Imagine it’s the middle of the 1990s, and you’ve set up a system to allow for a free and open discussion on the “net”.
Your aim is to prove the statement by activist and Electronic Frontier Foundation founder John Gilmore that “The Net interprets censorship as damage and routes around it.”
The system, the Penet remailer, enabled users to send emails to recipients or a USENET discussion group anonymously so they could discuss sensitive topics without revealing who they really were.
Then imagine you somehow found yourself caught in the crosshairs of the Church of Scientology and forced by the Finnish legal system to reveal the names of the users who were using your system to post proprietary church documents.
What would you do?
Well, after being forced to hand over the names of those users to the Church of Scientology, Penet creator Johan “Julf” Helsingius — an early internet pioneer in an age when we still called it “the information superhighway’ — realized that a loophole in the Finnish law at the time could mean that he would have to reveal the names of his users in other situations.
As such, he could only think of one solution to this issue: shut the server down.
Techopedia sits down with Helsingius to learn more about what happened to the Penet remailer, and what lessons it gives us for today, as well as what he has been up to in the years since.
Key Takeaways
- The Penet remailer service was the catalyst for broad public awareness of the need for anonymity/pseudonymity.
- However, The Church of Scientology forced the shutdown of the Penet remailer service in 1996.
- Julf talks us through how — given enough time and resources — anyone can be tracked down.
- In security, it is always about judging the threats and countering them appropriately – balancing the right to privacy against law enforcement requirements.
About Johan “Julf” Helsingius
A native of Finland, Johan “Julf” Helsingius is a European Internet pioneer, serial entrepreneur, and privacy activist. Known as an “ethical hacker,” Helsingius has used his technical skills to further human rights. He is the chairman of the board of directors of BaseN, a provider of advanced digital twin and situational awareness technology.
Helsingius is also the founder of EUnet Finland, the first major commercial ISP in Finland. He was also one of the founders of the first pan-European ISP, EUnet International, and the CTO of the network operator KPNQwest.
Helsingius is one of the founders of the Finnish UNIX Users Group as well as a former board member of EUUG/EurOpen. He serves in the GNSO Council of the Internet Corporation for Assigned Names and Numbers (ICANN).
In 1997, Helsingius received the EFF (Electronic Frontier Foundation) Pioneer Award for implementing and operating one of the most widely-known and popular e-mail-based pseudonym servers, anon.penet.fi.
The Penet remailer and the Church of Scientology
Q: What was the Penet remailer you operated from 1993-1996? How did it work? Why did you launch it? Who were the users of this service? How many times was it compromised? What caused you to ultimately shut it down on Aug. 30, 1996?
A: The Penet remailer was a system that would receive emails and replace the sender’s name and address with a pseudonym, then forward the message to either the desired email recipient or a USENET discussion group. That way users could engage in a two-way conversation without revealing their identities, enabling them to discuss sensitive topics.
The service was used by political dissidents, minorities, the UK Samaritans suicide helpline, etc. But, of course, people also tried to use it for stuff like spam — so I had to implement strong anti-spam measures. And I am sure a lot of people used it for online relationships and dating.
I launched it to allow for a free and open discussion on the net, originally to prove the statement by John Gilmore that ‘The Net interprets censorship as damage and routes around it.’
There was a claimed compromise in 1994 that I have been unable to verify, but, as a result, the firewall system (both application level and network level) was further improved. Neither of the two confirmed compromises was done by hackers but by the Church of Scientology.
[The church claimed that someone had stolen proprietary documents from their servers and used Helsingius’ server to post those materials. In 1995, the church convinced the Finnish legal system to force Helsingius to reveal the name of the person who had made those anonymous postings.]In the second case, the Church of Scientology took advantage of the fact that the Finnish postal and telecommunications law hadn’t been updated at that time to accommodate the Internet. [And as such, Internet electronic mail didn’t enjoy the same privacy protections as postal mail or telephone calls.]
In both cases, I was forced to reveal the identity of users that had been publishing materials about/from the Church of Scientology.
The second Church of Scientology case showed that until the law was amended (never a quick process), the loophole could be used to force me to divulge information about the users, so I closed down the service. At the same time, safer cryptography-based services had emerged that at least partially replaced my service.
An Ethical Hacker for Human Rights
Q: You’re known as an ethical hacker. What is an ethical hacker? How did you come to be known as an ethical hacker?
A: Normally the term “ethical hacker” is used to describe white hats – hackers who help find (and thus fix) security issues. But it has also been used to describe people like me who use their technical skills to further human rights.
In my case, it was, of course, mostly by putting together the remailer, but there are other people working on things like secure messaging, etc.
Q: Do you use your expertise in cyber privacy and anonymity as a resource for businesses and individuals looking to protect their online privacy? If so, how do you do that?
A: Not anymore — my technical skills are pretty rusty, so I now focus on policy and Internet governance.
Q: Can you talk about your work with the Electronic Frontier Foundation (EFF)? Did you help them develop and promote technologies that protect online privacy and anonymity?
A: The only technology I can take credit for was the Penet service that helped to make the broad public aware of the need for anonymity/pseudonymity. EFF deemed that work valuable enough to award me the Pioneer Award, something I am very proud of and thankful for.
No Absolute Anonymity
Q: Is absolute anonymity even possible?
A: In security, it is always about judging the threats and countering them appropriately.
Nothing is ever absolute. Given enough time and resources, anyone can be tracked down.
If you are trying to hide your cross-dressing tendencies from your work colleagues, the level of anonymity protection you need is somewhat less than if you are a whistleblower exposing major government secrets.
Q: You were a member of Technologia Incognita, a hackerspace in Amsterdam. What is a hackerspace? What was your role in the association? Do hackerspaces still exist today?
A: Hackerspaces are basically club spaces/labs that not only provide working spaces with tools and supplies but also a community of (somewhat) like-minded people who help each other, organize workshops, etc.
My role was that of a volunteer board member, helping to run the administrative side of the space. Hackerspaces still exist, but they have faced some competition from commercial makerspaces.
Working with ICANN
Q: You’re chairperson of ICANN’s Noncommercial Stakeholder Group (NCSG). Can you explain the purpose of the NCSG as it relates to privacy issues. Can you talk about your role as chairperson?
A: The NCSG is a part of the ICANN Generic Names Supporting Organization (GNSO) that is responsible for policy related to generic top-level domains. NCSG represents civil society, promoting human rights, openness, and transparency in the ICANN policy processes.
The role of the NCSG chair is mostly administrative, but it also involves a fair bit of politics and diplomacy in liaising with the different ICANN constituencies.
I have held a number of (volunteer) positions in ICANN, and I am still co-chairing a RIPE working group that tries to encourage cooperation between governments and the private sector. And until recently I chaired an Internet society chapter, and I helped organize the EuroDIG meeting last year.
Even within the GNSO, there are constituencies represented that have very different goals and priorities (registrars and registries, intellectual property people, businesses, and ISPs) besides the non-commercial people, not to mention the [many] advisory bodies and the board, so any policies are always a result of negotiations and compromises.
Thus, I spend a lot of time discussing with the various parties and trying to understand their concerns and priorities.
Starting Finland’s First Commercial ISP
Q: You’re responsible for starting up the first commercial Internet service provider in Finland, and you’re also the founder of the Finnish Internet Exchange. Can you talk about your work in these areas?
A: In the 1980s I was involved in setting up the Finnish UNIX Users Group that became a member organization of the European UNIX Users Group (EUUG). One of the activities of the EUUG was running EUnet (European UNIX network), a computer network of UNIX computers running the UUCP communications software that transported email and USENET newsgroups over modem lines.
For a couple of years, I was running the EUnet backbone node for Finland. As the EUnet network was migrating to TCP/IP and full Internet connectivity, a few of us decided to turn the EUnet activities — until then, a non-profit — into a more commercial direction to enable more rapid growth.
We, therefore, created the first commercial Internet service providers in Finland and many other European countries.
Soon we decided to merge the independent national operations into a pan-European entity, EUnet International, based in Amsterdam, causing me to move there as well.
In the late 1990s, EUnet was acquired by Qwest Communications and merged into a joint venture with the Dutch telco KPN, creating the European carrier and service provider KPNQwest that unfortunately went bust in the dot-com crash in 2001/2002.
The Finnish Commercial Internet Exchange came about as a way to ensure connectivity between EUnet and the former state and local telephone monopolies that could have tried to exclude EUnet from connecting to their networks or charge for the connection. In the early days it was operated by EUnet.
On Client-Side Screening
Q: On X, you seem to agree that client-side screening (CSS) “by its nature creates serious security and privacy risks for all society, while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which CSS can fail, can be evaded, and can
be abused.”
What is client-side screening? What serious security and privacy risks does it present for society and why is the help it can give law enforcement problematic? How can CSS fail, be evaded, and abused?
A: Client-side scanning is an attempt to reconcile the law enforcement need to scan for illegal content with the increasing use of encryption to protect user communications and privacy. It is based on software running on the device of the user, scanning files and messages.
The best-known examples are probably antivirus software programs, but there are now a number of proposals to extend this model to scanning for signatures of illegal or objectionable content.
This could be misused both to enable mass surveillance and to provide a method for censorship and suppression of political dissent.