👋 Dear NGI-er:
Do you see the transformative potential of open-source solutions to safeguard our digital interactions and protect sensitive information?
If yes, you’re about to discover an inspiring journey into the world of Blueprint for FreeSpeech and the Applications Team Lead at the Tor Project.
This is a must-read for anyone passionate about open-source technology, privacy, and the fight for digital rights.
Fasten your belts, we are launching in 3, 2, 1…🚀
Can you introduce yourself and your project?
My name is Morgan, and I’m a developer working with Blueprint for FreeSpeech. I am also the Applications Team Lead at the Tor Project, where I manage a team of eight developers working on Tor Browser, Tor Browser for Android, and Mullvad Browser web browsers.
My work with Blueprint focuses on secure and anonymous peer-to-peer communication protocols and applications. Our primary real-world use case is protecting the anonymity and privacy of whistleblowers and journalistic sources. Our two NLnet-funded projects are the Ricochet-Refresh instant messaging client and the Gosling peer-to-peer communications library.
What are the key issues you see with the state of the Internet today?
One of the main problems we face on the internet today is the trend of treating users and their data as raw material to be exploited rather than as people with sensitive information to be served and protected.
The significant consequence of this is that applications and services are built not to provide benefits to users but instead exist primarily to collect data and serve advertisements. This incentive structure encourages capturing users’ attention above all else, resulting in click-bait articles. These algorithmic feeds encourage ‘doom-scrolling’, radicalisation, and various anti-features designed to trap and exploit users.
The primary goal of application and service providers is ultimately to extract value from users rather than to provide value to users.
As platforms grow and dominate their respective niches, the user experience degrades once they achieve a quasi-monopolistic status. Users depend wholly on these services without viable alternatives: Amazon for online shopping, Reddit for forums-based Internet communities, Discord for group chat, or Facebook for keeping in touch with friends and family.
The natural consequence is that user data is now available and waiting to be accessed and used by the state, law enforcement, and other malicious actors. This has some obvious downsides regarding guaranteeing people’s safety, civil liberties, and freedom.
How does your project contribute to correcting some of those issues?
Ricochet-Refresh is an anonymous, end-to-end encrypted, peer-to-peer, and metadata-resistant instant messaging client. There are no servers to seize and no organisations to subpoena. Users control their data entirely:
📌 Chats.
📌 Contact lists.
📌 Private keys.
Our primary use case is journalists and whistleblower communications, where such strong guarantees are essential to protect the anonymity and security of sources.
Gosling is a tor-based network protocol and reference implementation library written in Rust that encapsulates Ricochet-Refresh’s properties and makes building peer-to-peer applications with them as easy as possible.
One of the more charitable reasons developers do not build their applications and services with such strong privacy and security guarantees is that it is pretty challenging to do so correctly. We hope that Gosling will allow developers to build other peer-to-peer applications that provide value while respecting their users.
What do you like most about (working on) your project?
For me, the best part of working on these projects is talking to real users. Unfortunately, Ricochet-Refresh’s strong anonymity guarantees to prevent us from knowing who our users are or how many we have without them telling us.
This can be a little disheartening at times, but more often than I would expect, I meet people at conferences or meet-ups who say they are Ricochet-Refresh users and use it all the time.
We also train journalists and civil society groups on how to use Ricochet-Refresh.
Despite our primary use-case of journalist and source communications, we do seem to have a lot of privacy-conscious users out there who just like knowing their communications are not being mined or spied on.
Where will you take your project next?
💫We have an approximate 5-year plan.💫
We are finishing the final features, documentation, and general polish on Gosling this summer before formally announcing it to the Tor developer community. We are also beginning the requirements-gathering phase for the next major version of Ricochet-Refresh based on Gosling.
This next version (v4) will inherit the various privacy and security improvements Gosling provides over Ricochet-Refresh v3 at the protocol level.
We are also taking feedback from the community around desired features and existing usability problems and drafting UI designs and user flows to ensure Ricochet-Refresh v4 meets our users’ needs. Finally, we want to bring Ricochet-Refresh to Android.
How did NGI Assure help you reach your goals for your project?
NGI Assure has helped us with two significant phases of our projects. First, they helped us modernise Ricochet-Refresh and update its protocol and backend to version 3 Tor onion services. Version 2 Tor onion services were deprecated and scheduled for removal from the Tor Network at the end of 2021. Without this round of funding, Ricochet-Refresh would have gone dark.
Second, has supported initial and the next phase of building the Gosling protocol and library. This first phase included drafting and iterating on the protocol specification, consulting security and privacy experts for feedback, and creating an initial prototype implementation.
This second phase has finalised the protocol and significantly improved the quality of the implementation and developer experience by:
📌 Improvement and iteration of the library’s API design
📌 Development of unit, functional, and fuzz tests
📌 GitHub CI/CD, which builds and runs the libraries and tests
📌 Writing documentation and developing example toy applications
📌 Linux Debian source package, Windows MSYS2 package build, and macOS Homebrew flask generation
📌 Gosling bindings for C/C++, Python, and Java
We hope that when developers consider using Gosling for their application’s peer-to-peer connectivity, the available feature set, documentation, and tests will inspire confidence and make them think, ‘Yes, this is quality software I can depend on.‘
Do you have advice for people who are considering applying for NGI funding?
From my perspective, the most important thing is to propose work that ultimately provides users with value. The goal here is to somehow leave the world a better place through the software we develop and our work, so it’s important to keep that in mind when drafting a grant application.
Secondly, having a solid and achievable project plan and roadmap is essential. You want to inspire confidence that not only is the work you want to do good but also that you can complete it. It is also helpful if, in some sense, nobody else out there is more suited to doing the work than yourself.
Finally, once your project has been approved, deliver on the roadmap and proactively communicate if your plan has to change.
Do you have any recommendations to improve future NGI programs or the wider NGI initiative?
In the general non-profit grant proposal world of funding, there needs to be more opportunities available for long-term maintenance and continuous security updates.
Ricochet-Refresh has a monthly release cadence because of several upstream dependencies which frequently provide security updates and critical bug fixes:
📌 OpenSSL
📌 Tor
📌 Qt
We also follow the monthly release cadence of the ‘tor-expert-bundle’ package provided by the Tor Project. This package provides the functionality that allows users to connect to the from perpetually censored regions such as Russia, Belarus, and China. They also enable free communication during censorship events in other parts of the world during .
In the longer term, Gosling will also require periodic security updates when security issues are discovered in upstream projects (or in Gosling itself).
These kinds of ‘keeping the lights on’ engineering work (which needs to happen) are typically challenging to get funding for. The choices are to either squeeze the work between funded projects or neglect this maintenance. Much of the modern tech in the ecosystem depends on this maintenance work happening, and the consequences of it not being sufficiently funded are very real.
We very nearly had a situation where all the OpenSSH servers running on Debian were backdoored because a stressed volunteer developer was singularly responsible for a foundational software package used everywhere. We got lucky in this case, but who knows what other over-worked volunteers are currently in a similar situation because society does not recognise the value of their labour.
It would be wonderful to see a proliferation of small, low-expectation grants made available to fund work in the boring part of software development: updating dependencies, reviewing merge requests, cutting releases, maintaining translations, fixing broken tests, engaging users and fostering a community, etc. It may be boring, but it’s essential!
