sign in sign up
<<
Home , Adium, ChatSecure, Cryptocat, Gpg4win, Jitsi, Open Whisper Systems

NEW AMERICA An Illustrative Inventory of Widely- Available Encryption Applications Kevin Bankston, Ross Schulman, and Jake Laperruque

out ofout the safeofout the encryption safeofout the encryption apps safeofout wouldthe encryption apps safe beofout wouldthe encryption apps safe beofout wouldthe encryption appssafe beofout wouldthe encryption apps safe beof wouldthe encryption apps safe be would encryption apps be would apps be would be onlyonly1 ofonly91a e edofonly91 bya e edof USonly9 government1 bya e edof USonly9 government1 byregulationa e edof USonly9 government1 byregulationa e ed of USonly9 government1 bya e edregulationout of US9 government1 byregulationa e ed ofof US the9 government encrypted byregulationa e ed US government apps regulationby US reportedly government regulation identified regulation as ‘safe’ or Only 1 of 9 ‘safest’ by ISIS would be affected by regulation in the U.S.

When it comes to encryption, the genie is out of the When it comes to encryption, the horse is out of bottle. But encryption isn’t magic. It’s math, and the barn, the ship has sailed, and the toothpaste very well-known math at that. The basic principles isn’t going back in the tube. The math, and the behind modern end-to-end encryption of digital technology, is already out there. Therefore, any , where only the recipient of the message attempt by the U.S. government to pressure U.S. can decode it, are nearly four decades old.1 companies to redesign their end-to-end encrypted services so that they have the keys necessary to U.S. companies like Apple and , providers decrypt the communications—which is really just of the encrypted messaging services iMessage and another way of saying “stop deploying end-to-end WhatsApp, don’t have a monopoly on strong end- encryption”—would be futile. There are plenty of to-end encryption tools. Strong encryption tools other reasons why anti-encryption regulation would are everywhere, and over a billion ordinary people be bad for America, which we’ve laid out many around the world rely on them every day. times over the past year in Congressional testimony, research papers, blog posts, op-eds and more.5 There are countless applications that are freely available online, across the globe, with unbreakable But the biggest reason is just this: anti-encryption end-to-end encryption. The vast majority of those regulation will not make us safer. It’s all cost, no applications are either “” software that benefit. anyone is free to use, review, copy or build on,2 and/or are offered by companies, organizations or developers outside of the United States. In fact, it’s Surveillance backdoors are a lose- so easy to create new end-to-end encryption apps, lose proposition: they won’t make jihadists have been coding their very own secure messaging tools since at least 2007, tools with the terrorists less secure, only names like Mujahadeen Secrets and Security of the ourselves—and former heads of the Mujahid.3 Another app that terrorists are claimed to DHS, NSA and CIA agree. have used, , is based in Berlin.4

The Crypto Cat is Out of the Bag 1 A surveillance backdoor into U.S. products will We agree with former Director McConnell that not stop terrorists from using other end-to-end the encryption genie is out of the bottle, as encryption tools that are widely available online demonstrated by the following charts. That’s why around the world. It will only discourage a lot of the White House and Congress should sensibly normal, law-abiding Americans from using it, while reject any calls to regulate the availability of strong also discouraging international users from relying encryption tools, just as they did 20 years ago.8 on U.S. products that have been rendered less secure. Surveillance backdoors are a lose-lose The figure below is adapted from a chart that proposition: they won’t make the terrorists less reportedly came from an ISIS information security secure, only ourselves—and former heads of the training manual, which identified encrypted DHS, NSA and CIA agree.6 messaging applications that were thought to be “safe” and “safest” (as opposed to “moderately As former NSA Director and Director of National safe” or “unsafe”).9 As you’ll see, all of the Intelligence Mike McConnell puts it, rather encryption apps considered “safest” by ISIS are than trying to fight the inevitable, government open source, foreign-based, or both, as are three investigators need to adapt to a world with out of the four apps considered “safe”. Therefore, of widespread encryption: the nine apps recommended as “safe” or “safest”, eight of them are outside of U.S. regulation’s reach. “Don’t get in the way of pro­gress. Don’t get in the way of innov­ a­ tion­ and creativ­ ity,­ because­ The second figure is an illustrative inventory of the this is go­ing to hap­pen. Some­body’s go­ing many popular, easy to get, easy to use end-to-end to provide this en­cryp­tion.” Therefore, law encryption tools available right now that are either enforcement must “adapt,” says McConnell. “If open source, developed outside of the US, or both, law en­force­ment starts to change the way they and would therefore be minimally affected if at think about this, I think there are many, many all by U.S. legislation or action by U.S. companies. ways to carry out the mis­sion, giv­en that you In sum, it describes sixteen popular apps for fully are faced with a situ­ation where tech­no­logy is encrypted email, chat, messaging or voice calls not go­ing to be re­versed.”7 that are outside of U.S. regulation’s reach.

ISIS’ Favorite Encryption Apps are Open Source, Foreign-Based, or Both10

Apps Labeled Safest by ISIS OSTel Open Source ChatSecure Silent Circle11 Open Source and Foreign Redphone12 Under U.S. Regulation

Apps Labeled Safe by ISIS

Surespot Telegram

2 OPEN TECHNOLOGY INSTITUTE An Illustrative Inventory of End-to-End Encrypted Applications that are Open Source, Foreign-Based, or Both Is App Company or What does it What operating systems Is Company or Org App Open Organization encrypt? is it available on? U.S. Based? Source? N/A; is an open Instant No; Adium is an open Mac Yes Adium development project messaging development project The Guardian Project (nonprofit research Chat iPhone and Android Yes Yes ChatSecure and development organization) iPhone, Mac, and via N/A; is an No; Cryptocat is an a for open development Chat Yes open development Cryptocat Chrome, Firefox, and project project Safari browsers N/A; GnuPG is an open No; GnuPG is an open Email Yes GnuPG development project development project No; Intevation GmbH Intevation GmbH and and G10 Code GmbH Email Windows PC Yes G10 Code GmbH are German-based companies N/A; GPGTools is an No; GPGTools is an GPGTools open development Email Mac Yes open development project project Android devices, N/A; is an open Voice calls and No; Jitsi is an open Windows PC, Mac, and Yes Jitsi development project text messaging development project Linux No; Mailvelope GmbH Mailvelope Mailvelope GmbH Email Web application Yes is a German-based company The Guardian Project iPhone, Android devices, (nonprofit research Voice calls Blackberry, Windows PC, Yes Yes Ostel and development Mac, and Linux organization) N/A; is an open Instant No; Pidgen is an open Windows pC and Linux Yes Pidgin development project messaging development project N/A; is an No; RetroShare is an Text messaging Mac, Windows PC, and open development Yes open development RetroShare and email Linux project project Voice calls and Open Systems iPhone and Android Yes Yes Signal text messaging No; Voice calls and Silent Silent Circle iPhone and Android Yes is a Swiss-based text messaging Phone company iPhone and Android , LLC Text messaging Yes Yes Surespot devices iPhone, iPad, Android No; Telegram devices, , Messenger is a Telegram Messenger Text messaging Partially Telegram Windows PC, Mac, Linux, German-based and via web application company No; Threema GmbH Threema Threema GmbH Text messaging iPhone and Android Yes is a Swiss-based company

The Crypto Cat is Out of the Bag 3 Notes

1. The foundational work in this area began with com/read/former-nsa-chief-strongly-disagrees-with- Whitfield Diffie and Martin Hellman’s New Directions in current-nsa-chief-on-encryption. , IEEE Transactions in Information Theory 7. Kaveh Wadell, The National Journal, Former (Nov. 6, 1976), available at http://www-ee.stanford. Intelligence Director: Law Enforcement Must edu/~hellman/publications/24.pdf. “Adapt” to Encryption (October 1, 2015), available at 2. Open-source software (OSS) is computer software http://www.nationaljournal.com/s/74230/former- with its made available with a license intelligence-director-law-enforcement-must-adapt- in which the copyright holder provides the rights encryption. to study, change, and distribute the software to 8. Danielle Kehl, Andi Wilson, and Kevin Bankston, anyone and for any purpose. Open-source software Doomed to Repeat History? Lessons From The may be developed in a collaborative public manner,” Crypto Wars of the 1990s, New America’s Open which we refer to below as “open development”. Technology Institute, June 2015, available at See Wikipedia, Open-source softare (last modified https://static.newamerica.org/attachments/3407- December 7, 2015), available at https://en.wikipedia. doomed-to-repeat-history-lessons-from-the- org/wiki/Open-source_software. Even the encryption crypto-wars-of-the-1990s/OTI_Crypto_Wars_History. in WhatsApp, Facebook’s secure messaging app, abe6caa19cbc40de842e01c28a028418.pdf. is based on the free and open source software 9. Margaret Corker et al, The Wall Street Journal, TextSecure. How Islamic State Teaches Tech Saavy to Evade 3. For a recent summary of several homegrown jihadist Detection (November 16, 2015), available at http:// secure apps, most or all of which are based on open www.wsj.com/articles/islamic-state-teaches-tech- source software code, see Measuring the Impact savvy-1447720824. of the Snowden Leaks on the Use of Encryption by 10. This chart is adapted from one that originally Online Jihadists, Flashpoint Partners (September appeared in the Wall Street Journal, which was 2014), available at https://fpjintel.com/portal/assets/ reportedly found in a manual used by ISIS for security File/Flashpoint_Jihadi_Encryption_Software_Sept2014. training. See Margaret Corker et al, The Wall Street pdf. Journal, How Islamic State Teaches Tech Saavy to 4. Laurie Segall, CNN, An app called telegram is the Evade Detection (November 16, 2015), available at ‘hot new thing among jihadists’ (November 18, http://www.wsj.com/articles/islamic-state-teaches- 2015), available at http://money.cnn.com/2015/11/17/ tech-savvy-1447720824. Some reports indicate technology/isis-telegram/. that the manual was originally developed for use 5. The wide variety of writing on encryption done by New by activists and journalists, not by ISIS. See Arab America’s Open Technology Institute was recently Crunch, Update: How the Media Cooks News: Kuwaiti collected in this single summary: New America’s security firm writes a guide to Cyber Security for Open Technology Institute, Read This Before You Rail Gaza Journalists, Wired and other Media writes it up Against Encryption (November 19, 2015), available as ‘ISIS OPSEC manual’ (November 23, 2015), http:// at https://www.newamerica.org/weekly/read-this- arabcrunch.com/2015/11/how-the-western-media- before-you-rail-against-encryption/. cooks-news-isis-opsec-manual-isnt-from-isis-it- 6. Mike McConnell et al, The Washington Post, was-reproduced-from-dec-2014-guide-for-gaza- Why the fear over ubiquitous data encryption is activists-journalist.html . Regardless of its origin, the overblown (July 28, 2015), available at https:// point remains: the applications considered to be the www.washingtonpost.com/opinions/the-need-for- most secure are also not effectively regulable by the ubiquitous-data-encryption/2015/07/28/3d145952- U.S. government nor via U.S. companies’ conduct. 324e-11e5-8353-1215475949f4_story.html; Lorenzo 11. Silent Circle’s app is now called Silent Phone, as Franceschi-Bicchierai, Motherboard, Former NSA reflected in Figure 1. Chief: I ‘Would Not Support Encryption Backdoors’ 12. Badphone is now incorporated into Signal, as (October 6, 2015), available at http://motherboard.vice. reflected in Chart 1.

4 OPEN TECHNOLOGY INSTITUTE