U.S. Indicts CEO of Encrypted Phone Firm 'Sky'

The U.S. the Department of Justice announced an indictment against the chief executive officer of Sky Global and an associate for allegedly selling their devices to help international drug traffickers avoid law enforcement on Friday.

The indictment is rare in that it marks only the second time the DOJ has filed charges against an encrypted phone company, and signals that the DOJ will continue to prosecute the heads and associates of companies that they say cater deliberately to facilitating criminal acts. The move also comes just days after the company, responding to law enforcement action against the firm in Europe, vehemently denied being a preferred choice for criminals, and Jean-Francois Eap, Sky's CEO, specifically told Motherboard that his product exists for the prevention of identity theft, hacking, and other privacy issues.

"The indictment alleges that Sky Global generated hundreds of millions of dollars providing a service that allowed criminal networks around the world to hide their international drug trafficking activity from law enforcement," Acting U.S. Attorney Randy Grossman said in the announcement. "This groundbreaking investigation should send a serious message to companies who think they can aid criminals in their unlawful activities." The announcement added that warrants had been issued for their arrests on Friday.

Eap and Thomas Herdman, which the announcement describes as "a former high-level distributor" of the devices, are charged with a conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO). RICO has traditionally been used to prosecute mafia bosses, but the Southern District of California also used it against another encrypted phone company called Phantom Secure.

When Motherboard asked a source at Sky for comment on the indictment, the source replied "sorry what indictment?" When Motherboard then provided a link to the DOJ press release, the source did not respond.

Sky is part of the encrypted phone industry, which generally takes BlackBerry or more recently Android devices, and installs their own encrypted messaging applications that route messages through their own infrastructure, and sometimes offer a remote wipe feature that can remove messages or other content if the phone is seized by law enforcement. The companies can charge thousands of dollars per device for an annual subscription.

Rather than view these companies as a neutral party, such as when a criminal uses an Apple or Google product, authorities increasingly view the companies as criminal. The announcement is sparse on the details of the case against Eap and Herdman, but alleges that "Sky Global’s purpose was to create, maintain, and control a method of secure communication to facilitate the importation, exportation, and distribution of heroin, cocaine and methamphetamine into Australia, Asia, Europe, and North America, including the United States and Canada; to launder the proceeds of such drug trafficking conduct; and to obstruct investigations of drug trafficking and money laundering organizations by creating, maintaining, and controlling a system whereby Sky Global would remotely delete evidence of such activities."

The indictment comes after a wave of activity by European law enforcement agencies against the company. Earlier this week, agencies said they had managed to obtain nearly a billion messages sent between Sky users, and decrypt around half of those. In a statement to Motherboard, Sky maintained that its main service remained secure, and that instead someone had installed a rogue version of Sky's app onto phones and then sold those to unsuspecting customers.

"The platform exists for the prevention of identity theft and hacking, the protection of personal privacy rights, and the secure operation of legitimate personal and business affairs. With the global rise of corporate espionage, cybercrime and malicious data breaches, privacy and protection of information is the foundation of the effective functioning for many industries including legal, public health, vaccine supply chains, manufacturers, celebrities and many more," Eap told Motherboard in a statement at the time.

After the publication of this piece, Eap told Motherboard that "In the coming days, my efforts will be focused on clearing my name of these allegations."

A copy of the indictment is embedded below.

Update: This piece has been updated to include an embed of the indictment itself and a link to a new Motherboard article giving more context from Eap.

Subscribe to our cybersecurity podcast CYBER, here.