Silent Circle aims for email that's as secure as it gets

PGP and Navy SEALs take on privacy

It's been 22 years since Phil Zimmermann, Jon Callas and the rest of the PGP crew brought encryption to the masses for free, and now the same team – augmented by backing from a couple of former Navy SEALs – has expanded into a new privacy concern that will launch an email service in a couple of weeks.

Silent Circle came out of stealth mode last June with a $20 (£13) per month package for voice, text, and video services that are encrypted by an application on a user's smartphone, tablet or computer. Users download the software and all traffic is handled by the company's own servers.

Encryption keys are set up on each device using the application and are then discarded once the message has been completed, so that they cannot be slurped. To further protect against wiretapping, the firm's servers that handle traffic are located in Canada and Switzerland, with an Asian location to be decided.

Now the company is moving into email, with an encryption system based on decades of encryption experience and the desire for private communications. Based on the team's background, there's good reason to believe it will be successful.

Disruptive tech

Younger readers won't remember the huge kerfuffle caused when Zimmermann put Pretty Good Privacy out there, over 20 years ago. The system was investigated by the US government for "munitions export without a license" after use of the code spread, although no charges were brought.

Security was barely an issue when email was designed, and PGP addressed a key need for internet users. Thankfully, governments around the world recognized that the benefits of encryption have far outweighed the threat, and now similar systems are built into almost every online transaction – but it's still not enough.

"Email is fundamentally broken," Jon Callas, Silent Circle's CTO, tells The Register, pointing out that security was not a serious factor in the original protocols. Wrapping messages in the best possible encryption will give a measure of security, and the team have spent nearly two years honing their product.

"We believe we've got it as good as we can get it," he said. "Nothing is perfect, and anything we find there's a problem with, we'll fix it."

To further test the system's mettle, Silent Circle has put its source code up on GitHub for analysis by the security community. So far, Callas said, three possible problems have been found. None of them were serious, and all have since been fixed or ameliorated.

The new email service will take the best of this encryption, plus some extra special sauce and tools from PGP, and aims to offer secure service to subscribers across the world.

Baghdad beginnings

It's not just the PGP crew behind Silent Circle. Two of the key backers, including CEO Mike Janke, are former US Navy SEALs who saw a need for this kind of secure communication.

Janke was operating a security detail in Baghdad and became increasingly frustrated with the inability to run a simple, secure communications setup. It was a problem he'd seen around the world, where the presumption of monitoring by outsiders is the norm.

You might think a service like this would have the government worried, but according to Callas the response so far has been very positive. Since the launch, numerous government agencies have tried the service and there have been no moves to squash it on the legal front.

"We've checked with a bunch of people on it and talked to people inside the government. We hired on contract a private attorney who used to be a terrorism prosecutor. She advises us and has been our envoy to Congress and other places. We know they need to hear about us first," Callas said.

Such issues are much on the mind of legislators of late. Intelligence agencies are pushing for an extension of the Communications Assistance for Law Enforcement Act (CALEA) to require an automatic backdoor into communications software of this type. A legislative push in the area is expected later this year.

The market chooses

So far, Callas reports that subscription sales for the service have gone much better than he expected, and the company is bringing forward its plans to scale out with a bigger server footprint.

There's been some interest in the service from the highest end of the market, with Nokia's luxury phone outfit Vertu adding it in as an extra for the punter who has €7,900 to splash out on the fanciest of mobiles. But Callas said that for certain types of enterprise employees, the service is proving much more popular than first thought.

There's increasing concern about doing business abroad, now that some states seem to have built industrial espionage into their economic policy. And while Silent Circle isn't free like PGP, it's not massively expensive either. It and similar products may soon become security best practices for enterprises overseas.

With the extension of its service to email, Silent Circle is moving into more popular waters, and it should pick up more customers, depending on how well it can integrate operations into its secure setup. Callas said the company is playing a long game; it's not looking for lightning expansion or to sell out as soon as possible.

We'll see if there's a mass market for this kind of service, but El Reg suspects it could prove more popular than Silent Circle expects. These are paranoid times, and it pays to be as safe as possible. ®
