Anti-NSA Blackphone 'commendable,' but will consumers buy it?

The seemingly unending revelations about the National Security Agency's surveillance activities have made consumers increasingly aware of the perilousness of mass communication.

U.S.-based encryption firm Silent Circle is hoping that the heightened paranoia about government snooping will compel consumers to buy the Blackphone, a pro-privacy smartphone the company is launching Monday at the Mobile World Congress in Barcelona.

On its website, Silent Circle calls the Blackphone "the world's first smartphone to put privacy and control ahead of everything else." The device is designed to allow encrypted phone and text communications, private web browsing and secure file-sharing.

“We wanted it to look and feel just like a phone and apps that are already familiar,” says Toby Weir-Jones, chief product officer for Blackphone, in an email interview.

“So it was important that you could use it just like your current phone, but with the knowledge that, behind the scenes, it was vastly safer and more private.”

While computer security specialists applaud the effort to produce a mass-market “anti-NSA” device, they say the Blackphone is neither completely hack-proof nor especially enticing to the general public.

"It is a commendable initiative, but frankly, in my humble opinion, doomed to fail," says Stu Sjouwerman, founder and CEO of Florida-based computer security consultancy KnowBe4.com, adding that the people most interested in the device would likely be organized crime.

Silent Circle, which is privately held, was co-founded by U.S. cryptographer Phil Zimmermann and launched in 2012. Zimmermann is best known as the creator of Pretty Good Privacy (PGP), a widely used email encryption program.

Last year, Silent Circle released Silent Phone, an encryption app for Apple and Android smartphones.

The Blackphone is a joint venture between Silent Circle and Geeksphone, a Spanish company that specializes in handset design. Like Geeksphone's previous devices, the Blackphone is built on Google's open-source Android operating system.

The device encrypts text messages and phone calls before sending them to another smartphone user. The recipient must have a Silent Circle encryption app installed in order to decrypt the message and keep the communication private.

Weir-Jones says the phone becomes available for sale on Feb. 24, and that the company expects the first orders to be delivered in June.

Many headlines have touted the Blackphone as "NSA-proof," but the manufacturer itself has taken great pains to dispel that notion.

“The media coined that idea early on after our January 15 release, but we’ve not only never said it, but actively refuted it,” says Weir-Jones.

While the Blackphone has created anticipation in the tech community, security researchers are doubtful about the extent of its privacy measures.

"Blackphone's concept is certainly intriguing, but nothing is 'anything-proof,'" says Con Mallon, senior director of mobile product management at the anti-virus firm Symantec.

"Blackphone is raising the bar and making things more difficult for hackers, but we've seen that [with any new innovation,] flaws will eventually be found and weaknesses will be exploited."

Mallon points out that, like Skype, the Blackphone will use voice over Internet Protocol (VoIP) to transmit phone calls. But Skype still goes through Microsoft servers, "and can actually be accessed by the NSA if required," Mallon says.

For his part, Sjouwerman says that Phil Zimmermann's credentials as a cryptographer carry a lot of weight, and that the internal coding of the Blackphone is unlikely to have "major flaws."

However, Sjouwerman points out that any computer application can have bugs. Such a bug could be anything from a simple typo to a "zero-day" flaw, which is a vulnerability that the code writer may not have noticed – and which a hacker could exploit.

"If someone spends enough time and money to attack that code, they will be able to find a way around it," he says. "So, if the NSA thinks, 'Hmmm, we don't like this,' and they throw a couple of supercomputers at it, they will find zero-day bugs even in that code, and they will be able to circumvent it."

Mohammad Mannan, an assistant professor at the Concordia Institute for Information Systems Engineering in Montreal, says Silent Circle's device doesn't do enough to address one of the most contentious aspects of recent government surveillance: the gathering of metadata.

When asked to account for their spying activities, the NSA and Communications Security Establishment Canada (CSEC) have said that they only collect metadata — that is, the data about the data that is transmitted along with the content — and not the actual substance of phone calls or emails.

But privacy activists say that metadata can be more valuable than actual communications, because it logs key details such as date, time, location and the potential identity of the correspondents.

The Blackphone cannot mask metadata entirely and, as such, is "really not black, to the NSA or anyone," Mannan says. "You still have a lot of data that can be collected."

The Blackphone is not the first encrypted smartphone, says Mannan, adding that there have been several attempts to produce just such a device, including the Cryptophone by German firm GSMK. (There has been much conjecture about the phone used by U.S. President Barack Obama, who according to reports carries a BlackBerry loaded with state-of-the-art encryption software.)

Last year, San Francisco-based QSAlpha launched a crowdfunding campaign on Indiegogo to raise money to produce the Quasar IV Cipherphone.

Both the Blackphone and the Cipherphone emphasize privacy, but tech watchers point out that when it comes to smartphones, consumers are largely interested in convenience and the ability to easily download apps.

Security experts say apps may pose the greatest security threat, because in downloading them, consumers may be unwittingly opening their devices up to new vulnerabilities.

"From our experience, despite the regular coverage in the news of hacking and security concerns, the average user is not concerned enough to demand" an encrypted smartphone, says Symantec's Mallon.

That contention seems to be borne out by the Indiegogo campaign for the Cipherphone, which ended in October, having raised only $98,716 of its $3.2-million funding goal.

Even so, consumers are “a lot more concerned about [privacy] now than they were two years ago,” says Weir-Jones. “We believe average consumers will accept the benefits of privacy only if they come at little or no cost in terms of convenience, usability, or financial cost, so those are our priorities in bringing the phone to market.”

Sjouwerman says the most likely buyer for a device like the Blackphone is an unintended one.

"The only people who are going to be thrilled with this is the criminal class, who are going to be the best customers for this type of product."