An ISP That Wants Privacy to be a USP

Privacy. I like mine. You may have lost yours already. Once lost, privacy is not something you can easily recover. However, these days people keep finding that they lost it in unexpected ways. On the one hand, the rise of technology and networks means more and more information is collated and exploited for commercial reasons. If the security is slack, personal information can fall into the wrong hands. If we are ‘lucky’, we find out about security breaches via the kind of scandal that has plagued businesses like Sony and Facebook in recent years. If we are less lucky, our privacy is compromised but we will not know until we receive a nasty shock – like money disappearing from the bank account. On the other hand, there is a clear trend for governments to expand the reach of domestic surveillance to cover internet communications. Maybe you trust your government, but not everyone does. Governments generally want information to fight criminals, but – ahem – some governments are run by criminals. Where does that leave the average ISP? Most times, an ISP sits somewhere between a rock and a hard place, but now an American entrepreneur with a background in internet start-ups is proposing to solve the privacy challenge in a radically different way.

Any ISP must run their business in a way that supports the law, keeps information secure, and protects the customer’s privacy. On the other hand, they must also support the law by handing over information when requested by authorized government agencies. Also, it makes sense if they keep the costs of privacy to a level where they can still make a profit. To help with profits, it might help if the ISP peeks at the information they have, for their own purposes, so long as it does not violate the customer’s rights. But analysing customer data can easily raise questions about trust and integrity, because abuses of privacy may not be recognized by the abusers, they are difficult to detect and they are even less likely to result in enforcement action. In other words, managing customer privacy is a complicated burden and risk, with limited upside. In practice, customers only notice the downsides when their privacy is compromised. But now an American is proposing to launch a new kind of ISP that turns this thinking upside down, transforming superior privacy into a unique selling proposition, That is the goal that Nicholas Merrill and the Calyx Institute have set for themselves.

Nick Merrill previously ran a New York-based internet provider. In 2004, the FBI instructed him to hand over data about his customers, and he objected. Merrill spent the next 6 years fighting the legality of the FBI’s order – and he did so on principle. The FBI order also prevented Merrill from disclosing his identity, so we can rule out publicity or commercial gain as a motivation for Merrill’s stubborn resistance. It was only in 2010 that Merrill could reveal he was the ‘John Doe’ challenging the constitutionality of government snooping in the absence of a court order or judge’s signature (see here for the Washington Post story that followed soon after). Now he has assembled a group of heavyweight security and privacy experts to sit on the advisory board of the Calyx Institute, his not-for-profit organization. The plan is beguilingly straightforward: design and implement an ISP, a VoIP provider, and a mobile provider, where encryption is so thoroughly distributed and end-to-end, that nobody could snoop on the customers – not even the provider itself. This excellent Cnet article conveys Merrill’s story and plans, and you can find the Calyx Institute’s official website here.

Or course, neither life nor business is ever that simple. Whilst Merrill pitches an interesting proposition, setting up a new provider takes money. We shall have to see if the Calyx Institute can raise the capital needed. As might be expected of such an unconventional enterprise, their current approach incorporates the schmoozing of potential VC backers whilst also asking for donations from supporters. The target is to raise USD1M to finance the initial launch, though USD2M is also mentioned as a target, suggesting USD1M will only pay for the gritted teeth/bare bones version of their business model. At time of writing, their donation site reports that USD66k has been raised so far, meaning they still have a fair way to go. But as they point out themselves, even a small donation is indicative of a potential customer, which in turn improves the chances of further donations or other funding. As such, it is too soon to judge if the fund-raising will capture the imagination of a privacy-hungry public, and start to snowball. Whether Merrill succeeds or fails, other telcos should take note. This is a rare occasion where we will see some new data regarding how much value some customers place on their privacy. Best of all, the data is public, and free.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.