I wrote recently about services like Wickr and Silent Circle that have systems that prevent (or at least highly hinder) the ability of the NSA and other US government agencies to spy on their members’ communications. Nico Sell is the head of Wickr and in an article Max Eddy has Sell explain how their operating model prevents them from being complicit with the government in snooping.
As an example of how to do security right, Sell unsurprisingly pointed to Wickr. She said that her company does not hold the encryption keys to decrypt users’ messages, or see their identities. That way, should Wickr be compelled to hand over data from a court order, investigators will only find junk. And in addition to employing who Sell calls the “best crypto people,” Sell said that individual messages are bound to their intended device. “Even in 20 years or 100 years, if the NSA miraculously breaks these [encryption] equations, they still wouldn’t be able to read these messages.”
Of course, it is utterly intolerable for the US government to think that someone, somewhere, may be communicating in ways that they cannot eavesdrop and store. So it should not be surprising that Eddy also writes about how an agent of the FBU approached Sell after she gave a talk at a conference about the possibility of her company installing a backdoor into its system to secretly spy on their clients.
At a recent RSA Security Conference, Nico Sell was on stage announcing that her company—Wickr—was making drastic changes to ensure its users’ security. She said that the company would switch from RSA encryption to elliptic curve encryption, and that the service wouldn’t have a backdoor for anyone.
As she left the stage, before she’d even had a chance to take her microphone off, a man approached her and introduced himself as an agent with the Federal Bureau of Investigation. He then proceeded to “casually” ask if she’d be willing to install a backdoor into Wickr that would allow the FBI to retrieve information.
But the FBI agent got a lot more than he bargained for.
It was clear that the FBI agent didn’t know who he was dealing with, because Sell did not back down. Instead, she lectured him on topics ranging from the First and Fourth Amendments to the Constitution, to George Washington’s creation of a Post Office in the US. “My ancestor was a drummer boy under Washington,” Sell explained. “Washington thought it was very important to have freedom of information and private correspondence without government surveillance.”
Her lecture concluded, she proceeded to grill the agent. “I asked if he had official paperwork for me, if this was an official request, who his boss was,” said Sell. “He backed down very quickly.”
Though she didn’t budge for the agent, Sell makes it clear that surveillance and security is a complicated issue. “Ten years ago, I’d have said yes,” said Sell. “Because if law enforcement asks you to catch bad guys, who wouldn’t want to help?”
The difference now, she explained, was her experiences at BlackHat. Among those, Sell pointed to a BlackHat event where Thomas Cross demonstrated how to break into lawful intercept machines—or wiretaps. “It was very clear that a backdoor for the good guys is always a backdoor for the bad guys.” [My italics-MS]
It is highly suggestive that what seems like a fairly low-level FBI agent approached Sell just after she gave a talk about the need for companies to beef up their security to prevent spying to ask her to secretly compromise it. It suggests that this is business as usual, that the government is used to company leaders speaking about protecting their customers in public while compromising them in private.
But there seems to be a growing backlash. Cory Doctorow writes that more and more tech companies are withdrawing their support from organizations such as RSA that are seen as having compromised their security to give access to the US government.
I hope this trend among private companies grows.