The Promise of Privacy: Secure Messaging in 2014 Part 2

On Tuesday we began our exploration of secure messaging, a concept that was barely a whisper in the collective consciousness until the Snowden mass-surveillance leaks of last year.

In the first half of our two-part series we examined the features and security of apps like Yik Yak and FireChat. Now we thought it would be a good time to give our readers an overview of the rest of the options available for the average Joe who is looking for a reliable answer to the ever-present problem of personal and corporate surveillance online.

Are communications ever really private in 2014? Photo: wavebreakmedia / Shutterstock

Blackphone

Developed and manufactured jointly by Silent Circle founder Phil Zimmermann and the mobile device company Geeksphone, Blackphone is an encrypted smartphone that automatically protects all text messages, phone calls, and emails sent to and from the device. It runs on a modified version of Android known as PrivateOS.

“We exist to set the standards for our collective privacy, to create the digital world we should live in”, reads the front page of Blackphone’s website.
“That’s why we see ourselves as a project. In order to continually be safe with our data, it’s imperative that we do everything possible to protect it. We have to learn more and evolve faster.”

On the surface, Blackphone definitely looks like one of the best options for secure communications for the average consumer.

The phone features a number of encrypted applications that can do everything from automatic web-browser protection to setting up private communication channels that can be linked up and encrypted between any two Blackphones on different carriers and providers.

Blackphone also gives its users a range of increased permission controls that can specifically designate how much room each app has to roam on the device along with which bits of data are sent back to home base for analysis.

While this level of control sounds good on paper, the inherent weakness in the plan lies in the operating system underneath it. Android, for all its popularity and open-source customization, is not usually known for its spectacular security standards.

As Tim Cook pointed out earlier this year at Apple’s Worldwide Developers Conference, over 99 percent of all mobile malware is exclusive to Android, since the platform is open to anyone for development.

Only two months after its release, penetration testers at the annual hacking conference DEF CON were able to get past Blackphone’s many defenses by exploiting a hole in the debug kit that developers use to create apps for the device, although it was never established whether Android itself was to blame.

Blackphone responded almost immediately by patching the hole, and went out of its way to thank the researchers for pointing out a flaw the company itself had not previously considered.

Silent Phone & Silent Text

Developed by the same Phil Zimmermann of Silent Circle who spearheaded the Blackphone initiative, Silent Phone and Silent Text are two apps (for iOS and Android) that use 256-bit AES encryption to lock down the content of messages and phone calls between two phones that are both running the app.

Phil Zimmermann. Photo: AFP

However, the data sent and received between the two endpoints can only be considered ‘secure’ as long as spyware has not already been installed on the device itself to monitor traffic before it is protected.

A third option from Silent Circle was Silent Mail, which had originally been planned as an email system that could withstand the ever-present threat of government surveillance operations targeted at anyone the establishment might consider a threat.

Disappointingly, on August 9 of last year Silent Circle shut the service down, saying that the company could “see the writing on the wall” and knew it would be impossible to create a truly secure option in a post-Snowden world.

Samsung Knox

As the up-and-coming contender for the government’s golden-boy status, Samsung Knox is proving itself to be one of the best approaches to security that can be implemented on a wide enough scale to actually make an impact in the expanding market of encrypted devices.

BlackBerry has long held the title of go-to option for government staff, known throughout the Department of Defense as one of the most reliable ways to transmit classified information between two officials.

Lately, however, the company has lost ground in the market amid dwindling revenues and boardroom shake-ups, and its offerings have lagged woefully behind the times and the rest of the competition, leaving a void that Samsung was already prepared to fill.

That’s where Knox comes in. Samsung recognized a hole in the mobile line-up that only a company as large as itself could fill, and designed Knox from the ground up with protecting users at the forefront of its philosophy.

Knox exists inside a specially designed chip that can be installed on any phone that requires the upgrade, and brings a battle-hardened version of Android with it.

Knox lets users quickly switch between what the phone calls “personal” and “work” profiles. The former gives them access to the Google Play store; the latter locks things down so that only a previously established set of processes can run at any given time.

One drawback of the platform is that Knox-enabled devices are limited to the Samsung Galaxy S4 and S5, with every other phone in their line-up qualifying under what the company calls “unsafe for work”.

Photo: Samsung

IRC

One of the oldest and most tried-and-true methods for communicating anonymously across the Internet, IRC (short for Internet Relay Chat) was one of the very first chat applications to appear on the earliest versions of the web.

It gave its users a simple but effective platform through which messages and files could be transmitted between two points, without any identifying information required to sign up.

In recent years the FBI and NSA have been more focused on outing users of the IRC community than ever before. Several members of the hacktivist organization Anonymous were caught using their own chat channels to organize DDoS campaigns, as well as several other major attacks like those that brought down the front pages of MasterCard and PayPal after the companies refused to process donations for WikiLeaks.

Dark Mail

After the feds knocked down the door of Lavabit on the hunt for any trace of Edward Snowden they could get their hands on, founder and CEO of the company Ladar Levison decided to do the only thing he knew would protect the sanctity of his users and the data they’d entrusted to his servers: shut the whole operation down and delete the keys to the kingdom before the hinges finally gave out.

Ladar Levison. Photo: Gage Skidmore / Flickr

Once the debacle had inevitably passed into Internet legend, Levison resurfaced with a new business partner, a fresh plan, and lofty promises for what he believed would be the future of email security.

The new project, Dark Mail, seeks to create a fully encrypted, NSA-proof system that can be used to covertly send sensitive information between two consenting parties. Unlike the other solutions in this list, which rely on standard protection methods to conceal their content, Dark Mail will use an all-new encryption standard called DIME, the Dark Internet Mail Environment.

According to its inventor, the system works by breaking each message into pieces and encrypting each piece individually, scrambling the contents so thoroughly that it would take today’s most powerful supercomputers several years just to get through the first half of a 200-word email.

Despite vocal support at this year’s DEF CON conference, Levison is still struggling to get the initiative off the ground, and has even gone as far as publicly asking the hacker community at large for help establishing Dark Mail as a reliable option before the start of 2015.

“We need more people to help us. We took a year off from personal gain. If anyone’s interested in moving to Dallas and working for a subsistence wage on the DarkMail project, please come talk to me.”

Virtual Private Networks

In the end, one of the oldest available options for staying anonymous on the Internet is still the best: VPNs, or virtual private networks.

HideMyAss is one such VPN provider

These services work by creating a connection between your phone, tablet, or home computer and a server located in any of a number of other countries (depending on the service you use), and anonymizing your traffic behind a second IP address that can’t be traced back to anywhere but the VPN company itself.

In essence, the process strips your traffic of any identifying information that could lead interested parties back to your machine. Instead, it creates a buffer between you and the rest of the Internet that can only be traced by the most determined of pursuers or prosecutors.
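To make the "buffer" concrete, here is a small model of who can see what when the same request is sent directly and through a VPN tunnel. It is an added illustration, not code from the article or from any VPN provider: the IP addresses are constructed from the RFC 5737 documentation ranges, and the tunnel cipher is a toy HMAC-based keystream standing in for a real VPN protocol. The point it demonstrates is the one the paragraph above makes, and its limit: an observer on your side of the tunnel sees only you talking to the VPN server, the destination sees only the VPN server, but the provider itself necessarily knows both ends, which is exactly the record a legal demand on the company would reach.

```python
"""Toy model of what each vantage point sees with and without a VPN tunnel.

Constructed example: addresses come from the RFC 5737 documentation ranges and
the tunnel cipher is a toy HMAC-SHA256 keystream, not a real VPN protocol.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

CLIENT_IP = "203.0.113.10"   # the user's home connection (constructed)
VPN_IP = "198.51.100.5"      # the VPN provider's server (constructed)
DEST_IP = "192.0.2.80"       # the site or chat server being contacted (constructed)
TUNNEL_KEY = b"constructed-tunnel-key-do-not-reuse"
NONCE = b"\x00" * 12         # fixed for reproducibility; a real tunnel never reuses one


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated HMAC(key, nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def send_direct(request: bytes) -> Packet:
    """No VPN: the packet carries the user's own address and readable content."""
    return Packet(CLIENT_IP, DEST_IP, request)


def send_via_vpn(request: bytes) -> Packet:
    """With a VPN: the real destination and content are wrapped and encrypted,
    so the only addresses visible on the wire are client -> VPN server."""
    inner = json.dumps({"dst": DEST_IP, "payload": request.decode()}).encode()
    return Packet(CLIENT_IP, VPN_IP, _xor(inner, _keystream(TUNNEL_KEY, NONCE, len(inner))))


def vpn_exit(tunnelled: Packet) -> tuple[Packet, dict]:
    """The provider decrypts, forwards with its own source address, and (if it
    keeps logs) records who asked for what. That log is what a legal order
    served on the company would reach."""
    inner = json.loads(_xor(tunnelled.payload,
                            _keystream(TUNNEL_KEY, NONCE, len(tunnelled.payload))))
    forwarded = Packet(VPN_IP, inner["dst"], inner["payload"].encode())
    log_entry = {"client": tunnelled.src, "dst": inner["dst"]}
    return forwarded, log_entry


def observer_view(pkt: Packet, signature: bytes = b"GET ") -> dict:
    """What a passive observer on one link learns: the two endpoints, and whether
    a plaintext signature matches (the way a traffic classifier would check)."""
    return {"src": pkt.src, "dst": pkt.dst, "content_visible": signature in pkt.payload}


def compare(request: bytes = b"GET /chat HTTP/1.1\r\nHost: example.test\r\n\r\n") -> dict:
    """Send the same constructed request both ways and collect each vantage point's view."""
    direct = send_direct(request)
    tunnelled = send_via_vpn(request)
    forwarded, provider_log = vpn_exit(tunnelled)
    return {
        "direct_isp_view": observer_view(direct),
        "vpn_isp_view": observer_view(tunnelled),    # observer between you and the VPN
        "vpn_exit_view": observer_view(forwarded),   # observer between the VPN and the site
        "destination_sees_src": forwarded.src,
        "provider_log": provider_log,
    }


if __name__ == "__main__":
    for vantage, seen in compare().items():
        print(f"{vantage}: {seen}")
```

Running `compare()` shows the trade the paragraph describes: the tunnel moves the exposure from your ISP to the VPN provider rather than removing it. Traffic leaving the provider toward the destination is readable again unless the application itself encrypts it, which is why pairing a VPN with an encrypted application matters.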

Used in conjunction with applications like IRC, a VPN can be a powerful tool for anyone hoping to keep their communications encrypted.

Which raises the question: are any of the solutions mentioned above truly safe from the prying eyes of the governments that preside over them?

If a company is based in the United States, the NSA can at any point submit a FISA (Foreign Intelligence Surveillance Act) request that essentially forces it to reveal its users’ data by law, or risk imprisonment. The same goes for several other countries. As long as these outfits run their operations out of a country that is hostile to the personal privacy of its citizens, it’s nearly impossible for them to put up a fight that their overlords wouldn’t ultimately win.

No matter how many millions of dollars go into developing encryption standards that can stand up to the most concerted cracking efforts, in the long run the funding behind these federal systems will always far outstrip any counter-offensive that a private company might be able to launch on its own.