The Fight for Control: Andrew Lee on Open-Sourcing PIA

When I learned that our new sister company, Private InternetAccess (PIA), was opening its source code, I immediately wanted toknow the backstory, especially since privacy is the theme of this month'sLinux Journal. So I contacted Andrew Lee, who founded PIA, and an interviewensued. Here it is.

DS: What made you start PIA in the first place? Did you have a particularpopulation or use case—or set of use cases—in mind?

AL: Primarily PIA was rooted in my humble beginnings on IRC where it hadquickly become important to protect one's IP from exposure using an IRCbouncer. However, due to jumping around in various industries thereafter, Ilearned a lot and came to an understanding that it was time for privacy togo mainstream, not in the "hide yourself" type of sense, but simplyin the "don't watch me" sense.

DS: Had you wanted to open-source the code base all along? If not, why now?

AL: We always wanted to open-source the code base, and we finally gotaround to it. It's late, but late is better than never. We were incrediblybusy, and we didn't prioritize it enough, but by analyzing our philosophiesdeeply, we've been able to re-prioritize things internally. Along withopen-sourcing our software, there are a lot of great things to come.

DS: People always wonder if open-sourcing a code base affects a businessmodel. Our readers have long known that it doesn't, and that open-sourcingin fact opens more possibilities than leaving code closed. But it would begood to hear your position on the topic, since I'm sure you've thoughtabout it.

AL: Since Private Internet Access is a service, havingopen-source codedoes not affect the business' ability to generate revenue as a companyaiming for sustainable activism. Instead, I do believe we're going to endup with better and stronger software as an outcome.

DS: Speaking of activism, back in March, you made a very strong statement,directly to President Trump and Congress, with a two-page ad inThe NewYork Times, urging them to kill off SESTA-FOSTA. I'mcurious to know if we'll be seeing more of that and to hear what theresponse was at the time.

AL: Absolutely! We ran a few newspaper campaigns, including one for theInternet Defense League. It's a very strong place to mobilize people forimportant issues for society. As a result of the campaign, many tweets fromconcerned Americans were received by President Trump. I would say it was asuccess, but from here it's up to our President. Let's hope he does theright thing and vetoes it. That said, if the bill is signed in its currentform [which it was after this interview was conducted], the internet isrouting, and the cypherpunks have the power of thecrypto. We will decentralize and route around bad policy.

DS: Our readers have always cared a lot about licenses, so here's aquestion for them: why the MIT license?

AL: Our internal open-source task force was given the mission of choosingthe least restrictive open-source license possible, and they landed on MIT.I hope that anyone and everyone can benefit from our code however theysee fit.

DS: Why release code repositories gradually instead of all at once? Whatkind of work do you need to do to make the code ready?

AL: In order to release our code properly, we're makingsure we'redistributing everything properly and with clean, readable code.

DS: Is the code on GitHub?

AL: Yes, athttps://pia-foss.github.io.

DS: Tell us more about the VPN industry. How has it changed since youstarted PIA? And do you expect that open-sourcing PIA's code will help thecompany lead the market in new ways?

AL: I think a lot more companies have entered the VPN industry. For us,open-sourcing our code is part of a multi-part strategy to create what wecall the "next VPN". We're not intending to lead the market, butinstead to create a new market that will essentially put the existingmarket, in its current form, into extinction immediately. This strategyincludes a heap of technology stacks we are building internally as well assimple feature additions. While we've definitely earned the reputation asthe most-trusted VPN in the space, the primary goal of the our "nextVPN" project is to remove trust from the equation. After all, we'restrong believers in the words "in crypto we trust".

DS: I know PIA always has been adamant about not logging its customers. In2015, the company had a chance to show why when a court subpoenaed customerusage records—and it was unable to provide any. I'd like to hear moreabout your philosophy there.

AL: Simply put, everyone has a right to privacy, but there are alsochoices. That's why I think it is imperative for people in the VPN consumermarket to do research beyond simple reviews. Instead, find forums and lookfor dirt on companies. That's the best way to verify any company—in ourspace or any others. Do searches that fill in the blanks on who sucks, whomonitors their users, who logs their users and so on.

DS: Make the connection, if you don't mind, between open source andprivacy.

AL: For us, open-sourcing is vital given that, in order to protect one'sprivacy, it is important for people to know exactly what it is theirsoftware is doing. Having the source code available makes this possible. Ialso believe that it further enhances security, in addition to ourthird-party audits that we already performed, since more eyes will be able toreview the code.

DS: What's next?

AL: With PIA we're really building the "next VPN", and it will bemore private than the way current providers look, on an order of magnitude.However, I really don't want to talk about it. We prefer to deliver, ratherthan talking about what we'll deliver.

DS: Today we're seeing the pendulum swinging toward decentralization, andgreater individual autonomy and control. I'd love to hear about how you seethat playing out, in what sequence and with what likely populations.

AL: Everyone has a different threat model, and everyone needs clear choicesabout trade-offs. To start, we're providing Tor to provide people with oneof the most essential choices. I don't like talking about stuff in thepipeline, but I will say we're launching full Tor support in all of ourclients on desktop and mobile. This is going to allow our end users toroute through Tor, which effectively allows them to mask their identityfurther. I believe that this will be used by a smaller set of users thanour overall customer base, because the Tor network is still small. However,by educating people about Tor while the network grows, so will Tor'sefficiency.

DS: I assume crypto will be involved. Can you say more about how?

AL: Everything we do uses crypto, from the algorithms used to even some ofthe accepted payment methods, such as cryptocurrencies. In launching our"next VPN" solution, we are relying heavily on cryptography and theunique applications to which it can be applied. It's pretty crazy thatnature, and brilliant people, have given us a gift, weapon andprotection in the form of cryptography, and we're damn sure going to bebetting everything we've got on it.

DS: How do you see VPN usage, and the whole VPN market, evolving andchanging, especially in different settings?

AL: I believe the VPN market and usage will continue to increase, as italready has, given the political and social climate. Many countries andcompanies are totally abusing their citizens and users, and people arelearning that they need to take matters into their own hands to protectthemselves.

DS: With all the bad news around Facebook and the approach of the GDPR andother privacy regulations, what changes do you see coming, from yourperspective as a provider of privacy tech?

AL: I'm guessing privacy will continue to be an important value to people.That being said, the government is constantly in a never-ending battle toremove our privacy. This is pretty bad, because privacy is more than justour right to disclose information to whomever we want, when we want; it'sactually a tool that allows us to be unique. Without privacy, we will allbecome conformists and do whatever it is "the man" deemsappropriate. Screw that world. Seriously. We have to blend into the crowdand become anonymous, believe it or not, in order to become different andcharacteristically unique. But this fight won't be easy. It's a fight forcontrol.

DS: So you see a conflict coming—or already here and headed into someshowdowns?

AL: Yes. My perspective is that the Crypto War is heading to the mainevent. We'll all need to work together to fight for the sake ofcryptography and, even more broadly, the internet.

Doc Searls is editor-in-chief of Linux Journal, where he has been on the masthead since 1996. He is also co-author of The Cluetrain Manifesto (Basic Books, 2000, 2010), author of The Intention Economy: When Customers Take Charge (Harvard Business Review Press, 2012), a fellow of the Center for Information Technology & Society (CITS) at the University of California, Santa Barbara, and an alumnus fellow of the Berkman Klien Center for Internet & Society at Harvard University. He continues to run ProjectVRM, which he launched at the BKC in 2006, and is a co-founder and board member of its nonprofit spinoff, Customer Commons. Contact Doc throughljeditor@linuxjournal.com.