If he were a spy

I looked for answers on Quora, a question-and-answer website.

Is Jacob Appelbaum a U.S. government employee?

He gets a huge salary from the Tor Project but mostly jets around the world, more lavishly than celebrities and movie stars. His home is chic, minimalist but opulent according to Rolling Stone. He posed with semi-automatic firearms in Iraq in 2008. He parties ALL the time, based on his flickr photographs. [These photos are no longer visible other than to logged-in flickr users with adult content viewing enabled. I embedded a few as part of my question on the Quora website and question comments.]

Martin Strohmeier
The question doesn’t really seem to follow from the details, Ellie?
Ellie Kesselman
Granted, but maybe this will help to explain. Tor is a former US government project. Jacob works, or worked for Tor. I was trying to avoid asking directly whether Jacob were a spy. That would be indiscreet, so I said “US government employee” instead.
Jacob has more fans and carte blanche globally than, well, I don’t even know who to compare with him. He is like the Larry Ellison or Eric Schmidt of crypto fandom, but without any visible means of support. I don’t see his name on the cryptography research server IACR as an author, nor any ACM nor IEEE scholarly journals, not even the Financial Cryptography conference.

ioerror is, well, to make an analogy, like the subversive version of Google’s Jared Cohen. ioerror is the cool kids’ hero, so to speak.

Martin Strohmeier
I saw him speak in front of the cream of the crop of the world’s academic security researchers (and me) last fall at CCS in Berlin. I sure got the impression that he resonated there quite well. I don’t know that much more about him though. He partied like everyone else, just a tad bit more paranoid.
Ellie Kesselman
He speaks all over the world! If there’s a political uprising or controversy, ioerror is boots on the ground, at the scene, but never in the U.S.A. He is like the rock star of crypto, except he isn’t affiliated with a company, nor a university, nor the Berkman Center at Harvard or EFF.

He always has lots of trappings of material success, nice clothes, hordes of women etc. Look at this! “The Sheik, Emir Appelbaum, Doha fashion victim”. That is atypical, for security researchers, isn’t it?
Martin Strohmeier
As for academic papers, many of these independent researchers can’t be bothered to go through the long publishing processes in academia but prefer to present their work at hacker conferences such as Defcon, Black Hat, C3 etc. Looking through Google Scholar such an example would be “MD5 considered harmful today” presented at 25c3. The authors later published at CRYPTO 2009, a top tier security conference.

Besides those, he got his name on a USENIX Security Workshop paper and a Communications of the ACM article (Lest we remember), solid outlets.
Ellie Kesselman
Matthew Green, Mikko Hypponen and IBMer Craig Gentry, who figured out homomorphic encryption, aren’t feted like ioerror.
Martin Strohmeier
Hypponen had a talk at that same CCS last fall, he’s quite prolific, too. There are bigger security superstars still, Bruce Schneier comes to mind. It’s never totally clear to me what makes someone an Internet superstar in any field, to be honest. Especially those Social Media gurus.

One thing I know though: Appelbaum is an extremely good orator (haven’t really followed his Internet activity but if he’s everywhere that’s surely explaining his popularity). Speaking engagements are something that brings in quite some money for many people. At the very least you’re being paid the travel cost to quite often pretty amazing destinations…


Adrián Lamo responded to my question on Quora. His answer puzzles me.

“Jacob Raven Appelbaum isn’t a USG employee, though I have no idea whether or not he may have technically been/contracted at some point in Tor’s early Naval Research Laboratory funding.

This question reads more like a love-letter-by-proxy to Appelbaum than a sincere desire for information, and I’m not the only person in the security community who sees this trend in public palaverous platitudes.

No political climate lasts forever. Jens Karney once believed Berlin would protect him indefinitely. I guess Jake figures he should have fun while the opportunity remains available.”

Adrián seems to infer that I am praising Jacob. That isn’t true at all though! The inline link to Jens Karney is a melancholy Der Spiegel Online news story about an American who became a spy for East Germany during the last decade of the Soviet Union.
In the end, I am left with more questions, but no answers.


Vestiges of Dutch Colonialism in the New World

Despite my best efforts at over-dramatization, and some inclination toward satire, I could not bring myself to title this post without any regard for accuracy. I did spin some sensationalist gems that I can’t resist sharing. I discarded these candidate titles due to their obvious discrepancy with reality:

  • Kingdom of the Netherlands: Autonomy or subjugation for vassal states Bonaire, Saba and Saint Eustatius?
  • Landscape of imperialism in the twenty-first century: Historically significant changes in sovereignty in the Netherlands Antilles.

Or most misleading and untruthful of all:

  • Turmoil revisits Dutch West Indies half a millennium after rout of Spanish Armada!

Birth of Nations

In fact, the Netherlands Antilles ceased to exist as of October 2010. Curacao and Saint Maarten are now autonomous nations, governing themselves. The three islands Bonaire, Saba, and Saint Eustatius became municipalities in the Kingdom of the Netherlands. Residents now have the same benefits and rights as Dutch citizens.

While browsing the GeoNames site a few days ago, I first learned of the transformation of the Netherlands Antilles.  It motivated today’s post, whose primary topic is privacy considerations for social networking. Location sharing (and associated geodata) is part of the privacy issue.

I was evaluating an alternative micro-blogging platform, It is a project. is like that mainstay of micro-blogging, Twitter. The two platforms even have a certain measure of cross-compatibility. In terms of branding, good choices were made: is a partner, or possibly a subsidiary, of is the perfect name for a communication medium restricted to 140 characters or less! is conceptually similar to the highly anticipated Facebook alternative, Diaspora. Both Diaspora and are open source projects. For the user, the relevant issue is that both assure a higher level of privacy. The design model for Facebook, and many other social networking applications, is that very little information will be retained on the client side. Most everything goes to a server-side repository. It is irrelevant whether user data resides in the cloud, or the Facebook data center. Neither is under the control of the user. and Diaspora are different in that they do not require users to relinquish all personal data. One way to do this is by running one’s social network on one’s own server, thus avoiding the concerns of information misappropriation, be it intentional or accidental. Running one’s own server does not sound very feasible for most people, and in fact, the shift to client side is probably more subtle e.g. greater reliance on the user’s browser.

Google Buzz provides an example of accidental over-sharing.  In the early days of Google Buzz, the full power of Open Social API was unleashed without forewarning users. This was accidental, and Google didn’t profit from the mishap. Google Buzz was irresponsible for not first offering opt-out to segregate some or all account contacts from participation.  The issue was promptly remedied. Unfortunately, despite the rapid redress and that there was no revenue stream associated with the disclosure of information (unlike the copious chronology charts of Facebook’s information peddling showcased in the Wall Street Journal), Google’s temporary disclosure of information about users to each other had a very negative impact on acceptance, usage and success of Google Buzz. includes a location identification option using GeoNames data.  Tie-in to the Dutch West Indies follows:

Flag of Curacao

Three new countries came into being after the dissolution of the Netherlands Antilles in October 2010… ISO assigned the code BQ to the three BES islands … Read More via GeoNames


Social Web Pathology Part 1

I’ve been pondering the theme of “Social Web 2.0 Pathology: Are We Connected Yet?”, and will introduce it with this mild example. Today’s post will then assess recent developments in our vanishing degrees of separation.

The date of this graphic was April 16, 2010; thus it does not contain the very consequence-laden “Like” button. Facebook announced the release of the Like button to the World Wide Web domains-at-large at the F8 conference on April 22.


Thoughts about Emotional Data in Wiredset Blog

The title of the article Data Driven Experiences: Emotional Data, by Mark Ghuneim, is fascinating; however, I’m concerned about address-level sharing of geo-spatial information as part of social networks.