Encrypted Messaging Service Stops Answering 'Warrant Canary' Questions, Suggesting FBI, Others Are Seeking User Info

from the Golden-Key-Insertion-Team-now-onsite dept

It's beginning to look like a US-based encrypted communications platform may be headed for a Lavabit-esque future. As we're well aware, agencies like the FBI and NSA are firmly opposed to encrypted communications, which is something Surespot -- a text-messaging service -- offers.

Surespot has been in the news lately, thanks to terrorist groups utilizing encrypted services to keep their communications secret. UK's Channel Four looked into Surespot and found that 115 "ISIS-linked" people "appear" to have used the service in the "past six months." Because UK 4 wasn't able to get this information from Surespot directly (because Surespot doesn't store personally identifiable information or users' communications), it has only been able to infer this from messages on social media services that refer to Surespot.

What this means in terms of terrorists "flocking" to encrypted apps is still very vague, but there's no doubt any additional layers of secrecy are welcomed by those wishing to hide their communications. What 115 ISIS-linked users means in terms of an installed user base of at least 100,000 is also open for discussion, but it's quite obvious there are plenty of non-terrorists using the service as well.

But how long will the service stay afloat and uncompromised by national security agencies? The outlook isn't promising. George Maschke of Antipolygraph.org has been periodically sending emails to Surespot, unofficially acting as the service's warrant canary. For several months, his questions have been answered. But as of May 25th, he has still received no response to his canned questions.

In April 2015, I sent [service creator Adam] Patacchiola a similar set of questions but received no reply. I wrote again on 25 May 2015, asking:

1. Has 2fours received any governmental demand for information about any of its users?
2. Has 2fours received any governmental demand to modify the surespot client software?
3. Has 2fours received any governmental demand to modify the surespot server software?
4. Has 2fours received any other governmental demand to facilitate electronic eavesdropping of any kind?

If the answer to any of the above questions is yes, can you elaborate?

I have also attempted to contact [former co-owner Cherie] Berdovich and Patacchiola via the Surespot app itself but have received no reply. While its possible that they’ve simply tired of being pestered by me about government demands for information, I don’t think that’s the case and suspect they are under a gag order.
There's good reason to believe this is true. A recent plea agreement by a 17-year-old Virginia native charged with providing material support to ISIS (via instructions on how to use Bitcoin to provide anonymous donations) specifically mentions Surespot.
In or about late November or early December 2014, the defendant put RN [co-conspirator] in touch with an ISIL supporter located outside of the United States via Surespot in order to facilitate RN's travel to Syria to join and fight with ISIL.
I have sent the same questions to Surespot but am not expecting to receive any answers. It seems pretty clear that the government is seeking information about Surespot's users. Whether or not it will make an attempt to obtain this information en masse, as it did with Lavabit (by demanding the site's SSL key), remains to be seen. Surespot only retains usernames. [As pointed out by Antipolygraph.org's George Maschke, Surespot DOES store more than just usernames.] Surespot doesn't store much in terms of personal info, but does retain enough that frequent contacts could be outed and account holders could be identified through registration methods (email addresses, etc.) Everything else -- including encryption keys -- is stored by the users, either locally or at their chosen cloud service. Messages are end-to-end encrypted, meaning Surespot itself cannot see the contents.

What the government could do is try to force the company into creating a shared master key, which would allow agencies to decrypt messages. The FBI -- which has been most vocal about "going dark" -- may not be able to do this at present, but it is working towards being granted the legal power to do so.
FBI officials now want Congress to expand their authority to tap into messaging apps such as WhatsApp and Kik, as well as data-destroying apps such as Wickr and Surespot, that hundreds of millions of people — and apparently some militants — have embraced precisely because they guarantee security and anonymity.
At this point, Surespot has nothing to hand over to government agencies. But its silence suggests these agencies are asking all the same.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: encrypted messages, fbi, isis, warrant canary
Companies: lavabit, surespot


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    George Maschke, 11 Jun 2015 @ 1:09pm

    Surespot knows more than just user names

    Surespot has more details about its users than just user names. Among other things, it also has contact lists, public keys, and the ciphertext of messages (which are stored on the server). In addition, IP addresses accessing the server (whose address is server.surespot.me) could also be logged. Surespot documents the data stored on the server here:

    https://surespot.me/documents/threat.html

    link to this | view in thread ]

  2. identicon
    Capt ICE Enforcer, 11 Jun 2015 @ 1:12pm

    US Government

    If the government wants to see pictures of my dick they should ask me instead of my messenger service.

    link to this | view in thread ]

  3. identicon
    Anonymous Coward, 11 Jun 2015 @ 1:13pm

    Anything that make encryption easy to use can be taken down or compromised by a government. That does not mean that the encryption is necessarily compromised, as it includes forcing a service to close. Even GPG key repositories are vulnerable to this. People who need secure communications are going to have to learn to manage their own keys, and rely on channels that governments would find very difficult to close, because it has an association with on-line shopping, like , I hate to say it, Gmail.

    link to this | view in thread ]

  4. identicon
    Vic, 11 Jun 2015 @ 1:21pm

    Should have split those questions (and add some more) one per email and see which ones generate replies and which ones did not...

    link to this | view in thread ]

  5. icon
    Agonistes (profile), 11 Jun 2015 @ 1:35pm

    Ironic warrant canary is ironic.

    link to this | view in thread ]

  6. icon
    Capitalist Lion Tamer (profile), 11 Jun 2015 @ 1:42pm

    Re: Surespot knows more than just user names

    I've corrected the story to reflect this.

    link to this | view in thread ]

  7. icon
    flyinginn (profile), 11 Jun 2015 @ 8:28pm

    Re: Encryption

    What's sad is precisely that governments are systematically making encryption for ordinary purposes like commercial in-confidence so visibly risky that we either use a different media or a more complicated encryption technique. Book codes offer a good alternative for short communications, and the Gutenberg Project provides lots of e-books to use. An app to book-encode a message automatically using a specified e-book could be an almost uncrackable (and almost un-noticeable) encryption approach.

    link to this | view in thread ]

  8. icon
    Coyne Tibbets (profile), 11 Jun 2015 @ 10:47pm

    Self-justified warrants

    This reeks of warrant self-justification.

    I searched Google for "surespot isis". The first stores that come up are:

    (1) Revealed: How British jihadi brides are being groomed by ISIS using a phone messaging app after brainwashing them on Twitter, Daily Mail, February 23, 2015: Claims ISIS is training "British jihadi brides" to use Surespot. The story is, naturally, unsourced, but it has nice, horrifying summaries of how Surespot is being used for ISIS terrorism.

    (2) Intel fears as jihadis flock to encrypted apps like Surespot, www.channel4.com, May 26, 2015. The story is supposedly based on a "Channel 4 investigation". It's full of horror phrases as well: "ISIS...flocking to [Surespot]"; 115 ISIS-linked people (obviously "terrorists") involved; and etc. But it is more clear as to the real source: "Intel" (intelligence agenceies) and later, "police and security agencies". This has nice terrorist quotes:

    * "If anyone wishes to sponsor the mujahideen... Contact me on my Surespot for safeways,"
    * "If you want 2 ask questions about Islam, Hijrah [emigration], Jihad or Shaam [Syria]; Ask me on Surespot".
    * "Interested in Hijrah [emigration] to Islamic Lands don't know anyone need help. I was told to use Surespot."

    Now how would Channel 4 know quotes like that? Oh, right.

    (3) A nice post from Wilder's Security forums that is short and sweet: "Still testing. Just learnt Surespot is one of the favorite chat apps of ISIS people." Then it points to that first Daily Mail article.

    (4) A "Jara Crook" Twitter pointing in turn to this article by National Consortium for the Study of Terrorism and Responses to Terrorism titled Transcending Organization: Individuals and “The Islamic State” , June 2014. This is probably the document that started the campaign against Surespot and contains this nice qualification at the end, "The views and conclusions contained in this document are those of the authors and should not be interpreted as necessarily representing the official policies, either expressed or implied, of the U.S. Department of Homeland Security or START." DHS, sponsor. Evidence provided: None.

    Get the drift?

    This is what I think happened: DHS used its "consortium" to dump these stories into Daily Mail and Channel 4. And now that this important story made our oh-so-reliable and circumspect media...

    ...DHS used it to justify warrants against Surespot.

    Now wouldn't that be clever, creating a news story to be used as evidence to get a warrant?

    link to this | view in thread ]

  9. identicon
    Anonymous Coward, 12 Jun 2015 @ 1:47am

    Surespot appears to have no forward secrecy according to Wikipedia. Meaning if the encryption keys are stolen, all past messages sent can be decrypted.

    link to this | view in thread ]

  10. icon
    Sheogorath (profile), 12 Jun 2015 @ 6:05am

    * "Interested in Hijrah [emigration] to Islamic Lands don't know anyone need help. I was told to use Surespot."
    Boy, someone sure doesn't know their Hindi, do they? Hijrah isn't emigration, they're Indian trans women! :D

    link to this | view in thread ]

  11. identicon
    Anonymous Coward, 12 Jun 2015 @ 7:14am

    How to take down an encrypted message service

    1. Generate false stories about terrorists using the service.
    2. Work with gullible press to get these stories wide publicity.
    3. Service is forced to bend over or shut down.
    4. Rinse & repeat.

    link to this | view in thread ]

  12. icon
    nasch (profile), 12 Jun 2015 @ 8:26am

    Re:

    Meaning if the encryption keys are stolen, all past messages sent can be decrypted.

    At least the user keeps the keys, so compromising the service won't get them. They would have to obtain keys one by one. I guess the risk would be if they could force Surespot to change the client to send private keys, but I'm guessing they would close up shop before agreeing to do that.

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.