NSA-evading devices pitched to conceal trails

NSA leaks spurring systems to cover tracks, evade spies

WASHINGTON - The National Security Agency’s snooping on email traffic and phone records has prompted a cottage industry in products meant to keep spies out of their customers’ business.

Among the companies promoting devices at the 2014 RSA technology-security conference held last week in San Francisco, which attracts thousands of corporate executives, is Silent Circle. The company said its Blackphone, which is based on the Android operating system, will leave no unshielded records of calls, text messages or data storage for spies to obtain and mine.

Even if the Blackphone isn’t NSA-proof - and cofounder Mike Janke said nothing can be - it makes a spy’s task a lot tougher, he said.

“You can’t be halfway pregnant,” Janke, a former Navy commando specializing in secret communications, said in a phone interview. “You either stand for privacy or you don’t.”

It’s not just startups marketing off former National Security Agency contractor Edward Snowden’s disclosures about the agency’s secret use of communications records. Verizon Communications Inc., which Snowden revealed is under court order to give the agency records of millions of U.S. phone calls, is at the conference talking up secure services, as are BAE Systems Plc and Symantec Corp.

All are looking for a bigger piece of a global information-technology industry that Gartner Inc. estimates will be valued at $3.8 trillion this year.

Silent Circle’s Blackphone package, priced at $629, includes a two-year subscription as well as encrypted online file storage provided by SpiderOak Inc. and private Web browsing from Disconnect Inc. Silent Circle, based in National Harbor, Md., outside Washington, D.C., estimates the total value at $1,508.

The services from Silent Circle and SpiderOak are based on peer-to-peer technology, meaning users generate and retain their own encryption keys and the companies don’t have access to content created by customers.

“We’re practicing security through privacy,” said Ethan Oberman, chief executive officer of SpiderOak.

While no company can promise users immunity from the National Security Agency, strong encryption is hard to crack, and when it comes to government surveillance the goal is to force agencies to go directly to users with a court warrant, Janke said.

Janke started Silent Circle with Phil Zimmermann, creator of the industry-standard encryption known as Pretty Good Privacy or PGP. The two created Silent Circle without outside funding.

Silent Circle said it has Blackphone orders from companies in the oil and gas, manufacturing and technology, health-care and transportation industries. Orders have come from almost two dozen of the world’s top public companies and 11 governments, Janke said.

Of course, the same technology that makes it hard for government snooping also may be used by hackers and criminals to hide their trails.

SpiderOak intends to compete for corporate customers with its cloud services, Oberman said.

Oberman said he would expect large companies to fight back if and when companies that don’t retain or analyze customer data begin to threaten their profits.

“The first one through the wall is going to get bloody, no matter how this goes,” he said.

Paul Henninger, global product director for London-based BAE Systems’ applied intelligence unit, said: “It’s absolutely worthwhile” for companies to try to commercialize peer-to-peer technology, including using distributed encryption keys.

“Most of the large companies are taking significant steps to broaden and audit their use of encryption,” Henninger said. He questioned whether the technology is practical for widespread use, given that some services can be difficult to use.

Providing secure communications is “a huge growth area” for Verizon, said Eddie Schwartz, the New York-based company’s vice president of global security solutions.

Verizon provides managed security services to companies, which include monitoring networks and data for hacking threats. The company views its ability to monitor global Internet traffic as an advantage to offer customers the latest threat intelligence, Schwartz said.

“We sit on a fairly significant portion of the world’s Internet traffic,” he said. “The Internet is a living body of activity that we are constantly examining.”

Verizon also offers companies cloud services, which refers to online file storage and sharing.

Companies that retain data about their customers for legitimate reasons, such as complying with laws in countries where they operate or for auditing purposes, aren’t necessarily creating security risks, said Piero DePaoli, Symantec’s senior director of product marketing.

Symantec, based in Mountain View, Calif., sells encryption services and issues certificates that enable secure connections over the Internet, such as for electronic commerce.

DePaoli said the security and privacy of user data is “a very serious issue.” Symantec has strict policies on handing information over to governments, he said.

“We don’t share customer information with governments under any circumstance unless we have a request that’s compliant with the law and consistent with our privacy policies and our applicable customer agreements,” he said.

Christopher Soghoian, principal technologist and senior policy analyst for the American Civil Liberties Union, said there’s an element of buyer-beware as “there’s a long history of people selling security snake oil.”

Still, he said, such pitches have appeal because any form of data retention, even if well-intentioned, will eventually be used against the customers of the service.

“I don’t think that companies can be both in the surveillance business and the cybersecurity business,” Soghoian said.

Business, Pages 25 on 03/03/2014
