In the 1990s, cryptography pioneer and Pretty Good Privacy (PGP) creator Phil Zimmermann faced federal criminal investigation. His encryption software was so strong, it was charged, there was fear it violated arms trafficking export controls.
Now Zimmermann has launched a new startup that provides industrial strength encryption for smartphone users. And this time around, his business partners include two ex-Navy SEALs.
Silent Circle, which launches on October 15, is a secure communications product for Android and iOS that works on a paid subscription model. Users will have access to encrypted phone calls, emails, VoIP videoconferencing, SMS text messages, and MMS multimedia messages. Security varies depending on whether communications are made to another user on Silent Circle’s closed network, or to an outside user. Text and multimedia messages are wiped from a phone’s registry after a pre-determined amount of time, and communications within the network are allegedly completely secure.
Subscribers will pay $20 a month, which includes unlimited subscriber-to-subscriber conversations, encrypted video conferencing, encrypted text messaging, encrypted email, and storage. Text messages will only be encrypted when sent to other Silent Circle subscribers. Outdialing to public telephone networks (in which Silent Circle users’ ends are secure but the other end is insecure) will be optional with an additional fee. For an additional $39 a month, Silent Circle is offering 3000 calling minutes for the United States, Canada, and Puerto Rico. However, release of the encrypted email product has been delayed “so that they can focus on the launch of” the other products. Silent Circle was originally supposed to launch on September 17 before being pushed back to October.
Once installed, Silent Circle has a simple interface that requires no learning curve to encrypt communications. The project’s target market, according to Zimmermann, are troops serving abroad, foreign businesspeople in countries known for surveillance of electronic communications, government employees, human rights activists, and foreign activists. For enterprise sales, Silent Circle will be marketed direct to employees as a security measure which they can deduct from their travel expenses. While the company appears to be focusing on the mobile market, a secure Windows VoIP communications product will be released on October 15th as well; full desktop versions for Windows and Mac will be launched at a later date.
The startup’s secret sauce is the dead-simple interface.
“Almost all of the companies in enterprise and defense that came to us, 60% of their problems are away from the office,” says Zimmermann. “Everyone has a solution [for security] inside your building and inside your network, but the big concern of the large multinational companies coming to us is when the employees are coming home from work, they’re on their iPhone, Android, or iPad emailing and texting. They’re in a hotel in the Middle East. They’re not using secure email. They’re using Gmail to send PDFs. At the same time, the companies can’t mandate what employees put on their personal iPads.
Zimmerman claims that, “there isn’t a commercial service out there that you can trust,” just before underscoring his company’s primary ambition: “Where do you build that trust into an elegant platform?”
Zimmermann’s partners at Silent Circle are PGP Corporation cofounder Jon Callas and former Navy SEALs Mike Janke and Vic Hyder. Both Hyder and Janke have both been involved with security consultant businesses (Hyder at Trident Crisis Management Group and Janke at SOC) and have extensive ties to the close-knit community of military contractors serving overseas. In conversations with the press, the team emphasizes their mix of computer security bona fides and special forces experience. Besides the two SEALs, the company’s employees also include three British ex-SAS communications experts.
The startup’s secret sauce is the dead-simple interface of their secure communications products. Both the iOS and Android versions are skinned to look like their respective systems’ dialing/text message systems. Video conferencing strongly resembles Skype. Subscribers will have ten-digit identification numbers which resemble phone numbers (and which, Silent Circle claims, will become phone numbers at a later date). Zimmermann deliberately contrasts this to his experience at PGP, which he tells Fast Company “went over to enterprise so much that it was neglecting the individual. This, however, was all about the individual. It was very appealing to me. It sounded like a market that needed to use this–I spent a lot of years trying to tell people who didn’t care about cryptography why they had to care about crypto, now here are people who already do.” Unlike PGP, which required a steep learning curve, Silent Circle’s peer-to-peer encryption does not require any training or prior experience.
Of course, any encryption tool is only as good as the encryption it provides. If Silent Circle promises secure encryption, they need to deliver it to their customers. Another high-profile encryption tool, Cryptocat, was at the center of controversy earlier this year when Wired‘s Patrick Ball raised serious concerns about its effectiveness. For encryption tools, which are frequently used by dissidents living under repressive regimes and others with legitimate reasons to avoid government surveillance, the consequences of failed encryption can be deadly.
Silent Circle, in fact, pushed back their release date by more than a month in order to fine-tune their product before public release. The company boasts that they use open source peer-reviewed encryption and offer redundant servers abroad; encryption and hashing algorithms used by Silent Circle include Elliptic Curve Cryptography (P-384), Advanced Encryption Standard (AES-256), and Secure Hash Algorithm (SHA-256). Users will also be offered options for the Skein hash function, as well as the Twofish and Threefish ciphers. These functions and ciphers are commonly used in other encryption tools.
According to Zimmermann and Janke, all products use device-to-device encryption. PGP RSA public key encryption will be used for emails, ZRTP for video and voice, and a custom instant message protocol called SCimp, which, Silent Circle says, is currently in the peer review process, will be open sourced with white papers to follow.
Unlike PGP, which required a steep learning curve, Silent Circle’s peer-to-peer encryption does not require any training or prior experience.
The email product will be a Sparrow-like app with 100% peer-to-peer encryption. Text messages will be encrypted device-to-device with a special option to set a timer that will erase them from the registry. As a bootstrapped for-profit encryption firm, Silent Circle’s financial health will only be as good as the product they put forward. “We delayed the launch so that we’d be absolutely sure our company had everything,” Zimmerman told Fast Company.
Silent Circle stresses that their product offers secure communications within the networks and only uses Canadian servers that are outside of U.S. government control. Canada has far more stringent data privacy regulations than either the United Stations or the European Union, meaning that users’ encrypted communications are less likely to be intercepted by American authorities. Zimmermann and Janke noted that law enforcement and outside parties would not be able to snoop on communications conducted via Silent Circle; they also noted that law enforcement are frequent users of services such as Tor, which they use to avoid surveillance by outside intelligence agencies. The company also stressed that only users would be able to decrypt secure conversations; Silent Circle will not have eavesdropping abilities. Besides the Canadian servers, additional servers will be added in Switzerland.
Hyder, Janke, Zimmermann, and Callas all emphasized that their company was a “double-only-Nixon-can-go-to-China-thing” where their combination of cryptography bona fides and military connections opened more potential markets than either would have on their own. Silent Circle is aggressively chasing after companies who will steer individual employees their way as customers, even down to offering pre-paid encryption gift cards called “Ronin Cards.” Purchase for most of Silent Circle’s encryption products will be through the company’s website and the secure phone call and text message applications will be sold through Apple and Google’s app stores.
While the company talks a great deal about Silent Circle’s benefits for activists abroad, the $20 a month subscription fee filters many of them out. It seems more likely that the primary market will likely be corporations, governments, consultants, military serving abroad, and military contractors. According to the company, a deliberate choice was made to sidestep procurement cycles and market their product directly to users as a tool to be placed on expense accounts.