Middle-School Dropout Codes Clever Chat Program That Foils NSA Spying

The National Security Agency has some of the brightest minds working on its sophisticated surveillance programs, including its metadata collection efforts. But a new chat program designed by a middle-school dropout in his spare time may turn out to be one of the best solutions to thwart those efforts.

Prompted by Edward Snowden’s revelations about the government’s intrusive surveillance activities, loosely knit citizen militias of technologists and security professionals have cropped up around the world to develop systems to protect us from government agencies out to identify us online and grab our communications.

John Brooks is now among them.

Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata–the “to” and “from” headers and IP addresses spy agencies use to identify and track communications–long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he’d made Ricochet’s code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

“Ricochet is idiot-proof and anonymous.”

Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists’s sources and others. It’s not just these kind of people whose privacy is harmed by metadata, however; in 2012 it was telltale email metadata that helped unmask former CIA director and war commander General David Petraeus and unravel his affair with Paula Broadwall.

With metadata suddenly in the spotlight, Brooks decided earlier this year to dust off his Ricochet program and tweak it to make it more elegant–he knew he’d still have a problem, however, getting anyone to adopt it. He wasn’t a known name in the security world and there was no reason anyone should trust him or his program.

Enter Invisible.im, a group formed by Australian security journalist Patrick Gray. Last July, Gray announced that he was working with HD Moore, developer of the Metasploit Framework tool used by security researchers to pen-test systems, and with another respected security professional who goes by his hacker handle The Grugq, to craft a secure, open-source encrypted chat program cobbled together from parts of existing anonymity and messaging systems–such as Prosody, Pidgin and Tor. They wanted a system that was highly secure, user friendly and metadata-free. Gray says his primary motivation was to protect the anonymity of sources who contact journalists.

Read more