As U.S. Officials Fret Over Encryption, German Firms Market Secure Calls

How secure is an open question.


garryknight / Foter

FBI Director James Comey complains about the availability of encrypted products from Apple and Google. Justice Department officials fret that protecting customers' privacy creates a "zone of lawlessness" by keeping government snoops out. But German companies are actually competing to make end-to-end secured connections a regular offering. At least for their business customers, Vodafone and Deutsche Telekom now offer encrypted communications. How encrypted is an open question.

According to the Wall Street Journal:

Vodafone said Wednesday it had begun offering its corporate customers in Germany an encryption application through which they can make secure phone calls.

Vodafone developed the application with German security firm Secusmart, recently acquired by Blackberry.

While Vodafone announced it was working on the app at last year's CeBIT fair, on Wednesday it formally launched it for the German corporate market.

Wednesday's launch catches up with Deutsche Telekom, the country's largest telecommunications company, which launched a similar app last summer. Both companies cite high demand from corporate customers for secure mobile voice communication.

Note that neither offering is available yet to private customers—only businesses.

Germany tends to be very sensitive to privacy after the country's experience with not one, but two totalitarian regimes. That said, Germany's BND has worked with the NSA in the past. Whether that means the local snoops have connived themselves a backdoor of the sort that American officials very openly demand is unknown, but it wouldn't be surprising. When Deutsche Telekom announced its intentions to target an international market seeking refuge from the NSA, Christopher Soghoian of the ACLU cautioned, "I would think that Telekom gives the same level of help to the German government as AT&T does to the US government. Like all telecoms around the world, when a government says jump, they jump."

If you're looking to make encrypted phone calls as an individual, and not using a product offered by a company with chummy ties to security services, you do have options. Philip Zimmermann of PGP fame is president and co-founder of Silent Circle, a company that offers just such services. And PC Magazine gives an "excellent" rating to RedPhone, which offers encrypted phone calls and texting for free.

NEXT: How to Justify Continued Federal Meddling in Internet Service? Just Keep Changing the Goals!

Editor's Note: We invite comments and request that they be civil and on-topic. We do not moderate or assume any responsibility for comments, which are owned by the readers who post them. Comments do not represent the views of Reason.com or Reason Foundation. We reserve the right to delete any comment for any reason at any time. Report abuses.

  1. Serious question: Without having access to the source code for these encryption products, how in the world can we ever know if they haven’t been compromised right out of the gate?

    1. That’s why, in a nutshell, open-source encryption preferred by those serious about these things.

    2. We don’t. I mean, the general public won’t. However, there are rare people capable of determining weak points (if they’re to be found). It’s a wait-and-see sitch for now.

  2. I started a new job last week and have actually been, um, working during the day, so I missed out on Richman’s Sniper piece. Holy shit, 630+ comments? I’m sort of curious but I think even I know better than to wade into that mess now. This is why Richman should only be posted on the weekends.

    1. Today the planets are aligned for the stupid. Richman says that Kyle the sniper is no different than Adam Lanza. Shikha wrote about TFW (The First Wookie) overcoming racism in India with her fashion statement. Obumbles says that the Taliban is not a terrorist organization. John McCain calls Code Pink lowlife scum.

      Oh, wait, that last one is a good call. Speaking of which, someone claiming to be John McCain commented on a Reason thread the other night.

      1. Claiming to be? Nah, that was him. He’s been lurking here for a while, ever since he failed to take my winning advice in 2008.

        1. What advice? Not to be a statist shit weasel? Because he definitely didn’t take that advice.

          1. I was more specific than that, but yeah, mostly.

      2. When you find yourself agreeing with John McCain on literally anything, it may be time to take a step back and examine your prejudices.

        1. why? Code Pink is as feckless as it is predictable and tribal. It says nothing as Obama drone murders with abandon, choosing instead to come out of hiatus to protest Kissinger. It protests a guy who brought about the end of a war but acquiesces to one who kills from afar with impunity.

          1. I know, right? I mean, Kissinger? If you’re still protesting Kissinger while Obama drone-murders wedding parties right under your nose, it’s pretty clear what magazines Code Pink subscribes to.

          2. They aint called Code Pink for nuthin.

      3. Humanity has evolved into being nothing more than a 24/7 derpathon.

        We’re going to one day watch that movie Idiocracy and wonder why it couldn’t have turned out to be ONLY that bad.

        1. In the Michelle Obama’s Dress Saved the world thread, I came to the realization that the Earth and humanity were created strictly for the purpose of entertaining someone. Aliens, God, I don’t know who, but Reality TV World, we are.

          1. Yeah, I think I sort of helped start that one.

            I’ve often wondered if we are not a sort of a SIM designed solely for the purpose of the entertainment of the creator.

          2. I have made that exact claim to my wife many times.

  3. Declare it to be munitions! Build backdoors into it! Mandate, forbid, inhibit!

  4. Hahah, “zone of lawlessness” indeed. Sometimes I like to imagine what the NSA spying scandal coverage would have been like if that story had broken under a Republican administration.

    1. There would have been a lot more noise from the press but the end result would have been the same.

      Both parties are composed of control freaks and neither would be willing to give up that kind of power.

      Notice all of the complaining the Republicans are doing about Obumbles actions expanding presidential power. Complaining but no action. They are drooling all over themselves to get their hands on it.

      How many more administrations following this pattern before we are a straight up totalitarian dictatorship?

      1. Let’s find out. One, two, three.


        1. In my original writing I claimed three, but then rephrased as a question.

          So, I am not crazy. Or not crazy alone. One or the other.

  5. Ladar Levison (props on the name, BTW) is working on his secure email program Lavabit. I think the code has been released in beta, or something along those lines.

    1. I believe you are thinking of DIME (trigger warning: large PDF), which he is working on with Phil Zimmerman (the same one mentioned above) and a couple of others. It is in the same spirit as Lavabit but technically quite different, and is a protocol, not a program, though they have released a sample implementation (and for that matter, Lavabit was a service, not a program).

      1. *correction, because I trusted a source I should not have trusted: DIME is not a protocol unto itself; it encapsulates DMAP and DMTP protocols and D/MIME message format (corresponding, of course, to IMAP, SMTP, and MIME, respectively)

        1. What does it do that we couldn’t already do with PGP?

          1. I have not read enough about it to give a good answer.

            Levinson was in a Reddit thread about it; he talks about PGP a little, albeit not in a way that likely answers your question (it doesn’t answer mine, certainly):

            PGP has 20 years worth of improvements that make it a compatibility nightmare.

            D/MIME is simply a cryptographic layer on top of a MIME message. From that point of view, it’s closer to S/MIME in format. The plan is to simply replace the Thunderbird S/MIME component with the D/MIME variant.

            Anyone wanting to communicate securely with another DIME user will need to have a DIME enabled client. Of course nothing is stopping them from using SMTP just like they do today. Some people probably get a kick out of knowing that someone is reading their messages. Even if it isn’t the person they sent it to.

            Technically nothing is stopping someone from creating a PGP message and sending it over DIME. The goal for DIME was to create a system that could function as securely as possible, but still be email. PGP has a different set of goals. Which is why its damn near unusable.


            1. PGP has 20 years worth of improvements that make it a compatibility nightmare.

              D/MIME is simply a cryptographic layer on top of a MIME message.

              I guess I’d like to know what he means by ‘compatibility nightmare’.

              I mean, PGP essentially was: “[…]simply a cryptographic layer on top of a MIME message.”

              PGP has a different set of goals. Which is why its damn near unusable.

              I guess I too need to do more reading. I admit I haven’t used PGP in years, but a PGP plugin did essentially that, automatically encrypted your email to a specific recipient.

              Unless that’s what he’s talking about (thinking as I type). That PGP’s process was cranky in that you had to choose a recipient, type in passwords etc.

              1. Another quote from him in the reddit thread, which also doesn’t add a whole lot:

                DIME is about integrating the end to end security of PGP or S/MIME into the standard mail system. It doesn’t solve every security problem. I realized early on that if I built a system which addressed every possible threat, it wouldn’t be email anymore.

                Instead I decided to take the flexible approach and let the users decide where on the spectrum they are in terms of the security/usability tradeoffs. For those on the extreme end, who who prefer P2P, I made it easy to integrate a P2P extension into the Signet format so people can ‘advertise’ support for XYZ protocol and then upgrade their messaging to that, if email isn’t quite security enough.

                CCC and Defcon talks are linked in the Reddit thread, BTW.

  6. Sort of related: Shadowcash
    for those who’ve been waiting for ZeroCoin/ZeroCash. The first fully working NIZK (non-interactive zero-knowledge) implementation of a cryptocurrency / transaction framework.

    Also planned is ShadowBook, ShadowChat, and ShadyBay:

  7. Microsoft offered end-to-end encryption solutions to companies that need to maintain higher degree of security in communications (banks, for example)

    … then handed over their encryption keys to the NSA on request

    When this was mentioned, i suggested that financial services firms should rightly ask why exactly they’re paying MS extra cash for ‘security’ when they take the money then actively undermine the very service provided

    I think it was later clarified that the real value being provided was “liability limitation”. By paying for “security” firms could claim they’d made the necessary effort.

    Which is what i suppose most of these telcos are hoping for as well. They know their ‘security’ is actually paper thin, but that Compliance Officers? will probably ‘pay extra’ for any kind of nominal security service if it helps reduce corporate liability in the event of any data breach.

    I would think any “real” security solution would have to be one that’s not in the hands of any government-regulated 3rd party

    1. will probably ‘pay extra’ for any kind of nominal security service if it helps reduce corporate liability in the event of any data breach.

      This is just my opinion, but I don’t see anyone avoiding “liability”. Everyone can get sued… and does.

      What I see is that they avoid government regulatory scrutiny. I think back to my halcyon days of gainful employment, and the first thing that comes to mind is HIPAA. 99% of it is bullshit, but that 99% is satisfying regulators and auditors, saying you have “made the necessary effort” as you so eloquently put above.

      1. “avoid government regulatory scrutiny”

        That was certainly part of it.

        FINRA requires certain financial communications to use ‘best-available’ security. Whether it actually does anything isn’t really the point.

        There is just as much pointless regulation in finance as their is in healthcare (if not more); as you say, 99% of it doesn’t accomplish anything other than ticking off compliance boxes.

        As an example – documents which link social-security #s & client account #s is like one of the biggest No-No’s in the entire FS business. if they go in any electronic communication there are a dozen security protocols that must be followed, including destruction of documents after the fact, etc.

        Yet 1000s of people routinely throw the same documents in the (*unshredded) trash every day. And *worse*. So much corporate effort goes into ensuring that companies are meeting the top-down, federally-imposed requlatory requirements that *actual security* efforts go completely ignored.

        Which is basically the root of my belief that if companies were responsible for everything themselves, and there were no Federal Oversight system? That there would be *far, far better* management of client security, anti-money-laundering, etc. processes. They’d be *real*

    2. Yeah there are lots of pieces in security and one has to be aware of key management even with end-to-end encryption.

      For instance, with Bitlocker in Windows 8.1, if you sign in with your Microsoft account (required for OneDrive, app store and other services) the key created for your Bitlocker encrypted drive–normally stored in TPM or a USB drive–is automatically backed up to their servers, which is used for drive recovery in emergencies.. but also for law enforcement of course.

      I suspect this changed behavior with bitlocker keys in contrast to previous Windows versions had to do with pressure from the FBI concerning bitlocker, as a way around putting an explicit backdoor:

      1. I have no evidence other than my gut, but I believe that BitLocker was in fact an NSA/FBI-compliant encryption.

      2. One reason why I will never trust “the cloud”.

        When I was briefly looking for a job when my previous one was moving, Amazon was hiring a metric shitton of people to work in Herndon, VA, and a US clearance was required.

        Wonder what they were doing…

        1. You certainly shouldn’t trust the big name providers. There are smaller ones that can be trusted more.

          You also can personally encrypt things before having them backed up in the cloud, with your own keys.

          1. I’d much rather have control of my own shit end-to-end as much as possible.

            Storage is cheap these days.

  8. The release of “The Imitation Game” reminds us all to never use German encryption.

  9. Christopher Soghoian of the ACLU cautioned, “I would think that Telekom gives the same level of help to the German government as AT&T does to the US government. Like all telecoms around the world, when a government says jump, they jump.”

    This is true. Telecoms are much, much worse than information services companies like Google. (They’re even worse than cable ISPs like Comcast.) Telecoms are also much more heavily regulated by the government. These things are related. And yet silly groups like EFF push for Title II and other regulation, even though it will make companies more responsive to governmental requests.

Please to post comments

Comments are closed.