Briefing Jacob Appelbaum

Home , Jacob Appelbaum, The Tor Project

Briefing

for Jacob Appelbaum

Speaker for WikiLeaks, Member of Tor, and Independent Hacker

28 October 2012

Prepared By

Kristen Faulkner | Nolan Kamitaki | Chandan Lodha | Tommy Mullaney | Amy Robinson

- 1 -

Brief Summary of the Issue

Congress is debating a bill requiring all instant messaging (through all kinds of electronic devices) and chat programs to include a mechanism whereby law enforcement authorities can monitor and record the interchange of messages passed through those programs. The bill does not specify whether such monitoring requires a court order, a warrant, or neither.

Brief Reaction to the Issue

In line with your previous positions, you must 1) oppose this bill; 2) advocate for the repeal of all current wiretapping laws; and 3) encourage individuals to use systems (such as Tor) that enable online anonymity.

The Right Approach

This bill is a blatant government infringement on individual’s privacy. Therefore, opposing it is critical. However, that is not enough. You must stop the government’s momentum of overstepping privacy rights gained by recent wiretapping laws. To do this you must oppose all current wiretapping laws, with a specific eye toward the ECPA and CALEA, and advocate for their repeal. While repealing all past laws concerning wiretapping may not be feasible, your high profile stand is of the utmost importance in curbing dangerous anti-privacy momentum. In the meantime, you must encourage individuals to use systems like Tor that enable online anonymity and empower citizens to take privacy matters into their own hands and sidestep government over-regulation.

Examining the bill with respect to constitutional rights, its infeasibility, society’s best interest, and individuals’ best interests, further supports the proposed approach.

Justification for the Right Approach

- 2 -

A. The legal history

Previous rulings have extended the government’s hand in overseeing private communications. Due to the unforeseen increase in digital and electronic communications the

Electronic Communications Privacy Act (ECPA) was enacted in 1986 to update the Federal

Wiretap Act of 1968.1 The ECPA was an attempt to protect communications (emails, telephone conversations, and data stored electronically) from being intercepted while in transit. It also provided procedures for government officials to obtain warrants to intercept communications. In

1994, the Communication Assistance for Law Enforcement Act (CALEA) significantly amended the

ECPA by enabling officials to tap content of new digital technologies. The legislation was extended once more in 2004 when the FCC extended CALEA to apply to broadband networks.2

Legislation has become more and more invasive with respect to privacy, in turn opening gateways for government abuse. The Bush administration admitted to abusing the system by performing warrantless domestic wiretapping.3 This type of abuse is a direct violation of the Fourth

Amendment, which protects individuals from warrantless searches, and encroaches on the First

Amendment’s freedom of speech. The implementation of the proposed bill would only make such constitutional rights easier to breach.

This encroaching momentum of the government is exactly why you must advocate the repeal of all current and invasive wiretapping laws. Rather than implementing systems of scrutiny on its citizens, the government should restore basic, fundamental rights, such as the right to privacy.

B. The proposed law is infeasible

2 CNET News McCullagh, Declan. “FBI: We Need Wiretap-ready Web Sites - Now.” . CBS Interactive, 04 May 2012. Web. 21 Oct. 2012.

- 3 -

The proposed legislation simply will not work. First, the law would be a regulatory disaster, requiring vast resources for futile attempts to prevent the unpreventable. Second, the law would in fact be self-contradicting as it would legally require the addition of large-scale vulnerabilities into instant messaging and chat software.

The proposed legislation would be a regulatory disaster for three reasons: 1) it will not prevent the creation of chat sites that do not conform to the wiretapping mechanism requirement; 2) it will crowd out legitimate uses of anonymous communication so that only more nefarious options will exist; and 3) it deals with multinational cyber issues where the United States has a poor track record.

First, it is practically guaranteed that the enactment of this bill will cause non-compliant chat programs to pop up all over the place. For example, when the music industry and Digital Rights

Management created laws to crack down on copyright-infringing file sharing, a staggering abundance of sites were created as direct violations. The NPD Group, a North American market research company, found that “only 37 percent of music acquired by U.S. consumers in 2009 was paid for.”4

As we can see from the preponderance of illegal music downloading sites, general software piracy sites, and pornography sites, the realm of cyberspace simply cannot be regulated to the degree necessary for enforcing this legislation, and regulation may even exacerbate the situation.

Moreover, trying to enforce the proposed legislation will only serve to prevent and crowd out legitimate uses of anonymous communication (like reporting human rights violations from “danger zones”5) by law-abiding citizens. Citizens less inclined to follow the law -- presumably citizens also less likely to use anonymous communication for legitimate purposes -- will be the ones who end up with the ability to communicate anonymously through the illegal services that will inevitably arise.

4 “FAQ,” Recording Industry Association of America, accessed 26 Oct. 2012.

5 “Users of Tor,” Tor Project, accessed 26 Oct. 2012.

- 4 -

Finally, even if we assume that government officials can ensure that wiretapping mechanisms are installed in all chat software, the use of this wiretapping capability will be dubious given the often international nature of Internet chat traffic. The United States is historically ineffective when it comes to complying with international law and cyber “crime.” One particularly recent example is the American government’s handling of the Kim Dotcom MegaUpload illegal file-sharing case. In this case, the source of the debacle was the excessively-vague warrant used by American authorities to raid Dotcom’s New Zealand residence, a warrant subsequently found “invalid” by New Zealand

High Court Judge Helen Winkelmann.6 The bottom line is that foreign laws on search and seizure may not line up one-for-one with American laws, and given the often international nature of online chat programs, it is far from clear how effectively the new wiretapping capabilities of the proposed law would be used.

On top of the fact that the proposed law would not work, the law itself is contradictory: in the name of “security,” it requires the insertion of vulnerabilities into secure software, and these vulnerabilities could be exploited either by outside hackers or by the chat software developers themselves. Requiring all chat and instant messaging programs to include backdoors and vulnerabilities enabling government officials to monitor conversations is tantamount to inviting hackers to participate in the conversation. We would essentially be slapping a bright, “U.S.

Government” target on every legal chat program, identifying it as inherently vulnerable to attack.

And as we know from Wikileaks, the U.S. government is not particularly good at protecting its “secret” intelligence.7, 8 Moreover, consider a scenario where Company X implements the

6 Ars Technica “Mega-victory: Kim Dotcom search warrants ‘invalid,’ mansion raid ‘illegal,’” , June 28, 2012. Accessed 26 Oct. 2012.

7 “WikiLeaks.”

8 International Federation of Library Associates and “What is the effect of WikiLeaks for Freedom of Information?” Institutions.

- 5 - government-mandated wiretapping backdoor into its public chat software; what is to stop Company

X from monitoring what or whom government officials monitor? This would undermine any covert intelligence obtained under the proposed law because unscrupulous companies and developers could monitor who the FBI, for instance, is watching. Between hackers and developers, this contradictory law -- intended to combat threats to national security -- would create software vulnerabilities that are threats to national security.

C. The Right Approach with respect to individual rights

Online anonymity is critical for all individuals. People from all professions rely on online anonymity today. Wiretapping laws would effectively eliminate the possibility of online anonymity and impair many individual’s Internet uses.9

Perhaps most important, everyday normal citizens use online anonymity for a variety of reasons. Individuals use anonymity to protect themselves from identity theft, protect their communications, protect their children, and research sensitive topics. People who do not want

Internet Service Providers (ISPs) selling their private browsing records, who do not want their IP addresses broadcasting their locations, or who do not want anyone to know when they

Google “sexually transmitted diseases” find solace in online anonymity.

In addition, many professions rely on online anonymity. Online anonymity is critical for journalists, law enforcement officials, and business executives to name a few. For instance,

Reporters without Borders uses anonymity to communicate with journalists around the world.

Anonymity also enables the media and intelligence officials to communicate, ensuring accuracy of information, and provides the media with “off-the-record” sources. Online anonymity enables citizens around the world to access global media and has played a crucial part in social and political revolutions around the world.

9 “Users of Tor,” Tor Project, accessed 26 Oct. 2012.

- 6 -

With respect to law enforcement, officers use online anonymity to undergo undercover operations by communicating with suspects as well as receive and encourage anonymous tips.

Similarly, online anonymity allows individuals to serve as activists and whistleblowers while still protecting their privacy and, even more importantly, their safety. They can report human rights violations and foster more government transparency. Business executives use online anonymity in order to establish security and keep strategies confidential.

All individuals benefit from online anonymity, from the people who do not want to be fired for their blog posts to the celebrities who do not want their political positions to be known. Yet the proposed bill threatens this need for anonymity. If passed, the bill will greatly impact individual’s critical online interactions.

D. The Right Approach with respect to society

The proposed bill will negatively impact society by stifling private sector growth and threatening social media websites. Implementing software updates to comply with the proposed legislation would be time intensive and extremely costly for small businesses, non-profit organizations, and large corporations alike. Additionally, the barriers to entry in the social media market would sharply increase as security costs increased, and the social media industry would become dominated by larger corporations.

Many social media sites that specialize in privacy and anonymous communication, such as

Silent Circle and Tor, would shut down because they are designed specifically to support anonymous communication. If the government demands access to all instant messaging, companies that specialize in anonymous communication will become illegal and obsolete. People will be less likely to share private information through social networking tools such as Google chat, Facebook chat,

LinkedIn, MSN, and blog posts, because many people are currently drawn by the private nature of their conversations online. Social media use would decrease if this bill is passed, perhaps putting

- 7 - some online networking sites out of business. Furthermore, advertising revenues on these sites would decrease as users leave, causing further distress for the advertising industry.

Moreover, the proposed bill will stifle innovation and reduce online sharing of ideas. When people worry about government surveillance or security holes in their online communication, they are less likely to discuss valuable ideas such as scientific research, business proposals, or corporate trends. Entities that valued privacy would be forced to move their conversations from online communication to in-person interactions. Face-to-face conversations, which are more private and secure than online communication, are more expensive and time-consuming. This switch to in-person communication would waste time and resources that could be spent on research, development, or product implementation. Furthermore, long-distance communication among people in different countries or rural areas would decline. Innovation is crucial to United States economic growth and security, and passing this bill would slow economic and scientific progress.

The proposed bill also negatively impacts society by reducing government transparency.

If the government is monitoring instant messaging conversation people will be afraid to speak out against the government in online settings. This will detract from our fundamental right to be critical of our own government. People will be less likely to discuss information regarding government fraud, waste, or corruption, and other information that would be of the public’s interest.

Unrestricted flow of opinions and ideas is crucial to maintaining not just an informed electorate, but also government transparency.

What You Have Done Consistent with This View

As both an advocate of Tor and volunteer for WikiLeaks, your past positions as a computer security expert have always sided with increased individual privacy and greater government

- 8 - transparency. Perhaps your viewpoint can be best summarized with your quotation regarding

Tor, “What’s important to me is that people have communication free from surveillance …

Everyone everywhere should be able to speak and read and form their own beliefs without being monitored. It should get to a point where Tor is not a threat but is relied upon by all levels of society.”10 Incorporating any sort of mechanism allowing law enforcement to watch communication of users would stand in direct contrast to these beliefs of freedom from surveillance. In order to support your views on personal security, the best path of action is to not only oppose this bill, but any instances of government monitoring such as wiretaps.

Your work on Tor as a means for open communication stands directly opposed to incorporating any form of government backdoor vulnerability into chat programs. To begin with, the Tor website overview states that, “Tor provides the foundation for a range of applications that allow organizations and individuals to share information over public networks without compromising their privacy.”11 Tor is designed to manage data pathways by creating random, dynamic routes which prevent those who may be watching from following your path. As an advocate for this project, you regularly speak to the public at a wide range of events to convince others that personal privacy through methods such as Tor is not just an ideal for the average citizen, but of great necessity for many. As discussed above, a wide range of people use Tor, including civilians, activists, journalists, and military, who may need to avoid not just governments, but also malicious individuals who may the jeopardize safety of many others. Having designed some of the features for this project, you are already heavily invested in overseeing the future of the Internet as a tool of open communication rather than of government oppression.

10 Rollingstone.com Rich, Nathaniel. “The American Wikileaks Hacker.” . Rolling Stone, 1 Dec. 2010. Web. 27 Oct. 2012. .

11 Tor Project: Anonymity Online “Tor.” . The Tor Project, Inc., Web. 27 Oct. 2012. .

- 9 -

Wikileaks has focused on being able to provide relevant information and news to the public, even as many targeted governments and corporations would rather their secrets be not brought to light. Your advocacy of this transparent journalism was most widely recognized when you spoke on behalf of Julian Assange, editor-in-chief and founder, at 2010 HOPE hacker conference, stating that, “I fight for the user.”12 Tor and other anonymizing programs form a key facet of allowing sources to submit information to WikiLeaks without fear of further repercussions. Once again, any form of government observation, especially one invasively built into the technology, would prevent many of these stories from reaching the rest of the world, whether through government cover-up or fear from an opposing organization. As noted on the WikiLeaks website, “Publishing improves transparency … better scrutiny leads to reduced corruption and stronger democracies in all society’s institutions …”13 Adding this sort of security flaw would not only prevent new stories from emerging, but would also reduce such transparency. Now, more than ever, you need to continue to “fight for the user.”

Finally, your membership in an Internet cult group, Cult of the Dead Cow (cDc), and history of other related hacker activities is also in line with support for personal privacy. The mission statement of Hacktivismo, a group within cDc focused on developing information access as a human right, contains excerpts from Article 19 of the International Covenant on Civil and

Political Rights (ICCPR), “everyone shall have the right to hold opinions without interference,” and “everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive, and impart information and ideas of all kinds…”14 Allowing the government to monitor forms of electronic messages attacks the freedom of speech for all members of society reliant on

12 Rollingstone.com Rich, Nathaniel. "The American Wikileaks Hacker." . Rolling Stone, 1 Dec. 2010. Web. 27 Oct. 2012. .

13 “About.” WikiLeaks. n.d. Web. 27 Oct. 2012. .

14 Hacktivismo Hactivismo. “The Hacktivismo Declaration." . Hacktivismo and cDc, 4 July 2001. Web. 27 Oct. 2012. .

- 10 - such technology by decreasing governmental transparency. In an interview on technology website

Slashdot, cDc commented that, “The whole point of cDc is to communicate.”15 These forms of surveillance stand diametrically opposed to not just your interests in promoting uninhibited communication, but also to the general hacker ethic of decentralization.

Questions & Answers

Q: How would you address national security concerns such as terrorism?

A: There is no denying that national security is an important priority to keep in mind. We must, however, always ask ourselves “At what price?” Balancing privacy and national security is critical for society, because national security without privacy is meaningless (simply devolves into a Big

Brother oppression from your own government instead of a foreign one). Instituting this legislation will not however lead to less terrorism. Instead, this legislation will drive down legitimate uses of instant messaging online through anonymous networks. Regardless of whether or not anonymous electronic communication is legal, services will exist which allow it to occur. Those plotting terrorism will simply turn to these “black market” systems, and it will drive down the use and innovation of compliant systems. On the other hand, allowing anonymous communication to occur will aid counter-terrorism efforts through sting operations.16 Additionally, terrorists will be able to undermine counterterrorism efforts if this bill is in place, by tracking what law enforcements agencies are tracking, taking advantage of government backdoors and security loopholes, and planting false information through instant messaging efforts.

Q: How would you address illegal pornography issues?

15 Bizzare Answers from Cult of the Dead Cow - Roblimo. “Bizzare Answers from Cult of the Dead Cow - Slashdot.” Slashdot. N.p., 22 Oct. 1999. Web. 27 Oct. 2012. .

16 “Who uses Tor?” Tor.

- 11 -

A: There are two main issues regarding illegal pornography instant messaging: access by minors and child pornography. The access problem is not one which this bill will fix without extensive and blatant spying of all U.S. citizens. In this case, any detection of pornorgaphy related instant messaging would have to be analyzed to determine if it were the behavior of a minor, as most minors will be accessing the Internet through a household with other family members. As such, countless civilians will have their IM conversations monitored without any reasonable expectation of illegal communication. This is an enormous breach of privacy. In the second case of child pornography, removing anonymity would actually make it more difficult to stop the problem. By having anonymity, officers of the law could perform undercover operations to rescue minors who are victims of child pornography or sex-trafficking.

Q: How would you catch child predators without being able to monitor Internet communication?

A: Similar to dealing with victims of sex trafficking, it is a common misconception that allowing a backdoor will help stop child predators. In fact, allowing anonymous communication will lead to significantly less Internet-related predator activity. By protecting innocent and unknowing children from accidentally leaking their IP address or other identifiable information to online predators, completely anonymous services such as Tor prevent child predators from being able to track children.17 Of course, this would not stop children from voluntarily revealing information about themselves -- something which government surveillance could not prevent either -- but it would help law enforcement carry out undercover missions to take down child predators.

Q: In case this law is passed, what action should be taken to mitigate its effects?

A: Under no circumstances should this law be passed. It is a blatant violation of the Fourth

Amendment, privacy rights, and will have severely negative repercussions. If Congress dares to

17 “What’s My IP?”

- 12 - put their meddling hands in to carrying out the injustice of preventing the right to anonymous communication, then The Cult of the Dead Cow will strike back.18 And we will expose the security vulnerabilities that this bill creates. We are anonymous. We are legion. We do not forgive. We do not forget. Expect us.

Talking Points

● Accessing online communication such as email is already easily done with subpoenas (which

is already unbelievable and should be illegal)

● This bill is completely infeasible and it will create far more backdoor security threats than

prevent security threats

● Intercepting “anonymous” communication will undermine significant populations that

currently legitimately use free services like Tor

18 “cDc communications.”

- 13 -