OFF THE WIRE
Two Navy SEALs are bringing world-class encryption to the iPhone, for everything from state secrets to celebrity selfies. But that means it can be used by criminals as well.
The first rule, former Navy SEAL Mike Janke tells me, is that you have to assume the worst: "Everything you do and say — email, text, phone — is monitored on some level."
He's talking about paramilitary operations — spy stuff — but it applies just as much to a gossipy text message. A Wi-Fi sniffer can pluck emails right out of the air. Old texts linger on phones for years, waiting to be smuggled out with malware. Your cell signal is encrypted, but researchers have cracked it in as little as two hours. It rarely occurs to us as we blast out emoji, but for security professionals — a military contractor carrying sensitive information through a hotel in Hong Kong, for instance — that paranoia is a way of life.
It's what professionals call an "austere communications environment," something Janke has been navigating for upwards of 10 years, first as a member of an elite SEAL team and then as a private-sector consultant. Without Pentagon-approved tech, a phone call felt too risky. Anyone at all could be listening.
In short, there's a security hole — a big one. So Janke got together with a few cryptographers and built something to fix it. The result is an app called Silent Circle that offers on-board military-level encryption for phone calls, texts, email and video. When it hits the App Store next week, anyone with an iPhone and $20 a month will have a secure line at their disposal. So when Janke's paramilitary friends are traveling through hostile territories, they can call home without worrying who they're tipping off.
It's not just for spies either. One of the first beta testers was Vern Abila, another ex-soldier who now splits his time between government contracts and protecting the Scarlett Johanssons of the world from embarrassing data leaks. All the recent leaks of celebrity selfies could have been stopped by an app like Silent Circle, and phone calls are even more vulnerable. "The general rule has always been, don't say something on a phone that you wouldn't say in a crowded room," Abila told me. "Silent Circle will change that."
For the military half of the company, security isn't just for
electronics. Vic Hyder, COO of Silent Circle and also an ex-SEAL, told
me about his morning commute to the Special Forces' Southern Command in
Homestead, Florida. He'd show ID to get onto the base, enter a code to
get into the building, then swipe a card, enter another code, walk past a
guard and swipe a card again to get into the safe room at the center of
it all. There, three password-protected computers let him talk to just
three other computers in the entire world, coordinating all Special
Forces activity in South America.
"You can see the steps, the layering to get to that level, to be able to talk to so few people about so little stuff," said Hyder.
It's a model for the nested cryptography of Silent Circle. The "safe room" is the iPhone processor, where all the encryption happens. By the time your text leaves the phone, it's been completely encrypted, unrecoverable without the key. To keep the key safe, Silent Circle uses the ZRTP protocol, a dance of data drops and verifications that's every bit as intricate as the Southern Command's network of swipes and codes. At the end of each call, the keys are erased, so nothing can be decrypted after the fact. The result is an airtight secure line, available to anyone with an iPhone for $20 a month — roughly the cost of an unlimited texting plan.
The guts of the program come from legendary cryptographer Phil Zimmermann, who released the groundbreaking PGP (Pretty Good Privacy) tool in 1991. It was the first open-source encryption tool, designed to let anti-nuclear activists plan actions without being surveilled. (It's still around, in case you need to, say, encrypt your hard drive.) But where PGP eventually became unwieldy, Silent Circle uses the app software model to streamline the program, and keep the complex protocols nearly invisible.
The other secret weapon is the iPhone itself. The portable processing power lets Silent Circle encrypt everything locally, and confine all the insecure data to a single device that most iPhone users will keep on their person at all times. The simple UI conventions make Silent Circle a lot easier to use than its predecessors, almost seamless mimics of the native iPhone calling tools. If it weren't for the new icon, you might not even know the difference.
One of the coolest tricks is a feature called Burn Notice that sends self-destructing texts and pictures. The relevant picture appears on your friend's phone — anything from a classified blueprint to something more Weineresque — and five minutes later, the picture burns up. There have been self-deleting message apps before (TigerText, for instance), but Silent Circle combines the service with the kind of airtight encryption protocols that are rarely been seen in the mobile world. Thanks to the closed platform and near-total data control, they can pull off a trick that's increasingly unthinkable in the modern day: unsending data. They can, in other words, un-ring the bell.
"You can see the steps, the layering to get to that level, to be able to talk to so few people about so little stuff," said Hyder.
It's a model for the nested cryptography of Silent Circle. The "safe room" is the iPhone processor, where all the encryption happens. By the time your text leaves the phone, it's been completely encrypted, unrecoverable without the key. To keep the key safe, Silent Circle uses the ZRTP protocol, a dance of data drops and verifications that's every bit as intricate as the Southern Command's network of swipes and codes. At the end of each call, the keys are erased, so nothing can be decrypted after the fact. The result is an airtight secure line, available to anyone with an iPhone for $20 a month — roughly the cost of an unlimited texting plan.
The guts of the program come from legendary cryptographer Phil Zimmermann, who released the groundbreaking PGP (Pretty Good Privacy) tool in 1991. It was the first open-source encryption tool, designed to let anti-nuclear activists plan actions without being surveilled. (It's still around, in case you need to, say, encrypt your hard drive.) But where PGP eventually became unwieldy, Silent Circle uses the app software model to streamline the program, and keep the complex protocols nearly invisible.
The other secret weapon is the iPhone itself. The portable processing power lets Silent Circle encrypt everything locally, and confine all the insecure data to a single device that most iPhone users will keep on their person at all times. The simple UI conventions make Silent Circle a lot easier to use than its predecessors, almost seamless mimics of the native iPhone calling tools. If it weren't for the new icon, you might not even know the difference.
One of the coolest tricks is a feature called Burn Notice that sends self-destructing texts and pictures. The relevant picture appears on your friend's phone — anything from a classified blueprint to something more Weineresque — and five minutes later, the picture burns up. There have been self-deleting message apps before (TigerText, for instance), but Silent Circle combines the service with the kind of airtight encryption protocols that are rarely been seen in the mobile world. Thanks to the closed platform and near-total data control, they can pull off a trick that's increasingly unthinkable in the modern day: unsending data. They can, in other words, un-ring the bell.
But here's a question: Who exactly is listening in?
The answer is always delicate. Janke will tell you, if you're making a call from a Russian hotel, it could be secret police or identity thieves or would-be blackmailers who have paid off the concierge. But he's careful to never name the most obvious culprit: the U.S. Government.
Warrantless domestic wiretapping is a matter of record by now, one of the few things both the Obama and Bush administrations can agree on. Last year, 1.3 million cell records were pulled by law enforcement, covering anything from stored text messages to location-tracking data. Many analysts believe the NSA caches all domestic data traffic — in other words, everything anyone sends to anyone. The legal barrier for eavesdropping has never been lower. We've learned to be comfortable with it because, for the most part, we've never had any means of escape, but Silent Circle could change that.
Even pulling basic use logs from Silent Circle would be difficult, as they're stashed in privacy-friendly districts in Canada and Switzerland, with only the bare minimum of stored user data. If you're worried about court-ordered surveillance, that's essential. If you're worried about paparazzi and would-be blackmailers . . . not so much. Still, as co-founder Jon Callas put it, "We try very hard to stay away from the domestic wiretapping issue," because it can make them sound like conspiracy theorists.
It also leads to dangerous places. Once you've established a secure line of communication, there's no telling who's going to use it — from cheating husbands to drug dealers and terrorists. Skeptics have been using this argument against cryptographers since the days of the telegraph — but they're not wrong. Silent Circle is just as effective at protecting the Avon Barksdales of the world as it is protecting corporate whistleblowers (like this recent case). That's a fact most cryptographers have accepted, but as they reach farther into the mainstream, it's an increasingly inconvenient one.
The answer is always delicate. Janke will tell you, if you're making a call from a Russian hotel, it could be secret police or identity thieves or would-be blackmailers who have paid off the concierge. But he's careful to never name the most obvious culprit: the U.S. Government.
Warrantless domestic wiretapping is a matter of record by now, one of the few things both the Obama and Bush administrations can agree on. Last year, 1.3 million cell records were pulled by law enforcement, covering anything from stored text messages to location-tracking data. Many analysts believe the NSA caches all domestic data traffic — in other words, everything anyone sends to anyone. The legal barrier for eavesdropping has never been lower. We've learned to be comfortable with it because, for the most part, we've never had any means of escape, but Silent Circle could change that.
Even pulling basic use logs from Silent Circle would be difficult, as they're stashed in privacy-friendly districts in Canada and Switzerland, with only the bare minimum of stored user data. If you're worried about court-ordered surveillance, that's essential. If you're worried about paparazzi and would-be blackmailers . . . not so much. Still, as co-founder Jon Callas put it, "We try very hard to stay away from the domestic wiretapping issue," because it can make them sound like conspiracy theorists.
It also leads to dangerous places. Once you've established a secure line of communication, there's no telling who's going to use it — from cheating husbands to drug dealers and terrorists. Skeptics have been using this argument against cryptographers since the days of the telegraph — but they're not wrong. Silent Circle is just as effective at protecting the Avon Barksdales of the world as it is protecting corporate whistleblowers (like this recent case). That's a fact most cryptographers have accepted, but as they reach farther into the mainstream, it's an increasingly inconvenient one.
The project also arrives at a moment when technology has mostly
outpaced wiretapping laws. CALEA, the most recent wiretapping law, was
written in 1994 and wasn't written to apply to VOIP services like Skype.
Law enforcement agencies have been lobbying for an update all year,
but so far it's stalled in the White House. In the meantime, most VOIP
companies are happy to provide transcripts related to active
investigations rather than make waves.
Silent Circle won't do that, and it could set up the project for a massive court battle when the law is changed. The "portable code room" model means that all the encryption happens on the iPhone, rather than leaving it to be done on an outside server. By the time the data leaves your phone it's indecipherable, and that garbled data is the only thing Silent Circle or anyone else besides your intended recipient could ever see. Because the keys to unscramble the data are deleted after every call is completed, there's no way to decode the call after the fact. All Silent Circle can do is hand over the encrypted data.
That might be good enough or it might not — it depends on how the laws are written. It's a reason for Silent Circle to stay on Washington's good side, and downplay the more controversial aspects of the app. And if the company is ever called before Congress to explain exactly what they're doing, it will be two Navy SEALs talking about military contractors, instead of two cryptographers talking about anti-corporate activists. That could make all the difference in the world.
Silent Circle won't do that, and it could set up the project for a massive court battle when the law is changed. The "portable code room" model means that all the encryption happens on the iPhone, rather than leaving it to be done on an outside server. By the time the data leaves your phone it's indecipherable, and that garbled data is the only thing Silent Circle or anyone else besides your intended recipient could ever see. Because the keys to unscramble the data are deleted after every call is completed, there's no way to decode the call after the fact. All Silent Circle can do is hand over the encrypted data.
That might be good enough or it might not — it depends on how the laws are written. It's a reason for Silent Circle to stay on Washington's good side, and downplay the more controversial aspects of the app. And if the company is ever called before Congress to explain exactly what they're doing, it will be two Navy SEALs talking about military contractors, instead of two cryptographers talking about anti-corporate activists. That could make all the difference in the world.
Zimmermann, in particular, has been through this before. When he
released PGP, he made it open-source for ideological reasons, thinking
of secure communication as a basic human right. The government did not
agree. Just two years after PGP's release, Zimmermann found himself
under investigation by U.S. Customs, who saw the global spread of PGP as
a form of arms exporting. After three years, the charges were dropped,
but the government's hostility to open cryptography couldn't have been
clearer. Zimmermann now refers to those years as "my criminal defense
period."
It was a lesson in the politics of cryptography. At the time, encryption was seen an anti-establishment tool, characterized by a cypherpunk scene that pursued the practice on civil libertarian grounds. "I always distanced myself from the cypherpunks," Zimmermann told me. "I made the political calculation that we would win the war if we would stay clear of the cypherpunks and just shepherd this through the legal system."
The last 15 years have proved him right. Because of data-breach laws, every corporate database is kept under state-of-the-art encryption, and the result has been a powerful shift towards the mainstream. PGP and tools like it are as vital to corporate IT as anti-virus software. The cypherpunks are gone. Zimmermann remains.
But the political battle is far from over, so when Silent Circle tells the story of its perfect user, they don't talk about corporate whistleblowers or anti-nuclear activists, but one of Hyder's army friends, now making classified trips through war-torn countries for reasons he cannot disclose. "As he's going from central Africa, Afghanistan, Iraq," Hyder says, "he can call home and say, hey, I'm going to be home tomorrow. And he can tell his wife, right into her ear, and know nobody else is listening."
It's not quite a safe room, but it's close.
Photos for Buzzfeed by Michael Schmidt
This article has been updated to reflect that fact that TigerText does apply encryption to text messages.
It was a lesson in the politics of cryptography. At the time, encryption was seen an anti-establishment tool, characterized by a cypherpunk scene that pursued the practice on civil libertarian grounds. "I always distanced myself from the cypherpunks," Zimmermann told me. "I made the political calculation that we would win the war if we would stay clear of the cypherpunks and just shepherd this through the legal system."
The last 15 years have proved him right. Because of data-breach laws, every corporate database is kept under state-of-the-art encryption, and the result has been a powerful shift towards the mainstream. PGP and tools like it are as vital to corporate IT as anti-virus software. The cypherpunks are gone. Zimmermann remains.
But the political battle is far from over, so when Silent Circle tells the story of its perfect user, they don't talk about corporate whistleblowers or anti-nuclear activists, but one of Hyder's army friends, now making classified trips through war-torn countries for reasons he cannot disclose. "As he's going from central Africa, Afghanistan, Iraq," Hyder says, "he can call home and say, hey, I'm going to be home tomorrow. And he can tell his wife, right into her ear, and know nobody else is listening."
It's not quite a safe room, but it's close.
Photos for Buzzfeed by Michael Schmidt
This article has been updated to reflect that fact that TigerText does apply encryption to text messages.