Friday, May 04, 2012
BOB GARFIELD: If CISPA does pass, your service provider might well end up providing your information to the government. Nick Merrill has a possible solution. He was the first person ever to successfully challenge a National Security Letter. That’s a secret government demand for information, and if you get one you're not allowed to tell anyone. Merrill fought that gag order and won.
Now, his organization, Calyx, is building a different kind of Internet service provider. He’s enlisted privacy hawks and ex-National Security Agency executives as advisers and designed a system to make it nearly impossible for the government to extract customer information from him, even if he’s compelled to.
NICK MERRILL: The concept here is to use encryption, which scrambles the data, and then to leave the only set of keys that can unlock the data in the hands of the user. I mean, I would like to point out that the system that we’re building doesn’t preclude the government from getting people’s data if they really need it. But probably the best procedure for them to do that in this kind of a situation would be to go directly to that user and get their private key in order to unlock the data.
BOB GARFIELD: Won’t the encryption make it impossible for law enforcement to conduct an investigation without informing the subject that he’s under scrutiny?
NICK MERRILL: No. I can even give you a real-world example of where it was done, Nicky Scarfo. He was an alleged Mafia don, and he used encryption technology on his email. The authorities apparently got the right to tap his Internet but they weren’t able to read his emails. They broke into his house when he was away and they put a device called a key logger on his computer, which fits typically between the computer and the keyboard. The police thus obtained his password and then were able to unlock his emails. And he was none the wiser, until one day they kicked down his door and had all the evidence they needed to convict him. So I see no reason why it couldn’t be done again.
BOB GARFIELD: Why don’t existing ISPs encrypt their data? Is it only because they make money mining the data for behavioral and contextual information about the user?
NICK MERRILL: There’s probably quite a number of reasons why. And, first of all, the status quo is that everything is open. So you would have to have some kind of a reason to change that. I just happened to come up with this idea that this needs to be
reexamined, in part, due to, you know, my experiences with the National Security Letter’s provision of the Patriot Act. But it wasn’t just about that. It, it also touches on some greater issues that the country has in terms of cyber security.
I’m making an argument with this new service that I’m trying to set up that cyber security and privacy in a lot of ways are the same issue but with different framing. And to the extent that we can get a lot of people to use strong encryption on their data and on their communications, we can do something to address both of those issues at the same time.
BOB GARFIELD: It seems to me that there is at least one federal law requiring ISPs and other telecom providers to have a back door accessible to government who, with a search warrant or a subpoena, can get access to the very kinds of content we’re describing. If an encrypted ISP essentially welds that back door shut, would Calyx be in violation of federal law from day one?
NICK MERRILL: I’m assuming that you're speaking of the CALEA Law passed in 1994. It originally just applied to telephones, and when the telephone service went from analog to digital the authorities decided they needed a back door built in so that they could easily capture the communications. And over time it was expanded to cover also broadband Internet and Voice Over IP. So we’re going to have to have a back door, so that communications can be captured. The catch though is that whatever communications that we’ll be able to hand over will be encrypted. To the best of my knowledge, I think we found our niche, where we comply with everything but we stick to the principle that the user owns their data.
BOB GARFIELD: Nick, thank you once again for joining us.
NICK MERRILL: Thank you very much for having me on your show.
BOB GARFIELD: Nick Merrill is the founder of Calyx Internet Access and The Calyx Institute.