Code Red launches one of the world’s most ambitious anti-surveillance projects

By Simon Davies

The new global privacy advocacy group Code Red has launched one of the most ambitious human rights projects in recent years.

After three years of planning, the group – which involves many of the world’s most renowned figures in the tech, whistleblower, legal, activist and policy communities – has commenced construction of a scheme to thwart government interception of online payment transactions. The possible implications – geopolitical and otherwise – for funding of activist and political reform groups, are significant.

The aim of the project is to remove the biggest roadblock to the funding of NGOs, security companies and activist groups working in hostile territories such as Pakistan, Russia, China and the Middle East.

The plan, however, has far wider ramifications. Code Red’s challenge is focused on helping to protect not just the payer identities of contributions to human rights organisations, but also subscriptions to communications security providers and membership of political and trades union organisations as well as support for transparency groups such as Wikileaks.

Such groups are clearly of interest to Western intelligence authorities. A recent case brought by the rights group Privacy International revealed that Britain’s spy agency GCHQ is intercepting the communications of human rights groups.

Code Red is currently assembling a number of teams in the technical, policy and legal realms to build the new infrastructure, which goes by the working title of Scrambled X.

The scheme is vitally important to the viability of international human rights advocacy. Presently, governments are able to intercept almost all support for advocacy and security groups – dragnetting the full lists of subscribers to such groups. This reality inhibits funding from people living in repressive regimes. For example, it is impossible for a person in Pakistan to support a local rights organisation without the government knowing that a contribution has been made. This could trigger dire consequences for the person giving such support.

Former MI5 intelligence officer and whistleblower Annie Machon, Code Red’s operations director, said the Scrambled X scheme aims to create a checkmate for government interception of payments to these entities. “We cannot continue to tolerate governments intimidating people who want to support their local rights organisations. This crucial project aims to bring such surveillance to an end”.

The project has already sparked excitement in the tech community. Speaking about the project this week at the Workshop on the Economics of Information Security at Delft Technical University, the renowned Cambridge University professor Ross Anderson raised the possibility that the scheme could inhibit government surveillance by establishing its own payment system – or even its own bank. This is not such a grand notion. Almost 7,000 community banks operate in the US alone (though the US is one of the last locations that Code Red would want to operate in).

Code Red’s founder and strategic director Simon Davies supported this option, arguing “If you strike an emperor, you strike to kill. We’ll never thwart government intrusion unless we become part of the financial system that government exploits”.

Code Red has already started reaching out to the governments which are likely to be sympathetic to the organisation’s cause. Discussions with these governments will take place over the summer.

A case study

At this point it could be helpful to describe a case scenario which Scrambled X could support.

Silent Circle (SC) is a communications platform for mobile or desktop that claims strong privacy protection – to a possibly even greater extent than competing services. Its co-founder is PGP creator Phil Zimmermann, one of the most trusted pioneers of the secure communications field. This organisation provides a solid case study to highlight the significance of the privacy challenge set out in Scrambled X.

For the moment, I’ll avoid discussing the merits or otherwise of SC’s most recent offering – the Blackphone – and instead will focus on Silent Circle’s core software, which is a paid-for Skype-type communications system between members. That software is the heart of Silent Circle.

The identity of SC users may well be of interest to law enforcement (LEA) and security services (particularly those in non-democratic and intolerant regimes). However, while the SC platform might well deliver extremely strong end-to-end privacy at the communications level, vulnerability appears to exist at the stage of online payment for the service.

In summary, all the personal and financial data that a subscriber enters at the SC card payment stage is likely to be fully exposed at the level of a third party card processor, so it’s quite possible that government has full access to the identities, bank details and addresses of nearly all Silent Circle customers. This will be equally true of many subscription services for secure products. Any claim to infallible end-to-end security is kind of blown apart unless suppliers can find a way to crack this weak-spot.

To use Silent Circle, you must pay online for membership and for a package. In this respect it’s like any other commercial product that doesn’t offer a “free” basic service requiring simple email verification. Instead, users must proceed through a payment gateway (or Merchant Account Provider). These are typically third party sites that process the card payment as a sort of virtual ATM.

Here lies the problem. Any organisation such as SC using a payment gateway will invariably be issued with a Merchant Number or similar dumb code that identifies the payee so a path can be established and the funds directed to the right destination. The customer is linked via a unique purchase code to the supplying company via the payment gateway. The more focused the activity of the organisation, the greater the certainty that a snooping agency will know precisely what a customer has bought (if the product isn’t already identified in the transaction data, which it usually is).

So, now the web merchant provider has a record of precisely who is subscribing to SC – their full name, bank details and address. Because web merchants are part of the banking chain, they are bound to financial regulations that require the data to be stored – sometimes for years.

It’s important not to confuse the payment gateway company name that sometimes appears on a customer’s bank statement, with the more detailed data held by the payment gateway itself. An online contribution made to “Smash the War Machines” might be identified on the contributor’s personal bank statement as something like “Richards Global”, which is the payment gateway name – or payment processor name. However “Richards Global” – as the activist organisation’s payment gateway – will know the identity of everyone who has contributed to that cause.

At this point it’s irrelevant whether an organisation itself maintains a list of subscribers that could be grabbed by government. Presumably – at the very least – a commercial company will hold a file containing usernames, account status and possibly an email address. That information has relatively limited value to police and security agencies; it’s the bank details that could be the true goldmine – and those details are fully exposed through the payment gateway.

The threat and the challenge

It’s one thing in North America or Europe to dismiss this concern as peripheral, but quite another if you happen to live under dangerous and intolerant regimes where the use of such technology can lead to sometimes fatal action by the State.

The same level of risk occurs when anyone in such regions donates money to a controversial cause or subscribes to human rights organisations working in dangerous environments. It is possible, for example, that a government such as Egypt or Syria is able to secure the entire local membership list of campaigning NGOs. This is particularly likely if the payment gateway or payment processor is local.

There are two clear threats, particularly to people living in hostile environments:

  1. The “fact” of visiting particular sites, and
  2. The “fact” that a payment has been made by that person to that cause (or the fact that a security product has been purchased).

In many countries, of course, even visiting a particular site can trigger grave consequences. Between the surveillance of web traffic and the exposure of payment transactions, more than half the planet is unable to safely contribute to rights organisations or proscribed political groups. Solutions such as Tor may help disguise the contributor’s precise location, but this means little if the transaction data is fully exposed.

There are three domains to this challenge:

Social and economic. How can a system be designed that fits the real life environment of human rights groups and rights defenders working under threat?

Legal. How can a system be designed that escapes money laundering and other requirements and yet enables safe transactions?

Mathematical. How can transaction pathways be developed securely in such a way that inspires confidence among stakeholders?

Banks and merchant providers don’t have the most celebrated history of transparency when it comes to their relationship with government. We’re only just now starting to learn about the scale of government capture of financial transaction records, but enough is known anecdotally to indicate a huge data grab.

Some of this activity is covert, as established by the 2007 SWIFT affair in which a global association of 9,000 banking institutions secretly and unlawfully handed customer data to the US government. Some of the grab is lawful, for example the Canadian government’s successful bid to force eBay to hand over financial data on its high volume sellers.

It’s for these reasons that in the current environment, security supplier companies and human rights groups should strive to avoid mainstream payment gateways that rely on the major credit and debit cards. But this is easier said than done. Stored value (pre-paid) cards are used in abundance, but they are of limited value to a global online provider. Systems such as Bitcoin have real potential, but – in the mind of many consumers – are arcane and clunky. One challenge would be to utilise Bitcoin so the consumer interface is as elegant and as universal as possible.

Organisations – whether security product providers or rights activists seeking support – are caught between the devil and the deep blue sea. Currently, they must either use mainstream merchant services to enable maximum cash flow, or they must stay true to the ideal of a fully secure ecosystem by adopting fringe payment methods that risk a) retarding the development of a fully evolved privacy market and b) attracting limited membership and financial support.

A third way is to devise a method whereby either mainstream financial services can be adopted in a privacy-resilient way, or that a system such as Bitcoin can be leveraged to protect such transactions. These challenges are outlined below.

Ambit and nature of the required evolution

The potential for government to access purchase data from payment gateways has relevance way beyond the supply of sensitive security products such as Silent Circle. Donations to organisations such as Wikileaks, contributions to civil and political rights defenders, purchase of trades union and political party membership and – in particular – payments made to and from people living in non-democratic parts of the world all need protection from hostile agencies that seek to identify who made payments for what.

Consider, for example, Russians who want to contribute money to a free speech organisation for gay rights in their own country. Such causes urgently need such financial support, but anyone using mainstream payment systems is exposed to the risk of prosecution.

In considering this challenge, it’s critically important to keep in mind that a primary aim of the exercise is to protect the intended destination of the payment. If, as a Pakistan business owner, I wish to contribute to the fighting fund for the defence of lawyers accused of treason, there must be no way that a link can be made between my payment, and the deposit that is subsequently made to the fighting fund’s account – or its proxy account.

I refer yet again – with regard to conventional payment methods – to the importance of focusing on the data that passes through the payment gateways.

It is possible to use a system such as Bitcoin to confuse government intervention. However it is critically important to reflect on the social and economic realities of this situation. Contributions via Bitcoin must have practical value to small groups working under threat. These groups often exist without legal or financial structure (often because they are banned entities). The challenge therefore is to discover how support can safely be provided that enables basic functioning of an organisation. Whatever solution is developed must help build an overall increase in the pool of resources for these organisations.

The typical current online payment model

As described earlier (just as one scenario), using most subscription services requires paying online for a package. This is the case for nearly all commercial products that don’t offer a “free” basic service requiring simple email verification. Instead, users must proceed through a payment gateway (or Merchant Account Provider). These are typically third party sites that process the card payment as a sort of virtual ATM. The same applies if you want to donate to Amnesty International, political groups, Wikileaks or thousands of other organisations.

Any entity using a payment gateway will invariably be issued with a Merchant Number or similar code that identifies the payee so a path can be established and the funds directed to the right destination. The customer is linked via this number to the supplying company. The more focused the activity of the organisation, the greater the certainty that a snooping agency will know what a customer has bought (that is, if the product isn’t already identified in the transaction data, which it usually is).

In this conventional payment model the merchant provider potentially has a record of precisely who is subscribing to a privacy or security product and complete lists of contributors to a cause – their full name, bank details and address. Because web merchants are part of the banking chain, they are bound to financial regulations that require the data to be stored – sometimes for years.

Even if the vendor exercises a zero-data policy at an internal level, the customer identity and payment information will still be available on the third party site. Indeed such data retention and surveillance is mandatory in dozens of countries because of money laundering regulations.

The need for a solution

The aim of any privacy-centred payment alternative will be to put as much complexity as possible between the customer and the payment gateway or the payee.

What follows is the basis of some concepts, out of which there are several variants.

This model requires two key “tangible” components:

  1. A federated product and services site (perhaps best imagined as a “family” of suppliers) that contains not just sensitive security providers and rights defenders, but also a larger number of merchants of general goods and services ranging from clothing to image licensing. Each vendor is able to conduct secure communications with the others. This family of merchants – whether selling food, clothing or lifestyle subscriptions – have joined this federation a) because they support human rights and privacy and b) because the system is designed in such a way that it offers some advantages to merchants by exposing them to new markets and new branding opportunities.
  2. A (largely mathematical) Trusted Third Party entity that seeks to de-identify payments (a sort of transaction scrambler) and which ensures that payments are paid to the relevant vendors. The TTP as a legal entity also conducts oversight to ensure that merchants in the federation are legitimate. The TTP is responsible for a single merchant account for all sites in the federation, and this enables a payment gateway that all can use.

The best way to imagine the process is as a sort of “payment steganography” in which a single transaction for a sensitive service is hidden within a much larger ecosystem of product purchases among many suppliers.

Building the federated merchant site involves an element of crowdsourcing, in which individual sellers and general merchants who care about rights and freedoms join the system. Thus it’s possible to encompass many thousands of sellers, within which there is a smaller population of sensitive products and causes.
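The effect of the single merchant account on what a gateway's retained records reveal can be sketched as follows. This is an added illustration, not Code Red's design or code: the purchases, vendor names and merchant identifiers are constructed, and it assumes the gateway keeps payer, merchant number and amount, and that each vendor's price points are publicly known. It also shows a limit of the hiding: a distinctive amount still points to one vendor.

```python
# Constructed sample purchases: (payer, vendor, amount). All names are hypothetical.
PURCHASES = [
    ("alice", "rights-fund", 25.00),
    ("bob", "clothing-shop", 40.00),
    ("carol", "clothing-shop", 25.00),
    ("dave", "image-licensing", 25.00),
    ("erin", "rights-fund", 25.00),
    ("frank", "food-coop", 12.50),
    ("grace", "secure-comms", 99.00),
    ("heidi", "food-coop", 25.00),
]
SENSITIVE = {"rights-fund", "secure-comms"}
TTP_MERCHANT_ID = "M-FEDERATION"  # assumed: the TTP's single merchant account


def gateway_log(purchases, federated):
    """Records as the gateway retains them: payer, merchant number, amount."""
    return [
        (payer, TTP_MERCHANT_ID if federated else "M-" + vendor, amount)
        for payer, vendor, amount in purchases
    ]


def price_points(purchases):
    """Amounts each vendor is known to charge (assumed public, e.g. price lists)."""
    prices = {}
    for _, vendor, amount in purchases:
        prices.setdefault(vendor, set()).add(amount)
    return prices


def candidate_vendors(record, prices):
    """Vendors a reader of the gateway log cannot rule out for one record."""
    _, merchant_id, amount = record
    if merchant_id != TTP_MERCHANT_ID:
        return {merchant_id[len("M-"):]}  # a per-vendor merchant number names the payee
    return {v for v, amounts in prices.items() if amount in amounts}


def exposed_payers(log, prices):
    """Payers whose record resolves to exactly one vendor, and a sensitive one."""
    exposed = set()
    for record in log:
        candidates = candidate_vendors(record, prices)
        if len(candidates) == 1 and candidates <= SENSITIVE:
            exposed.add(record[0])
    return exposed


if __name__ == "__main__":
    prices = price_points(PURCHASES)
    for federated in (False, True):
        log = gateway_log(PURCHASES, federated)
        label = "federated" if federated else "conventional"
        print(label, "exposed payers:", sorted(exposed_payers(log, prices)))
        print(label, "candidates for alice:", sorted(candidate_vendors(log[0], prices)))
```

In the constructed data the federated log leaves four possible payees for a 25.00 payment, while the single 99.00 payment still resolves to one sensitive vendor, so the size and pricing mix of the federation matter as much as the shared merchant number.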

How does a federated system benefit from involving commercial merchants?

An argument has been raised that the involvement of commercial entities will create complexity and is an unnecessary element.

It is true that an exclusive federation of human rights, security and political reform organisations can be created in isolation. This task would indeed be much less complex, chiefly because the technical challenge would simply be to funnel all transactions through the federation’s single merchant account and payment gateway. However it is almost certain that such an entity would become a prime target for prohibition or attack by hostile governments. It is also likely that people in dangerous political environments would be targeted because of their transactions with an exclusively political and human rights structure.

Involving a substantially greater number of conventional merchants – hopefully including well known household brands – might complicate such a response. Importantly, a mixed site may attract a critical mass of commercial users in hostile environments, thus becoming a barometer of public concern.

There are two additional benefits from a mixed federated system. The first is that it opens up the possibility in the medium term of far more secure and anonymous transactions because of the opportunity presented by numerous site and payment systems. The second is that it offers opportunities to commercial entities and consumers to demonstrate their support for human and political rights in numerous ways.

These are just a few issues that will be addressed by Code Red in the coming weeks and months. Whatever the outcome, the organisation intends to change the entire funding environment for this sector.