Governments Using, Also Fretting, Encrypted Communications App
from the you-can't-see-me dept
As Glyn recently wrote about, while governments around the world are busy diving further and further into their citizens personal communications over their cell phones and the internet, the implementation of cryptography has been slow to catch up. We could point to several reasons for this, but chief among them appears to be the difficulty in encryption for the average user. Now, an ex-Navy SEAL and security defense contractor is looking to change that.
Mike Janke is releasing a finished application, called Silent Circle, that is designed to provide encryption for communication and is supposedly easy to use. We've heard that promise before, so we'll have to see how close the reality matches the claims, but the goals are certainly lofty.
Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications—text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also soon scheduled to launch.
The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user—a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.
Without the smoke or fire? What the hell is the point? Well, according to Janke, the point is civil liberties. He states that the idea for this service, which will be subscription based, came about during his time overseas. He noted the lack of an easy to use but still secure method for calling his family back home, while also recognizing the erosion of civil liberties from government snooping, and decided to develop Silent Circle. His development team includes some notable figures, such as Phil Zimmerman (who invented PGP encryption) and Jon Callas (responsible for Apple's whole-disk encryption). Silent Circle is reportedly light years easier to use than other encryption methods and already has several customers, including international news outlets and special forces military units.
Still, despite governments seeing the value in the application for their own military forces, you just had to know they wouldn't be pleased with it appearing for use by the general public. But Janke insists the company has its bases covered to protect its customers.
The very features that make Silent Circle so valuable from a civil liberties and privacy standpoint make law enforcement nervous. Telecom firms in the United States, for instance, have been handing over huge troves of data to authorities under a blanket of secrecy and with very little oversight. Silent Circle is attempting to counter this culture by limiting the data it retains in the first place. It will store only the email address, 10-digit Silent Circle phone number, username, and password of each customer. It won’t retain metadata (such as times and dates calls are made using Silent Circle). Its IP server logs showing who is visiting the Silent Circle website are currently held for seven days, which Janke says the company plans to reduce to just 24 hours once the system is running smoothly.
Now, to be fair, there have been promises of easy to use and secure encryption methods in the past, and they've failed to gain any steam. Likewise, the open source community is enormously important in validating the security and usability of this kind of thing, and there are some questions being posed about exactly how much Silent Circle will be available for testing.
Nadim Kobeissi, a Montreal-based security researcher and developer, took to his blog last week to pre-emptively accuse the company of “damaging the state of the cryptography community.” Kobeissi’s criticism was rooted in an assumption that Silent Circle would not be open source, a cornerstone of encrypted communication tools because it allows people to independently audit coding and make their own assessments of its safety (and to check for secret government backdoors). Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.
Janke has indicated that, to some extent at least, Silent Circle will be available for scrutiny, though exactly to what level remains to be seen. That said, he is housing his infrastructure outside of the United States for fear of laws that would require him to build in back doors for government snooping. As a start up, he's asking for a great deal of trust from his users, but all the right words appear to be there.
But what if, one day down the line, things change and Canada or another country where Silent Circle has servers tries to force them to build in a secret backdoor for spying? Janke has already thought about that—and his answer sums up the maverick ethos of his company.
“We won’t be held hostage,” he says, without a quiver of hesitation. “All of us would rather shut Silent Circle down than ever allow a backdoor or be bullied into an ‘or else’ position.”
The question I find more interesting is does something like Silent Circle initiate the first United States government outlawing of an otherwise legal application?