How Tor and Signal can maintain the fight for freedom in Trump’s America
After a season of stunning electoral upsets, the future of internet freedom technology is now deeply uncertain. Faced with possible existential threats to projects like the Tor anonymity network and encrypted messaging platform Signal, the people who develop these tools are searching for new ways to survive in the age of Donald Trump.
The president-elect will gain nearly direct control over the Broadcasting Board of Governors — as well as the agencies it oversees and the millions of dollars in annual internet-freedom funding — thanks to a provision etched deep in the 2017 National Defense Authorization Act cleared by Congress in early December.
The legislation will give the new president — whose few decipherable comments on cybersecurity include vocal opposition to strong encryption and a push to expand surveillance — more direct power over the federal funding that goes to projects like Tor and Signal, both of which have taken millions from the U.S. government in recent years. A host of smaller-profile tools, like privacy-first operating systems, rely even more heavily on federal support and their survival could be threatened.
In conversations with current and former employees of entities that make and maintain such products, there is a sense of profound uncertainty and anxiety about what will survive. Almost everyone who spoke with CyberScoop chose to do so under condition of anonymity or off the record, a decision made largely because their projects’ livelihoods — as well as their own — depend on what happens between the White House, the State Department and the BBG.
“I have no idea what the future looks like,” Shari Steele, Tor’s executive director, told CyberScoop.
With an annual budget of more than $700 million, the BBG is the U.S. government’s largest public-diplomacy program, reaching an audience of hundreds of millions through television, radio and websites meant to inject American-style, pro-democracy news into more closed societies. The agency’s history and the organizations it supervises — Voice of America, Radio Free Asia, Middle East Broadcast Networks and so on — extend back to World War II. It continues to be a major source of information in suppressive countries around the world.
In addition to its massive news operation, BBG is among the most important entities funding technology that allows users free and unfettered access to the internet. The initial big idea behind the funding — which had bipartisan support — was to open up countries where censorship in a problem, such as China. However, growing domestic worries over surveillance have seen growing numbers of Americans adopt the tools funded by their government.
Under the new defense bill, the Broadcasting Board of Governors will no longer be an independent agency. The bipartisan board previously in charge will be disbanded and replaced by a CEO, who will be appointed directly by Trump.
The Bannon era
Many expect Trump’s chief strategist and senior counselor Steve Bannon — the media executive behind the meteoric rise of right-wing Breitbart.com — to take close personal interest in the BBG’s new era. If that comes to pass, both Trump and Bannon could end up with their fingerprints on whatever the future of internet freedom may be.
Tor was developed by the U.S. Navy beginning in the 1990s and has since, as an independent nonprofit, received more than 90 percent of its funding from American government sources including organizations under the BBG. Tor has quietly played a role in several crucial historical moments during the new century — WikiLeaks was founded with documents intercepted over Tor, Edward Snowden used Tor to leak classified NSA documents to the press, global journalists increasingly rely on Tor to communicate with sources — and the technology aids dissidents and activists around the world. Since then, it has only continued to grow: The network’s total bandwidth has more than doubled in the last two years.
The organization has always been vocally anti-surveillance and pro-privacy, positions that increasingly took it into direct conflict with BBG as the full extent of American internet surveillance has come into clearer view and drawn more debate. Employees of Tor are not U.S. government employees.
On a stage in Hamburg in 2014, Tor developers said they would rather be murdered than add compromises or backdoors at the behest of a government. In certain key contexts, intelligence agencies and law enforcement see Tor developers as adversaries — and the feeling is largely mutual, especially as the encryption debate may rise yet again on Capitol Hill. As a result of the obvious tension, there have been sustained internal and external conversations about how to achieve financial independence from the American government, according to conversations with Tor employees and a review of the organization’s annual developer meetings.
So far, the search for independent funding has mostly failed. A winter 2016 fundraiser just recently passed the $50,000 raised mark — about one-third of one Tor employee’s annual pay, according to the organization’s public tax filings. Crowdfunding and private donations, including from anonymous corporations, have made only small dents in the overall budget.
Whose money?
Steele, the project’s executive director, has spent much of her first year on the job dealing with the fallout of a headline-grabbing sexual assault scandal and replacing the organization’s entire board of directors. The time and effort dedicated to those endeavors takes away from the considerable resources required to get new funding, secure new grants and pave the way for the technology’s future.
Inside Tor, new options are on the table. Private philanthropy is attractive but a tech knowledge gap exists, employees say, which poses a big obstacle to getting the kind of funding necessary to maintain high level software development that is and will continue to be under sustained attack by intelligence agencies around the world.
Shari Steele, pictured in 2007 (Scott Beale / Laughing Squid)
Possible funding from Silicon Valley tech giants raises eyebrows because of tensions inherent in such a deal: What happens when privacy technology is funded by companies that collect unprecedented amounts of information? Tor employees point directly to Facebook’s WhatsApp, which utilizes strong encryption but still collects a wide array of customer data.
While Tor employees and supporters consider every revenue-generating idea they can come up with — selling rights to anonymous .onion services, for instance — Steele has been dedicating time to searching for new grants and partnerships to help the operation survive. An award of $152,200 this past summer from the nonprofit Mozilla Foundation is held up as a significant win in some respects: Tor will use the money to better analyze the network, but funding for the day-to-day operations is hard to come by.
This is a deep problem at any software nonprofit: Grantors are happy to pay for new features, but no one wants to pay decidedly unsexy maintenance costs. That’s what happened with OpenSSL, the software used to secure a huge variety of internet communications. Only after the Heartbleed security vulnerability did money start pouring into the project’s core infrastructure.
At Tor, increasing amounts of energy are focused on diversifying funding with the hope that whatever happens under a Trump administration, it won’t catch the organization by surprise. Steele’s efforts have been received positively within Tor and around the security community after years of quiet criticism toward the previous director. But positivity and internal support doesn’t stand in place of dollars, so the search continues.
The Signal model
The other golden child of U.S. internet freedom funding is Signal, an app that offers encrypted multiplatform messaging to a wide audience and saw a 400 percent increase in downloads since November’s election. The tool, which has taken over $2 million in U.S. government funding, is considered by close observers to offer the best return on investment that American internet-freedom funding has ever seen. Based in San Francisco, Open Whisper Systems’ Signal code is implemented in different ways on WhatsApp, Facebook Messenger and Google Allo, a Silicon Valley triumvirate reaching well over a billion users and cementing Signal’s primacy in privacy. The app itself, aside from its rise in popularity, is more secure than its peers on several levels.
It’s now also being targeted — perhaps inevitably — by regimes around the world. Just last month, Egypt’s government blocked Signal as it spread across the country. The same has happened recently in the United Arab Emirates and Oman. Thus begins a tit-for-tat in which Signal will aim to circumvent the censorship and continue to protect users’ data. It’s an endless and expensive war to wage.
By now, Signal creator Moxie Marlinspike and the organization behind the technology have appeared in every major news organization on earth. Besides the glowing reviews and supportive explainers, news media — this reporter included — have described Open Whisper Systems as a nonprofit just like Tor.
Moxie Marlinspike (Knight Foundation)
But in trying to understand the future of internet-freedom funding, it’s important to note that OWS is not actually a registered nonprofit. Marlinspike has never claimed as much, but as far as we can tell, he’s also never corrected the dozens of media reports to that effect. He did not respond to CyberScoop’s request for comment.
While Signal is completely free and open-source, Marlinspike’s close work with Silicon Valley titans makes it a new animal, distinct in a few key ways from nonprofits like Tor. That immediate connection to the to the world’s biggest tech companies begs the question: How could Signal morph its funding model to survive a Trump presidency? And can Signal be a model for the other internet freedom tech searching for the future?
Not being a nonprofit means that Open Whisper Systems’ finances are obscured. The organization takes an unknown amount of funding from journalism nonprofit Freedom of the Press Foundation (who also didn’t respond to a request for comment) and individual donors, but not much is known beyond a few big grants. While every dollar going in and out of Tor can eventually be accounted for due to nonprofit transparency laws, no one is quite sure of the details between Signal and companies like Facebook and Google.
In the internet-freedom world, Marlinspike and his organization find a tremendous amount of respect and support for not just the cryptographic and security work they do, but in seemingly blazing new trails in diverse financing and wide adoption. He could walk into his choice of tech company — he notably was part of Twitter’s original security team — and instantly get a $500,000 salary, one prominent technologist noted, but he chooses not to.
Facebook didn’t pay a licensing fee for the Signal protocol on WhatsApp, that source explained. Instead, Moxie was paid as an onsite consultant as the encryption technology was integrated with one of the world’s most popular communications tools. The brackish mix of private and public funding flowing into Signal’s development makes it both intensely interesting and difficult to follow. But he’s increasingly becoming a role model to those internet-freedom developers who admire his inventiveness in creating and maintaining tools they view as essential to the public good.
Just weeks out from Trump’s inauguration, Republican control of Congress and the expected appointment of a conservative to fill the Supreme Court’s current vacancy, the future is is as unclear as it’s ever been. That makes planning a gargantuan and unknowable task. Across the board, the developers and staffers behind internet freedom tools that have received millions in U.S. funding are staying mostly quiet in public while they try, internally and mostly out of view, to forecast their future under the most unpredictable American head of state in the modern era.
“The tools ensuring Internet freedom,” Kate Krauss, Tor’s director of communications and public policy, tweeted to end 2016, “don’t protect themselves.”
