by Mary Branscombe
Credit: US Army Alaska via Flickr
If everyone encrypted their emails and phone calls and messages, the NSA wouldn’t know nearly as much about us and nor would the hackers who routinely breach services from the Sony PlayStation network to Boxee.
Why don’t we do it? It’s not because of insufficient or overly complex technology, claims Jon Callas. He was the CTO of PGP, then spent some years working on iOS security at Apple before becoming the CTO of Silent Circle, the secure messaging service that will launch its own highly secure Blackphone in June.
The real irony is what Callas calls the security cliff. “If you start out with no security and you want to get up to lots of security,” he points out, “it’s not a ramp. It’s a cliff.” That gives you a lot of reasons not to even start adding security because it won’t be perfect. “We have no security because security people have argued that it’s better to have no security than some security.”
Neither Silent Circle nor Blackphone will give you absolute security but they’re more secure than what you get out of the box. “Many people will get more security than they would on another device. Yes, if there’s a flaw in Android we have it just like everybody else does. But we are tightening up the OS. We’re putting in the sort of fine-grained permissions Google took out in 4.4.2. We have a security manager that we’ve taken care to have a decent user experience on. We’re shipping some policies, we have some quasi-virtualization. Just as BlackBerry is trying to separate things into buckets so you have a work bucket and personal bucket, and Good Technologies does this extraordinarily well. We’re almost certainly going to ship with a container.”
Blackphone will include some other security apps like a Wi-Fi security toolkit (which might also improve your battery life).
“It looks at your Wi-Fi and uses a combination of location and network and other things so if you’re driving down the road you won’t connect to everything that is called Linksys. If someone puts up a base station with the same name as one you use at home, you won’t connect to it.” It’s not infallible, but it does make it much more expensive to attack you. “Now they need a GPS jammer and to spoof the MAC address of your home wireless before they get you, which kind of ups the game.” Plus you get storage from SpiderOak, VPN private browsing from disconnect.me, and anonymous searching.
There are other ways to get much of this security on your own Android phone: Silent Circle will open source many of its extras, and you can buy the Silent Circle service and install similar security utilities. “A number of the mods we make to the kernel are similar to things in Cyanogen,” Callas points out.
But the attraction is that you don’t have to do that yourself. “The target user for Blackphone is that you want to be more secure, you want more privacy — but you’re not an expert. If you were an expert you could mod it yourself, but one, what is your hourly rate, and two, are you good enough to do it yourself?”
And possibly the most important feature on the Blackphone is that you get updates for at least two years. “Most Android phones never get updated, but we can ship features that didn’t make it on day one, we can ship security updates.”
Similarly, you can still use Facebook and Twitter, and you can use Silent Circle and Blackphone to call people who aren’t using the service. “We call it out-circle access. You can call encrypted to our servers and get onto a normal call so you can use your secure phone to wish your mother happy birthday or call your travel agent. And at least you know the person who hacked the hotel network isn’t listening in.”
In his view, you climb the security cliff by starting to climb it. “I want it to be better than it is. What you have to do is make a step forward. If you start a random walk that goes to security then it’s a problem that will solve itself in say ten years. I’m looking at it as a ten-year or a twenty-year or a fifty-year problem instead of thinking I’m going to ship the silver bullet that ‘solves’ security.”
Yes, there are ways to compromise Android, but that doesn’t mean it’s not worth using, he believes. “I can’t do anything if your OS is compromised,” Callas admits frankly. “If you downloaded the wrong app and it compromised Android, I can’t do anything. Don’t do that; you’ll hurt yourself. I can’t do anything about insecurity in the baseband processor, but I’m not letting that stop me. I want to make it so that the first Blackphone is better than what you get elsewhere because we’ve done a bunch of things you could have done yourself but that you won’t have done. And then the next one might have a hardware security chip preloaded or eventually that will be on the motherboard.”
Security through convenience
We’ve had secure communication systems before; in fact Callas spent years building them. But they never became mainstream. What’s going to be different this time?
It’s not just ease of use, and he claims it’s a myth that email encryption is hard. “The stuff we did in 2000 literally passes the ‘79-year-old mother’ test, because my 79-year-old mother uses it.”
In fact PGP is widely used, just in places you don’t see. “PGP is wildly successful on the Internet as a way to sign code drops; go to any tarball on the Web and it will have PGP. It’s the default integrity system. Systems you don’t see in the banking industry, for interbank transfers, are all based on it. It’s used for securing large amounts of manufactured goods in Europe, especially in Germany.”
So why isn’t encrypted email in every mail system? “The reason it isn’t there is because people didn’t want it, although the people who did want it wanted it enough for us to sell it to them.”
That’s changed, thanks to Snowden and the NSA. Now, Callas says, “the thing that has to happen is it has to be completely effortless to use. Any sort of security has to be completely effortless to use.” He thinks the Silent Circle app already has that, plus it’s familiar and — crucially — it’s better than what you already have.
“We’re mimicking voice and video calls and texting and as much as possible it looks like the service it mimics. You can use it without looking up the security, but I can show you on my iPhone where we’re doing encrypted email and it just darn works.”
In fact, “just working” has its own appeal.
“A friend of mine told me he’d been getting a bunch of our mutual friends to start using Silent Circle phone. They were asking ‘Why should I use it? Do I really need the security?’ and he said they should do it because the voice quality is better than a landline. At which point they all said, OK, sign me up. Another friend told me he gets better call quality and reliability using Silent Circle on his mobile phone than mobile calls with his carrier. We’re being successful because we’re creating a voice system that’s better than your cellphone, for $10 a month, which is basically the cost of lunch. By making it so the secure app isn’t any different, I’m getting people to do security by getting better voice quality.”