The US. Government Funded Your Favorite ‘NSA-proof’ Software.
The Snowden revelations about the NSA’s spying programs have shocked the world. While there was earlier evidence of US government spying, few thought that the NSA would try to wire-tap the entire planet. Basically, our online communications were essentially sitting ducks for curious NSA employees. Soon after the Snowden leaks, software programs were being marketed as “NSA-proof” on websites like Prism-Break. Many people believed that these software programs would make them safer. The truth however is that many of these programs were actually funded by the US government. Recently, the Associated Press published a story on USAID’s plot to fund a twitter-like app named ZunZuneo to help foment unrest in Cuba. USAID is not the only US government agency financing technology projects.
For most software projects, there are no requirements to publish their funding sources. On many of the home-pages and download pages that were visited, there was no clear indication that any of the projects received US government funding. Perhaps the exception was the Tor Project which has a sponsors page, but even that was problematic. Most people would not have known that the Broadcasting Board of Governors, SRI International, or Radio Free Asia are either US government agencies or “quasi” US government agencies. The vast majority of Tor Project’s funding continues to be through US government funding. The Tor Project’s sponsors page also lists “An anonymous North American ISP” and “An anonymous North American NGO” which perhaps leads to even more questions. Even stranger, is a mysterious “Sponsor O” that is on Tor Project’s website. “Sponsor O” appears to be a US government agency (USG is a common abbreviation) that wants to finance a secure chat program. The Tor Project website states, “The contractor shall concentrate efforts on outreach to Iranian end users and potential supporters in the technology community; to include train the trainer sessions, advertising on social networks, and interviews on radio and television stations operated by and for the Iranian diaspora.” Despite numerous requests, Tor Project has refused to reveal the identity of “Sponsor O”.
Actual organizational chart from the Open Technology Fund website.
Another software program that has recently come into vogue with the NSA revelations is Cryptocat. There is no sponsors page on Cryptocat’s home page to be found. Buried deep in Cryptocat’s blog is an annual report which shows that it received over 95% of its funding from Radio Free Asia in 2012. While Radio Free Asia is listed as a private nonprofit, it largely functions as part of the US government. The US Congress established Radio Free Asia and funds Radio Free Asia under the supervision of the US government agency, the Broadcasting Board of Governors. In addition, the Broadcasting Board of Governors appoints the president of Radio Free Asia, and the US Secretary of State, John Kerry, also serves on Radio Free Asia’s corporate board. The Broadcasting Board of Governors is not a benign US government agency; it sees itself as a strategic part of the War on Terror and part of the US government’s soft power influence abroad. The Broadcasting Board of Governors even sees itself as combatting groups like Boko Haram and al Shabaab which the US government lists as terrorist organizations. The Broadcasting Board of Governor’s even stated in their 2014 Congressional budget request that, “the United States must retain a global information capacity as part of the country’s effective soft power projection.” Radio Free Asia funds many software projects through its Open Technology Fund including Cryptocat with received $184,000 between 2012 and 2013.
Cryptocat’s main developer, Nadim Kobessi tweeted:
This “Cuban Twitter” is completely believable and unsurprising to anyone who’s been in this field long enough: http://t.co/DNQr7vdPLr
— Nadim Kobeissi (@kaepora) April 3, 2014
Open Whisper Systems has built two apps that have gained considerable popularity after the NSA revelations. TextSecure, created by Open Whisper Systems, is a popular app for securing text chats. Open Whisper System’s other Android app called Redphone promises to encrypt phone calls. The RedPhone app actually runs on VoIP (voice over internet protocol), so it uses servers. After emailing Open Whisper System’s main developer, there were some interesting responses. Open Whisper System’s developer said that he does not use any server space provided by the Open Technology Fund, but refused to say who was actually hosting users’ data. When asked why the Open Technology Fund was not listed as a sponsor on Open Whisper System’s website, the developer replied, “RFA has no influence over what we do at all.” It is also important to point out that Open Whisper Systems’ developer sits on the Open Technology Fund’s advisory council. The developer also mentioned that Open Whisper Systems accepts funding from many organizations. So who else is funding Open Whisper Systems? No one knows; there’s still no sponsors listed on Open Whisper System’s home page. The Open Technology Fund listed Open Whisper Systems as accepting $455,000 in 2013.
Mailvelope promises to be an easy tool to help users encrypt their emails. Normally, email encryption programs are either built-in or additions to an email client. Mailvelope is different, because it is actually an extension for Google’s Chrome browser. Yes, that same Chrome browser which is notorious for tracking users and collecting data. Several people have warned not to use Mailvelope. They warned that it would be easy for Google to steal the encryption keys and thus rendering all the email encryption useless. In addition, Google, the maker of Chrome, knew about and participated in the NSA’s mass surveillance programs. Mailvelope does have a very tiny thank you to “Open Tecnology Fund(RFA)” at the bottom of its blog page for sponsoring a security audit. Mailvelope has received $140,320 from the Open Technology Fund.
In perhaps a bizarre coincidence, while the US government has been allegedly trying to extradite Julian Assange of Wikileaks, the US government also has been funding a similar project. Wikileaks and GlobalLeaks have similar sounding names, but they are completely different organizations. GlobalLeaks seeks to build a secure open source platform to make whistle-blowing easier. The GlobalLeaks website leads to Hermes Center for Transparency and Digital Human Rights. The Hermes Center lists USAID Serbia and Radio Free Asia as its sponsors. Seeing USAID Serbia show up as a sponsor is extremely unusual. Back in the late 1990s, USAID Serbia was involved in overthrowing the Milosevic regime by funding protesters and opposition candidates to the tune of several million dollars; perhaps, that will be a story for another day. GlobalLeaks received $108,400 from the Open Technology Fund in 2012.
GlobalLeaks is hoping for more Open Technology Funding this year.
Our proposal to @OpenTechFund is going to be reviewed in upcoming weeks by the Advisory Council. Cross Fingers!
— GlobaLeaks (@GlobaLeaks) March 18, 2014
The Open Technology Fund also financed GSM Map by SRLabs. The GSM Map’s purpose is to find security vulnerabilities in mobile phone networks around the world with the aim to make mobile networks more secure. Most of the world uses the GSM standard for mobile phone networks: hence, the GSM Map. The financing for the project is not displayed anywhere on the website that could be found. GSM Map even asks users to download software and upload their own data for the project. Several country reports have been published on GSM Maps which shows security vulnerabilities in GSM networks such as the ability to track users, impersonate a user, and the ability to intercept data.
Perhaps scariest of all is that the Open Technology Fund gave $1.1 million dollars to help build what is called a “Global Secure Cloud Infrastructure”. The Open Technology Fund’s website states that 10 internet freedom projects are now using this cloud. Which software projects are using the US government’s cloud? No one knows, because the Open Technology Fund refuses to tell anyone.
Security-In-A-Box seeks to train activists in the best methods for keeping safe online and their information secure. Security-In-A-Box is created by the Frontline Defenders(partially funded by Irish government) and the Tactical Tech Collective. Security-In-A-Box received $106,164 from the Open Technology Fund in 2013. Jillian C York, who works for the Electronics Frontier Foundation (EFF) and also sits on the Open Technology Fund’s Advisory Council, likes to recommend Security-In-A-Box to activists around the world including in the US. Cryptocat also promoted itself in the US through several hackathons(additional link). Tor Project also markets itself to activists in the US. Two Tor Project employees(additional link) even went to talk to Occupy Wall Street about how to use Tor.
When software projects receive funding from Radio Free Asia and market themselves to Americans, it might actually be illegal. The Smith-Mundt Act prohibited the US government from funding propaganda targeted at Americans. The NDAA 2013 (National Defense Authorization Act) repealed some of the language in the Smith-Mundt Act. Congress’ intent was to make news reports funded by the Broadcasting Board of Governors available on request to Americans. The partial repeal of the Smith-Mundt Act was never intended to fund and market software programs to Americans. In fact, the NDAA 2013 (HR 4310, Section 1078(c)) states, “No funds authorized to be appropriated to the Department of State or the Broadcasting Board of Governors shall be used to influence public opinion in the United States” (Smith-Mundt section).
Technology rights activist, Cory Doctorow, is a proud Open Technology Fund advisor.
OTF 2013 Annual Report | Open Technology Fund – Disclosure: I’m proud to be a volunteer OTF advisor http://t.co/21RvgoHna8
— Cory Doctorow (@doctorow) March 31, 2014
If the Open Technology Fund had never published the projects that they sponsor, their true funding sources may have never been known. The most commonly used open source license still does not require any financial disclosure at all. Which ultimately leads to a question: who else is the US government funding?