FYI.

This story is over 5 years old.

Wickr's Self-Destructing Communications Take Aim at Surveillance and Skype

The Wickr app could become the Tristero of digital communication.
September 23, 2013, 8:05pm
The Wickr Andoird home screen, courtesy of Wickr

Something strange though not unpredictable happened in the aftermath of the NSA leaks. Given that private, secure communication wasn't granted basic human right status, private businesses and volunteer collectives stepped in to satisfy the increasingly high demand for eletronic privacy.

The Seattle-based activist collective Riseup.net, which has been around since 1998, is now ramping up its operations, as I noted in a recent interview. Snapchat, a social media app offering self-deleting video sharing and chat services, is gaining more and more users, even though it was reported this past May that the app's photos were not in fact deleted within seconds, but easily retrievable. Companies like Lockbox and Least Authority began positioning themselves as NSA-proof, encrypted cloud-service alternatives. Opportunism or not, the message is clear: People want privacy, and businesses are happy to oblige.

Advertisement

Somewhere between the motivations of these for-profit privacy companies and Riseup.net lies Wickr, an app created by a group of security experts. Striving for total encrypted security, Wickr does not collect data, and allows users to set all electronic communications to self-destruct anywhere from one second to five days. The majority of Wickr's users can enjoy the app for free, while premium users pay a price that finances the company's mass privacy offerings.

Wickr co-founder Nicol Sell and I spoke over the phone about the company's recent Android app launch, which now brings the service to 90 percent of all smartphone users. We also talked about why businesses have had to step in and create a nascent privacy market, and how Wickr's work calls to mind Tristero, the secret postal service in Thomas Pynchon's The Crying of Lot 49.

MOTHERBOARD: Several weeks ago there were reports that the NSA was particularly adept at decrypting secure communications. With what Wickr is doing, is this a cause for concern?

Nico: No, it doesn't worry us. We're all a really paranoid group here. [laughs] We've already made the assumption that the NSA has broken all the math. I actually don't believe they have, but we operated on that assumption and built products that could withstand the breaking of the math. We're using all open-source encryption, but we bind each message to the device, so if the NSA or anyone else were to crack a message in 50 or 200 years, they wouldn't be able to read it.

Advertisement

On top of that, we do something else that is really unique, which is make all of our users anonymous. We also use perfect forward secrecy, which to my amazement is in the mainstream press these days. Essentially, every message or piece of data has a different key. And since every user is anonymous and every piece of data has a different key, if someone wanted to get ahold of one conversation, they would have to break millions and millions of messages. We use the same technology that the NSA uses internally, which is NSA Suite B Compliance, the standard they use for top-secret communications. But, our encryption algorithms actually exceed what they do. And though no one has known the NSA to break that encryption algorithm, if they were to succeed at it, Wickr would still be okay.

Screenshot of the Wickr Android app, courtesy of Wickr

What specifically motivated you to create Wickr?

It was my belief that my family deserved the same level of protection that the NSA enjoys for their communication, or better.

Wickr definitely evokes Mission Impossible's self-destructing messages with its secure file shredder. Can you talk about the technology behind it?

For a message to really self-destruct, we believe it has to be three things: anonymous, private, and secure. There are a number of ways you can go about achieving those objectives. In regards to secure file shredder, specifically, it gets around a lot of the little holes found in other self-destructing apps like SnapChat. The shredder is continually running in the background, shredding anything that you put in the trash, even email. If you were to send an email to trash right now, and someone got ahold of your phone, they could still read the message. So, the shredder continually writes gibberish over all of the memory.

Advertisement

Sounds a bit like Apple's Secure Empty Trash option, which I believe writes lines upon lines of gibberish over and over on the deleted data.

I'm not familiar with the technology behind that, but it sounds to me like the same idea. Everything we've invented here is nothing new, but we've made it easy enough for even my 4-year old to understand. In terms of encryption, too, it's really just PGP. That's the closest thing to Wickr in the email sense. But, when you add it on the phone, then you can get rid of things like key management and having to look at fingerprints. You don't even realize you're sending top-secret messages.

"We don't have any data on our servers—we're a zero-knowledge system. So we absolutely can't make money that way…"

I hope this question isn't too provocative, or taken the wrong way. Wickr is free for 95 percent of users, which is made possible by charging the other 5 percent for secure, professional phone calling. There is nothing inherently wrong in charging someone for a service, but isn't it something of a sad commentary on the state of our modern techno-civilization that businesses have to step in to offer private, secure communications, when privacy is really a human right?

I think you're right on. But, my belief is that the best way to protect a human right is to make a really good business doing it, and getting the top percent of the world to pay for it. And we're all willing to do that, especially if we're saving money.

Advertisement

Essentially we'll have millions and billions of people using our service for free. And that is really important to us because we're trying to bring private correspondence for free to everyone in the world because we believe it's a human right. But, our power users, the people who truly are using Wickr for every single phone call and online conversation, will pay a small price for international calling and texting. The reason we know we'll make money is that it's something consumers pay for, and we're going to cut their bills by one-fifth or one-sixth of typical service plans.

The important thing to note is always follow the money. See how people are making money. We don't have any data on our servers—we're a zero-knowledge system. So we absolutely can't make money that way, and we'll never be forced to make money that way if investors come in and want to control us. If you're sitting on personal data, at one point you will be forced by people more powerful than you, whether financially or emotionally, to hand it over.

Which reminds me of something you said in a recent interview. An FBI agent approached you at a RSA conference, asking if Wicker would give the bureau a backdoor to the system. It blows my mind that the federal government can so casually ask that question.

They can ask you, but they can't force a company to do it. You can be convinced, whether by financial means or what they call “human pressure,” to put in a backdoor. But, there is absolutely no legal authority in the United States to be forced to put in a backdoor. You know what, if the FBI had come to me 20 years ago and asked me that question, I probably would have said yes because I love this country and I want to protect people. Until you understand that the backdoor for the good guys also creates a backdoor for the bad guys, you don't say “No” so clearly. I'm lucky that I know that because I hang out with the whole Def Con community. They educated me about this. I saw people breaking into lawful intercept machines.

Screenshot of Wickr's message self-destruct clock, courtesy of Wickr

It's not that the NSA or anyone else, or Skype—which I consider the bigger threat—are collecting this data, it's that now all of those holes in the database are impossible to protect. And it will get out. I don't trust that the NSA can guarantee that this information will not get leaked. What if information they're collecting gets posted by Anonymous online for everyone to search? That is what scares me, and what I believe is the bigger threat.

When I hear these arguments made in support of electronic surveillance backdoors in order to combat terrorism, I can't help but reject them on purely statistical grounds. What people don't seem to understand is that the NSA and other US intelligence agencies are really working on the margins when it comes to reducing the frequency of violent terrorist acts. In other words, if the feds manage to decrease the frequency at all, it's incredibly marginal. And so, for me, the privacy trade-off is too great. And then, of course, we know that most of these surveillance powers are being used to fight crime totally unrelated to terrorism, which wasn't the original intent of these powers. For these two reasons, I think the argument for electronic surveillance is weak or, to be less polite, bullshit.

Advertisement

You have to look at a tool and say, “Will that tool benefit society more than it will hurt it?” And if you say, "Yes," then it's good for society. Let me give you some examples of other tools: money, shoes, airplanes, screwdrivers, baseball bats, hammers. Those are all things that criminals use every day. Every good tool is used by good and bad people, but it's used more by good people. And private correspondence is one of these good tools.

"[The United States Postal Service] provided the entire populace with a means of private communication, and access to freedom of information without government censorship… giving those tools to the entire world is what needs to be done."

One of my favorite things to talk about is George Washington, and how he, along with one of my ancestors, established the United States Postal Service. There are two big differences between the US and British postal services: the USPS provided the entire populace with a means of private communication, and access to freedom of information without government censorship. And that is what made America great. It's something that most of us believe in, and giving those tools to the entire world is what needs to be done.

When I came across that biographical note, I very quickly associated that and your co-founding of Wickr with Thomas Pynchon's The Crying of Lot 49, in which an underground postal service, Tristero, serves as an alternative to the traditional postal services; which, in the novel, is embodied in Thurn and Taxis. As a private system of communication, Tristero is not only in direct opposition to established postal services, but opposed to government or systems of power in general.

Advertisement

Wow. I've never read it, but that is definitely a cool association. And, you know, William Gibson tweeted about us last week, so we're one step closer to being a verb in one of his novels. Corey Doctorow also wrote about us, which was really cool, too.

While we're on the subject of cyberpunk authors, I want to talk about something I first encountered in Neal Stephenson's Cryptonomicon. In that book there is a famous scene where characters use Van Eck Phreaking to look at a person's computer screen in a nearby room. It seems like that would be possible on a mobile phone. But, for someone to do that, they'd really be having to go out of their way to surveil a person. In other words, as a means of circumventing Wickr, it would be far too logistically challenging.

Agreed. Yeah, there are so many levels of things that have been done, it's just a matter of using them and how much and where. We all have satellites above us, too. [laughs]

I think one thing that you will appreciate along those fictional lines, and this is a bigger vision for us, is I want to start dropping what I call “Space Machines” all over the world. The Space Machine would pretty much look like the Doctor Who time-travel machine. It would be red, and on the inside there would be an iPad or Android device, and you can only do two things on it: search the web anonymously for information, and communicate anonymously.

So, Tardis-like booths of anonymity dotting the globe?

Advertisement

Yes, and I'm calling it The World Post Office.

Groovy.

We haven't done it yet, but I thought you would appreciate that with the science fiction references.

You really need to read The Crying of Lot 49. With what you have, and what you want to do with The World Post Office, Wickr is becoming the digital equivalent of Tristero.

Well, now I know what I'm going to be reading. I can't wait.

"[T]ake a look at Skype's privacy policy and terms of service. They clearly state that they own all of your private communications… They've been telling everyone and no one listens. Personally, this is what scares me."

I want to rewind to Wickr's professional calling service for a moment. Who do you envision using it: activists, dissidents, or businesses?

No, I'm going after Skype directly. I want to take all of their users.

You want to take out Skype?

Yes.

That is a noble goal given its well-known vulnerabilities, not to mention Microsoft's alleged involvement in the NSA's PRISM program. But, what is it about Skype in particular that offends your sensibilities?

I would say a couple of things. First, they're the No. 1 voice calling product in the world, and that's what we want to be and think we can be. And, this is something I've been saying long before the Summer of Snowden: take a look at Skype's privacy policy and terms of service. They clearly state that they own all of your private communications. So, don't use it! This is built-in. They've been telling everyone and no one listens. Personally, this is what scares me.

You may think you have nothing to hide, but I don't want conversations I have with my mother posted online for anyone to search and analyze. And that is what you get into with Skype. If people knew about these terms of service, no one would have said yes. No one. And so it's a really easy switch if we can be easier to use and cooler. We'll keep people because we treat them well, we don't abuse their contacts, and we don't sell their data. That will keep people using Wickr, but what will get people in the first place is free calling around the world, just like Skype.

Elsewhere, you mentioned that everyone should quit or boycott Facebook. Few people have been as aggressive on the question of whether or not to use Facebook. Obviously, people know that Facebook's privacy and data mining policies are not righteous, but I'd like to know what you'd say to people who are already on Facebook but aren't thinking of shuttering their account?

Well, I didn't get off Facebook because I never got on it in the first place. The main thing is Facebook was not made for your benefit. It was made for advertisers. Follow the money. Is that a company to which you would entrust your personal information? I wouldn't, and I sure wouldn't entrust my daughter's personal information to them either. Do you trust that they're not going to sell your health communications to the highest health insurance bidders? Their job is to make money off of our data.

Facebook is a great marketing tool for companies, and it's an amazing platform for someone trying to push something out into the world. But, it's just not an amazing platform for your personal information, personal location, or your conversations with friends.

So to wrap things up here, how else do you envision Wickr being used?

Well, journalists deal with a lot of interesting sources around the world. So Wickr can help in that way. Also, it can be used to survive and securely communicate in a hostile environment. It can also help connect researchers with reporters when it comes to information that, if it got out, could cause people to get hurt. There was no easy way to connect these people before, so this is one of the main reasons I built Wickr. Now, it's even more available because the app works on 90 percent of phones, whereas a week ago it only worked on the 20 percent of people who use iPhones.