Is What You Do Online Ever Really Safe From Prying Eyes?
Every day in our online lives, we share hundreds of intimate details: PIN numbers, political beliefs, photos of significant others, addresses, work history. But can we ever truly trust any Internet service to protect our information? This was the central question at a panel discussion on Internet privacy held last night at SubCulture, a subterranean venue on Manhattan’s Bleecker Street. The panel was organized to celebrate the launch of Tunnel X, a secure messaging service meant to ensure that people can have confidential online communications with friends, family and colleagues. As guests in the packed room nibbled on perfectly cut radishes and sipped on complimentary Blue Point ales, the conversation kept circling back to the same question: why should we believe your service is safer than any other?
Tunnel X, a Brooklyn-based startup, is the brainchild of web designer Eric Liftin, who moderated the panel. Joining him on the blue-lit stage were Harvard constitutional law professor Laurence Tribe, attorney Ian Samuel, Salon CEO Cindy Jeffers and Daniel Menaker, the former fiction editor of the New Yorker. Given the diversity of the panelists’ backgrounds, the conversation ranged from the abstract (what defines a private conversation) to the technical (how the government uses SSL keys to decode encrypted communications). The one thing all of the participants agreed on, however, was that digital privacy should be considered a basic human right.
Liftin designed Tunnel X with this exact concern in mind. After Edward Snowden’s revelations of mass government surveillance launched digital privacy into the public consciousness last summer, ordinary people became worried about who could access their online communications. Liftin wanted to make it easier for people—not just journalists, whistleblowers or others in possession of highly confidential information—to feel that their conversations with lovers and friends were safe from prying eyes. Though there are a number of existing email encryption services, like Proofpoint and Hushmail, Liftin designed Tunnel X with a user-friendly interface so that those unversed in the language of cryptology could have an easy, reliable way to keep their online exchanges private.
Yet skeptics, including several panelists, argue that these tech services are always only one step ahead of government regulation. Sophisticated encryption algorithms are all well and good, but what happens when the government asks for the encryption keys? As Ian Samuel, the attorney, put it, “If one wishes to have a private conversation, online or in person, there are no real reliable legal guarantees.” Given the Supreme Court’s willingness to defer to other government branches when it comes to matters of national security (that catchall term), it seems reasonable to expect that Tunnel X may eventually come under the same level of scrutiny other encryption services have.
There is a precedent for this sort of legal interference. In August 2013, Lavabit, an encrypted email service founded by tech entrepreneur Ladar Levison, suspended operations after a protracted legal battle in which the US government ordered Levison to turn over the master encryption keys for the site. The reason the FBI was so interested in gaining access to the service? One of Lavabit’s 410,000 users just so happened to be Edward Snowden. But this blanket request meant putting the private communications of all other Lavabit users in the hands of federal officials. Given the centrality of privacy to his company’s mission, Levison opted to shut down Lavabit, but still had to comply with the court’s order.
Ian Samuel, who represented Levison in court, recounted his client’s last stab at subversion: Levison printed the encryption code—an extraordinarily long string of numbers—in 4-point font on 8x11 computer paper, earning himself a $10,000 contempt of court fine. Still, Samuel remains in favor of a technological solution to the online privacy issue. Citing his former client, he said, “You can count on algorithms in a way you can’t count on judges.”
Other panelists, like Harvard professor Larry Tribe, had a more optimistic take on the protections the law can offer. Referring to the recent Riley v. California ruling, which held that the police cannot search the cell phone of an arrested individual without a warrant, Tribe pointed out that we are in uncharted legal territory and that the Supreme Court is only beginning to grapple with the intersection of technology and legislation. According to Tribe, the 9-0 ruling “inaugurated a new era in the digitalization of constitutional law.”
The Snowden disclosures were also a legal watershed. While the courts used to claim that organizations had no standing and could not prove that they were the victims of government surveillance (this happened to the ACLU just six years ago), the revelation of widespread NSA surveillance radically undermined this argument. For Tribe, the distinction between individual cases and dragnet surveillance is critical. “The difference is between looking at specific individuals versus a preventative posture, like Snowden revealing this huge program…once that is made public, the instinct to be deferential to government is much less strong.”
Despite these positive developments, it’s clear that Tunnel X is entering a murky and rapidly shifting legal landscape. The audience pressed Liftin on this point over and over, asking how he would respond if the feds came knocking and why he expects his story will end any differently than that of Lavabit’s founder. Liftin pointed to several features of the site aimed at ensuring privacy, like the fact that Tunnel X will not have the encryption keys or be able to access people’s messages (users log in and authenticate using a self-selected image rather than alphanumeric passwords). He promised that the code would be audited by an independent organization. But he kept hedging when it came to the specifics. “It’s all in motion right now,” Liftin said. “The software and security features are constantly improving.”
As audience members kept pushing the question, the atmosphere in the room grew tense. Tribe, Samuel and Liftin all resorted to the easy answer: we put our faith in technology in innumerable ways every day without any absolute guarantee of security. As Liftin said, “Ultimately there has to be some degree of trust if you’re using something that someone else built. It’s your decision whether you trust them or not. We're trying to be as straightforward as possible.”
Intentions aside, it remains to be seen if Tunnel X can live up to its slogan of offering online users “secure, private conversation.”