Living in the age of snoops can be difficult. It’s hard enough to escape garden variety profiling, let alone become a whistleblower. Living up to the expectations of Edward Snowden and a high profile team building tech to help the free press is without a doubt harder. One misstep and it could cost jobs or even lives of people.
“We have bad information security for whistleblowers in India. They routinely get compromised by accident,” says Kiran Jonnalagadda, the co-founder of Bengaluru based HasGeek, a community for geeks.
Helping Snowden and dozens of news organisations — which includes the likes of The Guardian, Associated Press and The Intercept — build a top grade system that facilitates whistleblowers send documents securely to journalists is West Bengal born Kushal Das, an open source programmer, known little outside of the tight-knit community.
Now a developer at Freedom of The Press Foundation, Das is part of the team responsible for SecureDrop, the submission system that media organisations and NGOs can use to accept documents from anonymous sources and whistleblowers. Last week, Das was in Bengaluru to conduct a workshop on digital security.
Freedom of The Press Foundation, for the uninitiated, is an organisation founded in 2012 by Snowden, John Cusack, Daniel Ellsberg, Glenn Greenwald, Micah Lee, Laura Poitras, Rainey Reitman, Trevor Timm, and the late John Perry Barlow. Call them “The Avengers” of cyberspace, if you will.
“I never thought I’d get to work with them. Just a year before I was just watching them on documentaries,” recalls Das, 35, who joined the foundation in December 2017. By then, the programmer had already worked on several open source projects. But he wasn’t very hopeful if he’d be hired since he was based in Pune.
“I never thought I’d get to work with them. Just a year before I was just watching them on documentaries.”
Still, one day, filled with as much curiosity as hope, he applied for a job at the foundation. To his surprise, he soon found himself in the thick of things. “The whole team jumped in on the conference call and I got the job,” Das told FactorDaily on last Thursday.
Born to Kaveri Das, a school teacher and Kalyan Das, who was employed in the accounts department of state-owned coal producer Eastern Coalfields Ltd, Das was raised in Ukhra, a town of about 25,000 people. Most townfolk worked at the coalfields and dust almost never settled in the town.
Growing up, young Das listened to stories of his grandfather Bimalendu Das, one of the many who took part in India’s freedom struggle. Netaji Subhas Chandra Bose and his tales of valour was yet another influence on the family.
“A lot of my life was based on those stories,” says Das, who now calls Pune home. He lives there with his lawyer wife Anwesha Das. As part of union activities, his father Kalyan was there for everyone, even those across party lines. “My dad tried to help everyone,” recalls Das, who tries to do the same in his life through the Durgapur Linux Users’ Group he started back in 2004.
Starting the Durgapur Linux User Group, with the motto “শেখ এবং শেখাও,” which translates to ‘learn yourself and teach others,’ was a turning point in Das’ life. In Durgapur, where he studied computer engineering, there weren’t many people to learn Linux from.
The online group, which runs mostly on an Internet Relay Chat (IRC), is one of the oldest tech communities in India now. Knowledge sharing and helping others is at the core of the group.
“Someday if they are asked by their company to do something unethical, we want them to question it.”
In 2008, Das kick-started summer training on the group. It started with only about a dozen or so people attending the training. But nowadays, sessions are attended by over 150 people from across the world. Top programmers including Guido van Rossum (the author of Python) have been guest lecturers on the group which comprises journalists, teachers, refugees, students, and others.
The summer training starts with basics like communication skills and even tries to teach attendees critical thinking. “Someday if they are asked by their company to do something unethical, we want them to question it,” says Das.
He moved to Bengaluru in 2005 to work at a back office but soon he found his tribe — Bengaluru’s thriving open source community. “The open source communities were very welcoming and helped me learn. They’re happy to help if I ask nicely. Suddenly I started meeting more and more interesting people. For me, those things were really big,” says Das.“I met so many people I’d only met on the chat group.”
After a stint at Comat Technologies, where he worked with Jonnalagadda, Das joined Red Hat and moved to Pune. In 2014, he also became an active contributor to Python, one of the fastest growing programming languages of our times. The same year, he became one of the 13 directors of the Python Software Foundation, tasked with the development of the language and its community. Das is the first person and only to become a director at the foundation from India.
One night in 2015, father Kalyan called Das and asked him if he’s been careful about saying things on social media. “He said he got to know from some friends that they’d made a list of people even in the district level who says what on Facebook and Twitter and try to monitor them.” He was referring to the central government at the time.
From then onwards, it became an everyday affair for the senior Das to enquire after his son’s online behaviour. “As Indians, we don’t understand concepts like privacy as we grow up. Speaking truth to the power was always big though,” says Das who counts the work of John Perry Barlow at the Electronic Frontier Foundation, Dan Ellsberg with the Pentagon Papers, the late Aaron Swartz, Chelsea Manning, and, of course, Snowden as his influences. “They all cared about other people.”
“They all cared about other people.”
Now he hopes to use his networks to connect to different parts of the country and help drive the thinking that privacy is a fundamental right. In 2017, India’s apex court ruled in a landmark judgement that the right to privacy is a fundamental right. “The problem is that now you have to defend it. I hope to get the help of everyone to change this,” says Das.
In the 2018 World Press Freedom Index by Reporters Without Borders, India fell further behind in rankings as compared to the previous year. Ranked 138, it is in the bottom quartile of 180 countries judged on the basis of aspects such as media independence, transparency, support infrastructure, and legal framework.
The rankings dropped mostly due to the liberal use of sedition law to silence dissent, increasing violence against journalists, and a growing number of media owners with large cross-holdings in various sectors. “Recently we’ve also seen Income Tax raids being used as a tool against media outlets,” says Jonnalagadda. In October 2018, for instance, tax officials and the police raided the residence of publisher Raghav Bahl along with the offices of news websites The Quint and The NewsMinute. Bahl and family have stakes in these ventures. While officials said the raids were to investigate tax evasion, Bahl and many organisations including The Editors Guild of India, Amnesty International and the Committee for Protection of Journalists have raised concerns around source protection and government heavy-handedness.
“I have just spoken to the officer on my premises, one Mr Yadav, and requested him, strongly, to not try and pick up or see any other mail/document which is likely to contain very serious/sensitive journalistic material,” Bahl said in a written statement then.
But in most such cases, just asking doesn’t work.
“A journalist who does not protect his source won’t have a choice but to give up their source. This is where you need to make sure your software is good enough and you leave no trace.”
“A journalist who does not protect his source won’t have a choice but to give up their source. This is where you need to make sure your software is good enough and you leave no trace,” says Jonnalagadda.
With SecureDrop, the idea was to create such a software. “The whole idea was to create something that helps sources stay anonymous and at the same time also safeguard the journalists,” says Das. More than 75 organisations across the world use SecureDrop now.
SecureDrop was originally created by the late Aaron Swartz and Kevin Poulsen along with James Dolan. It was taken over by the foundation and since then, has undergone several refinements. Das and the SecureDrop team led by Jennifer Helsby are working on a new release of the system due for launch later this month.
The system is designed to be deployed inside a media organisation and uses air-gapped computers to isolate and anonymise the source of a drop (see dataflow here).
“We try to focus a lot on the documentation and how anonymity can be protected,” says Das. The foundation only helps organisations set up the system. “We have zero access to it. So we don’t know who is doing what in what instance.”
Besides SecureDrop, the foundation also works on projects such as Haven, an Android app which can be used to convert an old phone into a surveillance device for your defence. The app, released by Snowden in December 2017, uses the phone’s sensors to alert you of changes in its environment so you’d know if someone has entered your personal space.
“I can’t get it wrong… Somebody might lose their life.”
Das and others are also working on using an operating system called Qubes to try and make it easier for journalists to use SecureDrop. The Qubes OS helps create multiple virtual machines within a computer to help users isolate and secure their work.
“I used to think that I’m being paranoid about security. But now I realise I was right to take it seriously. I can’t get it wrong… Somebody might lose their life.”
Subscribe to FactorDaily
Our daily brief keeps thousands of readers ahead of the curve. More signals, less noise.
Updated at 10:31 am on February 20, 2019 to update the following
Kalyan Das was referring to the central government at the time and not the state government as mentioned earlier in the copy.
Kushal Das started summer training in 2008, not in 2005. He moved to Bengaluru in 2005, not in 2007.
To correct typos: Hasgeek as HasGeek, Redhat as Red Hat and Python Foundation as Python Software Foundation.