Andrew Lewman once had an ordinary American's concerns about privacy — magnified, to be sure, by the fact that he'd worked or played with computers since he was 12 and knew how easy it was to monitor and track people online.
He recognized the largely unstated trade-off on the Web: Companies offered free stuff — search results, news stories, armchair shopping, and more — in return for personal data usable for profit. And beyond unwanted marketing, he knew the risks he faced if companies shared or sold data about him and something went wrong, such as heightened exposure to identity theft.
But it was a discovery he made a decade ago as a network manager in China that made him see how data privacy loomed as an issue of huge global importance. And you can draw a line from that realization to the role Lewman has today: as chief executive officer for the nonprofit Tor Project, whose mission is to allow people anywhere in the world to access the Internet — to read, write and communicate as they wish — under the protection of reliable anonymity.
Like Tor itself, Lewman is concerned about all aspects of privacy.
"Everyone has a right to be left alone by default — you should be in control of your data," he says. "The first rule of privacy is you decide what's private. That goes for anonymity, too."
Lewman doesn't minimize the risks facing everyday computer users in places like the United States. Protecting people from online tracking was Tor's initial priority, he says, and he's acutely aware of the risks people face when they log in, say, at a coffee shop with open-WiFi.
"The coffee shop gets to see everything you did online — the sites you visit, the pages you view, your user name and password on Facebook or Gmail, your chats if they're not encrypted," he says. Chances may be reasonable that no one will steal all that — that the worst you'll encounter is behavioral advertising, with ads based on your online profile seeming to follow you around the Web.
But those risks pale beside the dangers in countries where censorship is the norm. "Some of those countries say it's a cyber-security problem if you criticize the king," says Greg Nojeim, senior counsel at the Center for Democracy and Technology and head of its Project on Freedom, Security and Technology.
And under the world's most authoritarian regimes, reading or writing the wrong things can land a person in jail — or get somebody killed.
Lewman says that's what drives Tor's volunteers, including hundreds of computer scientists and professionals, who recognize there's an "arms race" between efforts such as Tor and the security services in countries that fear them. Other anonymizer tools are available, and may be adequate for some uses. But people using less effective tools sometimes get arrested.
Lewman says he's heard about sources' disappearances from journalists covering drug wars in Latin American countries where traffickers are tied in with intelligence services. "They say they don't understand. 'All we were doing was e-mailing each other. I didn't use my real name. He didn't use his real name.' "
Lewman's first inkling of data privacy's role in human rights came when he noticed something odd while monitoring his company's network in China. Late at night, when traffic should have been light, it was inexplicably busy. Chinese users were accessing its "virtual private networks" — cyber-tunnels, essentially, to open Internet servers in Japan and South Korea — to participate in the broader, uncensored world.
Lewman joined the Tor Project as a volunteer when he returned to the United States, and is now one of its 15 paid employees. What began as a loose, open-source coding project became a full-fledged nonprofit organization in 2006.
The transition was partly spurred a year earlier by Voice of America, which offered what became the first of a series of grants: $200,000, enough to support two full-time employees.
"They said to us, 'We have tens of thousands of people using your software' " in countries with censorship, Lewman recalls. So the government-funded multimedia broadcaster offered a grant to improve the software and to translate it into more languages.
You may ask, as I did, whether there's a conflict between governments' legitimate interests in security and Tor's efforts to protect people who want anonymity online. Doesn't that include the bad guys?
It might. But Lewman says that concern is outweighed by the benefits — both abroad and at home — of speech and communications that are reliably secure. Undercover investigators, journalists and businesspeople are among its most avid users.
Lewman says law enforcement officials are even among the 3,000 volunteers who make their computers available for the complex, multifaceted software to work its anonymizing magic.
"They feel like they use Tor so much they should give something back," he says. "There are parts of the government that fund us and then there are parts of the government that wish everybody could be bar-coded and stamped 24 hours a day for their safety."
How does Tor work? The best metaphor may be the one it started with. It's built on software called an "onion routing protocol" that was developed in the 1990s by the U.S. Naval Research Lab to protect naval communications. You can peel back layer after layer, and still be hardly anywhere.
In the most basic terms, Tor routes encrypted communications through three different servers. Your e-mail from that coffee shop could go anywhere in the world — say, from Sweden to Argentina to Japan. And the encryption keys change every 10 minutes.
"Anyone watching the network, all they see is this encrypted traffic to these apparently random servers," Lewman says. "There's nothing else they could see."
You can find out more about Tor, and download its software, at www.TorProject.org.