The Calyx Institute: Getting to Know their Work and Tools that Make Privacy and Security Accessible to Everyone
The Community Series features stories of the people and projects behind the digital rights community.
Nicholas Merrill is a technologist and a well-known privacy advocate - he refused to hand over his customers’ data when requested by the Federal Bureau of Investigation (FBI), and spent twelve years taking them on.
He is also the founder and president of the Calyx Institute, a unique New York-based organization whose mission is to make privacy and security accessible to everyone. An exemplary community player, Calyx achieves this through public education initiatives and by developing accessible tools - the majority free to the public - that embrace “privacy by design.” This includes the much-celebrated open source, Android-based mobile operating system, CalyxOS.
“For Calyx, accessibility has been central to what we do because it translates to equality - allowing as many people as possible to have access to information, services, and technology by removing as many barriers as possible,” says Merrill.
How The Calyx Institute Started
In 2004, Merrill was the owner of a small Internet Service Provider (ISP) for diverse civil society organizations. In February of that year, he received a National Security Letter (NSL) from the FBI that demanded private details of his company’s clients, such as email details, screen names, cellphone towers, etc. It also imposed a non-disclosure agreement or gag order, blocking Merrill from sharing it with others. This request - part of a growing trend - was one of nearly 57,000 NSLs issued that year.
USA Patriot Act Expands the NSL
The USA Patriot Act statute was passed in response to the September 11, 2001 attacks, and expanded the scope of what an NSL could be applied to: it permitted U.S. law enforcement officials, for the purpose of an anti-terrorism investigation, to search property and records without the owner's consent or knowledge.
He explains, “the reason they came to me wasn’t about me and my company, it was about the organizations and people who were our customers.” He knew that giving the FBI access to the list of his clients would put them at risk. “I came out of school wanting to do stuff to make change and I thought that the Internet would enable global change. We worked for a lot of activist organizations, and some of them were kind of radical… I still don’t understand all their politics, but I wanted to put people online that were outside the mainstream views.”
Making History by Fighting the USA Patriot Act and Establishing Calyx
When he was approached, Merrill remembered the law classes that he took in university and knew that talking with his lawyer was his right. "I couldn't just let this happen and be quiet," he says. This led him to become the first person to file a Constitutional challenge against the USA Patriot Act statute, to stress the importance of cyber privacy and security. He is also the first person to have an NSL gag order completely lifted.
This experience inspired him to found The Calyx Institute in 2010 to increase awareness about online privacy, surveillance and accessibility. The organization has become an important community node in New York, where it is based, and beyond, with a growing network of members in the thousands.
Popular Products and Initiatives Designed for the People
Currently, Calyx has an impressive list of services, some free to the public and others provided to members, such as unlimited 5G internet via a hotspot, a VPN developed by them, and a diversity of educational programs.
In addition, some of their offerings are designed to support the broader Internet Freedom ecosystem: microgrants, privacy research benefiting software development, and SeedVault, an open source data backup application for Android.
CalyxOS: Reclaiming People’s Phone Privacy
One of their most celebrated products is CalyxOS, an Android mobile operating system that puts privacy and security into the hands of everyday users, without having to think about it. As he shares, “our phone is the only version of Android which comes out of the box with all these circumvention tools…we wanted to do things more private and in a way that is more automatic and simpler for people.”
CalyxOS prioritizes encrypted communication and allows users to browse the Internet without censorship by including Tor Browser and two free, trusted VPNs, from Calyx and Riseup respectively. However, it also allows more advanced users to have more control. As Merrill shares, “you can make your own version of the OS.”
Designed for Diverse Threat Models, Including Journalists and Activists
Calyx conducted extensive UX research with diverse users throughout the world, including high-risk profiles like activists and journalists. This led to the development of functions like a panic button, which users can trigger to erase data on their phone that may put them in danger.
He recounts that one of the first things they looked at was how to facilitate backups and restoration, so if a user loses their phone, they can still access data. He explains that “in a normal Android people’s data goes into Google Cloud. The problem is that your government could go to Google and request your data without you ever knowing. We thought about how to do it in the right way, which according to our point of view is to encrypt the data before you put it outside to the cloud.”
Merrill also shares that they managed to address this problem while still staying true to their support of open source. “We looked at all the different standards on how to store information. There is a package called Nextcloud, which is similar to the Google Suite. It has functionalities like Google Drive and Google Docs, but you can host it yourself on a computer that you control and own. So, our cellphone can back up to Nextcloud.”
Becoming a CalyxOS User
Individuals who take advantage of the CalyxOS Membership receive a new Pixel phone with CalyxOS already loaded. In addition, you can check out the CalyxOS repository if you would like to download the operating system to your existing Android device.
“We collaborate with diverse organizations and technologists to either improve the technology itself, or improve it for specific needs on the ground. The code is on GitLab, and anyone can submit a ticket! At the GG, we will be looking for translation support, among other things,” says
The Future of Tool Development that is Secure and Private
The Calyx Institute is well-loved because of their community-first approach - both by privacy toolmakers, and by the numerous partners they work with and support throughout the world. For many technology-focused groups like Calyx, the landscape has gotten difficult in recent years. Merrill shares the following advice:
"My advice for technologists is to join the community of people doing this work. Listen to people who are on the ground. Learn about threat modeling. Try to solicit feedback from actual people that are at risk every step of the way. Also, learn from folks that have been doing this work for some time. Right now, for example, I'm seeing a trend towards decentralization. The direction we are heading towards should reflect real needs of real people - not just making tech for tech's sake."