"We do not conceive our structure as an answer to state control, but more in general as the only decent thing coming to our mind that could guarantee freedom of expression and avoid uncontrolled profiling by companies and governments". These are the first words typed to us by one of the Autistici/Inventati fellows in a chat room of their network. A necessary clarification, especially after the fallout of the Snowden bombshell started to be felt also in Italy. In the early days of August, Lavabit and Silent Mail - two privacy-oriented US webmail providers - were forced to shut down because of NSA threats. Hundreds of thousands of users were suddenly left without tools for safe communication and many of them turned to A/I looking for an alternative solution. Within a little while, the collective was flooded with subscription requests for its services. The event marked a difficult moment for our local hacker crew, to the point that the opening of new accounts had to be temporarily suspended. This fueled a heated debate among those participating in the project on what steps to take next. It is difficult, for now, to say how Datagate will change the self-managed communication projects. Autistici only knows that it will be able to face the new challenges on the horizon with a certainty maintained for more than 10 years: that of being not a mere webmail service but a community. A community that now needs the support of anyone who wishes to become part of it.
IFF - After the closure of Lavabit you were flooded with subscription requests to your services which forced you to temporarily suspend the opening of new accounts. In the ten-year long history of AI such outcomes did only happen in front of repressive events of utmost seriousness (like the Aruba crackdown). Why did you deem this groundswell of requests as "worrisome"?
Joe - Let's start from this last point. What is worrisome is the fact that there are people that for their own needs do not have any alternative to Autistici/Inventati. If there is a single point of failure in your communication pattern, we are immediately facing a problem. That is, if there is a lone target to strike, it is easier to take aim at it. Actually, right now there are few or no "commercial" alternatives left that provide the means to enjoy privacy rights in addition to their services. To say it in another way, there are few business alternatives left that do not willingly co-operate with American secret services.
Ginox - Yes. Besides this, it's worrisome that people who requested a service from us were trusting us only because they found our link somewhere on the web. These dynamics reproduce a mechanism of delegation that actually only relocates the problem of privacy on the technical side or on the immediate need of getting another mail service. But the issue we need to face is political: it concerns both the relationship between American citizens and their government, and the relationship between the rest of the world and the United States.
Pepsy - I would add to what Joe said that the onslaught was "potentially" worrisome because Lavabit, when it was about to close, declared 410.097 users.
IFF - But how many subscription requests did you receive during that period? How big numbers are we talking about?
Ginox - The range has varied according to the media press releases on the issue in which we were quoted in some way. If we want to be specific, immediately after Lavabit was closed, we received a ten-fold higher rate of requests than the ones we usually get. We recorded peaks of 200 requests - all within a few hours - mainly regarding the mail service. We had arrived at a cross-road: we could choose either to randomly accept everyone or take a moment to reflect on the meaning of what was happening. We chose the latter option.
Joe - I would like to add that technically we would not have had any particular problem in managing this abrupt flow of requests.
Ginox - Yes, getting other servers would have been enough, but we would have definitely been having some problems managing the help desk. Still, this kind of choice would have never been a solution.
Pepsy - And still we are always accustomed to debate when there is some problem, it is part of the A/I DNA. We do it both internally and through the statements on cavallette.noblogs.org, where we are looking for feedback from the community.
Ginox - We would like the contradiction produced by the closure of these commercial services to stand out well. Since the very nature of our project is different, we took our time: the new users were relating to us as if they were clients, so we thought that a moment of clarification was appropriate. Our community is resisting repressive and censorship issues because it has affinities and knows how to unite when faced with difficulties. But now it seemed to us that many of the people requesting to use the services moved to us from Lavabit without blinking, exactly as they would have done if we had been facing a similar situation.
Joe - Actually, among the comments of the blog post in which we explained that activations were temporarily suspended you could also find people saying: "But I can pay you!". No, it does obviously not work that way. And we tried to state this once again.
IFF - Did this outburst of requests come after the closure of Lavabit (and then following the media exposure you had in the Washington Post and New York Times) or did it already begin with the "Datagate" outbreak?
Pepsy - Yes, something had already started immediately after the PRISM disclosure to the general public.
Joe - Yes, but there had been a steady increasing pattern of requests even before Datagate. Then, without doubt, there has been an increase in requests since the statements by Snowden. Especially after we were mentioned by the prism-break website as one of the potential free alternatives.
Ginox - In almost all cases, we are dealing with requests coming from American users.
IFF - AI is probably the most important self-managed network in Europe. It is a well-known fact that police services often ask for logs or information concerning the users of your platform. Were you subjected to harder pressure after the Datagate? Has something changed in the attitude of police services towards you?
Ginox - We cannot tell yet. Surely, the media exposure we had recently could have changed the perception that the "services" have of us. We'll see in the future if this will bring about any consequences or not. As for now, nothing new has happened, and we didn't notice any harsher pressure than usual. Every now and then, our servers are targeted for clamorous seizures. Usually, those carried out by the police services are matters of routine: they concern the acquisition of data we do not own. Normally, it all ends with us sending a fax in which we state that we do not own the information they request from us.
Joe - Our core strategy is that of never storing any information that could be useful in user profiling, which in our opinion is plain respect for individual freedom and good sense. However, we should also emphasize that in Italy investigations tend to directly revolve around the user rather than the service provider; also by resorting to malware that damages the computer of the person under investigation and controls her without her knowledge (our legislation calls them information collectors). Usually, the end user is the weak link and the police services prefer in 99% of the cases to seize the information they are after directly from that user. They do so for two reasons: on one hand to collect evidence, and on the other to further supply intelligence activities with information in order to map the relational network of the subject under scrutiny. It is also for this reason that we periodically insist on the fact that the safeguarding of one's own privacy cannot be delegated to anyone. Not even to us.
Ginox - All the European police forces show a growing interest towards "information collectors". The procedure is akin to those for field interception, but with a lot more implications, because you have to handle what may be later used as proof in case of a trial. This is a quite controversial practice. In the meantime, these things function akin to wiretapping but in such an ambiguous way making them a handy tool for the Police, and with very few guarantees for people under investigation.
Pepsy - There are many specialized companies in these kinds of activities, also Italian ones.
Joe - For sure. There is a whole slew of consultants that do the dirty work for the prosecutors (but then wearing hacker t-shirts when they go to the community's meetings).
Ginox - The market of computer security in Italy took off around year 2000. Andrea Pompili, author of the book Le Tigri di Telecom (The Tigers of Telecom) and security manager of that company who was arrested during the Telecom-Sismi inquiry, explains well the mood at that time. From his reconstructions, it looks clear that the security market is hyped up and any crap can turn into plenty of money. Let's try to be clear: the "information collectors" are nothing new but the reorganization of ideas by the hacker scene long since developed. They do nothing different from, let's say, Dark Comet or the historic BackOrifice or other RATs (a category of software made to remotely control a computer). The difference is that today the commerce of these interception knick-knacks is embellished with the "marketing of emergence". Just think about the buzzword of the cyberwar. The requests of these tools go hand in hand with the discovery of Stuxnet or Flame, two pieces of malware used in intelligence operations in the Middle East. Ever since, all governments are trying to equip themselves. An interesting story concerning malware and police is the German case, exposed by the Chaos Computer Club.
Joe - That's it. The cyberwar is an undefined, rarefied, uncertain concept. A buzzword that doesn't provide any understanding and usually uttered by people who are using abstract words when they neither know its meaning nor what they are talking about.
IFF - After the closure of Lavabit and Silent Mail, also RiseUp made a public announcement. In a recent statement they affirmed that they were re-designing the architecture of their network in order to make it even more secure. The goal is to not find themselves in a situation akin to that of Lavabit, i.e. having to choose between two lesser evils, in other words, to cooperate with the NSA or being forced to shut down the infrastructure. Have you got something similar coming up as well or do you think that the Plan R* you implemented several years ago is enough for now?
Joe - Right now, RiseUp is working on a project that includes end-to-end cryptography and makes it impossible to know what passes through the servers, even for the manager of the service. Still, in order to do this it is necessary to offer new tools to the users. Without a doubt, we do not provide transparent end-to-end cryptography at this moment. If you want to encrypt your mail you are the one who has to do that. Let me explain myself better: today, if a user receives an unencrypted e-mail on one of our servers, I as an admin can access the contents of those mailboxes. If you on the other hand actively exchange only encrypted mail with GPG, then not even I can read it. In spite of all this, the mailboxes on our servers are located on encrypted drives - even in the case of a seizure, it would be very difficult to access that data. This is the reason for which we suggest to download your mail and not to leave it on the servers. And that is a generally effective move, not for our users only.
Ginox - We are examining and studying the available solutions to understand how to face these problems, knowing as a fact that we would not have a ready solution within two months. Yet, what Joe did expose is the matter RiseUp is facing: if not even the admin of a network has any access to the users' data, then no profiling can exist, nor anything useful that could be requested for that purpose.
Joe - And by doing this the wiretapping of data crossing the Internet (that we know well, and PRISM confirmed it, to be a big problem) is made even more difficult.
Ginox - We are talking about a project that is surely more advanced than the Plan R* we have running now and that was born in a different context. We, due to our own "repressive experience" in the past years, questioned ourselves on how to distribute servers, to decentralize the structure that is, and to darken things up a bit to keep the possibility low for a seizure to lead to the right server. RiseUp are now facing another piece of the problem.
IFF - As you were telling me before, some users declared their availability to submit an annual mandatory fee - unlike the current situation in which donations to the AI structure are voluntary - to put you in the condition of keeping on providing services and maintaining your policy in terms of privacy. Don't you think that this option would make it easier when facing the emergency situation you are in right now?
Ginox - No, we do not want people to think they can buy freedom and rights. You have to sweat blood for that. This is the reason for our embarrassment during those days while replying to activation requests: we realized that we were facing this way of thinking, probably done in good faith, but nevertheless in another direction than the one we are moving towards. We are not interested in setting fixed charges or making Autistici our work: we would lose our credibility. If the Lavabit users are annoyed for the loss of a useful service and have the feeling of being deprived of a right of theirs... well, why don't they go to Maryland to throw stones at the NSA headquarters instead of just trying to buy a mail service somewhere else?
Joe - You'll have to be ready to act in first person, without proxies. In a world of spectators and voters this is often rather puzzling. Really, the problem behind it all is the tainted concept of democracy that people are imbued with: everything passes through delegation, while even the theorists of bourgeois democracy would tell you that it is nonsensical. Then there is the capitalist attitude of the I-need-something-so-I'll-buy-it, which actually (just look at the world around) is a universal mechanism. Obviously, we oppose this vision. Moreover, I think it is more interesting to provide services to a Ukrainian activist for whom 15 euros is a considerable amount, rather than to the American middle-class, for whom 15 euros is easy to spend. There are practical and political reasons then for not accepting this way of thinking.
Pepsy - Let's say we have no sympathy for commodification in general.
IFF - Feasible as it was, someone seized the moment of the "Datagate". Last week, Kim Dotcom launched a marketing campaign to advertise a new secure mail service. By doing so, he chose to keep following the path that in January had brought about the opening of Mega, at whose core stands a simple idea: the internet users have no legal status. I think that these dynamics demonstrate ambivalences. On one hand, it is unquestionable that the affirmation of this corporate model definitively makes way to the privatization of privacy: the latter ceases to be a right and is guaranteed only as a scarce good, as a service supplied upon payment by private players. With a metaphor, we could say that also on the web the access to citizenship is pegged to income. Still, at the same time the flourishing of the privacy industry makes cryptography accessible for the masses and complicates the work for the police services. The case of Lavabit is paradigmatic: it makes you reflect on how, in spite of its technological supremacy, the biggest superpower in the world needed to resort to hefty threats in front of an encrypted layer. Moreover, all this without even being able to accomplish its goal. What do you think about it? Don't you think this phenomenon also may have positive consequences?
Joe - What we were saying before clearly shows that we do believe the problem of privacy to be more political than technical. So I do not think that privacy industry can solve these problems, since we are dealing with an antagonist with substantially infinite resources and against whom any "arms race" has little hopes of victory. The technical solution cannot be anything but part of the solution. And I strongly suspect that to be a pretty secondary part. I also expect that some people will create services to fill this gap in the market. There will be those with good intentions (like Lavabit) and those only interested in money, Kim Dotcom-style. In their specifics, the "mister Mega" initiatives share a fundamental goal: to protect his own ass while he counts our money. In front of an entity like the NSA, he does not care at all about his users' privacy: it is enough to take a look at mega.co.nz to understand that. And anyway, from the user's point of view it means to put your privacy in the hands of a private body which has different interests than you. Personally, I would never trust that :-)
Ginox - The use of mass cryptography has always been linked to the development of electronic commerce. In the nineties, cryptography was snatched from the NSA and the military because the market needed solutions to guarantee the security of transactions, otherwise it would never have begun. I think that this is an unresolvable ambiguity that still leaves the political focus of the question open, as Joe was also saying. That's how capitalism works: it destroys value to create profit, from the ruins of one thing it creates another one and opens up market spaces.
Joe - May I make a spontaneous comment? It is really funny to see how well the "free" market works. Many people in the world want to have a secure mail service... and their best option is a group of Italian anti-capitalist activists? Well, it does not look exactly like a model of efficiency to me.
Pepsy - I do agree on the market's deficiency while a bit less on the example made by Joe. After all, the tsunami of requests has not arrived yet: clearly we are not the only alternative. The need for secure mail services is after all directly managed also by private bodies and societies.
Ginox - Germany, for example, is trying from a different approach. I do not know whether to call it a joke, a spark of pride or something to throw on the plate of diplomacy. The proposal by the German government to offer to its own citizens some "made in Germany" services is a bit equivalent to say: "Do not allow NSA to spy on you! Let only our secret services spy on you!" We are thus talking about a solution that technically does not make any difference, but that still casts a different light on the question and marks a radical change of direction: moving from a private player to a return of the state in the management of communications.
IFF - In some way, could we say that Germany too is pursuing a balkanization of the Internet following the Russian and Chinese examples (obviously with the due differences)?
Ginox - Yes, something like that, yet developing different responses in comparison to Moscow and Beijing.
Joe - Also because a Chinese-style balkanization would never work in Europe, unless they want to create a dreadful recessive effect in one of the few thriving sectors of Western economy. Actually, I believe that the German government's move was about giving something to keep an enraged public opinion happy and a trick to have a negotiation topic against the United States at the same time.
Pepsy - From my perspective, I think that the web has always been balkanized. On the Internet there are still too many myths around, such as those of an "anarchic" web that brings freedom. A myth that conceals the Iranian, North Korean and Chinese internets and that at the same time makes us forget that not so long ago, even in Italy, documents were required in order to access a public wi-fi hotspot. A myth, in the end, that hides the fact that the web is ruled by its own bosses, all along.
Ginox - Internet reflects material power relations: the more it expands, the more it links itself to real life in comparison to when it was composed by some million users. In the real world, money counts and the companies swallow each other. It is capitalism, baby! The market is an important and aggressive part of the web: it was a precise choice to stop funding Internet with public money and let private parties parcel it off. Finance and politics go hand in hand, the web tends to polarize itself towards big players, like capital tends to concentrate itself in big monopolies or cartels, or to be the ground for bubbles and speculation. The dot com bubble made way for the real estate bubble which demonstrates the fragility of this construction. Privacy is a market like any other, where there is a need the market rushes in. The bit fluxes coincide with the financial fluxes. Follow the latter and you will know where power concentrates itself. Even if the mechanism looks tested and unstoppable, it actually ends up in crisis quite often and keeps going thanks to acts of force, and tooth and nail, with a certain tendency towards cannibalism. And when a contradiction is created, there is space to insert ourselves. This would paradoxically be a good moment to create new self-managed servers or similar projects. I do not know if there are subjects willing to do so.
IFF - Then, according to you, do Snowden's revelations represent a strong point for those who struggle for digital rights?
Ginox - Not only for digital rights. It is a moment of strong embarrassment for the American government. If they emerge unscathed, they will walk out strengthened from it. Otherwise, somebody will benefit from that and I think that on the horizon, also opportunities for self-managed communication projects may open up (provided the capacity of seizing these opportunities, obviously). Then, in general, it is interesting that an employee can undermine a structure of billions of dollars.
Pepsy - And it is always a good thing that the human factor screws the system up, in spite of technological nightmares. In this case, a little essential first step in the right direction has been made: some topics are starting to pour out of the underground scene.
IFF - How can users help you at this moment?
Pepsy - Let's say that we would like our users to learn not to delegate the protection of their privacy to us.
Joe - They can donate without a doubt, surely we are not picky about that!
Ginox - Yes, but they can do that any time. Right now, our problems are mainly concerning our relations with the world out there. Those who use our services and want to help us can do that by spreading a simple message, that is, that Autistici is a community before everything else, and not just a mailbox service. Then sure, a growth in technical awareness would be a desirable thing and an always welcome one. All the more in a moment when you realize that on the other side they are ready for anything.