Tuesday, February 5, 2013

Security Pioneer Creates Service to Encrypt Phone Calls and Text Messages

SAN JUAN, PUERTO RICO - Attention, Snapchat: You have some very serious competition.

Phil Zimmermann, the creator of Pretty Good Privacy, is widely considered the godfather of encryption software. After making his software available for download in the 1990s, he was the subject of a criminal investigation that was eventually dropped in 1996. Today, his P.G.P. software is the most widely used e-mail encryption software in the world.

But these days, Mr. Zimmermann is busy with his new venture, Silent Circle, which provides encryption for smartphone users. At a security conference in San Juan, Puerto Rico, Mr. Zimmermann introduced the service, which is available for Android and iPhone. Silent Circle lets users make encrypted phone calls, send text messages and do videoconferencing. Messages are scrubbed completely from the phone after a predetermined amount of time. Communications are secured using a new, peer-reviewed open-source encryption technology.

Mr. Zimmermann’s business partners include Jon Callas, who co-founded the PGP Corporation, which now belongs to Symantec, and two former Navy SEALs, Mike Janke and Vic Hyder. His target market, Mr. Zimmermann said, is soldiers based overseas, business people who operate in known surveillance states, human rights activists, dissidents and (more recently) journalists. Since starting Silent Circle in October, Mr. Zimmermann said, he has spent nearly all his time in Washington signing up government agencies and contractors.

He was adamant that the service be subscription-based. Individual users pay $20 a month, while businesses are charged per employee. He said he was often asked why people would pay to use the service when they could just as easily make free calls with Skype.

“I tell them go ahead and use Skype - I don’t even want to talk to you. This is for serious people interested in serious cryptography,” he said. “We are not Facebook. We are the opposite of Facebook.”

Silent Circle’s interface looks a lot like the native iOS and Android dialing and text messaging features, and the videoconference service closely resembles Skype. Users are given 10-digit “silent numbers” that work with other Silent Circle subscribers. For an additional $29 a month, the numbers can be used to dial outside Silent Circle. In those cases, the service encrypts phone calls between its users and its servers in Canada, so anyone looking to track users wouldn’t be able to trace them beyond Canada.

The company had its reasons for locating its servers in Canada, where they fall outside United States government control. Canada also has much stricter privacy laws than the United States or even the European Union. Mr. Zimmermann noted that law enforcement would not be able to eavesdrop on Silent Circle users and, for that matter, neither would Silent Circle.

“When we say we don’t have the keys, we mean that,” Mr. Zimmermann said, referring to the electronic key that would be necessary to decrypt a message.

Mr. Zimmermann invented his own peer-to-peer encryption protocol to avoid the risk that Silent Circle’s communications could be intercepted by someone faking a certificate from one of the authorities that guarantee communications are secure. In 2011, DigiNotar, a Dutch company that sells security certificates, was compromised by what many believe to have been Iran or hackers working on its behalf.

“There are thousands of Iranian dissidents in prison today because of that failure,” Mr. Zimmermann said.

In an analysis of the DigiNotar attack, the Electronic Frontier Foundation found the certificate authority system to be insecure. “Until we have augmented or replaced the certificate authority system with something more secure,” the foundation said, “all of our fixes to the problem of HTTPS/TLS/SSL insecurity will be Band-Aids.”

There are now a number of apps that promise to secure communications. Wickr, a mobile app, performs a similar service that encrypts video, photos and text messages. Security researchers, however, complain that not enough is known about the app’s protocols.

Anticipating that criticism, Silent Circle has published its source code for review to prove that its encryption is secure and that there are no back doors.

“I’ve spent my whole career on the principle of no back doors,” Mr. Zimmermann said. “So we’re not about to start.”

While they are not exactly Silent Circle’s target market, teenagers are increasingly using Snapchat, a popular mobile app that allows them to take and send pictures and control how long messages are visible on the recipient’s phone. Facebook recently unveiled a service called Poke that competes with Snapchat. Those services make no encryption promises, and researchers have pointed out that a security flaw makes it easy for recipients to save messages without senders knowing about it. It is also unclear whether data sent through the services is wiped completely, which would make it impossible for forensics investigators or law enforcement officials to reconstruct messages.

Asked whether Mr. Zimmermann considered Snapchat a competitor, he chuckled. “I’ve never heard of it.”