet hazing sessions go, the campaign evolved and spread. Strange people began threatening me and my colleagues on social media. Some accused me of having blood on my hands and of racking up an “activist body count”—that people were actually dying because my reporting undermined trust in Tor.87
The attacks widened to include regular readers and social media users, anyone who had the nerve to ask questions about Tor’s funding sources. An employee of the Tor Project went so far as to dox an anonymous Twitter user, exposing his real identity and contacting his employer in the hopes of getting him fired from his job as a junior pharmacist.88
It was bizarre. I watched all this unfold in real time but had no idea how to respond. Even more disconcerting was that the attacks soon expanded to include libelous stories placed in reputable media outlets. The Guardian published a story by a freelancer accusing me of running an online sexual harassment and bullying campaign.89 The Los Angeles Review of Books, generally a good journal of arts and culture, ran an essay by a freelancer alleging that my reporting was funded by the CIA.90 Paul Carr, my editor at Pando, lodged official complaints and demanded to know how these reporters came to their conclusions. Both publications ultimately retracted their statements and printed corrections. An editor at the Guardian apologized and described the article as a “fuck up.”91 But the online attacks continued.
I was no stranger to intimidation and threats. But I knew that this campaign wasn’t just meant to shut me up but was designed to shut down debate around the official Tor story. After the initial outbreak, I laid low and tried to understand why my reporting elicited such a vicious and weird reaction from the privacy community.
Military contractors hailed as privacy heroes? Edward Snowden promoting a Pentagon-funded tool as a solution to NSA surveillance? Google and Facebook backing privacy technology? And why were privacy activists so hostile to information that their most trusted app was funded by the military? It was a bizarro world. None of it quite made sense.
When the smears first started, I had thought they might have been driven by a petty defensive reflex. Many of those who attacked me either worked for Tor or were vocal supporters, recommending the tool to others as protection from government surveillance. They were supposed to be experts in the field; maybe my reporting on Tor’s ongoing ties to the Pentagon caught them off-guard or made them feel stupid. After all, no one likes being made to look like a sucker.
Turns out, it wasn’t that simple. As I pieced the story together, bit by bit, I realized there was something much deeper behind the attacks, something so spooky and startling that at first I didn’t believe it.
Chapter 7
Internet Privacy, Funded by Spies
This so-called Internet Freedom, is in nature, freedom under US control.
—China’s Global Times newspaper, 2010
December 2015. A few days after Christmas in Hamburg. The mercury hovers just above freezing. A gray fog hangs over the city.
In the town’s historic core, several thousand people have gathered inside a modernist cube of steel and glass known as Congress Center. The attendees, mostly geeky men, are here for the thirty-second annual meeting of the Chaos Computer Club, better known as 32c3. The conference atmosphere is loud and cheery, a counterpoint to the head-down foot traffic and dreary weather outside the center’s high glass walls.
32c3 is the Hacktivist Davos, an extravaganza put on by the oldest and most prestigious hacker collective in the world. Everyone who is anyone is here: cryptographers, Internet security experts, script kiddies, techno-libertarians, cypherpunks and cyberpunks, Bitcoin entrepreneurs, military contractors, open source enthusiasts, and privacy activists of all nationalities, genders, age groups, and intel classification levels. They descend on the event to network, code, dance to techno, smoke e-cigarettes, catch the latest crypto trends, and consume oceans of Club-Mate, Germany’s official hacker beverage.
Look this way and see Ryan Lackey, cofounder of HavenCo, the world’s first extralegal offshore hosting company, run out of an abandoned World War II cannon platform in the North Sea off England’s coast. Look that way and find Sarah Harrison, WikiLeaks member and Julian Assange confidante who helped Edward Snowden escape arrest in Hong Kong and find safety in Moscow. She’s laughing and having a good time. I wave as I pass her on an escalator. But not everyone here is so friendly. Indeed, my reputation as a Tor critic has preceded me. In the days leading up to the conference, social media had again lit up with threats.1 There was talk of assault and of spiking my drink with Rohypnol if I had the nerve to show my face at the event.2 Given my previous run-in with the privacy community, I can’t say I expected a particularly warm reception.
The Tor Project occupies a hallowed place in the mythology and social galaxy of the Chaos Computer Club. Every year, Tor’s annual presentation—“The State of the Onion”—is the most well-attended event in the program. An audience of several thousand packs a massive auditorium to watch Tor developers and celebrity supporters talk about their fights against Internet surveillance. Last year, the stage featured Laura Poitras, the Academy Award–winning director of the Edward Snowden documentary, Citizen Four. In her speech, she held up Tor as a powerful antidote to America’s surveillance state. “When I was communicating with Snowden for several months before I met him in Hong Kong, we talked often about the Tor network, and it is something that actually he feels is vital for online privacy and to defeat surveillance. It is our only tool to be able to do that,” she said to wild applause, Snowden’s face projected onto a giant screen behind her.3
This year, the presentation is a bit more formal. Tor has just hired a new executive director, Shari Steele, the former head of the Electronic Frontier Foundation. She takes the stage to introduce herself to the privacy activists assembled in the hall and pledges her allegiance to Tor’s core mission: to make the Internet safe from surveillance. Up there, emceeing the event, stands Jacob Appelbaum, “Jake,” as everyone calls him. He is the true star of the show, and he lavishes praise on the new director. “We found someone who will keep the Tor Project going long after all of us are dead and buried, hopefully not in shallow graves,” he says to cheers and applause.4
I catch a glimpse of him walking the halls after the event. He’s dressed in jeans and a black T-shirt, a tattoo peeking out from under one of the sleeves. His jet-black hair and thick-rimmed glasses frame a rectangular, fleshy face.
He is a familiar sight to people at 32c3. Indeed, he carries himself like a celebrity, glad-handing attendees while his fans cluster nearby to listen to him boast of daring exploits against oppressive governments all around the world.
He ducks into an auditorium where a speaker is talking about human rights in Ecuador and immediately hijacks the discussion. “I am of the eliminate-the-state crypto world. I want to get rid of the state. The state is dangerous, you know,” he says into a microphone. Then he cracks a devious grin, leading a few people in the audience to hoot and cheer. He transitions into a wild story that puts him at the center of a failed coup attempt hatched by Ecuador’s secret police against their president, Rafael Correa. Naturally, Appelbaum is the hero of the tale. President Correa is widely respected in the international hacker community for granting Julian Assange political asylum and for giving him refuge at the Ecuadorian embassy in London. Like a modern Smedley Butler, Appelbaum explains how he refused to go along. He did not want to use his righteous hacker skills to take down a good, honest man, so he helped foil the plot and saved the president instead. “They asked me to build a mass surveillance system to tap the entire country of Ecuador,” he said. “I told them to go fuck themselves, and I reported them to the presidency. I think you are proposing a coup. I have your names—you’re fucked.”
A few people on stage look embarrassed, not believing a word. But the audience laps it up. They love Jacob Appelbaum. Everyone at 32c3 loves Jacob Appelbaum.
Appelbaum is the most storied member of the Tor Project. After Edward Snowden and Julian Assange, he is arguably the most famous personality in the Internet privacy movement. He is also the most outrageous. For five years he’s played the role of a self-facilitating media node and counterculture Ethan Hunt, a celebrity hacker who constantly changes his appearance, travels the world to speak at conferences and conduct teach-ins, and fights injustice and censorship wherever they rear their ugly government heads. Appelbaum wields cultural power and influence. While Assange was stuck in a London embassy and Snowden was stranded in Moscow, Appelbaum was the face of the antisurveillance movement. He spoke for its heroes. He was their friend and collaborator. Like them, he lived on the edge, an inspiration to countless people—hundreds, if not thousands became privacy activists because of him. You’d hear it over and over: “Jake’s the reason I’m here.”
But that year’s Chaos Computer Club party represented the peak of his career. For years, rumors had spread inside the cliquish Internet privacy community about his history of sexual harassment, abuse, and bullying. Six months after the conference, the New York Times ran a story that brought these allegations to light, revealing a scandal that saw Appelbaum ejected from the Tor Project and that threatened to tear the organization apart from the inside.5
But all that was in the future. That evening in Hamburg, Appelbaum was still enjoying his fame and celebrity, feeling comfortable and secure. Yet he was carrying another dark secret. He was more than just a world-renowned Internet freedom fighter and confidant of Assange and Snowden. He was also an employee of a military contractor, earning $100,000 a year plus benefits working on one of the most disorienting government projects of the Internet Era: the weaponization of privacy.6
The Box
A few weeks after I glimpsed Jacob Appelbaum at 32c3, I arrived home in the United States to find a heavy brown box waiting for me on my doorstep. It was postmarked from the Broadcasting Board of Governors, a large federal agency that oversees America’s foreign broadcasting operations and one of the Tor Project’s main government funders.7 The box contained several thousand pages of internal documents on the agency’s dealings with Tor that I had obtained through the Freedom of Information Act. I had been impatiently waiting for months for it to arrive.
By then I had spent almost two years investigating the Tor Project. I knew that the organization had come out of Pentagon research. I also knew that even after it became a private nonprofit in 2004, it relied almost entirely on federal and Pentagon contracts. In the course of my reporting, representatives of Tor grudgingly conceded that they accepted government funding, but they remained adamant that they ran an independent organization that took orders from no one, especially not the dreaded federal government, which their anonymity tool was supposed to oppose.8 They repeatedly stressed that they would never put backdoors in the Tor network and told stories of how the US government had tried but failed to get Tor to tap its own network.9 They pointed to Tor’s open source code; if I was really worried about a backdoor, I was free to inspect the code for myself.
The open source argument appeared to nullify concerns in the privacy community. But backdoors or not, my reporting kept butting up against the same question: If Tor was truly the heart of the modern privacy movement and a real threat to the surveillance power of agencies like the NSA, why would the federal government—including the Pentagon, the parent of the NSA—continue to fund the organization? Why would the Pentagon support a technology that subverted its own power? It did not make any sense.
The documents in the box waiting on my doorstep contained the answer. Combined with other information unearthed during my investigation, they showed that Tor, as well as the larger app-obsessed privacy movement that rallied around it after Snowden’s NSA leaks, does not thwart the power of the US government. It enhances it.
The disclosures about Tor’s inner workings I obtained from the Broadcasting Board of Governors have never been made public before now. The story they tell is vital to our understanding of the Internet; they reveal that American military and intelligence interests are so deeply embedded in the fabric of the network that they dominate the very encryption tools and privacy organizations that are supposed to stand in opposition to them. There is no escape.
Spies Need Anonymity
The story of how a military contractor wound up at the heart of the privacy movement starts in 1995 at the Naval Research Laboratory inside the Anacostia-Bolling military base on the Potomac in southeast Washington, DC.10 There, Paul Syverson, an affable military mathematician with big hair and an interest in secure communication systems, set out to solve an unexpected problem brought on by the explosive success of the Internet.
Everything was being hooked up to the Internet: banks, phones, power plants, universities, military bases, corporations, and foreign governments, both hostile and friendly. In the 1990s, hackers, who some believed to be tied to Russia and China, were already using the Internet to probe America’s defense network and steal secrets.11 The United States was beginning to do the same to its adversaries: collecting intelligence, bugging and hacking targets, and intercepting communications. It was also using commercial Internet infrastructure for covert communication.
The problem was anonymity. The open nature of the Internet, where the origin of a traffic request and its destination were open to anyone monitoring the connection, made cloak-and-dagger work tricky business. Imagine a CIA agent in Lebanon under deep cover as a businessman trying to check his operative email. He couldn’t just type “mail.cia.gov” into his web browser from his suite in the Beirut Hilton. Simple traffic analysis would immediately blow his cover. Nor could a US Army officer infiltrate an Al-Qaeda recruiting forum without revealing the army base’s IP address. And what if the NSA needed to hack a Russian diplomat’s computer without leaving a trail that led right back to Fort Meade, Maryland? Forget about it. “As military grade communication devices increasingly depend on the public communications infrastructure, it is important to use that infrastructure in ways that are resistant to traffic analysis. It may also be useful to communicate anonymously, for example when gathering intelligence from public databases,” Syverson and colleagues explained in the pages of an in-house magazine put out by his research lab.12
American spies and soldiers needed a way to use the Internet while hiding their tracks and cloaking their identity. It was a problem that researchers at the US Navy, which has historically been at the forefront of communications technology research and signals intelligence, were determined to solve.
Syverson assembled a small team of military mathematicians and computer systems researchers. They came up with a solution called “the onion router,” or Tor. It was a clever system: the navy set up a bunch of servers and linked them together in a parallel network that sat atop the normal Internet. All covert traffic was redirected through this parallel network; once inside it was bounced around and scrambled in such a way as to obfuscate where it was going and from where it came. It used the same principle as money laundering: shifting information packets from one shell Tor node to another until it is impossible to figure out where the data came from. With onion routing, the only thing an Internet provider—or anyone else watching a connection—saw was that the user connected to a computer running Tor. No indication of where the communications were actually going was apparent. And when the data popped out of the parallel network and back onto the public Internet on the other side, no one there could see where the information had come from either.
Syverson’s team of Naval scientists worked on several iterations of this system. A few years later, they hired two fresh-faced programmers, Roger Dingledine and Nick Mathewson, from the Massachusetts Institute of Technology to help build a version of the router that could be used in the real world.13
Dingledine, who received his master’s in electrical engineering and computer science and who was interested in cryptography and secure communications, had interned at the National Security Agency. Mathewson had similar interests and had developed a truly anonymous email system that hid a sender’s identity and source. Mathewson and Dingledine had met as freshmen at MIT and became fast friends, spending most of their days in their rooms reading Lord of the Rings and hacking away at stacks of computers. They, too, believed in the cypherpunk vision. “Network protocols are the unacknowledged legislators of cyberspace,” Mathewson bragged to journalist Andy Greenberg. “We believed that if we were going to change the world, it would be through code.” In college, the two saw themselves in romantic terms, hacker rebels taking on the system, using computer code to fight government authoritarianism. They were out there to fight The Man. But that did not stop them from going to work for the Pentagon after graduation. Like too many hacker rebels, they had a very limited conception of who “The Man” was and what it would mean in real political terms to fight “him.”