Nick Merrill Takes Privacy Fight from National Security Letters to Networks
BY Sam Roudman | Friday, August 16 2013
The battle against the surveillance state is being waged from an art gallery in Tribeca. More exactly, from behind a wall at an art gallery, in the middle of a row of rented office desks. There, squeezed between a wine importer and a lawyer, is the desk of Nick Merrill, a 40-something systems administrator in flip-flops and cargo shorts, wearing a t-shirt underneath an unbuttoned long-sleeve shirt.
“So yeah, this is the extent of it really,” he says, surveying his cramped dominion, “not too impressive, but it is what it is.”
He’s been in tight spaces before. Near the height of post-9/11 national paranoia in 2004, Merrill received a National Security Letter from the FBI demanding client information from his company, Calyx Internet Access. Merrill defied the information request and took the FBI and Justice Department to court. He lived under a gag order for six years, but eventually won in court, twice, forcing changes to the Patriot Act. Since he was freed to speak about his case in 2010 (he still isn’t allowed to discuss its specifics) he has taken his story on the road, speaking to hackers, civil libertarians, students, tech conference attendees, and anyone else who will listen. He started the nonprofit Calyx Institute in part to educate the public about digital communication privacy.
“There’s a lot of people I work with who aren’t here on a day to day basis,” Merrill tells me, drawing our brief office tour to a close, “mainly because I don’t have enough money to rent more space.”
But what Merrill lacks in funds, he might make up for in ambition. Merrill doesn’t just plan to inform the public about digital surveillance; he wants to protect the public from it, and he is taking steps to develop “building blocks” that would allow any internet service provider to easily provide secure encrypted communications for its clients. This is no easy task.
“When he said he was going to build a secure Internet Service Provider, I said that was incredibly difficult and the chances of success are so low,” says James Vasile, director of the Open Internet Tools Project, an organization that funds tools that stop surveillance and censorship (including some of Merrill’s projects).
“But this is the guy who fought off the National Security Letter, if anyone can do something like this and never give up he’s exactly that person.”
Edward Snowden’s leaks may have provided an unprecedented look into the vastness of America’s surveillance programs, but they have not made it any easier for casual internet users to guard themselves against such surveillance. It’s not just that privacy software is hard to use, although it certainly is; the difficulty is famously typified by the Guardian journalist Glenn Greenwald, who passed on communicating with Edward Snowden at first because he deemed setting up encryption to be too much of a hassle. But in the wake of Snowden’s leaks, secure communication providers have received a new wave of pressure from the government. Lavabit, Snowden’s secure email provider, shut down last week. In a blog post, Lavabit’s owner Ladar Levison wrote, “without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.” The post also details a court challenge to unspecified charges. Lavabit’s experience led another secure communication provider, Silent Circle, to shut down its secure email program, Silent Mail.
In an interview with GigaOm, Phil Zimmermann, a cofounder of Silent Circle and the inventor of the email encryption software PGP, made a point similar to Levison’s: “I don’t think any of this can be fixed merely by the application of cryptography. It is going to require some push back in the policy space. We are going to have to have Congress react to this.”
But as these security providers close shop and appeal to the courts and Congress in order to battle the surveillance state, Merrill is looking in the opposite direction.
“I started to feel kind of burnt out on the litigative approach, and I started to also feel burnt out on the legislative approach,” explains Merrill from the gallery’s cluttered conference room, sitting next to some bubble-wrapped paintings, a large painted metal elephant sculpture, and a bookcase holding two seven-inch-thick tomes of “Internet Law.” In conversation he is less dour, and more affable, than in his speaking appearances. His eyes are prominently bagged, and he is prone to pick at his tidy blond-red goatee when trying to remember some quirk of his six-year court battle. To get at why he has rejected governmental remedies to what he sees as unconstitutional governmental intrusions, the court battle is the place to start.
Fighting Off Big Brother
In 2004, Merrill received a call from one FBI agent, and then a visit from two. They delivered him a letter asking for information related to his company, Calyx Internet Access, which provided web services to a range of companies and organizations, from Ikea to Democracy Now. The letter cited a statute, and claimed that Merrill couldn’t disclose the letter to anyone lest he face an unspecified consequence.
Merrill had received a National Security Letter. NSLs had been in use since 1978 to order the collection of information relevant to national security without the imposition of pesky judicial oversight. They were used sparingly. This changed in 2001.
“When the Patriot Act passed, it changed the whole standard from having to show probable cause, to what they called relevance,” says Merrill. He felt there was something off about a government letter demanding private information from his clients without a warrant, and with no suggestion of judicial recourse. Despite the letter’s warning to tell no one (or else), Merrill went to his lawyer and longtime friend Iliya Fridman (who also runs the gallery that houses Merrill’s office) for advice.
“I said that can’t possibly be true, that would be unconstitutional on its face, so let’s in complete confidence take a look,” says Fridman. After looking at the letter, Fridman, a business and technology attorney, made some calls to the NYCLU, who in turn contacted the ACLU. They met to discuss Merrill’s options. “When we got there together they looked at him and said ‘Nick, we’ve been waiting for you.’”
“Even that conversation, Nick was very nervous about having it,” says Jameel Jaffer, the ACLU attorney who represented Merrill. “When we filed the suit, we filed the suit entirely under seal. We didn’t tell anybody that we had filed a suit let alone what the suit was about or on whose behalf we’d filed.”
And so Nick Merrill began his six-year sentence as John Doe.
His case made headway beginning in 2004. The Patriot Act statute Merrill was fighting was ruled unconstitutional, leading Congress to amend the law so that an NSL recipient would actually be allowed to challenge the records request in court.
“While creating the possibility of these legal challenges, it also ensured that these legal challenges would rarely be successful,” says Jaffer. New language in the law required that judges reviewing challenges to gag orders had to treat the FBI’s determinations that secrecy was necessary as conclusive, effectively determining the outcome of any challenge.
But while his case was making national news and establishing legal precedent, Merrill couldn’t acknowledge any of it.
“It made me lie by omission to basically everyone I knew,” says Merrill, “all my friends, all my colleagues, everyone I knew in a professional sense.”
“When people would talk about it I just shut up.”
Six years is a long time, and Merrill maintained his silence through a series of girlfriends, and even as he cared for his father dying of cancer.
“I spent months with him in his hospice,” says Merrill, “I would think maybe I should tell him I’ve been lying to him by not explaining what’s going on in my life.” In the end he was worried his medicated father might let something slip “so I just never told him.”
In 2008, an appeals court found that the new language in the law was unconstitutional, and forced the FBI to make an argument for a National Security Letter’s secrecy if challenged in court. Merrill had another victory, but the decision didn’t address the constitutional elephant in the room, the Fourth Amendment’s protection against unreasonable searches and seizures.
“In our view [the law] is still unconstitutional,” says Jaffer.
After losing twice, the government withdrew the National Security Letter it had been fighting over for five years. With the letter dropped, Merrill no longer had legal standing to challenge what he still thinks was an illegal search.
“It seemed that that was a tactical move on their part,” says Merrill. “They didn’t want to go to the Supreme Court and get a decision that would be permanent and final.”
Merrill was left frustrated with the courts for not addressing the law’s major constitutional problem, and with Congress for its insubstantial tweaking of it, “and that’s when I started to think about these technical approaches.” Though he was no longer fighting in court, Merrill couldn’t speak publicly until he negotiated a settlement with the FBI in August of 2010.
Is the Tide Turning?
Merrill has made himself a public voice on surveillance since he was released from his gag order.
“I’ve seen a big change in Nick,” says Fridman, Merrill’s friend and lawyer. “When he had Calyx Internet Access…I would say he maybe took a bit of a relaxed approach to running a company,” whereas now, “he’s really buttoned up and determined and driven.”
He published an op-ed in the Washington Post, was a PopTech social innovation fellow last year, and has made the rounds as a speaker. But speaking doesn’t pay for a full-time staff, or buy the telecom infrastructure to build a secure internet service provider, or create a business case that will attract investors. A couple of years after its founding, the Calyx Institute operates on a shoestring. There’s a network of 20 to 30 people who have contributed to projects, but mainly it’s Merrill himself moving Calyx along.
“I’ve just been operating under the constraint of not having enough money, which I’m used to, it’s how my business always was,” says Merrill.
He admits to not always making the most out of opportunities. Last year after some attention in the press, Merrill followed what some supporters suggested and set up an Indiegogo crowdfunding campaign to the tune of one million dollars. People donated $69,650, by no means an insignificant amount, but far short of its goal.
“It was really disappointing, obviously,” says Merrill.
Merrill made a trip out to San Francisco to meet with venture capitalists, and instead was greeted by a culture clash. “I went out there with a somewhat convoluted idea of how it would work, and my idea was based on a non-profit organization that has for-profit subsidiaries.” According to Merrill the idea of a partially nonprofit business was anathema to a group of free-market investors who otherwise supported his stand for civil liberties.
“Virtually everyone I was talking to were not just libertarians but extremist libertarians,” he says. He met with people from Peter Thiel’s investment fund Clarium as well as with some of the founders of the Electronic Frontier Foundation. “They just heard non-profit and they flipped out.”
Merrill also ended up staying in a rented house containing a number of Thiel fellows, college-age kids given no-strings $100,000 grants to pursue their innovation dreams.
“They would all come and pitch me on their ideas,” says Merrill, “I think it was just that I was older than them that they thought I had money or was useful. These kids were all working on these Facebook plugins or social food ordering…all this crap that was just stupid.”
Back in New York, Merrill still had around $70,000 he couldn’t give back. “So what I did was cobble together something that was scaled back a lot from what I originally intended to do.” Rather than create a whole system, Merrill has been working on a couple of projects piecemeal. There’s a prototype secure mobile service, as well as a privacy testbed, which is a suite of desktop software to make encryption easy. People who become members of Calyx will have access to all of the institute’s experimental projects. Merrill says people will be able to start using them in a matter of weeks.
“Most of us working in this field are working on software solutions whenever we can, because software is relatively easy compared to the network,” says Vasile from OpenITP. “[Nick] is one of the few people trying to reengineer the pipes themselves.”
But just because his project is audacious doesn’t guarantee anyone will pick up on it. Despite the setbacks he’s experienced, Merrill thinks Snowden’s leaks make now the perfect time to push Calyx.
“It takes something like this NSA thing to shake everyone up,” he says. “I think that the market for cyber security is strong, it’s quite strong.”