Verizon Offers Encrypted Calling With NSA Backdoor At No Additional Charge
from the trust-us,-we're-the-phone-company dept
As a string of whistle blowers like former AT&T employee Mark Klein have made clear abundantly clear, the line purportedly separating intelligence operations from the nation's incumbent phone companies was all-but obliterated long ago. As such, it's relatively amusing to see Verizon announce this week that the company is offering up a new encrypted wireless voice service named Voice Cypher. Voice Cypher, Verizon states, offers "end-to-end" encryption for voice calls on iOS, Android, or BlackBerry devices equipped with a special app made by Cellcrypt.Verizon's marketing materials for the service feature young, hip, privacy-conscious users enjoying the "industry's most secure voice communication" platform:
Verizon says it's initially pitching the $45 per phone service to government agencies and corporations, but would ultimately love to offer it to consumers as a line item on your bill. Of course by "end-to-end encryption," Verizon means that the new $45 per phone service includes an embedded NSA backdoor free of charge. Apparently, in Verizon-land, "end-to-end encryption" means something entirely different than it does in the real world:
"Cellcrypt and Verizon both say that law enforcement agencies will be able to access communications that take place over Voice Cypher, so long as they're able to prove that there's a legitimate law enforcement reason for doing so. Seth Polansky, Cellcrypt's vice president for North America, disputes the idea that building technology to allow wiretapping is a security risk. "It's only creating a weakness for government agencies," he says. "Just because a government access option exists, it doesn't mean other companies can access it."Just because we put a backdoor in a product, doesn't mean those backdoors will be abused, right guys? Right? Of course this is the same Verizon that has mocked Internet companies for "grandstanding" when it comes to their latest encryption push. But while those companies have refreshingly started competing over who can respect your privacy more, Verizon's making it clear that privacy is an afterthought, even when pitching privacy services. Perhaps someday Verizon can see fit to offer "end-to-end encryption" that actually is.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: back doors, backdoors, encryption, end to end encryption, law enforcement, nsa, surveillance, voice cypher
Companies: cellcrypt, verizon
Reader Comments
Subscribe: RSS
View by: Time | Thread
Seems clear
[ link to this | view in thread ]
Oh, and Phil, tell the boys poker's been canceled this week. Meg's wife is coming, but of course you already knew that."
[ link to this | view in thread ]
Of course it's End-to-End encryption
[ link to this | view in thread ]
Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
[ link to this | view in thread ]
The ending to this story I hope for...
Is that one of our grey-hats finds and publicizes the back door within a week, after which Verizon tries to sue him or prosecute him and gets laughed out of court. Preferably without any actual jail time for the poor grey-hat.
Backdoors and golden keys are serious vulnerabilities. Apparently we need someone to demonstrate this in a way that ridicules those who don't get it.
[ link to this | view in thread ]
Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
This is pre-compromised at the factory.
[ link to this | view in thread ]
To be fair, they didn't say that the other end wasn't the NSA.
[ link to this | view in thread ]
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Thank you, Mr. Schneier.
[ link to this | view in thread ]
Does this mean a warrant? If so, I'm okay with that. I thought we were against warrantless surveillance.
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: The ending to this story I hope for...
[ link to this | view in thread ]
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
*Really, "lock" should be in quotes. A zip tie is more of a lock than those things that can be opened by universal keys that pretty much anyone and everyone has or can buy or make.
[ link to this | view in thread ]
Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
Excellent!
[ link to this | view in thread ]
Unintended consequence of giving the FCC authority
[ link to this | view in thread ]
[ link to this | view in thread ]
Notice here he doesn't say "warrant" - how interesting.
"Just because a government access option exists, it doesn't mean other companies can access it."
Yes, of course...because that's who we're afraid of exploiting government-mandated backdoors...companies.
Sounds like Verizon's marketing department needs a real enema if this is the best spin they can come up with.
[ link to this | view in thread ]
A company to avoid
That the VP of a company can make such a ludicrous statement tells me that the company is completely incompetent when it comes to security matters and their products and services cannot be trusted (even ignoring the presence of the backdoor).
[ link to this | view in thread ]
Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
For what it's worth, the FBI has links to all of the relevant lawful intercept technical standards here: http://askcalea.fbi.gov/standards.html
Many of them are freely available for download, although even the for-pay standards look to cap out at about $350 to purchase.
So, not only are they "pre-compromised" as you put it - the standards documents are readily available to anyone who's bored enough to read them.
[ link to this | view in thread ]
Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
AKA, why you must not purchase any "secure" communications platform from Verizon or any Telco - though with all the secret stuff the NSA and the Obama administration do, including lifetime gag orders, there's no way to know for sure if *any* closed source security app is actually secure. And open source apps are just begging for subtle, really hard to notice tweaks that make one minor change or error default or whatnot that transforms secure into interceptable. There is no panacea for security. :-p
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
"legitimate law enforcement reason"
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
From Verizon's website (http://business.verizonwireless.com/content/b2b/en/solutions/technology/mobile-security/voice-cyphe r.html)
"Voice Cypher Conferencing protects conference calls from unauthorized access, provides total control over calls in progress and can provide government-grade, end-to-end encryption to prevent voice-call interception."
Very carefully worded but here's the rub - it all hinges on the word "authorized": Customers will assume that they get to determine who and what is "Authorized". This is an incorrect assumption based on wishful thinking, and utterly at odds with well-established US Law.
Ultimately, the software application, as configured by the carrier determines what's "Authorized" - and "Lawful Intercept" is by definition going to get authorized. Every time.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
END TO END TO END
they should have some kind of government subsidy for the rate plan you know because the government is in on that end to end to end
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Who is this for?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
The very nature of a backdoor is to circumvent normal access, which is typical kept hidden from others so that unauthorized access is not made easier. Which also follows the flawed logic of security by obscurity which has already been well proven to be a fucking stupid idea.
The Government is becoming the very thugs we are looking to be protected from, and for some have already BECOME!
[ link to this | view in thread ]
Re:
Easy identification of targets comes to mind...
[ link to this | view in thread ]
Re: END TO END TO END
You much remember... Government is essentially a LEGAL racket.
You pay them to protect you... from them!
This is the reason that Government is the greatest threat to mankind. I can more easily defend myself from an invading army than I can from government thugs.
[ link to this | view in thread ]
Re:
If companies were allowed to disclose what NSL's they are being served (perhaps after some period of time), I would be more comfortable with it.
[ link to this | view in thread ]
Re: Re:
To make everyone a criminal ripe for picking from the crop as needed you just tweak the rules so that it is not possible for them to make it from home to work without breaking some laws, no matter how benign.
As an officer will tell you... follow anyone long enough and they will make a mistake that justifies and excuse to pull you over. This way they can have their cake and then accuse everyone else using non-government friendly tools or encryption to begin with as we are now of being terrorists with something to hide. As I said... self fulfilling prophecy.
[ link to this | view in thread ]
Re: Re:
You have already failed... it has been well proven that people like you can be fooled too easily.
To get this passed by someone like you they will allow companies to disclose them for a day to secure your vote then rip the carpet out from under you.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
Re: Re: Re:
Indeed. It comes back to this oldie (but goodie):
"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."
Commonly attributed to Cardinal Richelieu (1585-1642) although I gather there might be some dispute there.
Smart guy. He would have _loved_ mobile devices.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
In all fairness, there's no way to know with 100% certainty that any security app or process is actually secure even regardless of all that secret stuff.
Any security plan that relies entirely on any single security mechanism is a terrible security plan. This isn't a new thing at all -- it has been this way for the whole history of mankind. This is also why I discourage people from thinking of crypto as some kind of final word in security. It isn't anything of the sort.
It's also, by the way, by PGP was named "pretty good privacy" -- to try to keep people from thinking of it as some kind of panacea.
[ link to this | view in thread ]
Re: Who is this for?
[ link to this | view in thread ]
Can you even call it encrypted when so many have the password?
[ link to this | view in thread ]
Ummm, law enforcement can access communications right now as long as they're able to prove that there's a legitimate law enforcement reason for doing so. Its called a warrant. If you sign up for this, can law enforcement just say "we have a good reason" or do they still have to get a warrant?
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
But that's still thousands upon thousands of people. It only takes one to get the information out.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
If Verizon copies the encrypted stream as it's delivered from endpoint to endpoint and then decrypts the copy off-line using key escrow technology, it's still technically "end-to-end" encryption because there's no encrypt/decrypt/re-encrypt step in the interception. The endpoints can talk directly to each other, negotiate their own session keys, etc. Am I splitting hairs? Absolutely. Is that the same type of hair that a telco's lawyer would split? Absolutely. And that's just one way they'll monkey around with it.
It's a fun new game called "exploit the loophole", and everyone's playing - even the home game.
I haven't picked apart the marketing collateral, but it was written by lawyers specifically for the intent of being entirely true even if intentionally misleading. But at the end of the day, by all accounts, Verizon has stated that they've built in LI capabilities. So the way to ask the question is: "Now that they've said they're doing it, how are they doing so in a way that doesn't result in them losing a false-advertising lawsuit?"
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
It's hard to know who to trust when it comes to crypto right now, and the overall climate is one where it becomes easy to call into question the credentials of well-known crypto engineers, and a fools errand to trust anonymous contributors.
This is not a good spot to be in.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
Sounds rather like the scheme some years ago when the UK government arranged for an article / book to publicly suggest that terrorists didn't bother with life insurance when taking a plane trip. Needless to say, having suggested a way for terrorists to hide their tracks by signing up for life insurance, anyone who then signed up for life insurance when booking a plane trip promptly became someone of interest to the security services....
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
Re:
If you can sue a house you can listen to a phone.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
http://spectrum.ieee.org/telecom/security/the-athens-affair
Hackers used Regin to infect Belgacom's cellphone networks in Belgium. Allowing hackers to issue GSM commands directly on Belacom's network infrastructure, redirect calls, and gather location information about customers.
http://securelist.com/blog/research/67741/regin-nation-state-ownage-of-gsm-networks/
Why anyone would use, let alone pay for security software with intentional weaknesses designed into it for hackers and other nation states to exploit. Is beyond me.
Especially when there's lower cost and more secure alternatives such as Silent Circle or free software solutions such as TextSecure and RedPhone.
If you're afraid about cellphone backdoors there's even devices that encrypt your voice before it ever touches the cellphone's microphone. In that case JackPair voice encryption might float your boat.
I believe Verizon's push for Crypto Wars v2.0 is somehow about trying to set a legal precedent for backdoors in telcom devices. Sounds like another Clipper chip to me.
I don't believe CALEA currently requires telcoms to modify their end-to-end encryption software on order to make it wiretap friendly. Which means Verizon chose to introduce the backdoors voluntarily on their own accord. That to me, speaks about their attitude towards the privacy of their customers. Or lack of.
I don't want hackers and foreign governments listening to my private, backdoored conversations.
[ link to this | view in thread ]
My hoodie-footie PJ's have a builtin backdoor
[ link to this | view in thread ]
The "Cypher" in "Voice Cypher" is just Rot13
[ link to this | view in thread ]
[ link to this | view in thread ]
Re: Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
I've had every one of my luggage locks cut; I've never had a zip tie cut.
[ link to this | view in thread ]
"Verizon Offers Encrypted Calling With NSA Backdoor"
[ link to this | view in thread ]
"End-to-end"
[ link to this | view in thread ]
Re: good guys and bad guys
[ link to this | view in thread ]
-Are somewhat lacking in tech literacy and/or knowledge of current events.
-Own a smartphone.
-And need to communicate sensitive information privately.
So, Sony employees, celebrities prone to taking nude photos, hopefully more than a few government employees...
When (not if) this "secure calling" feature gets hacked, it's surely going to unleash yet another blockbuster dramabomb. I can't wait. :)
[ link to this | view in thread ]
Oh, so it's a double-end-to-end encryption.
Sweet.
[ link to this | view in thread ]
Re: Of course it's End-to-End encryption
[ link to this | view in thread ]
Hmmm
And this guy works in encryption software. Wow.
[ link to this | view in thread ]
Re: Hmmm
[ link to this | view in thread ]
Re: The ending to this story I hope for...
[ link to this | view in thread ]
No, it just means GOVERNMENT can access it
You dip wad whose purpertrating that this is an okay thing
[ link to this | view in thread ]
[ link to this | view in thread ]
That old joke about an amercian and a russian diplomat
The american diplomat says: "our country is great, we can pick up the phone, dial a number and talk to the police."
The russian diplomat says: "we don't have to dial."
--
It looks like the americans have copied the red menace :-)
[ link to this | view in thread ]
Re: Re: Not even an NSA backdoor, its an "Every LEO and Gov. Agency Backdoor."
[ link to this | view in thread ]