Encrypted Phone Provider Calls It Quits After Failing To Persuade Middlemen To Roll Their Own Device Management Systems
from the passing-the-buck-means-having-no-more-bucks-to-pass dept
Over the past few years, international law enforcement has been cracking down on encrypted device purveyors. We’re not just talking about regular device encryption, which has been mainstream for several years now. These would be specialized manufacturers that appear to cater to those seeking more protection than the major providers offer — services that ensure almost no communications/data originating from these phones can be obtained from third-party services.
The insinuation is that specialized devices are only of interest to criminals. And there is indeed some evidence backing up that insinuation. But plenty of non-criminals have reason to protect themselves from government surveillance, a fact that often goes ignored as criminal crackdowns continue.
Even if there’s a honest market for something international law enforcement considers to be a racket (as in RICO), the market cannot seem to sustain the continuous scrutiny of law enforcement. Another purveyor of specialty phones catering to people who desire the utmost in security and privacy has decided resellers should bear the legal burden of offering its offerings. Here’s Joseph Cox reporting for Motherboard:
Encrypted phone firm Ciphr, a company in an industry that caters to serious organized criminals, has made a radical change to how its product can be used and sold, signaling an attempt by the company to distance themselves from, or perhaps cut off, their problematic customers.
How do you cut off perhaps your (previously) most valued customers? Well, in this market, you force the resellers to assume all legal liability.
Now, it is shifting that responsibility away from itself to individual resellers of the devices. The message says that for resellers to continue with new sales or renewals of customers’ subscriptions, they will need to run their own MDM solution. This essentially puts the management of customers much more in the hands of the resellers and not Ciphr.
Offloading mobile device management (MDM) to third party resellers perhaps provides Ciphr with plausible deniability. If resellers want to have something to sell, they’ll need to take direct control of device management to ensure end users don’t install apps that might compromise security as well as controlling distribution of software updates and other necessities of cell phone service.
While this move may have ultimately provided Ciphr with plausible deniability when the feds came knocking, it immediately appears it won’t be profitable for Ciphr. The offloading of device management to resellers appears to have severely harmed reseller desire for Ciphr phones, as Joseph Cox notes in his follow-up article.
Ciphr will cease operations at the end of the month, according to the message. The reason was that not enough resellers took up Ciphr on its plan to shift the responsibility for Mobile Device Management (MDM) away from the company itself to individual resellers.
Resellers appeared to enjoy their previous relationship with Ciphr, which allowed them to profit heavily from a demanding, but limited market. That relationship allowed Ciphr to absorb the legal liability while third parties cashed checks. Check cashing is still an option, but cashing checks now means a possible increase in legal liability. Obviously, Ciphr’s biggest resellers aren’t on board with assuming additional legal risk.
Since there’s no interest from downstream retailers in running their own device management systems, Ciphr could either sell directly to customers it has always tried to distance itself from or call it a day. It chose the latter option, which will likely end up being far less harmful to its profits than dealing with the outcome of raids, arrests, and criminal charges that may have been the end result of its continued existence.
And while it may be easy to cheer on the demise of another company that apparently catered to criminals, let’s not forget every failure by device manufacturers like this one make it far easier for government entities to (falsely) claim secure devices and end-to-end encryption only benefit criminals. For that reason alone, we should be concerned about companies like these that shut down rather than offer products that could possibly fend off sustained attacks by state-sponsored hackers and make normal surveillance tools irrelevant.