Kill Switch
Angie ignored his response. “What happened with SparkleParty?”
“SparkleParty?” Carter gazed off into the distance. “Event based photo sharing social media site, right?”
Angie nodded.
“Well, what I heard via the grapevine,” Carter said, “is that they got hit with a court order to open up their data. So they encrypted everything on the client-side. But the court found them in contempt of the order, because it appeared they were encrypting specifically to circumvent the court order. Why?”
“Then what happened?” Angie asked.
“They didn’t comply, and were shut down for thirty days. They lost their user base. They moved to comply with the original court order, but by then it was too late. I think they were sold for pennies on the dollar, compared to what they were worth just a few months earlier.”
Angie sat back and inspected her nails.
Amber cleared her throat. “Carter, please excuse us.”
Angie shook her head. “Not now. We’ll discuss it after the government leaves.”
Agent Haldor stayed long enough for one of his companions, a DHS lawyer, to go over the timeline and review the details surrounding the implementation. The third government agent was a software architect, who would be their liaison during the implementation.
Carter Schwartz packed his things shortly after the government folks left. “I’ll talk to Dad, but honestly my friends at EFF will know more. I’ll get in touch with them.”
“Let me walk you to the door,” Angie said.
When they reached the conference room door, Angie drew Carter close. “If it goes public that Tapestry is bound by a FISA court order, they’ll believe we released the information intentionally. If they determine that you’ve talked to anyone, they’ll go after you, specifically.”
“Everyone I talk to will be bound under a confidentiality agreement.”
“Not good enough,” Angie said. “By all means, talk to your friends. The EFF are good people. But do it anonymously. They have channels for that. Your friends will appreciate plausible deniability. This might have originated in a FISA court, but the government will go to great lengths to protect their secrets. With everything that Snowden leaked, the government wants to avoid the limelight more than ever.”
Carter looked as if he might say more, but after a moment his shoulders drooped. “You’re right. We’re in dangerous territory.”
Then it was just Angie, Amber, and Maria.
“Matt, please bring lunch for us,” Angie sent by message. “Take care of the details.”
“You want to invite Igloo?” Amber asked. “Can we even include her? Or do we need to tell the government first?”
Angie frowned dismissively. “No, what I have to say needs to stay with just us. It’s on a need to know basis, and up until this morning, nobody besides me needed to know. Now you two need to know.”
“Fine. Then tell us what’s going on,” Amber said.
Angie looked back and forth between Maria and Amber. She’d put off telling anyone the whole picture because if the government knew what she was planning they’d stop her.
They’d stopped dozens, maybe hundreds, of lesser known projects from going public. A little leverage, at just the right time, the right threats or incentives. Then suddenly that new personal security kickstarter disappears. Not to mention the wi-fi router that disguised connections. Mesh networks that hid origination points. Encryption software. Secure email. All those projects, and countless others, disappeared from the net. What happened to them?
Angie shook her head. It was time to stop daydreaming. She needed Amber and Maria onboard.
“Give me a second.”
She pulled a boxy smartphone out of her bag. That clunky custom case wasn’t just a rugged layer of protection. It provided room for a few additional sensors: a wide spectrum programmable radio, and high fidelity acoustic sensors. She looked around the room. The government agents had just been here. It wasn’t even worth scanning it now. It would take too much time. She’d come back tonight and sanitize the room, maybe bring Igloo and teach her a few more tricks.
“Let’s go to my office. I don’t feel safe here.”
Maria gathered her stuff without complaint.
“Not this again,” Amber mumbled.
Angie ignored her. Amber had mostly been in the dark since two years ago. She didn’t know about Angie’s hacking activities, and mostly just thought Angie was paranoid. Of course, even the paranoid have enemies.
They trooped down the hall, entered Angie’s office. She triggered a scan from the room’s built in sensors. All clear. She switched on a white noise generator that put out an audible hiss and inaudible EMF noise. She pulled the double layer of copper-mesh-laced curtains closed. She opened a metal bin and gestured for everyone to put their devices inside.
Amber complied with a sigh. Maria looked puzzled at first but followed suit. Angie closed the lid, and they gathered around her conference table.
“What I’m going to tell you doesn’t leave this room. It doesn’t get talked about with anyone else. It definitely doesn’t get committed to any electronic trail. No emails or messages about it. I need your agreement before we go on.”
Maria tilted her head and stared at Angie, her eyes wide. “Are you going to tell me something illegal? I can’t agree to become your accomplice without knowing what I’m getting into.”
Amber waited for Angie’s response.
“I’m not sure,” Angie finally said. “Maybe. Look, I knew the FISA court order would come sooner or later. But privacy and user control over their data is a fundamental human right. I have a plan that keeps our users’ data private, that I believe conforms to the FISA court order and applicable laws, but the government isn’t going to like it. They’ll try to fight us.”
“Damn it,” Amber said, her voice choked up. “Tomo is about to topple. In another few months at the current rate, we’ll surpass them. We’ve worked day and night to achieve what seemed impossible two years ago. Do you really want to risk all that by pissing off the government? Tapestry is a good system, a really good system. You want perfect. Perfect is the enemy of good. We will lose everything because you want to pursue a pipe dream.”
“This is our only opportunity,” Angie said. “If we try it down the road, the government will view it as deliberate obstruction. It’ll never pass then. We have to do it now.”
“The Daily Journal,” Amber said. “Do you want to become like them?”
The President had had a vendetta against The Daily Journal. After he took office, the FBI coincidentally pursued an investigation, finding dozens of obscure federal regulation violations ultimately leading to a court order that suspended operations of the venerable paper until investigations were completed. Months later, with no advertising revenue, no subscription revenue, and an entire staff occupied with increasingly detailed subpoenas for additional data, the paper was near bankruptcy. Every attempt by a would-be white knight to rescue the company was blocked in one way or the other, until a media mogul bought the paper at a fraction of the original asking price and turned it into yet another puppet media outlet.
All true, all real. Still.
“All the more reason to see my plan through to completion. If we don’t do something, we’ll just be another tool at the government’s disposal. If we do this right, we’re going to lay down the groundwork for true internet privacy. We have to try. If anything goes wrong, I’ll take the brunt of the blame.” She stared at Amber. “You know that.”
Amber, arms crossed, reluctantly nodded. “True.”
“I want to know,” Maria said. “I won’t tell anyone without us agreeing on it first.”
Angie had known Maria six months. She was the new kid on the block, relatively speaking.
They’d spent a three-day weekend together before Angie hired her. One day, holed up in Tapestry’s offices, talking with employees, strategizing. Another with Igloo and Amber, ending with a dinner party with their significant others. Finally, a day-long hike in the gorge, just the two of them. Not normally Angie’s style. She mostly liked to stick to where the Internet connection was good. But she’d wanted a day away from electronics and the world, to get in touch with who Maria really was.
Every employee hired in the beginning was scrutinized, measured for personal commitment to the company’s vision. The most technically competent person would be rejected in a heartbeat if they weren’t committed to Tapestry’s social mission. It was Igloo who had coined their hiring mantra that it was better to take one step in the right direction than five in the wrong direction.
If those early hires were essential, then it was even more important that someone in Maria’s position, who would handle day-to-day affairs so that Angie could work on big picture stuff, be absolutely in line with what the company wanted. Angie believed she fit the bill. While her interpersonal style differed from Angie’s—she was more hands-on—she’d continued to reinforce the original culture. It was all on the line today. Either she trusted Maria or she didn’t.
“Well, spit it out already,” Amber said.
“With the inevitability of the FISA court order,” Angie started, “and the lack of any legal recourse, I realized it was only a matter of time before we’d have to turn over our user data to the government. If the only government requests for data were legitimate ones, most people would not complain. If data collection stopped terrorists or caught criminals, that would be the moral thing to do. But as we’ve seen again and again, the reality is that governments abuse their access, the wrong people get the data. Security is weakened for everyone when there are backdoors. The right thing to do is find a way to keep everyone’s data private. The only way to do that, given that the government is uninterested in ensuring privacy, is a technical solution. An approach which ensures we have no information to turn over, while still offering Tapestry as a service.”
“We’re not newbies,” Amber said. “There’s always going to be something the government can read. We can’t serve up content to the end user without knowing what content we’re providing. Even if we encrypt over the wire so it can’t be spied on by third parties, we still have to know what the user wants and provide it to them.”
“Not always true.” Angie stood, and paced the length of the table. “We provide end-to-end user chat that is encrypted on one user’s computer, and decrypted on another, and even though it flows through our server, we don’t know what either user said.”
“Yes,” Amber said, “but we still know that user A talked to user B.”
“We can solve that a few ways,” Angie said. “We can either have user A talk directly to user B—”
“That’s no help,” Amber said. “Not if you’re trying to keep out the government. They’ll spy directly on the connection. Tapestry might not have the data, but someone does: an ISP, a backbone router.”
“Agreed,” Angie said, “which is why the better solution is onion routing: a network in which nodes forward data for other nodes. Then it’s not possible to be sure that the message A sends to B is intended for B, or some other node.”
“You’re starting to lose me,” Maria said.
Angie spent a few minutes explaining onion routing to Maria, catching her up on the history of TOR and other onion routing networks.
“I think I follow you,” Maria said. “But if what you’re saying is true, if A sends a packet of data to B, and B doesn’t send the same exact packet of data to anyone else, isn’t that proof that the packet was intended for B?”
Angie held up her hand, one finger raised. “Yes, but there are techniques that, when used together, can protect against that attack. First, every client decrypts and re-encrypts the packet. This makes it so that an eavesdropper can’t be sure that two packets of the same length contain the same data.” She raised another finger. “Second, we pad the packets so they’re all the same length, which, in combination with encryption, makes it impossible to tell if any two packets might be related. Third, make sure lots and lots of packets are being forwarded. If all three things happen, then it’s impossible to say which packets got forwarded and which didn’t.”
“That’s all well and good if all you want to do is transfer bulk data,” Amber said. “But we’re running server-side web applications. We have to decide which feed elements to give to which people, and associate data with other data: likes, comments, comments on comments. We have to manage the visibility of data based on privacy settings. None of this can be solved simply by serving up static webpages. We can’t—” Amber looked horrified. “Good grief. Please don’t tell me you want to write all client-side apps.”
“Not exactly,” Angie said. “But—”
“Client-side apps are not feasible,” Amber said. “The average piece of Tapestry content flows through sixteen systems to get from originator to consumption. We have to account for every bit of that.”
“Wait,” Maria said. “We already have client apps.”
“Sure,” Amber said, “we have client apps, but basically all the heavy lifting is done on the server. Most of the reason for even having clients is that those apps are built on top of our transport library. That’s how we get IPFS and web torrent support. We improve content distribution by making all clients participate in an edge network.”
“Yep, I get it,” Maria said. “The IPFS content network brings so many content providers onto Tapestry because they save money by not having to host the content themselves.”
“Right,” Angie said. “Now let me finish. The client apps present the user interface and cache content. But what’s chosen to be presented is done in the cloud, on our servers and the servers of our partners. Those servers cost money. In the same way that we benefit from moving content from the cloud to the edge, we also want to move the application logic to the edge.”
“That’s where I have to disagree,” Amber said. “There’s a reason everyone moved to the cloud. Data, metrics, deployment, control over the environment. Client software is a mess.”
Angie held up her hand. Her phantom hand too, but then no one could see that.
“We’re not going to run client-side software, Amber. We’re going to run our regular web stack, in containers, and we’re going to run those containers client-side,” Angie said. “That’s the part you don’t know.”
Amber rocked back in her chair, eyes narrowed in suspicion. “Full stack? RDS? Message queues?”
“Yep, everything. The biggest change to running everything client-side was how to manage accounting, analytics, and data references. How do we figure out the most popular stories? How do we calculate affinity? How do we attribute comments to the right user without invoking a central authority all while keeping as much confidential as possible? The answer is blockchain and validators.”
“Not you, too.” Maria rubbed her forehead. “I hear about blockchain every third news story, but no one can ever explain how to do anything useful with blockchain. I’m sick of hearing about it.”
“I know, I know,” Angie said. “I’ll explain the details later, but the big picture is that blockchain lets us store confidential data without requiring Tapestry to be a central authority. Independent third parties, what blockchain calls auditors, are built into the client apps. The end result is that if the government, or anyone else, asks us if User A is commenting on User B’s stories, we won’t know. Not centrally. Only people granted visibility to User B’s story would know.”
“I’m totally lost,” Maria said to Amber. “You’re getting this?”
“Yeah, I think so,” Amber said. She turned to Angie. “Walk us through a use case.”
Angie took them through the steps, one by one, explaining distributed ledger systems to Maria, who had never heard of them, and how they could be used to create a tamperproof distributed database.
“Let me see if I have this straight,” Maria said. “Tapestry 1.0, what everyone has been using these last couple of years, is a federated social network in which each piece of functionality is potentially delivered by a different provider. Centralized servers run the code and store user data. Those servers, plus the connections between the clients, servers, users, and content are all vulnerable to FISA court requests, which force companies to provide their data to the government.”
“Right,” Angie said. “Don’t forget about content originating outside the Tapestry ecosystem, like news articles stored on web servers. Who connects to that server is essentially public, as is what the user accessed while on the server. It’s generally tracked through cookies and log files. But in Tapestry 1.0, with IPFS, that content gets stored within a distributed content network.”
“Fine,” Maria said. “Now, in your proposed Tapestry 2.0, we still have all those same federated components. But the code runs in containers on the user’s computer, so there’s no centralized code. The user’s data resides in distributed ledgers, which are visible only to preselected users. They are tamperproof, so they can’t be altered maliciously, or read by unauthorized parties.”
Angie nodded, and Maria continued.
“The connections between these containers use the onion routing techniques you talked about, so no one can see who is talking to whom. The content is distributed and protected via IPFS, also routed over the onion network, so we can’t see who is reading what.”
“You’ve got it,” Angie said, with a big smile.
“How do we account for anything? We still need micro-transactional accounting for payments.”
“Part of the distributed ledgers,” Angie said. “The relevant parties expose only the transactional part to us. We don’t need to know what content was sent, merely that everyone agrees that the content was sent, and that they participated in sending it. We get to see aggregate data, not individual data.”
Amber shook her head. “You’re crazy, you know that? How long have you been working on this?”
Angie let herself smile. “I’ve had people working on parts of it for months. Nobody knows what anyone else is doing. Nobody has the bigger picture because I didn’t want word getting out. But the components can be combined now. We have a month of integration work to do. We can beat the FISA deadline.”