Silent Circle aims for email that's as secure as it gets

PGP and Navy SEALs take on privacy


It's been 22 years since Phil Zimmermann, Jon Callas and the rest of the PGP crew brought encryption to the masses for free, and now the same team – augmented by backing from a couple of former Navy SEALs – has expanded into a new privacy concern that will launch an email service in a couple of weeks.

Silent Circle came out of stealth mode last June with a $20 (£13) per month package for voice, text, and video services that are encrypted by an application on a user's smartphone, tablet or computer. Users download the software and all traffic is handled by the company's own servers.

Encryption keys are set up on each device using the application and are then discarded once the message has been completed, so that they cannot be slurped. To further protect against wiretapping, the firm's servers that handle traffic are located in Canada and Switzerland, with an Asian location to be decided.

Now the company is moving into email, with an encryption system based on decades of encryption experience and the desire for private communications. Based on the team's background, there's good reason to believe it will be successful.

Disruptive tech

Younger readers won't remember the huge kerfuffle caused when Zimmermann put Pretty Good Privacy out there, over 20 years ago. The system was investigated by the US government for "munitions export without a license" after use of the code spread, although no charges were brought.

Security was barely an issue when email was designed, and PGP addressed a key need for internet users. Thankfully, governments around the world recognized that the benefits of encryption have far outweighed the threat, and now similar systems are built into almost every online transaction – but it's still not enough.

"Email is fundamentally broken," Jon Callas, Silent Circle's CTO, tells The Register, pointing out that security was not a serious factor in the original protocols. Wrapping messages in the best possible encryption will give a measure of security, and the team have spent nearly two years honing their product.

"We believe we've got it as good as we can get it," he said. "Nothing is perfect, and anything we find there's a problem with, we'll fix it."

To further test the system's mettle, Silent Circle has put its source code up on GitHub for analysis by the security community. So far, Callas said, three possible problems have been found. None of them were serious, and all have since been fixed or ameliorated.

The new email service will take the best of this encryption, plus some extra special sauce and tools from PGP, and aims to offer secure service to subscribers across the world.

Baghdad beginnings

It's not just the PGP crew behind Silent Circle. Two of the key backers, including CEO Mike Janke, are former US Navy SEALs who saw a need for this kind of secure communication.

Janke was operating a security detail in Baghdad and became increasingly frustrated with the inability to run a simple, secure communications setup. It was a problem he'd seen around the world, where the presumption of monitoring by outsiders is the norm.

You might think a service like this would have the government worried, but according to Callas the response so far has been very positive. Since the launch, numerous government agencies have tried the service and there have been no moves to squash it on the legal front.

"We've checked with a bunch of people on it and talked to people inside the government. We hired on contract a private attorney who used to be a terrorism prosecutor. She advises us and has been our envoy to Congress and other places. We know they need to hear about us first," Callas said.

Such issues are much on the mind of legislators of late. Intelligence agencies are pushing for an extension of the Communications Assistance for Law Enforcement Act (CALEA) to require an automatic backdoor into communications software of this type. A legislative push in the area is expected later this year.

The market chooses

So far, Callas reports that subscription sales for the service have gone much better than he expected, and the company is bringing forward its plans to scale out with a bigger server footprint.

There's been some interest in the service from the highest end of the market, with Nokia's luxury phone outfit Vertu adding it in as an extra for the punter who has €7,900 to splash out on the fanciest of mobiles. But Callas said that for certain types of enterprise employees, the service is proving much more popular than first thought.

There's increasing concern about doing business abroad, now that some states seem to have built industrial espionage into their economic policy. And while Silent Circle isn't free like PGP, it's not massively expensive either. It and similar products may soon become security best practices for enterprises overseas.

With the extension of its service to email, Silent Circle is moving into more popular waters, and it should pick up more customers, depending on how well it can integrate operations into its secure setup. Callas said the company is playing a long game; it's not looking for lightning expansion or to sell out as soon as possible.

We'll see if there's a mass market for this kind of service, but El Reg suspects it could prove more popular than Silent Circle expects. These are paranoid times, and it pays to be as safe as possible. ®
