UK lawmakers are currently closing in on their biggest expansion of government surveillance powers since the Snowden revelations—but one network engineer is determined not to let privacy go down without a fight.
The Investigatory Powers bill—championed by former Home Secretary and current UK prime minister Theresa May and sometimes called the "Snooper's Charter"—would create an expansive new legal regime for government mass surveillance in the UK, effectively legitimizing many of the programs exposed by Snowden. Among other things, it controversially proposes requiring that all internet service providers in the UK keep tabs on their customers' internet activity, forcing them to retain so-called Internet Connection Records, or ICRs, for 12 months, and hand that data over to the authorities upon request.
But as the UK's upper house prepares to vote on final amendments to the bill, engineer Gareth Llewelyn is readying his own technical countermeasures. Earlier this year, Llewelyn started building his own non-profit internet service provider that runs on the Tor anonymity network. His goal: Design a system that will frustrate the new mass-surveillance regime by making it technically impossible to censor content or comply with government requests for subscribers' internet records.
Last month at the Hackers On Planet Earth (HOPE) conference in New York, Llewelyn presented OnionDSL, a Tor-based system designed for his one-man ISP, Brass Horn Communications. But unlike a normal ISP, Brass Horn's routing system prevents Llewelyn from keeping any logs whatsoever of a subscriber's web browsing.
To use the service, a subscriber would need to physically migrate their broadband connection over to Brass Horn Communications and then configure their home router or PC to connect with Llewelyn's Tor bridge, a type of private gateway that allows people to access the Tor network from countries where its publicly-listed entry points are normally blocked. The subscriber's traffic then bounces across the Tor network as normal, anonymizing their activity. This way, the only activity Llewelyn's system can actually see is the subscriber's router transiting his bridge to access the Tor network.
That makes compliance with mandatory censorship and data retention schemes, like the kind being proposed in the Investigatory Powers bill, technically impossible—no matter what sites the user visits, the Tor network ensures the details of that activity are completely masked to the provider by default.
Llewelyn's system also subverts another recently-discovered legal loophole associated with using the Tor network itself.
In the US, three separate judges presiding over darkweb-related cases have ruled that Tor users have no expectation of privacy in their true IP address. Their reasoning is that in order to connect to Tor, a user must "expose" their IP publicly to a random third-party entry node—one of the volunteer-run gateways that provides the initial "hop" into the anonymity network.
That means despite the entire point of Tor being anonymity, the judges are saying that capturing a Tor user's true IP address when they connect to a site—in this case, using FBI malware called a Network Investigative Technique, or NIT—does not require a warrant. One court has taken that even further, explicitly ruling that the FBI doesn't need a warrant to hack someone's computer.
"At the moment the NIT is only being targeted at people who belong in jail, [but] as with everything it's a slippery slope, next they'll be targeting darknet markets then it'll be WikiLeaks, etc etc," Llewelyn told Motherboard in an email after his talk at HOPE.
But with Llewelyn's OnionDSL system, a subscriber never needs to share their IP "publicly" because all their connections are tunneled privately through the ISP's dedicated Tor bridge.
"The judges' argument is that a normal Tor relay is a third party and you as a normal Tor user have to expose your publicly identifiable/routable address to said third party by routing over the internet to connect to that relay," Llewelyn explains. "In the OnionDSL model no information about the user is exposed to third parties, and more importantly (as far as that judge's ruling is concerned) there is no identifiable address to expose."
Llewelyn's Tor-based ISP isn't for everyone, however, and it does have some significant limitations. For one, it can only route web browsing traffic using the TCP protocol, so playing online games and running applications that use other communications standards won't work. And since everything is routed through Tor, bandwidth limitations and all the other caveats associated with browsing anonymously would also apply.
"As a general use consumer 'broadband' product OnionDSL falls short on many counts, but if taken solely as a dedicated censorship / surveillance busting broadband product then it is pretty damn cool," Llewelyn told Motherboard. Specifically, he imagines the system being useful if deployed in communal locations like libraries, or locations that serve vulnerable populations, such as refugee shelters.
As such, Brass Horn Communications doesn't yet have any subscribers, and Llewelyn describes the project as more of a proof-of-concept to protest against surveillance laws. Still, he says that if the UK's IP bill is signed into law—and if he can raise enough money via crowdfunding—he'll go ahead and launch the service anyway.
"I'm not suggesting this is a good idea" for everyone, Llewelyn cautioned during his talk at HOPE. "If you say 'Hi, I'd like a special internet connection that no one can spy on,' you're gonna get red-flagged."
Clarification 8/4/2016: This story was updated to clarify that a user could not use the Brass Horn service over their current ISP's internet connection.