Encrypted Messaging Service Stops Answering 'Warrant Canary' Questions, Suggesting FBI, Others Are Seeking User Info
from the Golden-Key-Insertion-Team-now-onsite dept
It's beginning to look like a US-based encrypted communications platform may be headed for a Lavabit-esque future. As we're well aware, agencies like the FBI and NSA are firmly opposed to encrypted communications, which is something Surespot -- a text-messaging service -- offers.
Surespot has been in the news lately, thanks to terrorist groups utilizing encrypted services to keep their communications secret. UK's Channel Four looked into Surespot and found that 115 "ISIS-linked" people "appear" to have used the service in the "past six months." Because UK 4 wasn't able to get this information from Surespot directly (because Surespot doesn't store personally identifiable information or users' communications), it has only been able to infer this from messages on social media services that refer to Surespot.
What this means in terms of terrorists "flocking" to encrypted apps is still very vague, but there's no doubt any additional layers of secrecy are welcomed by those wishing to hide their communications. What 115 ISIS-linked users means in terms of an installed user base of at least 100,000 is also open for discussion, but it's quite obvious there are plenty of non-terrorists using the service as well.
But how long will the service stay afloat and uncompromised by national security agencies? The outlook isn't promising. George Maschke of Antipolygraph.org has been periodically sending emails to Surespot, unofficially acting as the service's warrant canary. For several months, his questions have been answered. But as of May 25th, he has still received no response to his canned questions.
In April 2015, I sent [service creator Adam] Patacchiola a similar set of questions but received no reply. I wrote again on 25 May 2015, asking:There's good reason to believe this is true. A recent plea agreement by a 17-year-old Virginia native charged with providing material support to ISIS (via instructions on how to use Bitcoin to provide anonymous donations) specifically mentions Surespot.
1. Has 2fours received any governmental demand for information about any of its users?
2. Has 2fours received any governmental demand to modify the surespot client software?
3. Has 2fours received any governmental demand to modify the surespot server software?
4. Has 2fours received any other governmental demand to facilitate electronic eavesdropping of any kind?
If the answer to any of the above questions is yes, can you elaborate?
I have also attempted to contact [former co-owner Cherie] Berdovich and Patacchiola via the Surespot app itself but have received no reply. While its possible that they’ve simply tired of being pestered by me about government demands for information, I don’t think that’s the case and suspect they are under a gag order.
In or about late November or early December 2014, the defendant put RN [co-conspirator] in touch with an ISIL supporter located outside of the United States via Surespot in order to facilitate RN's travel to Syria to join and fight with ISIL.I have sent the same questions to Surespot but am not expecting to receive any answers. It seems pretty clear that the government is seeking information about Surespot's users. Whether or not it will make an attempt to obtain this information en masse, as it did with Lavabit (by demanding the site's SSL key), remains to be seen.
What the government could do is try to force the company into creating a shared master key, which would allow agencies to decrypt messages. The FBI -- which has been most vocal about "going dark" -- may not be able to do this at present, but it is working towards being granted the legal power to do so.
FBI officials now want Congress to expand their authority to tap into messaging apps such as WhatsApp and Kik, as well as data-destroying apps such as Wickr and Surespot, that hundreds of millions of people — and apparently some militants — have embraced precisely because they guarantee security and anonymity.At this point, Surespot has nothing to hand over to government agencies. But its silence suggests these agencies are asking all the same.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: encrypted messages, fbi, isis, warrant canary
Companies: lavabit, surespot
Reader Comments
Subscribe: RSS
View by: Time | Thread
Surespot knows more than just user names
https://surespot.me/documents/threat.html
[ link to this | view in chronology ]
Re: Surespot knows more than just user names
[ link to this | view in chronology ]
US Government
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re: Encryption
[ link to this | view in chronology ]
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Self-justified warrants
I searched Google for "surespot isis". The first stores that come up are:
(1) Revealed: How British jihadi brides are being groomed by ISIS using a phone messaging app after brainwashing them on Twitter, Daily Mail, February 23, 2015: Claims ISIS is training "British jihadi brides" to use Surespot. The story is, naturally, unsourced, but it has nice, horrifying summaries of how Surespot is being used for ISIS terrorism.
(2) Intel fears as jihadis flock to encrypted apps like Surespot, www.channel4.com, May 26, 2015. The story is supposedly based on a "Channel 4 investigation". It's full of horror phrases as well: "ISIS...flocking to [Surespot]"; 115 ISIS-linked people (obviously "terrorists") involved; and etc. But it is more clear as to the real source: "Intel" (intelligence agenceies) and later, "police and security agencies". This has nice terrorist quotes:
* "If anyone wishes to sponsor the mujahideen... Contact me on my Surespot for safeways,"
* "If you want 2 ask questions about Islam, Hijrah [emigration], Jihad or Shaam [Syria]; Ask me on Surespot".
* "Interested in Hijrah [emigration] to Islamic Lands don't know anyone need help. I was told to use Surespot."
Now how would Channel 4 know quotes like that? Oh, right.
(3) A nice post from Wilder's Security forums that is short and sweet: "Still testing. Just learnt Surespot is one of the favorite chat apps of ISIS people." Then it points to that first Daily Mail article.
(4) A "Jara Crook" Twitter pointing in turn to this article by National Consortium for the Study of Terrorism and Responses to Terrorism titled Transcending Organization: Individuals and “The Islamic State” , June 2014. This is probably the document that started the campaign against Surespot and contains this nice qualification at the end, "The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security or START." DHS, sponsor. Evidence provided: None.
Get the drift?
This is what I think happened: DHS used its "consortium" to dump these stories into Daily Mail and Channel 4. And now that this important story made our oh-so-reliable and circumspect media...
...DHS used it to justify warrants against Surespot.
Now wouldn't that be clever, creating a news story to be used as evidence to get a warrant?
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Re:
At least the user keeps the keys, so compromising the service won't get them. They would have to obtain keys one by one. I guess the risk would be if they could force Surespot to change the client to send private keys, but I'm guessing they would close up shop before agreeing to do that.
[ link to this | view in chronology ]
Boy, someone sure doesn't know their Hindi, do they? Hijrah isn't emigration, they're Indian trans women! :D
[ link to this | view in chronology ]
How to take down an encrypted message service
2. Work with gullible press to get these stories wide publicity.
3. Service is forced to bend over or shut down.
4. Rinse & repeat.
[ link to this | view in chronology ]