Snowden’s App Probably Can’t Protect You From Targeted State Surveillance
The media overhyped Snowden’s new app, according to security experts, and also made no mention of its origins.
Right before Christmas, NSA whistleblower Edward Snowden launched a new app to turn an Android phone into an internet-connected alarm system that can help at-risk users guard or at least monitor against attackers trying to tamper with their computers or other devices while they’re left unattended.
The app, called Haven, garnered glowing media coverage from publications such as The Verge, The Intercept, and Wired, which wrote that the app “could protect its users from more than just hands-on computer hackers; it could guard against everyone from abusive spouses to authoritarian police.” The app’s goal is to give users a chance to find out about so-called “evil maid attacks,” a scenario where someone who has access to your house or hotel room can get their hands on your computer or cellphone and hack it.
“Edward Snowden and his friends have a solution,” wrote The Intercept’s technologist Micah Lee, who’s credited along with Snowden for being the driving force behind the app, with the help of developers from the Guardian Project.
But the security community is split on the potential utility of Haven, with many experts saying that an app cannot possibly protect a target from state-sponsored surveillance. Some say using Haven may even be dangerous to those who might be worried about government spies.
“The ease of use and simplicity that Haven brings to SecureIt makes it more accessible,” the security researcher who goes by the name The Grugq said in a chat message, warning not to mistake this app as a silver bullet.
“When you’re a target you’re a target. No mobile phone app will solve your nation state problem,” he added, referring to the scenario where government spies are after you.
Security expert Mara Tam said on Twitter that “having knowledge of being physically surveilled by an autocracy is already dangerous. Having strong proof may well get you killed,” and that “telling people at risk from physical harm by nation state security services to log this shit is insane.” Others in the infosec community suggested that the solution to state surveillance is not more surveillance.
Of course, state surveillance isn’t the only application of Haven. Lee wrote that Haven can be useful for victims of domestic abuse as well, to figure out if their abuser is tampering with their devices. Snowden told The Verge that this is one of the threat models of Haven, and as we’ve reported previously, there is a huge problem of people using “stalkerware” to surveil their partners.
Snowden told Sarah Jeong that Haven users don’t need to be saving the world to benefit from it. The Verge added that Snowden “acknowledged” that the most likely users “are paranoid developers and human rights activists in the global south.”
It’s also worth noting that little of the media coverage mentions that Haven is built on top of something else.
The app is a fork of a previous open-source project by Italian hacker Marco Ziccardi. His project was called SecureIt, and the Guardian Project’s Nathan Freitas himself credits Ziccardi for being the basis for Haven in his blog post (Ziccardi is also mentioned in the code repository of Haven.)
“We used SecureIt as a starting point,” Freitas told me in an email. “Mostly for the way it handled the camera motion detection. This was a prototype project with a minuscule amount of funding, so we really didn't want to start from scratch. The rest of the app is significantly different, from the way data is stored, to how remote notifications are handled (Signal, Tor, etc), to the way the sensors are monitored, to the entire user experience and user interface.”
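To make the mechanism Freitas describes concrete, here is a small added example of how an alarm app of this kind works. It is illustrative code written for this article, not Haven's or SecureIt's own code, and it reduces the two checks mentioned above to their core: camera motion detection by comparing consecutive frames, and "was the phone itself moved" from consecutive accelerometer readings. The frames, sensor readings, thresholds and the `Monitor` class are all constructed for the example; a real app would read from the camera and sensor APIs and send each event over a remote channel rather than collecting it in a list.

```python
# Added illustrative example, not Haven's or SecureIt's code: a minimal
# "evil maid" alarm built from frame differencing and accelerometer deltas.
# All frames, readings and thresholds below are constructed for the demo.
from typing import List, Optional, Sequence, Tuple

Frame = List[List[int]]             # grayscale rows of 0..255 intensities
Accel = Tuple[float, float, float]  # (x, y, z) in m/s^2


def changed_fraction(prev: Frame, cur: Frame, pixel_threshold: int = 25) -> float:
    """Fraction of pixels whose intensity changed by more than pixel_threshold.

    Counting pixels over a per-pixel threshold (rather than summing raw
    differences) keeps sensor noise and slow exposure drift from triggering.
    """
    total = changed = 0
    for prev_row, cur_row in zip(prev, cur):
        for a, b in zip(prev_row, cur_row):
            total += 1
            if abs(a - b) > pixel_threshold:
                changed += 1
    return changed / total if total else 0.0


def accel_delta(prev: Sequence[float], cur: Sequence[float]) -> float:
    """Euclidean distance between two accelerometer readings."""
    return sum((a - b) ** 2 for a, b in zip(prev, cur)) ** 0.5


class Monitor:
    """Keeps the previous frame/reading and records an event when a threshold is crossed."""

    def __init__(self, motion_fraction: float = 0.05, accel_threshold: float = 1.5):
        self.motion_fraction = motion_fraction   # alert if more than 5% of pixels changed
        self.accel_threshold = accel_threshold   # alert if the phone itself was moved
        self._last_frame: Optional[Frame] = None
        self._last_accel: Optional[Accel] = None
        # A real app would push each event to a remote channel (Haven uses
        # Signal and Tor for that); here events are only collected.
        self.events: List[Tuple[str, float]] = []

    def feed_frame(self, frame: Frame) -> bool:
        """Return True if this frame triggered a motion event."""
        triggered = False
        if self._last_frame is not None:
            frac = changed_fraction(self._last_frame, frame)
            if frac > self.motion_fraction:
                self.events.append(("camera", frac))
                triggered = True
        self._last_frame = frame   # compare consecutive frames, not against the first
        return triggered

    def feed_accel(self, reading: Accel) -> bool:
        """Return True if this reading triggered a movement event."""
        triggered = False
        if self._last_accel is not None:
            delta = accel_delta(self._last_accel, reading)
            if delta > self.accel_threshold:
                self.events.append(("accelerometer", delta))
                triggered = True
        self._last_accel = reading
        return triggered


def run_demo() -> List[Tuple[str, float]]:
    """Feed constructed frames and readings through a Monitor and return its events."""
    m = Monitor()
    still = [[100] * 4 for _ in range(4)]                     # 4x4 baseline frame
    noisy = [[105, 95, 100, 103], [100, 104, 96, 100],
             [101, 100, 100, 99], [100, 102, 98, 100]]         # sensor noise only
    intruder = [[200] * 4, [200] * 4] + noisy[2:]             # top half changes sharply
    for frame in (still, noisy, intruder):
        m.feed_frame(frame)
    # Phone lying flat, then a tiny jitter, then picked up.
    for reading in ((0.0, 0.0, 9.8), (0.1, 0.05, 9.81), (2.0, 1.0, 8.0)):
        m.feed_accel(reading)
    return m.events


if __name__ == "__main__":
    for sensor, value in run_demo():
        print(f"ALERT {sensor}: {value:.2f}")
```

Running the demo records two events, one for the frame where half the pixels jump and one for the reading where the phone is picked up, while the noisy frame and the jitter reading stay below their thresholds. Note what this does and does not tell you: it says that something changed in front of the camera or that the phone moved, not who caused it or whether it was benign, which is the gap the experts quoted above are pointing at.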
Freitas said they actively tried to get in touch with Ziccardi multiple times but never heard back. I also did not get a reply from him.
Of course, there’s nothing wrong with forking an open source project; that is the whole point of making code open source, so that others can build on it if they want. And Snowden and the other developers of Haven appear to have done significant work after forking the original app. But it seems that no one except for Freitas was too keen on disclosing the origins of the project.
The media coverage unequivocally billed this as “Snowden’s app.” (Snowden did not respond to a request for comment made via Twitter.) And Ziccardi’s project is not mentioned at all in The Verge, Wired, and The Intercept articles.
Wired’s Andy Greenberg, who first wrote about the app, said on Twitter that he was “pretty sure nobody mentioned it to me in several interviews, (and I wish they had).”
Trevor Timm, the founder and executive director of the Freedom of The Press Foundation said on Twitter that they “credited” the original developer “all over the place.”
Timm added that the Guardian Project reached out to the developer “multiple times” and that the original project is credited in the Haven documentation “multiple times.” Finally, he concluded, “if you actually look at the code, there's been huge changes since the fork.”