Foreign messaging services complicate government spying

Privacy concerns sparked by leaks about massive U.S. surveillance programs have spurred encrypted messaging services overseas that could complicate government spying efforts, experts say.

The latest effort to launch such a service was announced recently by Pirate Bay co-founder Peter Sunde and two other Swedish developers. Called Heml.is, the service is planned to provide end-to-end encryption, which means messages will be encrypted on the end users' devices, hiding the plaintext from any entity collecting the data.

Whether Sunde and his partners will get Heml.is off the ground remains to be seen. The group is currently crowd-funding the project and as of Tuesday had raised roughly half of its $100,000 goal, according to its Twitter feed.

Heml.is, which means "secret" in Swedish, will not be the first encrypted messaging service with servers located outside the U.S. For example, the Seecrypt Group has its development and network operations based in Pretoria, South Africa.

The media attention given to Heml.is stems from Sunde's notoriety. In 2008, he and three other Pirate Bay operators were sentenced in Sweden to a year in prison for helping to make copyrighted content available through the file-sharing service.

Sunde's shift from defying copyright law to thwarting government spying raises the question of the effectiveness of such efforts, since there are times when communications should be disclosed. While people have a right to privacy, government and law enforcement should have access to email and text messaging in investigating possible terrorists and suspected criminals.

Encrypting messages is legal, but under the Communications Assistance for Law Enforcement Act (CALEA), telephone carriers and Internet service providers have to provide police with a backdoor to gather information during an investigation. The U.S. National Security Agency, which has raised a huge privacy debate in the U.S. with its PRISM surveillance program, gets more leeway in collecting data on the grounds of national security.


Encryption can be broken, so it is no guarantee of privacy. However, depending on the technology used, decrypting the data can be extremely difficult.

"We have encryption that's good enough that no coalition of private companies or individuals are going to break it," Matthew Green, research professor in cryptography at Johns Hopkins University, said. "We don't know whether the NSA has those capabilities, but since they're the NSA, we assume they can do lots of stuff."

However, rather than spend money and time decrypting information, the NSA would more likely have the Federal Bureau of Investigation bug the phones or houses of suspects or plant malware in their computers, Green said.

As important to protecting privacy as the encryption is the metadata attached to communications over messaging services. That data identifies the senders and recipients, as well as the time they communicated and their location.

Companies use metadata for targeted advertising, but it is also necessary for the network to route messages from the sender to the receiver.

While there are mechanisms for hiding metadata, each has an impact on the overall user experience, William Whyte, chief scientist for Security Innovation, said.

"Protecting the contents is pretty easy; protecting the metadata is possible, but comes at a risk and with a cost," he said. "It's hard to protect metadata."

While the NSA could collect encrypted messages sent through a U.S. ISP, the metadata would belong to the messaging service. To get at the data, the agency would have to work through the legal systems of the country where the service's servers are located. The messaging provider could also choose not to store any metadata after the communications end.

"The limitation of all of these encryption systems is if you can serve that company with a national security letter or a warrant, you can get them to give up that metadata," Green said. "The nice thing about being in another country is the U.S. government can't do that."

Stories by Antone Gonsalves
