Silent Circle aims for email that's as secure as it gets
PGP and Navy SEALs take on privacy
By Iain Thomson • In Security • At 00:25 GMT 6th April 2013
It's been 22 years since Phil Zimmermann, Jon Callas and the rest of the PGP crew brought encryption to the masses for free, and now the same team – augmented by backing from a couple of former Navy SEALs – has expanded into a new privacy concern that will launch an email service in a couple of weeks.
Silent Circle came out of stealth mode last June with a $20 (£13) per month package for voice, text, and video services that are encrypted by an application on a user's smartphone, tablet or computer. Users download the software and all traffic is handled by the company's own servers.
Encryption keys are set up on each device using the application and are then discarded once the message has been completed, so that they cannot be slurped. To further protect against wiretapping, the firm's servers that handle traffic are located in Canada and Switzerland, with an Asian location to be decided.
Now the company is moving into email, with an encryption system built on decades of cryptographic experience and a commitment to private communications. Given the team's background, there's good reason to believe it will be successful.
Younger readers won't remember the huge kerfuffle caused when Zimmermann put Pretty Good Privacy out there, over 20 years ago. The system was investigated by the US government for "munitions export without a license" after use of the code spread, although no charges were brought.
Security was barely an issue when email was designed, and PGP addressed a key need for internet users. Thankfully, governments around the world recognized that the benefits of encryption far outweigh the threat, and now similar systems are built into almost every online transaction – but it's still not enough.
"Email is fundamentally broken," Jon Callas, Silent Circle's CTO, tells The Register, pointing out that security was not a serious factor in the original protocols. Wrapping messages in the best possible encryption will give a measure of security, and the team have spent nearly two years honing their product.
"We believe we've got it as good as we can get it," he said. "Nothing is perfect, and anything we find there's a problem with, we'll fix it."
To further test the system's mettle, Silent Circle has put its source code up on GitHub for analysis by the security community. So far, Callas said, three possible problems have been found. None of them were serious, and all have since been fixed or ameliorated.
The new email service will take the best of this encryption, plus some extra special sauce and tools from PGP, and aims to offer secure service to subscribers across the world.
It's not just the PGP crew behind Silent Circle. Two of the key backers, including CEO Mike Janke, are former US Navy SEALs who saw a need for this kind of secure communication.
Janke was operating a security detail in Baghdad and became increasingly frustrated with the inability to run a simple, secure communications setup. It was a problem he'd seen around the world, where the presumption of monitoring by outsiders is the norm.
You might think a service like this would have the government worried, but according to Callas the response so far has been very positive. Since the launch, numerous government agencies have tried the service and there have been no moves to squash it on the legal front.
"We've checked with a bunch of people on it and talked to people inside the government. We hired on contract a private attorney who used to be a terrorism prosecutor. She advises us and has been our envoy to Congress and other places. We know they need to hear about us first," Callas said.
Such issues are much on the mind of legislators of late. Intelligence agencies are pushing for an extension of the Communications Assistance for Law Enforcement Act (CALEA) to require an automatic backdoor into communications software of this type. A legislative push in the area is expected later this year.
The market chooses
So far, Callas reports that subscription sales for the service have gone much better than he expected, and the company is bringing forward its plans to scale out with a bigger server footprint.
There's been some interest in the service from the highest end of the market, with Nokia's luxury phone outfit Vertu adding it in as an extra for the punter who has €7,900 to splash out on the fanciest of mobiles. But Callas said that for certain types of enterprise employees, the service is proving much more popular than first thought.
There's increasing concern about doing business abroad, now that some states seem to have built industrial espionage into their economic policy. And while Silent Circle isn't free like PGP, it's not massively expensive either. It and similar products may soon become security best practices for enterprises overseas.
With the extension of its service to email, Silent Circle is moving into more popular waters, and it should pick up more customers, depending on how well it can integrate operations into its secure setup. Callas said the company is playing a long game; it's not looking for lightning expansion or to sell out as soon as possible.
We'll see if there's a mass market for this kind of service, but El Reg suspects it could prove more popular than Silent Circle expects. These are paranoid times, and it pays to be as safe as possible. ®