Governments Using, Also Fretting, Encrypted Communications App
from the you-can't-see-me dept
As Glyn recently wrote about, while governments around the world are busy diving further and further into their citizens personal communications over their cell phones and the internet, the implementation of cryptography has been slow to catch up. We could point to several reasons for this, but chief among them appears to be the difficulty in encryption for the average user. Now, an ex-Navy SEAL and security defense contractor is looking to change that.Mike Janke is releasing a finished application, called Silent Circle, that is designed to provide encryption for communication and is supposedly easy to use. We've heard that promise before, so we'll have to see how close the reality matches the claims, but the goals are certainly lofty.
Named Silent Circle, it is in essence a series of applications that can be used on a mobile device to encrypt communications—text messages, plus voice and video calls. Currently, apps for the iPhone and iPad are available, with versions for Windows, Galaxy, Nexus, and Android in the works. An email service is also soon scheduled to launch.Without the smoke or fire? What the hell is the point? Well, according to Janke, the point is civil liberties. He states that the idea for this service, which will be subscription based, came about during his time overseas. He noted the lack of an easy to use but still secure method for calling his family back home, while also recognizing the erosion of civil liberties from government snooping, and decided to develop Silent Circle. His development team includes some notable figures, such as Phil Zimmerman (who invented PGP encryption) and Jon Callas (responsible for Apple's whole-disk encryption). Silent Circle is reportedly light years easier to use than other encryption methods and already has several customers, including international news outlets and special forces military units.
The encryption is peer to peer, which means that Silent Circle doesn’t centrally hold a key that can be used to decrypt people’s messages or phone calls. Each phone generates a unique key every time a call is made, then deletes it straight after the call finishes. When sending text messages or images, there is even a “burn” function, which allows you to set a time limit on anything you send to another Silent Circle user—a bit like how “this tape will self destruct” goes down in Mission: Impossible, but without the smoke or fire.
Still, despite governments seeing the value in the application for their own military forces, you just had to know they wouldn't be pleased with it appearing for use by the general public. But Janke insists the company has its bases covered to protect its customers.
The very features that make Silent Circle so valuable from a civil liberties and privacy standpoint make law enforcement nervous. Telecom firms in the United States, for instance, have been handing over huge troves of data to authorities under a blanket of secrecy and with very little oversight. Silent Circle is attempting to counter this culture by limiting the data it retains in the first place. It will store only the email address, 10-digit Silent Circle phone number, username, and password of each customer. It won’t retain metadata (such as times and dates calls are made using Silent Circle). Its IP server logs showing who is visiting the Silent Circle website are currently held for seven days, which Janke says the company plans to reduce to just 24 hours once the system is running smoothly.Now, to be fair, there have been promises of easy to use and secure encryption methods in the past, and they've failed to gain any steam. Likewise, the open source community is enormously important in validating the security and usability of this kind of thing, and there are some questions being posed about exactly how much Silent Circle will be available for testing.
Nadim Kobeissi, a Montreal-based security researcher and developer, took to his blog last week to pre-emptively accuse the company of “damaging the state of the cryptography community.” Kobeissi’s criticism was rooted in an assumption that Silent Circle would not be open source, a cornerstone of encrypted communication tools because it allows people to independently audit coding and make their own assessments of its safety (and to check for secret government backdoors). Christopher Soghoian, principal technologist at the ACLU's Speech Privacy and Technology Project, said he was excited to see a company like Silent Circle visibly competing on privacy and security but that he was waiting for it to go open source and be audited by independent security experts before he would feel comfortable using it for sensitive communications.Janke has indicated that, to some extent at least, Silent Circle will be available for scrutiny, though exactly to what level remains to be seen. That said, he is housing his infrastructure outside of the United States for fear of laws that would require him to build in back doors for government snooping. As a start up, he's asking for a great deal of trust from his users, but all the right words appear to be there.
But what if, one day down the line, things change and Canada or another country where Silent Circle has servers tries to force them to build in a secret backdoor for spying? Janke has already thought about that—and his answer sums up the maverick ethos of his company.The question I find more interesting is does something like Silent Circle initiate the first United States government outlawing of an otherwise legal application?
“We won’t be held hostage,” he says, without a quiver of hesitation. “All of us would rather shut Silent Circle down than ever allow a backdoor or be bullied into an ‘or else’ position.”
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encryption, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
Trying to hide something, and yelling "I AM HIDING HERE!" doesn't work out.
[ link to this | view in thread ]
done nothing wrong, have nothing to hide
I, personally, wouldn't spend single minute of my life on some "encrypted-p2p-whatever" app, for very simple reason. Since virtually all other mine (and of other people) communications are plain-text; using encryption of _some_ is like posting note for police - "here is stuff you want to look at".
Contrary to most people here, I (unfortunately) had an experience of living in totalitarian country - USSR. And you know what - KGB need not read everyone's mail or wiretap every single phone call. This stuff is as nice as painting your helicopter in black. Yea, that's cool too - but serve little function.
If for some reason, some intelligence agency (not necessary from US, mind you) will need to know contents of your mail/phone/sms - you _already_ in trouble. They won't bother to break encryption, they will break _you_.
[ link to this | view in thread ]
I'm confused; If this is an app that you download to a mobile device and it generates encryption keys on the fly, why does it need servers?
[ link to this | view in thread ]
Why is he even hosting it?
Now that would shake things up a little. "hosting servers", did Kim Dotcom teach nothing to anyone?
Yeah, the base tech may be a good idea, but as long as there are targetable points of failure, the system's not good enough.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: done nothing wrong, have nothing to hide
What if you innocently say something that taken out of context can be construed as a threat against someone? Who hasn't flippantly said "I'm gonna kill him" when talking about someone who has annoyed us? Or who hasn't uttered the words "This government are hopeless, I can't wait for the revolution"? Now, the vast majority of us have no intention of acting on those words but law enforcement does not have a sense of irony and those utterances could land a perfectly innocent person in some pretty hot water.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
yes, he taught us that he is a big mouth making money on other people's hard work.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re:
the interface uses the phones original look and feel,
so if you can call on an iphone, you can use this app.
i agree that if everyone is using it, why would they single out any one person for using the service,
to the people who confuse privacy with something to hide,
ARE THE WALLS ON YOUR TOILET GLASS, what do you have to hide,?
after all your doing nothing wrong
oh the internet, anyone using that must must be a criminal hacker.\sarcasm off
the i have done nothing wrong statement sends chills down my spine, are you aware on the internet there are identity thieves? that intellectual property is worth stealing?
or that private information "is private" i like talking dirty to my girl, (would prefer my sex life was between me and my girl).
i have heard that "most" of the details will be "open sourced" and the community will be able to get their hands on it as soon as the papers are finalised.
[ link to this | view in thread ]
Re: done nothing wrong, have nothing to hide
Privacy allows a society to exist and function without the fear of being crushed by the clumsy and heavy hands of those who wield political power. The people in power have to understand that there are certain lines they cannot cross.
If a government wants to break a person, they use torture, the courts, and the prisons. Abstract algebra and number theory, however, do not yield to such tools.
Perhaps you should refresh on your own Soviet history:
http://en.wikipedia.org/wiki/Alexander_Solzhenitsyn
[ link to this | view in thread ]
Re:
Trying to hide something, and yelling "I AM HIDING HERE!" doesn't work out.
Says the anonyomous coward...
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
FTFY
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Why the middleware?
[ link to this | view in thread ]
Sorry america, NO one trusts you anymore
I have and make my own apps free of you....enjoy
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: done nothing wrong, have nothing to hide
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Why the middleware?
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Almost forgot I'll definitely be wearing my tin foil hat. (^.~)
[ link to this | view in thread ]
Re:
What it is is a response born out of paranoia that a government agency is attempting to track your every move. The problem here is ...they really are trying to track your every move. They basically admit to as much, what with all their domestic spying programs, willfully infringing people's Constitutional rights.
What people such as yourself fail to realize is that we're supposed to have privacy rights, like being able to communicate without the government snooping. That said, I don't think I would ever trust a closed encryption app with a central database such as this. For all we know it could be a government smokescreen to easy data-gathering. It's being fronted, after all, by an ex-Navy seal.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
How people so easily forget.
After WWII and basically still in existence in some form until 2000 (after the signage of the Wassenaar Arrangement - which only allowed short key encryption) it was a criminal offence for a US citizen to distribute or sell in any way whatsoever encryption technology outside of the USA. In fact the military placed it on the United States Munitions List.
Now the USA has the U.S. Export Administration Regulations (EAR) which makes it an offence to export to certain countries (ie Cuba, Iran, North Korea, Sudan & Syria) or if to be used in the design, development or production of nuclear, chemical or biological weapons, or rocket systems, space launch vehicles, or sounding rockets, or unmanned air vehicle systems (drones) etc.. and the list goes on.. This is also for ANY software producer residing in the USA including Open Source programs.
Philip Zimmermann's was investigated by the FBI and Customs service in early 90's for his release of PGP onto the internet. RSA wanted it stopped, so did the US Govt.. The ONLY reason it was allowed was the outcry and the US discovering that they are NOT the only country who can create code.
Then luckily in 1999 David Bernstein pissed off the USG by winning Bernstein v. United States Dept. of Justice, 192 F.3d 1308 (9th Cir. 1999). Though the USG only loosened restrictions, and well...
the DMCA was born which criminalized all production, dissemination, and use of certain cryptanalytic techniques and technology (now known or later discovered) and IS STILL THE LAW, though not enforced.
So umm.. yeah back to your original question.
It's already outlawed, you just forgot about it.
[personally I wouldn't use this since it is still relying on a third party for routing and key generation/seeding. Give me a white noise/star generator anyday with one time pads.]
[ link to this | view in thread ]
Re:
You need to take encryption 101.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Ah, what a lovely arrogance. Some people in US _still_ believe in modern version of "manifest destiny".
Yep, there are people on this planet capable to write encryption program and not living in US. What a surprise, really.
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
"Do unto others as you would have them do unto you." Words of wisdom. If you resent being spied on for any reason then don't spy on others. The people are supposed to have guaranteed rights, bought and paid for with blood. Therefore, to infringe upon those rights is to show utter contempt for the memories of those who sacrificed themselves.
This is not the same America I used to know.
[ link to this | view in thread ]
The saddest part
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re:
Steganography is the art/science of writing messages in such a way that, to the outside observer, it is not immediately obvious what the nature of the communication is.
For example, I could trivially disguise VoIP traffic as HTTP traffic. For anyone that is analysing Internet traffic, it will not be immediately obvious (as in, general purpose computer algorithms won't catch it) that I am using VoIP, and not surfing the web.
That, coupled with cryptography, would make the work of anyone trying to passively pick up "evil" conversations incredibly hard. You don't stand out in the crowd, because your communications are indistinguishable for the "background noise" of the network.
Plus, I believe that some day, all our communications will be encrypted. It just makes sense for security and integrity purposes, and the overhead is not all that great. Many sites already offer HTTPS. Things are already heading that way...
[ link to this | view in thread ]
Bringing it on themselves
[ link to this | view in thread ]
Re:
When I encrypt my communications, it is not to hide from the government. It is to hide from hackers. It is to hide from people sniffing the open WiFi hotspot I am using. It is to hide from a worm on a nearby machine intercepting and redirecting my communications. It is to hide from criminals which could use my information, no matter how insignificant it might seem, as a starting point for identity theft or worse.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re: Re:
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: done nothing wrong, have nothing to hide
The notion that you have nothing to hide is ridiculous! everyone has something to hide and there are things that the Government does not need to know! and this has nothing to do with national security.
Frankly the last organization I would want to see my private thoughts and conversations with family and friends is the Government. I've worked the better part of my life for Government organizations and I know first hand that they abuse their power and privileges. They snoop and read, share and spread and worst of all LAUGH at peoples private information. Just because someone applied to work for a government doesn't give them the right to snoop on our private information.
And remember they'll keep that information forever, not letting you know that it's there and will use it against you if you are ever in their sites for anything! Innocent or Guilty!
Don't be a fool.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Why is he even hosting it?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
I'm down with a live in agent. Boy, won't someone be surprised when they break into my house, steal my stuff, and it turns out the government had RFID tags and wire taps in all the stuff they stole? MUAHAHAHA! Also, the dude would probably use my internet to pirate shit and we can watch free movies. Double Win! Even better, the government would have to PAY me for this. TRIPLE WIN!
"The saddest part of this is that an ex-Navy SEAL is hosting his app servers outside of the US for fear of what the government he used to work for will try to do. Does this fact scream out to anyone else besides me?"
It should scream out what everyone should already know. I don't care WHAT government you have, if you aren't at the least wary of it, you're just plain negligent.
[ link to this | view in thread ]
Re: Re:
A lot of our work is for companies whose data is privileged, and not encrypting it could get us into trouble. So why attract unscrupulous parties to the good stuff by only encrypting some of it?
As for this product, I can't imagine we'd use it simply because we (and security auditors we trust) can't see the code. And the "self-destructing" functionality sounds like something Microsoft would come up with, imagining a world where no one has virtual machines with which to take screenshots or headphone jacks with which to hook up a voice recorder. It intimates that they expect a level of control over my equipment that I'm not willing to give them without (at least) the same level of control over their code.
We'll stick with GPG and other open-source tools, thanks. For business, anyway. When most of the people I know outside of business are so comfortable talking about intimate things on Facebook or Twitter that it's comical, I don't have a lot of hope for getting them to run a special app just to talk to me privately.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: done nothing wrong, have nothing to hide
The massive gathering of data can only be considered with the support of computer systems, and I doubt that the security services queries are any better than Google searches.
Note it can be very difficult to distinguish between a couple of people working an a work of fiction, or on a real assassination plot. In both cases there may be discussion of weapons characteristics and locations and site lines from buildings etc. The current government paranoia about terrorists only increases the risks to innocent people in such situations.
[ link to this | view in thread ]
Re: done nothing wrong, have nothing to hide
Except that it's factually incorrect. If you're doing something wrong, you certainly have something to hide. However, a 100% innocent person also has quite a lot to hide, from health status through financial data through sexting to their spouse and so on.
This is true -- and indeed, if you are engaging in actions that are of extreme interest to an intelligence or law enforcement agency, casual encryption like this is not a huge help to you (but can be helpful as part of a larger security strategy).
Casual encryption like this is helpful, however, in preventing fishing expeditions and widespread data mining. These sorts of operations are more of a threat to "innocent" people anyway, as they tend to have a higher rate of false positives and can get you wrongly sucked up into the security apparatus.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re:
It's trickier than it sounds due to the fact that the IP address of the end points can and do change, especially with mobile devices. The simplest way around this is to have a directory server that tracks who is at what IP address at any given moment.
[ link to this | view in thread ]
Re: Re: done nothing wrong, have nothing to hide
[ link to this | view in thread ]
Re: Re:
AC, why are you hiding your communication in with all of the other innocent people? Got something to hide, eh?
[ link to this | view in thread ]
Re: Re: Why is he even hosting it?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: done nothing wrong, have nothing to hide
Tell that to the Jews in Germany under Hitler.
[ link to this | view in thread ]
Re: Re: Re:
[ link to this | view in thread ]
Re: Re:
You don't need servers in different countries just to offer an app for download. As hard as it might be to believe, a user in one country can actually connect to and download from a server that's based in another country. Even more amazing, this works from any country to any other country (barring government censorship).
[ link to this | view in thread ]
Re: Re:
Naturally. How stupid of me to think that something beneficial would come without a leash attached...
[ link to this | view in thread ]
Re: The saddest part
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: The saddest part
...and yet we still have an endless supply of mercenaries!
(geez, wonder if it has anything to do with the fact that the military and prisons are about the only industries hiring...
i wonder...)
art guerrilla
aka ann archy
eof
[ link to this | view in thread ]
Re:
You log into Skype with your username and password. Skype's servers now know what machine you're using and its IP address. Your friend then logs in with their own account, Skype knows what machine they're on and their IP address. Your friend calls you, Skype's servers then tell his computer what your IP address is at the time, so he connects to you. From that point on, all the communication data goes between only your two computers, not Skype (or this app in this case).
[ link to this | view in thread ]
Re: Re: The saddest part
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
security through obfuscation...
*IF* even a small-ish proportion of regular folks did this, then it would make intercepting/reading emails based on these trigger words effectively useless...
BUT, why is it i have to defend myself against my 'own' (sic) gummint, again ? ? ?
(um, because it AIN'T my -or yours, unless you're a 1 percenter- gummint any more...)
art guerrilla
aka ann archy
eof
[ link to this | view in thread ]
Re:
Cryptanalytic, or cryptographic?
[ link to this | view in thread ]
Re: Re: Re:
I'm regularly asked to sign Draconian non-disclosure agreements for my business, yet the people who are so concerned for their secrets are quite happy to exchange drawings and sensitive business information by unencrypted email that can be snooped from any place on the planet. I've had PGP or its equivalent for twenty years and I always ask these NDA folk to exchange keys, but so far nobody has ever bothered.
[ link to this | view in thread ]
still waiting
In particular:
Shutting the company down is one thing; going to jail is something else. What if someone gets into legal trouble over taxes, or stands to lose child custody in a divorce, and a man from the Justice Department shows up and offers to help? Suppose the FBI spreads out some photos on the table and says "we're tracking a major [VILLAIN OF THE MONTH] and we can nail him if you help us". How many employees of this company have the ability to compromise Silent Circle? Which of them is the most naive? Which one loves money the most? Or just doesn't care much about flawless security protocols?
To put it another way: apart from embarrassment, what is the consequence of a leak for Janke & Friends? Is it nothing? I'll bet it's nothing.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
proprietary == untrustworthy
[ link to this | view in thread ]
Re: Re: Re:
And you are famous for making accusations without offering any proof, or even examples.
[ link to this | view in thread ]
Re: Re: Re:
It's not difficult to hide encrypted data completely, so that people searching don't even know it's there...
[ link to this | view in thread ]
Re: Re:
Mike, if you don't want anonymous posters, don't permit it.
Don't ridicule those who choose to use the options you offer, it makes you just look like a hateful prick.
[ link to this | view in thread ]