- Michael Tonn
Brian O'Donnell says he's never organized political rallies, attended protests or joined social justice movements. As he puts it, "It's not really my style."
But in recent months, the 38-year-old information technology professional and Burlington resident realized that his cybersecurity skills might be useful to activists who are trying to make the world a better place. That's especially true, he notes, for those who are unaware of how vulnerable their online activities are to surveillance, tampering and theft.
That point was driven home during last year's election season, O'Donnell recalls, by a conversation with a friend about an activist they both know. When that friend asked the activist which tools his group used to organize online, the answer was a surprise: a Facebook group that's accessible to virtually anyone. "They had no idea what they were getting into," he says.
O'Donnell, who works as a systems administrator at the University of Vermont, got together with several friends to brainstorm how they could help the activist's organization, and others like it, to protect their digital privacy without breaking the bank.
The result was Gibberfish, a nonprofit tech startup that launched in January. Its goal is to provide free online services to political activists, nongovernmental organizations and social-justice groups. Its software tools, which are still in the beta testing phase, include a "privacy-focused cloud platform" similar to services available through Dropbox, Google Drive and iCloud.
Gibberfish stores its data in an encrypted format, which is inaccessible to those who aren't authorized to see it. That includes the software creators themselves — Gibberfish operates as a "zero-knowledge service." In the event that police, lawyers or other investigators knock on their door seeking information, Gibberfish staff cannot decrypt the stored data.
"If they said, 'You need to turn over everything you've got,' we'd turn it over," O'Donnell says, "but it would probably be fairly useless to them."
Hence the name Gibberfish, a portmanteau of "gibberish" and "Babel fish." The latter is a fictitious creature in Douglas Adams' The Hitchhiker's Guide to the Galaxy that provides instant translations from any language.
"We're kind of doing the opposite," O'Donnell says. "Intelligent stuff goes in, and nonsense comes out."
Even before Edward Snowden's 2013 revelations about the National Security Agency's global surveillance programs, it was common knowledge that governments and others routinely spy on activists, journalists, lawyers, NGOs and human-rights workers. Last year, the Digital Freedom Alliance launched a project to chronicle such government hacks.
But only in recent years could average citizens access tools to prevent, or at least minimize, such threats. Gibberfish is just the latest addition to that toolbox. O'Donnell, who is Gibberfish's unpaid executive director, acknowledges that other services, such as SpiderOak, already provide online encryption. But Gibberfish is unique, he says, in that all the services it plans to offer — file-sharing, video conferencing, chat and collaborative editing — will be free of charge to "qualifying nonprofits, NGOs and civil-rights defenders." Grants and other fundraising will cover the annual cost of storing and maintaining that data — $300 to $500 per client.
How will Gibberfish decide which groups qualify for the service? Because the company is registered with the Internal Revenue Service as a 501(c)(3), O'Donnell says, it cannot discriminate based on users' political affiliation. Because Gibberfish's resources are limited and its mission is to promote nondiscrimination and nonviolence, the group will still vet potential clients to weed out potential criminal actors and known hate groups.
O'Donnell concedes that, by its very nature, Gibberfish can't know what its users are up to. But he believes most who seek it out will use it for constitutionally protected activities.
"Surveillance can create an atmosphere of intimidation and deter people from exercising their legal rights and doing completely legitimate forms of expression, because they fear exposure or reprisal," he says. "So, in some ways, having this kind of privacy enables people to better exercise their rights."
Gibberfish's general counsel, New York City-based Rob Rickner, who grew up in Burlington, isn't concerned that the nonprofit could be held liable if one of its clients were accused of civil disobedience or plotting a terrorist attack.
"That's obviously a risk, but we wouldn't have any more liability than a company like Dropbox or Google or anyone else who stores documents for the general public," Rickner says. "The body of law that protects them also protects us."
Many activists and NGO workers around the world seek the kinds of services Gibberfish can provide. Last month, O'Donnell got an email from Oswaldo Saumet, an IT engineer and telecom expert based in Bogotá, Colombia. Saumet has spent eight years working for a medical relief organization, primarily in West Africa and the Middle East.
During his deployments, Saumet explains, it was critical for his NGO to use encryption technology to maintain patients' privacy and protect them from arrests and human-rights abuses. In one case in Niger, he recalls, he set up a secure telemedicine conference call involving doctors in Senegal, Kenya and Spain to treat a badly burned 6-year-old boy.
"That was really gratifying for me, and that's the reason why I support initiatives like Gibberfish," writes Saumet, who's now helping the company field-test its product.
But not everyone is enamored of the nonprofit's model for safeguarding online privacy. Eva Galperin is director of cybersecurity at the San Francisco-based nonprofit Electronic Frontier Foundation, whose mission is defending civil liberties in the digital realm. She readily acknowledges that government agencies routinely spy on activists and NGOs. But she's unconvinced that Gibberfish is the right solution.
"Frequently, people get the feeling that the world needs a special set of tools that will keep activists safe," Galperin says. "This is a terrible idea. It creates a honeypot. All you have to do is break this one tool, and you have all the activists."
In many countries, she explains, simply having encryption software installed on one's digital devices serves as a red flag to authorities that one is an activist, providing a justification for one's arrest.
Many of those who propose building a special tool for activists from scratch, Galperin adds, do it poorly or without knowledge of the tools already on the market. She notes that other online services provide encrypted phone calls free of charge — such as Signal, which doesn't endanger activists or journalists because it's not aimed specifically at them. Maintained to reasonably high standards, Galperin says, Signal has full-time security staff to ensure that vulnerable populations remain secure.
"So I'm not sure what these guys are bringing to the table that doesn't already exist," she says of Gibberfish.
Cybersecurity expert Jesse Krembs, founding member and director of Laboratory B, Burlington's community hackerspace, largely agrees with Galperin's assessment. While he doesn't want to pooh-pooh Gibberfish's good intentions, he suggests the nonprofit faces considerable technical and logistical hurdles.
"What they want to do is a worthwhile endeavor, but encryption is freaking hard," Krembs says. "There are a lot of places where you can screw up."
He agrees with the "honeypot" argument — that creating a single repository of activists' data makes it a likelier target for government espionage. The group could be targeted through legal means, Krembs notes, such as a national security letter, or by subpoenas or warrants. Or, he suggests, the government might go after Gibberfish's financial base or even lean on its employees individually.
Finally, Krembs notes that Gibberfish is swimming in a sea that's already populated by bigger fish; he points to services such as Wickr, Signal and Threema, the last of which is an encrypted instant-messaging app based in Germany. After quickly reviewing Gibberfish's website, Krembs suggests it closely resembles Montréal-based Caisleán, which offers free, open-source tools for secure communications and information exchange.
Others who work in the digital realm, however, express support for Gibberfish. Josh Levy works on digital security, advocacy and digital rights issues for a New York City-based advocacy group called Access Now.
"Do I think that Gibberfish shouldn't be developing their software? No. We need more infrastructure like it," Levy says. "The infrastructure providers that are serving social-justice groups and activists, like RiseUp, May First/People Link and others, need all the help they can get."
For his part, O'Donnell suggests his group's approach makes it easier for activists to hide from the authorities than other services do.
"Gibberfish is a web-browser-based application. You do not need to install anything on your computer to use it," he argues. "Signal, in contrast, requires you to install specific software as a browser extension or on your phone. If the authorities see this application, you may become a target."
The Trump administration recently targeted Signal, and started searching staffers' phones, in an effort to stop the pervasive leaks from the White House, he notes.
O'Donnell recognizes that services similar to Gibberfish exist, but he suggests that most require serious technical know-how — something many activists lack.
"Gibberfish will be ready to go with just a login and password," he says. "The best way to get people to use a secure service is to create a familiar, convenient and powerful platform that people will love using."
Of course, no software or system alone can make every user invulnerable to attack. As Rickner puts it, "It's an arms race ... We're just giving you the best we can do with the technology that's available."
Correction, May 4, 2017: Dropbox, Google Drive and iCloud encrypt data. A previous version of this story contained an error.