A recent story in the New York Times shared information on a new crop of secure messaging apps for smartphones. The article, posted in the “Personal Tech” section, offered snippets of information about the functionality of five different consumer-focused tools. These apps, if only generically, likely are not new news to security professionals (most of whom have long considered themselves “professionally paranoid”), but it is noticeable when mainstream media is disseminating information about data encryption to the general public.
As text, instant messaging, and email increasingly replace face-to-face or even voice-based conversations, consumers—or data owners, if you will—want to know that their information exchanges remain private and can’t be accessed without authorization. Implicit recording of day-to-day conversation is a relatively new phenomenon, and with controversy over privacy invasion in the news so frequently, it’s not just the security community that wants to protect its assets.
Don’t tell me what to say
In many cases, consumers’ ordinary conversations don’t contain much “sensitive” data; it’s the knowledge that someone other than the data owner has access to and is storing conversations that is unsettling. Users’ Internet providers, mobile carriers, app cloud storage providers, and more, could all have access to the communication, even if the information contained therein is as simple as, “What would you like for dinner?” The notion that much of consumers’ information is recorded and stored—and could possibly be accessed or handed over to a fourth party without a consumer’s consent—strikes many as an invasion of privacy, even when the user is explicitly opting into an app or service in the name of efficiency or entertainment.
Several security SMEs with whom I’ve spoken (off the record) have admitted to using privacy apps. Others, well, they know the risks, but haven’t gotten around to researching the various options or installing one. It’s not all that dissimilar to the network admin who just hasn’t gotten around to changing “Password1” on default accounts.
Don’t put me on display
Encryption apps are becoming the next big thing, but, according to Nicko van Someren, Chief Technology Officer at The Linux Foundation, many of these new technologies come wrapped in enticing packages but “there are a few things to watch out for.”
Not all apps are built equal, even if their stated aim is the same. Every app offering to help keep user data private markets “end-to-end” encryption or “military-grade” protection. It’s important, though, says van Someren, “that the security of the application has been checked by a third party.” Van Someren believes that best way for this to happen is “for the application to be open source so that security researchers can analyze the source code and check for issues.” Not all tools are built on open source, however, and most average consumers can’t read code, much less check it for errors.
When code can’t be checked, it’s especially important to ensure that your intended provider has conducted an external audit and the results are available. Third-party static and dynamic analysis is readily available, and in cases where the provider wishes to keep its code private—which isn’t necessarily unreasonable, it’s their private intellectual property—app developers should be proud to share their positive results. If they aren’t, find another application.
Jon Callas, CTO and Co-Founder at Silent Circle points out another consideration with some of these privacy apps: they’re tethered to a phone number, which is a unique identifier associated with a distinct individual. “In many countries,” he says, “phone numbers are tied to real people with real identification behind it. Ironically, this is what the signal intelligence organizations want most. They want to know who you're calling and who is in your social graph.”
Some of the apps allow users to choose a handle, further obscuring the user from the communications conducted through them. Callas believes proprietary code is the way to go: “Wickr or Silent Circle, for example, which are proprietary, unvetted crypto, are in many cases a better choice than Signal, which is open source and vetted—simply because with the former, you get to pick a handle.”
Don’t try to change me in any way
Another important aspect of encryption apps is knowing where, when, or how the apps might collect and/or store information. Even if the purpose of the app is to encrypt data, it might be collecting separate user information, such as email address or location, and storing it for later use or to contact the user if a potential incident occurs. A new tool called Sieve aims to remedy that issue by containerizing what data is shared with apps themselves, but until that technology is commercially available, users need to read the Ts&Cs and FAQs and learn what, if any, data is collected or kept by the provider.
Writes Warren Kruse, Vice President of Data Forensics at Altep, “Data sometimes exists in more than one place so don't use tunnel vision and focus on just one location; think about where else it could be located: backups, synced computers, cloud, etc.” Stored locations, he adds, do help when a forensic investigation is necessary, but consumers need to determine the level of privacy with which they, individually, are comfortable. The aim of these apps isn’t to prohibit law enforcement from doing its job; it’s to protect our data from unauthorized or illegitimate access, whomever the party attempting access may be.
Callas adds, “Of course, in these troubled times, everyone talks about the bad uses of communications,” but not everyone who wants to keep conversations private is plotting malfeasance. People in abusive relationships, for instance, might legitimately need to disappear from their past. A mechanism to do so—a combination of a privacy device and apps—can, quite literally, be life-saving.
For those who simply don’t want to be tracked, privacy apps are legitimate too (hence the emergence of so many new tools that meet consumer demand). Unfortunately, there is no real way to hide completely. Anyone who owns a credit card or a house, ventures out into public, or just generally lives will have to deal with some aspect of surveillance.
The choices about our personal communications, however, are becoming greater and easier to use than ever before. “The bottom line is,” Callas says in closing, “that security and encryption is good, and we really need it, but there's also the aspect of knowing what you're protecting against.