At a recent RSA Security Conference, Nico Sell was on stage announcing that her company—Wickr—was making drastic changes to ensure its users’ security. She said that the company would switch from RSA encryption to elliptic curve encryption, and that the service wouldn’t have a backdoor for anyone.
As she left the stage, before she’d even had a chance to take her microphone off, a man approached her and introduced himself as an agent with the Federal Bureau of Investigation. He then proceeded to “casually” ask if she’d be willing to install a backdoor into Wickr that would allow the FBI to retrieve information.
A Common Practice
This encounter, and the agent’s casual demeanor, is apparently business as usual as intelligence and law enforcement agencies seek to gain greater access into protected communication systems. Since her encounter with the agent at RSA, Sell says it’s a story she’s heard again and again. “It sounds like that’s how they do it now,” she told SecurityWatch. “Always casual, testing, because most people would say yes.”
The FBI’s goal is to see into encrypted, secure systems like Wickr and others. Under the Communications Assistance for Law Enforcement Act (CALEA) legislation, law enforcement can tap any phone in the US but they can’t read encrypted communications. We’ve also seen how law enforcement have followed the lead of the NSA, and gathered data en-masse from cellphone towers. With the NSA reportedly installing backdoors onto hardware sitting in UPS facilities and allegedly working to undermine cryptographic standards, it’s not surprising that the FBI would be operating along similar lines.
It was clear that the FBI agent didn’t know who he was dealing with, because Sell did not back down. Instead, she lectured him on topics ranging from the First and Fourth Amendments to the Constitution, to George Washington’s creation of a Post Office in the US. “My ancestor was a drummer boy under Washington,” Sell explained. “Washington thought it was very important to have freedom of information and private correspondence without government surveillance.”
Her lecture concluded, she proceeded to grill the agent. “I asked if he had official paperwork for me, if this was an official request, who his boss was,” said Sell. “He backed down very quickly.”
Though she didn’t budge for the agent, Sell makes it clear that surveillance and security is a complicated issue. “Ten years ago, I’d have said yes,” said Sell. “Because if law enforcement asks you to catch bad guys, who wouldn’t want to help?”
The difference now, she explained, was her experiences at BlackHat. Among those, Sell pointed to a BlackHat event where Thomas Cross demonstrated how to break into lawful intercept machines—or wiretaps. “It was very clear that a backdoor for the good guys is always a backdoor for the bad guys.”
How To Be A Good Guy
“I’m not against helping law enforcement, but the most important thing to me is protecting my friends and family the best way I know how,” said Sell. She suggested that the NSA and other agencies go back to a model where individuals are targeted, instead of monitoring all communications and sorting it out later. “There are plenty of ways to track people without trampling human rights,” she said.
As an example of how to do security right, Sell unsurprisingly pointed to Wickr. She said that her company does not hold the encryption keys to decrypt users’ messages, or see their identities. That way, should Wickr be compelled to hand over data from a court order, investigators will only find junk. And in addition to employing who Sell calls the “best crypto people,” Sell said that individual messages are bound to their intended device. “Even in 20 years or 100 years, if the NSA miraculously breaks these [encryption] equations, they still wouldn’t be able to read these messages.”
It’s clear that for Sell, this is about more than good security. “I’m doing the right thing here, and it’s the right thing for them, too,” she said. “I’m not afraid of them.”