The recent disclosure that the Obama administration has secretly been collecting the phone records of millions of Americans is a reminder of just how much of a digital trail people leave in modern communications.
Some have turned to web-based programs in their search for communications that can’t be easily intercepted. For many U.S. businesspeople overseas, including contractors in Afghanistan and Iraq, Skype has been the approved standard for VOIP and instant messaging for years. It’s practically free, it’s encrypted, and so easy to use that a grandmother with her desktop can use it to chat with her wunderkind on his tablet.
Now a new company, Silent Circle, is upping the security bar for web-based communications. For $20 a month, the company offers encrypted, high-quality communications for mobile devices and computers. CEO Mike Janke draws a distinction between Silent Circle and Skype.
“I would not say they are a competitor,” he said. “We are in the business of secure communications. They are in the business of cheap long distance.”
His point is that Silent Circle’s products are built completely around security and privacy. They meet the NSA’s “Suite B” standards. Emails are encrypted using the PGP protocol designed 20 years ago by Phil Zimmermann, the longtime security expert and privacy rights advocate who serves as the company’s president. Voice and video communications are encrypted by ZRTP, another Zimmermann invention.
Janke says the company has three customer bases: individual subscribers, enterprise clients, and governments. In the federal government, he said, there’s even been a surprising market coming from the Bring Your Own Device phenomenon: agencies, he says, buy Silent Circle for their workers to manage their personal smart phones.
The firm says U.S. Special Operations Command approved it as a commercial secure communications provider earlier this year.
Privacy Vs. Security
Silent Circle’s business model is something of a hot-button right now. The Federal Bureau of Investigation has complained that new encryption and communications technologies are making interception difficult or impossible. But privacy rights experts and companies like Silent Circle say trying to legislate a solution would bring major problems.
Here’s the issue: Since 1994, the Communications Assistance for Law Enforcement Act has required telephone companies to build in mechanisms so that calls can be intercepted. In 2005, the FCC extended that law to VOIP services that allow calls to and from other phone services.
But there is still a gap. Peer-to-peer networks that don’t get connected to the phone networks are still not covered, and law enforcement can’t get real-time intercepts. In the case of companies like Silent Circle, the FBI couldn’t intercept anything at all. The firm says even if it were served a subpoena for subscribers’ communications, it wouldn’t be able to comply if it wanted to.
“We could give them a bunch of encrypted conversation,” shrugs Jon Callas, a computer security expert who is the company’s chief technical officer. “There is nothing we can turn over.”
The FBI has framed the debate in a law-enforcement context. “The government is increasingly unable to collect valuable evidence in cases ranging from child exploitation and pornography to organized crime and drug trafficking to terrorism and espionage,” Valerie Caproni, the FBI’s general counsel, testified in 2011.
The Obama administration is reportedly considering pushing for changes to the law, to require that web services and digital devices have built-in intercept “backdoors” to allow interception in real time.
But Silent Circle has joined with security experts and privacy advocates to argue that a backdoor would be a disaster for cybersecurity generally.
“The FBI constantly comes out and says ‘We’re going dark!’” says Janke. “It’s very dangerous to try to implement what they are asking for. If you try to introduce a wiretap into a technology like Silent Circle, you are now introducing a vulnerability.”
Silent Circle’s Zimmermann was one of the 20 technologists who prepared a report outlining how adversaries could easily exploit built-in backdoors if they were required by law. “We conclude that deployment of an intercept capability in endpoint communications services, systems and applications,” wrote the security experts, “poses serious security risks.”
Meanwhile, Silent Circle is growing fast. It emphasizes that it’s not a cure for another major problem with mobile devices: hackers and foreign governments who can use “exploits” to take over smartphones.
“We are not trying to solve the malware issue,” Janke said. “If a nation-state wants to own your device, they will do that.”
For true security, that’s a serious issue, because even encrypted communications are potentially vulnerable once a hacker exploits a smartphone at the operating level.