BitTorrent has now made its private messaging app "Bleep" publicly available: an encrypted P2P tool for voice messages and text chat. It continues a bit of a glut in the private messaging market, with TextSecure, Bitmask, and others recently joining the fray.
The Alpha version of Bleep is available for download by any Android users willing to give it a test run (an iOS version will soon follow). I caught up with folks from BitTorrent about Bleep's peer-to-peer technology, its decentralized architecture, the kinks found by invite-only users, and why "the cloud" is not a good idea.
Bleep, which is end-to-end encrypted, with every message stored locally on mobile devices, allows users to sign up with either an email or mobile number or through its "incognito mode," meaning no personally identifiable information is necessary. Bleep initially registers all users as incognito, so they essentially have the choice to verify their identity via email or phone number.
"That's a personal choice and one of convenience," said BitTorrent's Christian Averill. "And even in those cases the lookups (i.e. actually finding the IP address of your contact) is done via our DHT [Distributed Hash Table, which decentralizes everything], so there is no exposure to BitTorrent as to who you are contacting or even when."
For now, Bleep users can only make voice calls and send text messages to other online Bleep users. If users like, they can import their Google address book, and invite friends to use Bleep through email, SMS, QR code, or a public key. Users can also move their existing Bleep account across multiple devices, though only received messages (not sent ones) appear across all devices.
As Averill noted, several things set the stage for Bleep. The first was that they wanted a voice call and messaging app that zeroed in on BitTorrent's main focus: decentralized architectures and applications. Given that this was the internet's original design, they felt it was only appropriate that Bleep should adhere to this principle.
"We see it as the only way to make the internet sustainable," Averill said. "When the PRISM scandal broke a year ago, the world became acutely aware of what we have known all along: putting all your eggs in one basket, in this case centralized servers, or 'the cloud'—is not a good idea."
Averill said that BitTorrent already had several applications available or in development that respected end user privacy, and gave them control over their data. BitTorrent Sync, which allows users to share files from device to device, was one such application. In the fall of 2013, during one of BitTorrent's Paloozas, their bi-monthly hackathons, one of their teams worked out a solution for server-less communications. Thus was born Bleep, at least in incubatory form.
"The most important thing to understand is that most text and voice applications run through a central server, aka the public cloud," said Averill. "Even encrypted chat services are exposed as they pass through that server. Those messages and related metadata—who you contacted, the length of the voice call, the time, etc.—are all warehoused on that server."
Averill said that this is a problem even before the NSA vacuums this information for analysis, because hackers are attracted to such a large cache of data. "It's the so-called 'honeypot' and they will find a way to hack into the server then hold hostage or leak personal information or private moments to the public," Averill added, citing the Snapchat and iCloud hacks of 2014 as examples of this type of exploit.
With Bleep, once a user accepts a friend's invite, the engine creates an encrypted tunnel over UDP (User Datagram Protocol, an internet protocol for sending messages) between the two peers. These messages are end-to-end encrypted. BitTorrent also supports forward secrecy, which means that they occasionally change the encryption key to make it more difficult for an observer to decrypt traffic, even if, by some miracle, as Averill put it, the encryption key is compromised.
If you're wondering how easy it is to invite a friend to use Bleep with a public key, it's not very stressful. Every user's public key can be found in their settings, and it's available as a text string that they can copy and paste or as a QR code. The key is automatically entered by a user's contact in the same place they would add the user through email or mobile number.
"You could even write out your key on a piece of paper, fold it up, and pass it to them like a note," Averill added.
So what are some of Bleep Alpha's kinks? The main issue, as Averill explained, is that if Android users have to run Bleep "WiFi Only," then it's a big drain on their battery and data plan. And, of course, connection will be spotty. BitTorrent is hoping any other bugs will be discovered in the open Alpha test.
"Privacy is not up for debate," Averill said. "People should be able to speak freely without worrying about who is going to snoop on them or that their private moments will be exposed to the public; and the tools that achieve this should be easy to use."