You are using an older browser version. Please use a supported version for the best MSN experience.

Silent Circle silently snuffs out its warrant canary — but claims it’s a “business decision”

TechCrunch TechCrunch 5/07/2016 Natasha Lomas

Silent Circle, the maker of encrypted messaging apps and a security hardened Android smartphone, called Blackphone, has discontinued its warrant canary.

Attempting to reach the page where it was previously hosted results in the following notification:

Warrant canaries became popular in the wake of the 2013 Snowden disclosures revealing the extent of government surveillance programs, as a tacit route to signify to users when a service might have been compromised by a government request for user data.

Canaries act as a workaround for U.S. gag orders which prevent companies publicly disclosing warrants for user requests by publishing an explicit statement that they have not received any warrants for user data to date — allowing for the reverse to be signaled if a canary is removed or not updated.

TechCrunch was tipped to Silent Circle’s dead canary by a reader, however the company claims it discontinued the canary as a “business decision” — not because it has received “any warrant”.

“We have not received a warrant for user data,” Matt Neiderman, Silent Circle’s General Counsel told TechCrunch. “As part of our focus on delivering enterprise software platform we discontinued our warrant canary some time ago. The decision was a business decision and not related to any warrant for user data which we have not received.”

The company has run into problems with its warrant canary before, including in March last year when it missed out a statement in an update, which they subsequently added. So it has something of a checkered history here already.

At the time of some of the previous problem Neiderman claimed the company had not received warrants “of any type”. But his denial in the latest instance is arguably a little less explicitly worded. We’ve asked him to confirm whether Silent Circle has received a warrant of any type to date and will update this post with any response.

Although it’s also worth noting the company is not headquartered in the US — previously moving its HQ from the Caribbean to Switzerland on account of what it said were “world best” constitutional privacy protections in the European country. (However other non-US based encrypted comms companies, such as Germany’s Tutanota, do continue to maintain a warrant canary for transparency and good practice purposes, despite not being subject to legal gag orders in the country where they are based.)

Discussing Silent Circle’s decision to discontinue its warrant canary, UK based security commentator Graham Cluley suggested the move does look odd.

It seems an odd business decision to make.

“I would think a company like Silent Circle would have enough nous knowing that if it was to discontinue its warrant canary plenty of people would be concerned. So the sensible thing to have done — if it had been some sort of business decision, and I can’t imagine it’s really that much work maintaining a warrant canary — would have been to have been quite public and open and transparent about it,” he said. “But to silently kill it off seems odd.

“If this really was a business decision why not be open about it? Especially for a company which works in those sort of circles… You would [also] expect that discontinuing something like this could be bad for their business. Could raise concern among their customers. So it seems an odd business decision to make.”

The same tipster who pointed TechCrunch to the dead canary also claimed that a recent Silent OS update to Blackphone’s default apps requires increased security permissions, such as access to the camera, which can no longer be disabled by users.

Silent OS 3.0 was released towards the end of June, and is billed as including various security fixes and features, such as a new Privacy Meter integrated into the Security Center which notifies the user when a security/privacy threat is present and indicates the severity and potential actions to mitigate it, and a CIDS (Cellular Intrusion Detection System), to warn of potential threats in the cellular network interface, such as weak encryption and device tracking via silent SMS. It’s based on the latest release of Google’s mobile platform, Android Marshmallow 6.0.1, and also brings various UX changes to Silent OS’ platform.

There’s no explicit mention of increased permissions in Silent Circle’s blog post about the major platform update. We’ve asked Silent Circle to confirm whether it has increased permissions for its apps in Silent OS and if so, for what purpose, and will update this post with any response.

Cluley told TechCrunch that increased app permissions might be needed to support new features on the platform but again said the onus would be on such an apparently security-focused company to be very clear about its intentions here.

“You would hope if they’re changing their permissions they’ve got some sort of explanation as to why they would need to access your camera, for instance. Maybe it’s to scan in QR codes, maybe it’s for some sort of facial recognition biometric going forward,” he said.

“We do have to be careful about apps and the chance of new permissions creeping in stealthily if you like, and people not realizing that they are granting more permissions than when they initially installed an app. So I think some transparency’s called for.”

“In that kind of climate, wouldn’t a warrant canary be a good thing?” he added.

Adding to the uncertainty here, Silent Circle has undergone some significant employee shifts in recent months, losing two key co-founders: veteran crypto expert Jon Callas and its chief scientist Javier Agüera. We’ve also heard reports of wider staff cuts, although it is not clear whether the co-founders’ departures were voluntary or not (Callas has since taken up a role at Apple).

In addition, a lawsuit filed against Silent Circle by a business partner last month in a New York state court claims the company, which has raised $80 million to date from investors (most recently taking in $50M in February 2015), has failed to pay a $5M debt, according to a report on the Law360 website. The suit further claims it is considering bankruptcy after several major distribution deals fell through.

We’ve asked Silent Circle for comment on the lawsuit and will update this post with any response.

More from TechCrunch

image beaconimage beaconimage beacon