New Telecommunications Provider Aims to Enforce Privacy Rights against Government Surveillance through Consumer Autonomy
By Sofia Rahman
CNET reports that the first ISP executive to challenge the government’s demands for consumer information via national security letters is now in the process of creating what could be the most serious and consistent pushback to government surveillance: “a telecommunications provider designed from its inception to shield its customers from surveillance.”
Nicholas Merrill’s proposed telecommunications provider will provide budget-friendly national mobile and internet service which places consumers first by giving them substantial control over their data and collaborating with public interest organizations like the ACLU and EFF to presumptively challenge seemingly unconstitutional government demands for consumer records. The ISP would be run by Merrill’s non-profit, the Calyx Institute, whose primary goal is to “use every legal and technical means available to protect the privacy of customer data.” The key to Merrill’s approach is making it impossible for the ISP to comply with the FBI’s requests for data, such as stored communications, by allowing consumers to encrypt their information from Calyx itself:
“Through other partnerships, we are poised to offer Internet service in 70 markets in the US using wireless spectrum which we will bundle with end-to-end encrypted Virtual Private Network (VPN) technology in order to keep the customer’s data as private as possible. The next products on the roadmap include hosted email and cloud storage/sync systems that utilize public key cryptography so that only the user possesses the key required to decrypt their email or files. This means that the provider (Calyx) will not be able to read your email or files even if it wanted to. And if Calyx can’t read it, it can’t be targeted by unconstitutional surveillance tactics.”
Calyx would be able to avoid compliance with FBI demands this way because the Communications Assistance for Law Enforcement Act of 1994 (CALEA) states that ISPs cannot be forced to decrypt communications if they don’t actually possess the necessary information. While the FBI has expressed concern about this type of “Going Dark” obstacle inherent to an ISP, the ACLU has embraced Calyx as the rare exception to the major telecommunications providers like Verizon and AT&T which have been unwilling to publicly challenge the government’s demands and have instead handed over billions of consumer records.
Although the government could still evade Calyx’s encryption-based protections by other surveillance methods such as remote installation of spyware or keyloggers, Calyx could still address the government’s controversial ability to prohibit ISPs from providing notice to consumers whose information the government has requested, which renders it near impossible for consumers’ to establish standing in court to assert their privacy rights. With consumers in charge of their own data, the government may be unable to avoid notifying or alerting consumers in the course of surveillance.
Merrill was motivated by his unique experience as a former ISP-executive to confront the government’s ability to restructure the power dynamics of privacy, including the government’s ironic ability to force anonymity in order to acquire confidential information.
In 2004, the FBI sent Merrill a secret NSL (which at the time required no prior judicial review though Congress narrowly addressed this in 2005) demanding that he provide them with confidential customer data and forbidding him from disclosing the FBI’s demand to anyone. Merrill refused to comply and instead sued the FBI and Department of Justice. In order to file suit, Merrill violated the non-disclosure order by hiring the ACLU but litigated the case anonymously and the Washington Post made its first exception to its prohibition on anonymous op-eds in order to publish his piece decrying government secrecy and the usurpation and repression of his identity: “I resent being conscripted as a secret informer for the government and being made to mislead those who are close to me, especially because I have doubts about the legitimacy of the underlying investigation.”
Merrill was prohibited from revealing his identity for six years as the case (known in its most recent form as Doe v. Holder) made its way through the courts and various changes in the Bush and Obama administrations. But Merrill’s persistence led to the first legal victory against the gag orders, with the courts twice finding that they were unconstitutional under the First Amendment: in 2004, because they constituted prior restraints on content-based speech, and in 2008, because they wrongly burdened recipients with challenging the gag orders in the first instance rather than requiring the government to bear the burden of demonstrating the need for non-disclosure. In a 2010 settlement, the FBI allowed Merrill to reveal his identity but kept in place the gag order on the redacted contents of the NSL. In a follow-up Washington Post op-ed, Merrill wrote that the forced anonymity took a debilitating toll on his personal life because he was prohibited from confiding in family and friends.
Calyx may have the potential not only to restore agency of the right of anonymity to recipients of government surveillance demands, but also to assuage consumers who have resorted to anonymous remailers like Hushmail and Mailinator because they lack confidence in the privacy of their standard communications accounts. Calyx has received popular support in forums like Reddit and has a $2 million fundraising goal to start operating later this year.