Encrypted Messaging Service Stops Answering 'Warrant Canary' Questions, Suggesting FBI, Others Are Seeking User Info

from the Golden-Key-Insertion-Team-now-onsite dept

It's beginning to look like a US-based encrypted communications platform may be headed for a Lavabit-esque future. As we're well aware, agencies like the FBI and NSA are firmly opposed to encrypted communications, which is something Surespot -- a text-messaging service -- offers.

Surespot has been in the news lately, thanks to terrorist groups utilizing encrypted services to keep their communications secret. UK's Channel Four looked into Surespot and found that 115 "ISIS-linked" people "appear" to have used the service in the "past six months." Because UK 4 wasn't able to get this information from Surespot directly (because Surespot doesn't store personally identifiable information or users' communications), it has only been able to infer this from messages on social media services that refer to Surespot.

What this means in terms of terrorists "flocking" to encrypted apps is still very vague, but there's no doubt any additional layers of secrecy are welcomed by those wishing to hide their communications. What 115 ISIS-linked users means in terms of an installed user base of at least 100,000 is also open for discussion, but it's quite obvious there are plenty of non-terrorists using the service as well.

But how long will the service stay afloat and uncompromised by national security agencies? The outlook isn't promising. George Maschke of Antipolygraph.org has been periodically sending emails to Surespot, unofficially acting as the service's warrant canary. For several months, his questions have been answered. But as of May 25th, he has still received no response to his canned questions.

In April 2015, I sent [service creator Adam] Patacchiola a similar set of questions but received no reply. I wrote again on 25 May 2015, asking:

1. Has 2fours received any governmental demand for information about any of its users?
2. Has 2fours received any governmental demand to modify the surespot client software?
3. Has 2fours received any governmental demand to modify the surespot server software?
4. Has 2fours received any other governmental demand to facilitate electronic eavesdropping of any kind?

If the answer to any of the above questions is yes, can you elaborate?

I have also attempted to contact [former co-owner Cherie] Berdovich and Patacchiola via the Surespot app itself but have received no reply. While its possible that they’ve simply tired of being pestered by me about government demands for information, I don’t think that’s the case and suspect they are under a gag order.

There's good reason to believe this is true. A recent plea agreement by a 17-year-old Virginia native charged with providing material support to ISIS (via instructions on how to use Bitcoin to provide anonymous donations) specifically mentions Surespot.

In or about late November or early December 2014, the defendant put RN [co-conspirator] in touch with an ISIL supporter located outside of the United States via Surespot in order to facilitate RN's travel to Syria to join and fight with ISIL.

I have sent the same questions to Surespot but am not expecting to receive any answers. It seems pretty clear that the government is seeking information about Surespot's users. Whether or not it will make an attempt to obtain this information en masse, as it did with Lavabit (by demanding the site's SSL key), remains to be seen. Surespot only retains usernames. [As pointed out by Antipolygraph.org's George Maschke, Surespot DOES store more than just usernames.] Surespot doesn't store much in terms of personal info, but does retain enough that frequent contacts could be outed and account holders could be identified through registration methods (email addresses, etc.) Everything else -- including encryption keys -- is stored by the users, either locally or at their chosen cloud service. Messages are end-to-end encrypted, meaning Surespot itself cannot see the contents.

What the government could do is try to force the company into creating a shared master key, which would allow agencies to decrypt messages. The FBI -- which has been most vocal about "going dark" -- may not be able to do this at present, but it is working towards being granted the legal power to do so.

FBI officials now want Congress to expand their authority to tap into messaging apps such as WhatsApp and Kik, as well as data-destroying apps such as Wickr and Surespot, that hundreds of millions of people — and apparently some militants — have embraced precisely because they guarantee security and anonymity.

At this point, Surespot has nothing to hand over to government agencies. But its silence suggests these agencies are asking all the same.

Filed Under: encrypted messages, fbi, isis, warrant canary
Companies: lavabit, surespot