Among the companies promoting devices at this year's RSA technology-security conference in San Francisco, which attracts thousands of corporate executives, is Silent Circle LLC. The company said its Blackphone, which is based on the Android operating system, will leave no unshielded records of calls, text messages or data storage for spies to obtain and mine.
Even if the Blackphone isn’t NSA-proof — and co-founder Mike Janke said nothing can be — it makes the spies’ task a lot tougher, he said.
“You can't be halfway pregnant,” Janke, a former Navy commando specializing in secret communications, said in a phone interview. “You either stand for privacy or you don't.”
It's not just startups marketing off former NSA contractor Edward Snowden's disclosures about the agency's secret use of communications records. Verizon Communications Inc., which Snowden revealed is under court order to give the NSA records of millions of U.S. phone calls, is at the conference talking up secure services, as are BAE Systems Plc and Symantec Corp.
All are looking for a bigger piece of a global information-technology industry that Gartner Inc. estimates will be valued at $3.8 trillion this year.
Silent Circle’s Blackphone package, priced at $629, includes a two-year subscription as well as encrypted online file storage provided by SpiderOak Inc. and private Web browsing from Disconnect Inc. Silent Circle, based in National Harbor, Maryland, outside Washington, estimates the total value at $1,508.
The services from Silent Circle and SpiderOak are based on peer-to-peer technology, meaning users generate and retain their own encryption keys and the companies don’t have access to content created by customers.
“We’re practicing security through privacy,” Ethan Oberman, chief executive officer of SpiderOak, said in a phone interview.
Companies lose confidence when the NSA “blurs the line between its defensive and intelligence-gathering roles and exploits its position of trust within the security community,” Art Coviello, chairman of RSA, said in a keynote speech opening the conference today.
RSA, the security arm of Hopkinton, Massachusetts-based EMC Corp., supports a White House advisory panel's recommendation in December that the NSA's offensive and defensive components be separated, Coviello said. The defensive unit should be managed by a separate entity, he said.
“If we can’t be sure which part of the NSA we’re actually working with and what their motivations might be, then we should not work with the NSA at all,” he said.
While no company can promise users immunity from the NSA, strong encryption is hard to crack, and when it comes to government surveillance the goal is to force agencies to go directly to users with a court warrant, Janke said.
Janke started Silent Circle with Phil Zimmermann, creator of the industry standard encryption known as Pretty Good Privacy or PGP. The two created Silent Circle without outside funding help.
Silent Circle said it has Blackphone orders from companies in the oil and gas, manufacturing and technology, health care and transportation industries. Orders have come from almost two dozen of the world's top public companies and 11 governments, Janke said.
Of course, the same technology that makes it hard for government snooping also may be used by hackers and criminals to hide their trails.
SpiderOak intends to compete for corporate customers with its cloud services, Oberman said.
Oberman said he would expect large companies to fight back if and when companies that don’t retain or analyze customer data begin to threaten their profits.
“The first one through the wall is going to get bloody, no matter how this goes,” he said.
Paul Henninger, global product director for London-based BAE Systems’ applied intelligence unit, said “it’s absolutely worthwhile” for companies to try to commercialize peer-to-peer technology, including using distributed encryption keys.
“Most of the large companies are taking significant steps to broaden and audit their use of encryption,” Henninger said in a phone interview. He questioned whether the technology is practical for widespread use, given that some services can be difficult to use.
Providing secure communications is “a huge growth area” for Verizon, Eddie Schwartz, the New York-based company’s vice president of global security solutions, said in a phone interview.
Verizon provides managed security services to companies, which include monitoring networks and data for hacking threats. The company views its ability to monitor global Internet traffic as an advantage to offer customers the latest threat intelligence, Schwartz said.
“We sit on a fairly significant portion of the world’s Internet traffic,” he said. “The Internet is a living body of activity that we are constantly examining.”
Verizon also offers companies cloud services, which refers to online file storage and sharing.
Companies that retain data about their customers for legitimate reasons, such as complying with laws in countries where they operate or for auditing purposes, aren’t necessarily creating security risks, Piero DePaoli, Symantec’s senior director of product marketing, said in a phone interview.
Symantec, based in Mountain View, California, sells encryption services and issues certificates that enable secure connections over the Internet, such as for electronic commerce.
DePaoli said the security and privacy of user data is “a very serious issue.” Symantec has strict policies on handing information over to governments, he said.
“We don’t share customer information with governments under any circumstance unless we have a request that’s compliant with the law and consistent with our privacy policies and our applicable customer agreements,” he said.
Christopher Soghoian, principal technologist and senior policy analyst for the American Civil Liberties Union, said there’s an element of buyer-beware this week as “there’s a long history of people selling security snake oil.”
Still, he said, such pitches have appeal because any form of data retention, even if well intentioned, will eventually be used against the customers of the service.
“I don't think that companies can be both in the surveillance business and the cybersecurity business,” Soghoian said.
SpiderOak is among several companies sponsoring an alternative conference in San Francisco on Feb. 27 to promote secure and trusted technology. Soghoian is scheduled to speak at the conference, known as TrustyCon, as well.
It’s a backlash stemming from a report by Reuters that RSA received $10 million from the NSA to embed encryption software so the agency could crack into widely used computer products.
Kevin Kempskie, a RSA spokesman, referred to a statement the company issued Dec. 22 that it “never entered into any contract or engaged in any project with the intention of weakening RSA’s products, or introducing potential ‘backdoors’ into our products for anyone’s use.”