Freedom phones
On January 28, 2011, the news was everywhere: just after midnight in Egypt, the Mubarak regime had cut off most Internet and cell phone service to 82 million citizens, and tens of thousands of them were already moving toward Cairo’s Tahrir Square for what would become a decisive “Friday of Anger.”
“Damn, this is a pretty extreme form of censorship,” was Yahel Ben-David’s first reaction. A Ph.D. candidate in electrical engineering and computer sciences, Ben-David is an expert in citizen access to communications. When a government that controls the infrastructure decides to shut it down, what kind of “dissent network” would it take for people to stay in touch?
Ben-David’s research had turned up “many papers, but nothing practical.” Much theoretical work focuses on wireless mesh networks, with multiple WiFi nodes that can reroute around local failures by means of overlapping coverage. From his own experience, Ben-David knew that “mesh networks that try to maintain full Internet connectivity don’t scale well—the more nodes, the less capacity in each.” Even legally permissible cell phone towers or rooftop antennas could attract unwelcome attention to dissenters.
However, says Ben-David, “if a system is delay-tolerant”—if messages can wait a while before they are passed along—“some things, like smartphones, can work,” by functioning as nodes on the move. “Mobility is both a challenge and an advantage.”
Anonymity is essential in a dissent network, as Ben-David had also learned from experience. Not mere pseudonymity; phony IDs are easy to crack when a government controls the infrastructure and has access to what’s known in cybersecurity lingo as “out-of-band” information—knowledge gained, in essence, by the government spying on its citizens.
Knowing what wouldn’t work, Ben-David set out to recruit fellow students and faculty in the College of Engineering to help him create a system that could function discreetly when networks are down, reach as many people as necessary and protect the identity of its users.
Learning from the real world
Yahel Ben-David is not your usual doctoral student. Now in his mid-40s, he served in the Intelligence Corps of the Israel Defense Forces (IDF), co-founded a successful Internet security and services company with headquarters in Silicon Valley and built an innovative WiFi mesh network that brought the Internet to rural northern India. Before all that, he was one of Israel’s most notorious hackers—although, because he was a teenager, his name wasn’t made public until long after the authorities had tracked him down.
Growing up the son of schoolteachers in the village of Tiv’on in northern Israel, Ben-David says he was not a good student and was later diagnosed as dyslexic. “I was math-challenged and still am. But I found if I could teach myself, I could flourish.”
Socially active, a community volunteer, a motorcycle racer from the tender age of 13 and a rock climber by 18, he was far from a stereotypical nerd, and in fact calls himself an “adrenaline junkie.” Yet computers were his passion. He built his own modem, which meant sleeping on the floor: the circuitry took up the entire surface of his bed. In 1984, as a high-school junior, he gained anonymous infamy when he used his Commodore 64 (all 64k RAM) to hack into Israel’s biggest newspaper and plant a front-page article lambasting an unpopular teacher, using the byline of one of the paper’s leading journalists.
Like most young Israelis, Ben-David went straight from high school into the IDF, where—not least because they were aware of his hacking adventures—the Intelligence Corps already had its eye on him. He spent over four years in intelligence, in cybersecurity and on the ground in Lebanon.
In 1993, after active service, Ben-David joined two IDF friends to co-found the Xpert Group, a networking and security consultancy firm. They soon scored a business coup by winning the contract to establish Morocco’s government-owned Internet service, the country’s first. The 40-page request-for-proposal, mostly verses from the Koran, reflected a concern “to protect youth from the horrors of the Internet,” Ben-David says, “but their core needs were straightforward, and our four-page proposal beat out major international players.”
When the Xpert Group moved its headquarters to Silicon Valley, Ben-David kept an apartment in San Francisco but never unpacked his boxes. “I was always on a plane somewhere. Life was about making money.” Then a friend called from Dharamsala, India, home of the Dalai Lama. “He said, ‘We’re getting hammered, and we need help.’”
Having visited Indian cities on business, Ben-David wasn’t eager. “But I fell in love with rural India.” He says, “I had never considered myself a philanthropist—some considered me ruthless. India wholly shaped my awareness of social issues.” In 1999, he sold his holdings in the Xpert Group.
The Tibetans’ security problems were formidable, and opened his eyes to issues of privacy and anonymity that had never before concerned him. He knew from his security work that existing technological solutions were inadequate. “I was supposed to teach the technology, and I did. But I also told them not to over-trust it. I had little faith in technology up against ‘rubber-hose cryptography.’”
Meanwhile, he introduced the Internet to the Himalayan foothills. The company he founded, AirJaldi, has extended broadband coverage outward from Dharamsala with a series of low-power WiFi nodes on short masts planted on mountain peaks and hilltops.
During his travels to and from Dharamsala, Ben-David met Yael Perez, a triathlon competitor trained in architecture, committed to using design to address the needs of underserved communities. They married and, in 2004, moved to Dharamsala.
By 2006, however, Ben-David was commuting again, now to Berkeley, where Perez was enrolled in a doctoral program in the College of Environmental Design. Ben-David joined Technology and Infrastructure for Emerging Regions (TIER), the research group founded by EECS professor Eric Brewer, whom he’d met at an AirJaldi conference. Commuting ended when Ben-David told Brewer, “I guess I’ll be here a while. I’m going to be a daddy.”
Building a dissent network
When Egypt shut down the Internet, Ben-David went into high gear. Clandestine restoration of instantaneous Internet access was clearly impractical, but a delay-tolerant network, in which information would be exchanged on a scale of hours or days instead of seconds, might work. In this scheme, users’ phones would automatically exchange stored messages directly, via an app using the smartphones’ built-in WiFi or Bluetooth wireless capacity, whenever they came within range of one another.
The name was easy: Rangzen is the Tibetan word for freedom, liberty or independence. What wasn’t easy was protecting Rangzen’s users while achieving good message propagation—a tolerably fast rate of spreading the word.
“The core problem was how to prioritize what messages should be passed on—while maintaining anonymity,” Ben-David says. “I would not start work on anything else until I could solve this.”
Giulia Fanti, a Ph.D. candidate studying censorship and privacy, volunteered to join the team. She provided the key, based on her familiarity with “trust graphs”—a message’s trust score determines whether it is sent. “The algorithm trusts a message if the sender and receiver share many mutual friends,” Fanti explains. “The basic assumption is that government agents have fewer friends.”
Ben-David had meanwhile joined forces with Brewer to found the De Novo Group, a nonprofit corporation affiliated with the Center for Information Technology Research in the Interest of Society (CITRIS) through their data and democracy initiative. Ben-David describes De Novo’s purpose as “making sure dissertations don’t stay on the shelf but help people.” Through De Novo, Rangzen is supported by a grant from the U.S. State Department’s Bureau of Democracy, Human Rights and Labor.
To build a Rangzen trust graph, users must first establish authentic, “out-of-band” trust relationships, best done by meeting friends face-to-face. Thereafter all identities—including other contacts in the face-to-face friends’ lists—are mathematically scrambled and can’t be recovered from what Rangzen stores on a phone.
In exchanging messages, the Rangzen algorithm recognizes links, not identities. The more links shared between the contact lists of two users, the more trusted the message and the higher its priority when it is passed along. Less trusted messages are transmitted last and deleted first.
Fanti worked with Barath Raghavan, De Novo’s vice president and a senior researcher in networking and security at the International Computer Science Institute at Berkeley (ICSI), to validate the algorithm’s security. “Giulia’s idea is a refinement of existing algorithms, but really new in the sense that it has never been used in this way,” says Raghavan. “We had to validate that there existed crypto primitives to do the friendship intersection in this specific context.” That is, they had to verify there were cryptographic tools to compute the number of mutual friends in a way that didn’t reveal the names of either party’s friends to the other. If that worked, they had to verify that Rangzen could weed out messages from the adversary.
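The mutual-friend check and the priority rule described above can be sketched as follows. This is an added example, not Rangzen's code: it assumes a Diffie-Hellman-style commutative-blinding construction for counting shared friends, a demo-sized modulus, a trust score equal to the fraction of one's own friends that overlap, and constructed names and messages.

```python
import hashlib, random, secrets

P = 2**255 - 19  # demo prime modulus (assumption; not a vetted group for production use)

def h2g(name: str) -> int:
    """Hash a friend identifier to a group element (squared to drop the sign bit)."""
    d = int.from_bytes(hashlib.sha256(name.encode()).digest(), "big")
    return pow(d % P, 2, P)

def blind(elems, key):
    """Raise each element to a secret exponent, then shuffle so positions leak nothing."""
    out = [pow(e, key, P) for e in elems]
    random.SystemRandom().shuffle(out)
    return out

def mutual_friend_count(friends_a, friends_b):
    """Count shared friends from blinded values only: H(x)^(ab) == H(y)^(ba) iff x == y."""
    a = secrets.randbelow(P - 3) + 2         # phone A's per-exchange secret
    b = secrets.randbelow(P - 3) + 2         # phone B's per-exchange secret
    msg_a = blind(map(h2g, friends_a), a)    # A -> B: {H(x)^a}
    msg_b = blind(map(h2g, friends_b), b)    # B -> A: {H(y)^b}
    a_twice = blind(msg_a, b)                # B -> A: {H(x)^ab}, reshuffled by B
    b_twice = {pow(e, a, P) for e in msg_b}  # A computes {H(y)^ba} locally
    return sum(1 for e in a_twice if e in b_twice)

class MessageStore:
    """Bounded store: least trusted messages are sent last and deleted first."""
    def __init__(self, capacity):
        self.capacity, self.trust = capacity, {}

    def receive(self, text, score):
        self.trust[text] = max(score, self.trust.get(text, 0.0))
        while len(self.trust) > self.capacity:
            del self.trust[min(self.trust, key=self.trust.get)]

    def outgoing(self):
        return sorted(self.trust, key=self.trust.get, reverse=True)

def demo():
    me = {"amira", "bao", "chen", "dawa"}    # constructed contact lists
    friend = {"bao", "chen", "dawa", "esi"}  # shares 3 of my 4 friends
    stranger = {"zed", "amira"}              # shares only 1
    store = MessageStore(capacity=2)
    for text, peer in [("rally 5pm at square", friend),
                       ("rally cancelled", stranger), ("bring water", friend)]:
        store.receive(text, mutual_friend_count(me, peer) / len(me))
    return store.outgoing()

if __name__ == "__main__":
    print(demo())
```

With a store capacity of two, the message from the peer with a single shared friend is the one evicted, while neither side ever handles the other's friend names in the clear.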
To code Rangzen’s phone app and design its interface, Fanti and Raghavan were joined by Adam Lerner, a Ph.D. student in computer science at the University of Washington and De Novo’s systems security researcher, and Jesus Garcia, a Berkeley undergrad majoring in computer science.
Teachers invited Rangzen team representatives to make short presentations to a number of College of Engineering classes, during which they asked for volunteers to download the app to their phones. While they had to understand caveats such as battery drain from having their phones almost always on, the volunteers didn’t need to give their names.
Says Raghavan, “We didn’t care who they were by name, because the first test was to establish that the system works for communication. On top of Rangzen’s normal version we built a measurement layer, reporting to a server that all users could access. It shows where you were when you encountered another user and exchanged messages.”
Rangzen began preliminary testing in July 2014. Tests, simulations and analysis indicate that during an Internet blackout Rangzen can spread “honest” messages (time and place of a rally, say) to over 80 percent of the user population in less than two days, with “adversarial” messages (a false time and place, say) considerably fewer and later.
“In a nutshell,” says Ben-David, “we have shown that Rangzen can work and that we can solve the remaining problems.”
Some are technical. “From a commercial perspective, what we’re doing is unusual,” says Lerner. “Androids and iPhones require you to respond that you want to connect. Rangzen needs opportunistic, automatic connections. We can enable that, but we’re trying to find simpler ways in newer smartphone systems.”
A more basic obstacle, says Fanti, is that “we don’t yet understand how our approach will work in practical dissent settings. We can’t know ahead of time how a powerful, government-level adversary will react.” In all Rangzen-like systems there may be a fundamental trade-off between how fast messages can propagate and the anonymity of their senders.
“It’s like there’s a big knob,” Ben-David says. “You can turn it one way for blanket anonymity with slow propagation, or the other way to fast propagation but more risk. Where is it realistic to set that knob?”
The team has already been approached by dissent groups, he says. “We’re reluctant to work with them until we’re comfortable that anonymity is secure. This is a dangerous business. We’re not going to make claims we can’t substantiate.”
While adversarial gaming could help determine where to set the propagation-versus-anonymity knob, with some users playing dissenters and others playing agents trying to foil their plans, Ben-David has no illusions: “Eventually we’ll have to dive into cold water and get Rangzen to the people who need it.”