There's a growing number of slick, easy-to-use encryption apps.
The NSA is not thrilled about the fact that encrypted communications are becoming easier and more widespread than ever before. Its director, Admiral Mike Rogers, said as much last week during a cybersecurity event in Washington, D.C., where he joined the FBI in asking for a "legal framework" by which government agencies can insert backdoors into commonly used communications software.
So chances are, NSA and co. are not going to like Signal, a cross-platform app that now lets you send encrypted text, picture and video messages to virtually anyone with a smartphone.
The free app is made by Open Whisper Systems, makers of TextSecure and Redphone, which allow Android users to send end-to-end encrypted texts and calls, respectively. That means that short of someone hacking your phone and stealing your encryption keys, no one—not even the app's creators—can eavesdrop on your calls and texts.
With Signal 2.0, iOS users are finally getting in on the game, making it "possible to send end-to-end encrypted group, text, picture, and video messages between Signal on iPhone and TextSecure on Android, all without SMS and MMS fees," the company says in a blog post. All you need is a phone number (stored as a hash, a fixed-length string derived from the number by a one-way function) to register with Whisper Systems' servers, and the app does the rest seamlessly in the background. A previous version of Signal did the same for phone calls on iOS, and the developers say they'll soon unite the different versions into one cohesive platform.
The new release comes as the Department of Justice and various intelligence and law enforcement agencies have turned up the volume on their complaints about strong commercial encryption, warning that its widespread adoption is creating a "zone of lawlessness" for drug dealers, kidnappers and other horsemen of the infocalypse.
When challenged by security guru Bruce Schneier last week, the NSA director seemed to pretend to not understand that creating backdoors for the "good guys"—security holes intentionally introduced for surveillance purposes—necessarily creates vulnerabilities the bad guys can find and exploit too.
The NSA would probably love to put a backdoor in something like Signal, but fortunately for privacy advocates, all its code is open-source, making it much harder to hide flaws—intentional or otherwise.
Like anything in computer security, there are a couple of caveats. For one, text messages sent using Signal can only be encrypted when you have Wi-Fi or a data connection (3G, LTE and the like). That's because Apple doesn't allow developers to mess with regular SMS.
That's unlike TextSecure, the Android version that will soon merge with Signal, which has an option to fall back to SMS when data networks are unavailable. Fortunately, it won't be too much of a problem for future smartphone users, since "legacy" network applications like telephony and SMS are slowly transitioning onto data networks anyway, whether through things like Skype and VoLTE or third-party messaging services like WhatsApp (which also now uses TextSecure encryption).
Secondly, it's important to remember stuff like Signal can't protect you from the mass collection of metadata, such as who you call or text, when, and how frequently. All of that information is still being scooped up in bulk by the NSA's domestic phone records dragnet, which was re-authorized by a secret court for the umpteenth time last week. Congress failed to shut down the program last year, despite a widely supported reform bill and multiple independent panels finding it constitutionally dubious and ineffective at disrupting terrorist plots. The Patriot Act, which authorizes the warrantless dragnet, is scheduled to expire this June.
Either way, the growing number of slick, easy-to-use encryption apps is going to be a punching bag for police and spy agencies in the days to come. The recently-revealed hack of SIM card manufacturer Gemalto shows the government has little problem circumventing encryption entirely by stealing encryption keys at the source, allowing them to unlock previously inaccessible communications. And if the FBI can convince Congress to mandate backdoors, no fancy app can save you from whoever decides to come through them.