In the wake of the PRISM Internet surveillance scandal, a site called PRISM Break appeared containing a list of tools which could be used as alternatives to the proprietary services under surveillance. Inspired, software engineer Laurent Eschenauer decided to stage his own escape from PRISM to see how difficult it would be to unplug from Google, Dropbox, Facebook and the rest. He reclaimed his identity, created a cloud, and installed alternative apps. FastCo.Labs sat down with Eschenauer to find out what happened next.
Why did you decide to create PRISM Break?
I’m a long-time open source enthusiast and have been working for many years now on the topics of decentralized social networks. I am one of these people who believes that social communication is too important to be in the hands of a single corporation in a country far away from here (Eschenauer is based in Belgium). Recently I am involved with the Indieweb, which is going back to the roots of blogging, people having their own sites and communicating with each other in a decentralized way, that you should own your identity and not delegate it to an external company. You should own your content and your data.
I was recently disappointed by Google closing Google Reader so I thought I could host my own RSS reader. Then Google dropped federation in Google Talk. Google Talk used to be able to connect to other services from other providers but they stopped that when they moved to Google Hangouts. So I decided to host my own XMPP servers and chat server. This is all pre-Snowden. Then this PRISM story came up and I found PRISM Break and thought I already installed two of these, let's see if I can decouple myself from all of these third-party services in the cloud. What would it cost me? What are the challenges? Is it going to be inconvenient? And also can we automate that? (Eschenauer is the founder of ComodIT, which automates the provisioning and management of IT infrastructure.) It was a big experiment.
Was it easier or more difficult than you expected?
It went much smoother than I expected. I was really impressed by the software I installed which I knew about, but never took the time to try (see the full software installation list in the blog post). OwnCloud is a Dropbox open source equivalent and it works flawlessly. It has a desktop service that is synchronized. It's a great product. I replaced Google Analytics with Piwik, which provides me with more data than I had in Google and it has a beautiful interface. On the software side the key weakness is email. I am a big fan of Gmail. There is nothing equivalent in the open source world. So I had to go back to a good old desktop client. But from a software point of view I am really happy with what I installed.
I decided not to go into the cloud, which is in fact really expensive compared to dedicated servers. I am paying 50 EUR ($67) a month for a pretty big machine. The equivalent at Amazon would be the smallest instance with one tenth of the memory. You could even host it in your basement. The reason I didn't do it is an issue of bandwidth. The upload bandwidth in Belgium is terrible.
It took about a week to set up. To do the setup you have to understand the software you are installing. What are the requirements? How does it work? It's all new pieces of enterprise software which are all different. Every individual in the world who is going to try to do the same thing will himself have to become an expert in these things and that's where the waste of time is. That's where the time is—in the understanding. Once you know, it's a question of writing a few scripts.
The challenge is on the operational side. How do I update these machines? How do I keep on applying security patches at the right time? Becoming your own system administrator on your own infrastructure can become a big burden. I did a good job I think from an architecture and security point of view but it's not trivial. If my RSS feed has a security flaw I don't want people to be able to access the content of my OwnCloud. Making the segmentations of these different services was really critical.
I pushed the logic all the way to using DuckDuckGo for a search engine and things like that. There is some inconvenience and then you start living with them and doing things differently.
What were the obstacles apart from the need for technical skills?
Developers don't talk enough to operational people. There are so many open source projects I have seen which have three pages of installation instructions. It's like developers make it really hard for us people to use their software. For developers writing software, think about the end user. Think about making it easy for people to install and upgrade. Upgrading should be one click not another three pages.
What's your advice for other developers who want to do this?
For the everyday dev who wants to install his own infrastructure, take the time to think through security. Take the time to learn about operations. There is no point leaving Google to end up in a situation where it is much easier for everyone to access your data because your system is so insecure. I am not even sure that I am there yet.
There was some negative feedback to the blog post. The tone was "You are putting yourself much more at risk by doing this than if you stay with the big guys." One group of developers believe that because it is Google it has more security. Google has awesome engineers who are pretty good at doing security but they are also a much bigger target. I don't see myself with my little server as a huge target. I own and control my data. It's a balance. Everyone has to figure out where he puts his line.
Apart from developers, who might want to PRISM break?
For my Mum and the man on the street, I do not think they will be deploying their own server. That's a step too far. But if we can provide a well-standardized stack, it's a new business for mid-sized managed service providers if they can automate it enough. They have the infrastructure. They have the skills. It's amazing the number of SMEs here in Belgium who are sharing all their data on Google apps and Dropbox. They have their trade secrets in there. What happened is making them conscious of the risks and some of them will want to get back control of their own infrastructure. That's where the local managed service providers have a role to play where it's in their country, under the law of the country. I believe that some companies will leave the U.S. GigaOm recently tried to estimate the cost to the U.S. cloud industry of the NSA leaks.
Europeans have to realize how much they depend on the United States for Facebook, Google apps and all these services. We don't have a major European cloud provider. I do not think we will compete at a commercial level anytime soon but people should understand that there are alternatives in the open source world. If you don't want to depend on U.S. corporate silos there are ways to do it. There is a cost of convenience but it's possible.
There are enough good open source tools that you can have smaller players. A university can offer this to students. That's one of the key ideas behind federated social networks. Let's have communities and small groups doing things and being able to talk to each other.
We ran a story last week on why you should be your own platform. Is your PRISM Break relevant to that?
I have seen so many services over the years where people put in energy and effort and build their brand, their page and their content, and then it’s all gone. This Tumblr acquisition by Yahoo! or Posterous by Twitter and now Posterous is closing. Five years ago I launched a project called Storytlr, which is an open source platform which aggregates all your content hosted on external sites so Twitter, Flickr photos, etc. Now I’m working on making Storytlr Indieweb compatible so your Storytlr instance can communicate with other people.
[Image: Flickr user Evan Cooper]