Super-Privacy-Protecting ISP In the Planning
h00manist writes "Nicholas Merrill ran a New York based ISP and got tired of federal 'information requests.' He is now planning an ISP which would be built from the ground up for privacy. Everything encrypted, maximum technical and legal resistance to information requests. Merrill has formed an advisory board with members including Sascha Meinrath from the New America Foundation; former NSA technical director Brian Snow; and Jacob Appelbaum from the Tor Project. Kickstarter-like IndieGoGo has a project page."
If he pulls this off, he will be very well off. I suspect it will take the dinosaur telcos eons before they understand how to adjust, and by then it just may be too late.
He's tired of fighting The Man, so he's going to set up a new ISP which will let him fight The Man even more? That doesn't even begin to approach making sense. Is this like Fight Club or something?
Welcome to the Panopticon. Used to be a prison, now it's your home.
Former or not, still sounds like a 5th column in the making.
Will people pay for supposed "privacy"? Sure, a few would but absolutely not everyone. Or even a majority of people.
The fact that the local police or FBI can subpoena records held by your ISP to find out what you have been doing online and that Google will disclose that you have been researching poisons if your spouse suddenly dies of some rare and obscure poison is irrelevant to most people. Most people more or less figure that if you have been researching poisons and your spouse dies from one that you probably did it and deserve what is coming.
The fact that it is possible - maybe a 0.001% chance - that an innocent person might be caught up in something like this is remote enough to most people to completely discount it happening. Not. Important. For. Them.
If you are downloading movies, music, software, ebooks and whatever else you can grab off BitTorrent today and after a huge legal effort you get caught, well, most people's attitude is (a) I wish I knew how to do that... and (b) sucks to be you. Again, the offender is 99% of the time the person getting nailed and while there is a possibility of the wrong person getting stuck with the bill we have seen through history that it is rare enough that most people discount it ever possibly happening to them. So it isn't important.
So this can be planned and might attract a few geeky investors. But it is extremely unlikely to survive even one year and probably won't ever be launched. The reality is that almost nobody cares will sink in and doom the project.
Nice idea. Too bad nobody cares. I do not see it affecting mainstream cable companies in the slightest little bit.
Nothing particularly poignant/pertinent to add... however I just want to stand up, clap and be joined in a resounding "ATTABOY"!! This sounds absolutely fantastic!
Seriously, while I love the idea, and really do wish them well, they are effectively just stinging a squad of ogres armed with flamethrowers.
The RSA, CIA, FBI, and DHS all have strongly vested interests in destroying private correspondence for anyone but themselves.
The MPAA, RIAA, and associated gaggle of goons act like they used a hornet's nest suppository at the mere mention that they are anything but "helpless victims" of intellectual property theft, and that the bad, bad, ISPs just wont beweeve dem! (While simultaneously arming a thermonuclear court case)
I don't see this startup ending well, for all the good it would bring to the world if they were.
I see them either being legally raped and blackballed by every major nation and media group, or becoming the victim of something akin to regulatory capture via last minute legislation if they somehow survive.
That is, unless it's filled with... bugs. ?? I don't get it.
sig: sauer
and it will wind up in the basement of the new NSA data center in Utah.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
You could have an agreement with who you sold it to, but they would be under no obligation to have a similar agreement with whomever they in turn sold it to. I am not a lawyer, but I highly doubt there is any way to enforce something like that on down the line of future sales.
A clause in a sales contract that said all future sales had to include the following terms ... would be unlikely to be enforceable. So sure, you could put it in, but then what? If it isn't enforceable and auditable leave it out and make the agreement simpler. That rule goes for just about everything.
Given the rate at which prosecutions are happening, it would become obvious pretty immediately if this ISP were not doing what it promised.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
Stop being so USA-centric - there is a whole world to put your server - and not just in a dictatorship like America.
It will not work unfortunately for these reasons:
1. He is an American, everywhere you go now the US can get you
2. It is located in America
3. The US government owns the root name servers, hence the internet.
This sounds like the makings of a target-rich nailing list for the Feds. Sure, let them build it. We want to see who comes! Now we can concentrate our not inconsiderable assets on cracking this who's who list of the criminal underworld. Why, it's almost as if they had something to hide...
I have Comcast for high speed internet, or nothing! I don't care if you encrypt my information or send it to the cloud in China, having some competition is better than living in a monopolistic world where the monopolies even corrupt the government
God spoke to me
FTFA:
"The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files."
This means that the ISP will need a public key from you and encrypt every email they receive and unless you want spam, that encryption has to happen after it is filtered through spam filters, etc. Next, supposing that your email is stored encrypted, how is an IMAP or POP server going to work? How do they index the file and send you headers, etc? Or is it just the body that will be stored encrypted on their server(s)? At the very least there is a requirement here for custom software at both the email server/client and raising $1,000,000 doesn't buy a whole lot of programmer time once you take out management and all of the other overheads.
There are technical details and questions about the broad plans thus far proposed which make me question whether they've had someone truly proficient in these matters analyse and critique the business and technical plan.
If it ever makes it to where I live, I will definitely be a customer.
The service will probably be ridiculously expensive to cover staff and equipment costs, not to mention the federal, state, and local governments are going to give him a rough time at any chance possible.....but I wish him luck regardless. I just hope this doesn't result in more draconian measures taken by Congress if it does happen to be a success.
Not if they don't identify who they're prosecuting and redact any information that may link the case to the ISP
So are they going to keep enough logging to track down spammers and other abusers on their network?
You need legal advice. Talk to a lawyer.
But to try and stop this you could hamper your terms and conditions so that it has certain immutable clauses. Most services' T&Cs have an ambiguous little clause in them that essentially allows the owner to change any clause in the document without notification or permission. If you excluded certain clauses from this the people who bought the service from you would still have to follow those terms for them to be binding. That is to say they'd either not change them or if they did, they'd have to get people to re-agree to the new terms (allowing them to jump ship).
When you're selling the service, you're as much selling the userbase as the service itself. A user in sale terms is essentially this agreement with the user so that's why the terms matter so much. Much, much more than a promise between you and the buyer, pointedly because your users can see it! If they care, they'll be thankful for you taking this step.
Oh and you'll want to take into account how prospective buyers are going to view this hand-tying. It may lower the saleability of your product.
Either that, or erase the router logs every few seconds.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
It's a trap!
Not if prosecution came with a gag order.
Right, because I'm sure subversiveantigovernmenttypes.com is going to just hand over their records to the FBI and CIA.
We may wind up getting laws against encryption and obfuscation techniques (TOR, etc.) because of this; Congress is nothing if not petulant.
Congress: "Oh that's how you want to play it?" *blam* new laws.
"If any question why we died, Tell them because our fathers lied."
He will be obligated to comply with all the frivolous data requests, or he goes to prison.
Presumably even now, if a judge demands it, his choices are either comply or get jailed. The court takes a dim view on refusal of warrants.
---- Booth was a patriot ----
First, the claim that they will be protected from govt. subpoena is an advertising thing. Don't believe it! If the govt. comes in with a warrant or subpoena, they'll roll over like a good dog, or get raided and shut down. It's as simple as that. Unless they put their servers somewhere beyond the physical and legal reach of the govt. (good luck with that!) and manage to make it feasible for customers to access it, and do both these feats at the same time, their claim to protecting you is a joke, or a lie.
Also, furthermore, why would anyone need an ISP to do this? If you're trying to protect your privacy, just use DuckDuckGo (SSL) instead of Google, and that's a good start right there. THEN, if you're really paranoid, use HTTPS Everywhere, (make sure when you surf the net that you're always looking at an encrypted site,) and use TOR.
I don't worry about eavesdropping by govt. or others on my electronic communications because I fully expect it. If I ever had something I wanted to say to someone and didn't want ANYONE else to overhear, I simply wouldn't use electronic communications.
If I were REALLY paranoid, I would get to some place where no one else can see what's going on, inside a Faraday cage, with the person I want to communicate with, in a sound-proofed booth, completely naked to ensure neither of us is bugged, etc., and communicate by drawing the messages in a box of sand. No words. No trace of the messages left behind after. Actually, that might still not be enough, since your govt. might have the ability to see through walls, etc.
(Of course, I am at least a little paranoid, which is why I stopped using my slashdot account, (I do have one) but would rather post anonymously instead, even though I know it means most likely no one will read it, since it will be score 0 at best, and most people are surfing at like +2 or +3. Oh well.)
To ensure messages are absolutely private, a method of tactile communication would have to be developed, a form of sign-language, but one in which the people would communicate purely by touch, with their hands wrapped in something that has the same thermal signature as the hands inside...
I guess we've passed into the realm of the über-paranoid... sorry. I do that sometimes.
Nothing to stop the government from coercing them into violating their own promises and then giving them immunity for it.
A) The first web site that decides to block traffic from this site. I can almost see the msg, "You have tried to access this content from an anonymous internet address. Please resubmit your request from a trackable source." Or something. B) The fact that, being the first of its kind, this ISP is a pretty juicy target for those who oppose such activity. I suspect the only way to deal with A & B is that multiple such ISPs would have to both form and sign up subscribers en masse. Without such, both A & B seem like barriers to success.
Wait. Stop scrolling for a sec. O.K. Thanks. - P
It's something to be preserved for its own sake. In a way, it enables freedom and preserves the sanctity of the individual.
"Most people more or less figure that if you have been researching poisons and your spouse dies from one that you probably did it and deserve what is coming"
What you're saying is that it's ok to have no privacy because someone who is researching *blank* and *blank* happened probably did *blank* ... it isn't even an argument.
If the ISP uses NAT instead of real IP addresses for each customer, that would cover the vast majority of issues that currently impact customers. If IP addresses are shared, they can't trace back an IP address to a single account holder.
Short of that, you could set up a localized TOR network that only consists of local users on the same broadband connection, so that it has nearly the speed of a native connection while providing a good deal of privacy. If you had a broadband provider that included that by default in a provided router, that would be great.
I don't have a car.
This space available.
Simple. Tell them that you CAN'T guarantee that the service will stay the same if you sell the site. Because you CAN'T.
So, if you choose to sell the site, tell them you've sold it and that though their data was not stored and therefore not transferred to the new owner, you have no control over what the new owner does.
You'll lower the sale price by doing this, but if a high sale price is your goal then you wouldn't be doing this in the first place. You'd spend your time designing some stupid iPhone apps instead.
This space available.
And issue a gag order on the victim and his lawyers, friends, and family?
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
And the people who would use such an ISP are all going to be compliant, I take it?
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
Is this guy retaining logs matching IP addresses to customers? It's hard to tell from TFA if he is, but if he is not it becomes very very difficult to link a visit to a web page or a download from a Torrent back to the human being that carried out the action.
Now you're getting it!
BTW, it's called a Fry-Hole, not Hawking-Hole
It is a very simple explanation:
Peering
If he intends to seriously run everything encrypted no Tier 1 provider will peer with him, it's that simple.
Even if they wanted to peer with him you can be damn sure the NSA, FBI, CIA and every other 3 letter acronym intelligence agency will have a quiet meeting with some CEOs and that will be the end of it because whether you like it or not there are some people and groups we need to keep tabs on and you really want your government to catch before they do something really nasty and NO this is not about torrents or PB or any other crap like that the CIA and the NSA could care less about.
Hey KID! Yeah you, get the fuck off my lawn!
If they don't want to be dragged off to Guantanamo Bay, they will.
everything in me screams honeypot....
If they do need such numbers for budget time, I have not checked out enough books to know that :(
120 characters ought to be enough for anyone
Even if he builds this ISP it's very unlikely he will be able to build it in such a way that there is no FBI surveillance of the ISP itself or backdoors or moles etc. Basically there is nothing he can do if the FBI is determined to wiretap someone.
What this does is it makes it too expensive for the FBI to wiretap and monitor millions of people at a time. It does not prevent the FBI from wiretapping any specific person. If the FBI puts anyone under physical surveillance then none of that fancy encryption or privacy protecting ISP stuff is going to help.
It's actually quite ingenious... He's going to create an ISP where it is much more difficult to compromise a user's privacy. They're designing it from the ground up to be PATRIOT-Act proof because it will literally be impossible for them to give the feds the data they want. It is fewer fights, but may amount to one HUGE fight with the biggest gorilla on earth, the U.S. Justice Department.
It is not without precedent. After the PATRIOT Act made it legal for the feds to confiscate book borrowing records from libraries without even a warrant, most libraries switched over to lending software that deleted all records once a book was returned. So, at worst, the feds could find out what a patron currently had checked out, but no borrowing history was available to anyone.
As far as I know, the DOJ hasn't tried, at least in court, to make a library use a less privacy-preserving system.
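The delete-on-return design described in the comment above, as an added example that is not part of the comment or taken from any real library system: a loan table with no history, plus a check of the raw database file, which goes one step beyond the comment because a deleted row can still be readable on disk. The table layout, function names, patron IDs and titles are all constructed for illustration; it uses SQLite's `secure_delete` pragma.

```python
import os
import sqlite3
import tempfile

# Constructed sample identifiers (not real patrons or catalogue entries).
RETURNED_PATRON = "patron-7F3A-constructed"
ACTIVE_PATRON = "patron-21C9-constructed"

def open_db(path, secure_delete):
    conn = sqlite3.connect(path)
    # ON: SQLite overwrites deleted content with zeros.
    # OFF: the old bytes stay in the file until the space is reused.
    conn.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
    # Hypothetical schema: only current loans exist, no history table,
    # no "returned_at" column.
    conn.execute("CREATE TABLE IF NOT EXISTS loans ("
                 "book TEXT PRIMARY KEY, patron TEXT NOT NULL)")
    return conn

def check_out(conn, book, patron):
    with conn:  # commit on success
        conn.execute("INSERT INTO loans VALUES (?, ?)", (book, patron))

def check_in(conn, book):
    # Returning a book removes the only record linking it to the patron.
    with conn:
        conn.execute("DELETE FROM loans WHERE book = ?", (book,))

def records_for(conn, patron):
    # Everything the system can produce about a patron when asked.
    rows = conn.execute(
        "SELECT book FROM loans WHERE patron = ? ORDER BY book", (patron,))
    return [r[0] for r in rows]

def residue_after_return(secure_delete):
    """One borrow/return cycle: what a records request finds, and whether
    the returned patron's ID is still present in the raw database file."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "loans.db")
        conn = open_db(path, secure_delete)
        check_out(conn, "Book 1 (constructed)", RETURNED_PATRON)
        check_out(conn, "Book 2 (constructed)", ACTIVE_PATRON)
        check_in(conn, "Book 1 (constructed)")
        result = {
            "returned_patron_records": records_for(conn, RETURNED_PATRON),
            "active_patron_records": records_for(conn, ACTIVE_PATRON),
        }
        conn.close()
        with open(path, "rb") as f:
            result["id_in_file"] = RETURNED_PATRON.encode() in f.read()
        return result

if __name__ == "__main__":
    for mode in (False, True):
        print("secure_delete =", mode, residue_after_return(mode))
```

The file check covers only the main database file; journals, backups and filesystem snapshots hold copies of their own and need the same treatment.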
What everyone fails to consider is the feds can just take the data they want whether you legally give it to them or not. The feds have all the technological and physical means to take any information from any ISP or entity.
They can do it the legal way and have guys in suits and ties walk in with the Patriot Act or National Security letter or whatever and politely ask for it, or they can send some blackhats in to steal or hack the information. This ISP is simply going to make the feds rely more on extrajudicial means to get what they want.
This sort of ISP is useless if only thousands of well known geeks use it. Basically the sort of people likely to use it are the sort of people the NSA and FBI already have under surveillance.
If you're the government wanting to spy on all the tin foil hat crazies, wouldn't the best way be to run the privacy/security/encryption/anonymizer yourself. How do you know this ISP is trustworthy?
Even if the ISP is trustworthy, if just one or two undercover government agents work there it's enough to make the ISP compromised.
Of course, it would be far more elegant if the three letter agencies are behind this company in the first place. No need for any accidents, and you get users' trust.
I'm not suggesting that's the case, just a "what if"...
No, of course, not the majority of people will be interested in this. But I know many non-techy people interested in keeping their data as secure and un-snooped as possible. What mechanisms do they have? Well, to prefer encrypted channels, to avoid storing any meaningful data on well-known big-brand providers as Google, Yahoo and the such. My friends are somewhat naïve, I know - But, using Tor for accessing some sensitive information (even with its limitations), handling their mail at a more "trustable" (for some definition of trust) organization such as Riseup, and having an introductory working knowledge of GPG... Shows their concern. Maybe not a concern deep enough to learn how to self-host, and maybe some of their attempts only get halfway there.
If such an ISP were to open in my country, I am sure many people would use it. In the USA, I know many privacy-minded people. Let's see what impact they manage to achieve - But many people will be happy to pay, if only, for the principle that they are doing the Right Thing. Think about it, that's the reason many of us (with our time) to learn and produce Free Software.
Somehow I don't think that's going to work out. Because people who choose such an ISP are obviously the compliant types.
"Who is the Journal of Quantum Physics going to believe?" --Stephen Hawking
When requested. What I'm saying is for everyday use, that is, joe conspiracy theorist who is looking into an ISP that is relatively private and safe, it turns out that the United States has no such law that prevents the ISP from just dumping logs into the null bin. Logs? We don't need no stinkin' logs.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.