Encrypted Phone Provider Calls It Quits After Failing To Persuade Middlemen To Roll Their Own Device Management Systems

from the passing-the-buck-means-having-no-more-bucks-to-pass dept

Over the past few years, international law enforcement has been cracking down on encrypted device purveyors. We’re not just talking about regular device encryption, which has been mainstream for several years now. These would be specialized manufacturers that appear to cater to those seeking more protection than the major providers offer — services that ensure almost no communications/data originating from these phones can be obtained from third-party services.

The insinuation is that specialized devices are only of interest to criminals. And there is indeed some evidence backing up that insinuation. But plenty of non-criminals have reason to protect themselves from government surveillance, a fact that often goes ignored as criminal crackdowns continue.

Even if there’s an honest market for something international law enforcement considers to be a racket (as in RICO), the market cannot seem to sustain the continuous scrutiny of law enforcement. Another purveyor of specialty phones catering to people who desire the utmost in security and privacy has decided resellers should bear the legal burden of selling its products. Here’s Joseph Cox reporting for Motherboard:

Encrypted phone firm Ciphr, a company in an industry that caters to serious organized criminals, has made a radical change to how its product can be used and sold, signaling an attempt by the company to distance themselves from, or perhaps cut off, their problematic customers.

How do you cut off perhaps your (previously) most valued customers? Well, in this market, you force the resellers to assume all legal liability.

Now, it is shifting that responsibility away from itself to individual resellers of the devices. The message says that for resellers to continue with new sales or renewals of customers’ subscriptions, they will need to run their own MDM solution. This essentially puts the management of customers much more in the hands of the resellers and not Ciphr. 

Offloading mobile device management (MDM) to third-party resellers perhaps provides Ciphr with plausible deniability. If resellers want to have something to sell, they’ll need to take direct control of device management to ensure end users don’t install apps that might compromise security, and to control distribution of software updates and other necessities of cell phone service.

While this move may have ultimately provided Ciphr with plausible deniability when the feds came knocking, it already appears it won’t be profitable for Ciphr. The offloading of device management to resellers appears to have severely harmed reseller desire for Ciphr phones, as Joseph Cox notes in his follow-up article.

Ciphr will cease operations at the end of the month, according to the message. The reason was that not enough resellers took up Ciphr on its plan to shift the responsibility for Mobile Device Management (MDM) away from the company itself to individual resellers.

Resellers appeared to enjoy their previous relationship with Ciphr, which allowed them to profit heavily from a demanding, but limited market. That relationship allowed Ciphr to absorb the legal liability while third parties cashed checks. Check cashing is still an option, but cashing checks now means a possible increase in legal liability. Obviously, Ciphr’s biggest resellers aren’t on board with assuming additional legal risk.

Since there’s no interest from downstream retailers in running their own device management systems, Ciphr could either sell directly to customers it has always tried to distance itself from or call it a day. It chose the latter option, which will likely end up being far less harmful to its profits than dealing with the outcome of raids, arrests, and criminal charges that may have been the end result of its continued existence.

And while it may be easy to cheer on the demise of another company that apparently catered to criminals, let’s not forget that every failure by a device manufacturer like this one makes it far easier for government entities to (falsely) claim secure devices and end-to-end encryption only benefit criminals. For that reason alone, we should be concerned about companies like these that shut down rather than offer products that could possibly fend off sustained attacks by state-sponsored hackers and make normal surveillance tools irrelevant.

Companies: ciphr


Comments on “Encrypted Phone Provider Calls It Quits After Failing To Persuade Middlemen To Roll Their Own Device Management Systems”

Anonymous Coward says:

Pretty Good Phone Privacy

I’m not sure whether this has yet been mentioned on Techdirt, but a new provider, Pretty Good Phone Privacy (PGPP) started a beta service last month. It’s based on an academic paper of the same name, in turn named after the well known Pretty Good Privacy (PGP) software/protocols (that name being inspired by the fictional “Ralph’s Pretty Good Grocery” store).

It’s not quite the same thing as Ciphr etc.—it’s more about preventing location-tracking by carriers than protecting the data on the phone itself. But that’s kind of today’s big problem. Cops can only confiscate so many phones, and there’s at least the pretense of legal process (warrants), whereas everyone’s getting their location data collected and sold all the time. (Or so it seems, even if brokers equivocate about the details surrounding the word “sold”.)

Anonymous Coward says:

Re: Re:

I don’t know the details of the beta service. The paper did have an idea for that:

For many devices, the IMEI can be changed through software, often without root access. We envision a PGPP MVNO would allow for subscribers to present their unchanged device IMEI, giving the PGPP operator the opportunity to check against a EIR to verify the phone has not been reported as stolen. At that point, the IMEI could be reprogrammed to a single value, similar to our changes to the SUPI. [“the PGPP operator issues SIM cards with identical SUPIs to all of its subscribers.”]

For this check, the PGPP operator would presumably be contacted via an encrypted link, in some way that does not reveal the user’s location.
