In the online world, our digital footprints hardly ever wash away. The Internet never forgets — and neither does social media.
Web users are coming to terms with ever-increasing storage, both physical and in the cloud. As a result, data retention has become just too easy. Sometimes it’s just an embarrassing picture. Other times, in places where there’s a war or an uprising, people would like to remove their sensitive messages, which could be used against them by oppressive regimes getting better at monitoring digital communications.
That’s where Wickr comes in.
The app, which could best be described as a Snapchat for grown-ups, is only available for iOS right now. Launched in June 2012 by a group of security experts, the app sends messages, photos (and soon videos) that will eventually be erased. Wickr allows users to choose how long they want their digital missives to last: as short as one second, and as long as 5 days, 23 hours, 59 minutes and 59 seconds.
The main difference between the two apps, and the reason Wickr is more ambitious than Snapchat, is that it encrypts all messages, striving for perfect privacy and security. Wickr doesn’t just want messages to disappear once they are sent. Wickr doesn’t want anybody, including the app itself, to know what your digital correspondence contains.
Nico Sell, a long-time organizer of famed hacker conference Def Con and Wickr co-founder, says she wanted her kids to enjoy private communication, but also designed the app for “very high tension situations, where if information gets out ahead of time, people could get hurt.” In other words, Wickr is for you and me, for privacy-obsessed people or tinfoil-wearing paranoids, but it is also for journalists and sources, for freedom fighters and activists, people who have something at stake and need to keep their communications under wraps.
“This is really meant to democratize privacy and bring NSA top-secret level encryption to the masses,” Sell tells Mashable.
So how does Wickr’s privacy-enhancing encrypting technology work? Therein lies the controversy.
Messages are encrypted on your phone using a private key, and only the receiver can read them once he or she taps on the unlock button that appears when a message arrives. When traveling through Wickr servers, the correspondence is unreadable to anyone who might be snooping. Wickr claims it doesn’t store any of the messages, so the service can’t even turn correspondence over as scrambled gobbledygook if the feds or police come knocking.
Wickr uses your own password and standard cryptography schemes like AES and RSA to hide the content of your messages. For security reasons, not even your password can be retrieved. If it could, somebody could steal it, or maliciously reset it to intercept your communications and pretend to be you.
Some of the cryptography behind Wickr is widely used on the Internet. It’s the kind that ensures you are really paying Amazon instead of a hacker, or that nobody is spying when you check your bank account online. But Wickr also has a “proprietary algorithm,” secret to everybody except the app developers and some trusted reviewers. Wickr doesn’t have open source code.
In other words, only the company knows precisely how its privacy-enhancing system works. And that’s exactly where Wickr’s privacy and security utopia could fail and crumble, according to cryptography and security experts.
“We have a kind of a maxim in our field, in cryptography, which is that the systems should be open,” says Matthew Green, a cryptography researcher and professor at Johns Hopkins University Information Security Institute.
Green echoes what Bruce Schneier, a cryptography and security guru, has been saying for a long time. “The idea is simple,” wrote Schneier in a 1999 newsletter. “Cryptography is hard to do right, and the only way to know if something was done right is to be able to examine it.”
As it turns out, to have a secure, privacy-enhancing app, you might need to have a thousand eyes on it.
Green says this is nothing new. This maxim, which for some security researchers is almost a dogma, goes all the way back in the history of cryptography, to the 1800s. That’s when Auguste Kerckhoffs, a celebrated Dutch cryptographer, formulated his famous principle: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
For Green, that means “if you don’t know how a system works, you kind of have to assume that it’s untrustworthy.” He adds that this is not about being an open source activist. But Wickr, he says, doesn’t even have white papers on its website explaining how the system works.
“If you’re somebody who is a wine aficionado, you care about what’s inside the bottle, you don’t care about the label,” Green says. “But unfortunately what’s been hyped [at Wickr] is kind of the label, and we want to know if what’s inside is vinegar or if it’s actually something that we want to drink.”
He is not the only one with questions.
“From my perspective I don’t think the company should be telling us, ‘Trust us, it’s safe,’ ‘Trust us, it’s encrypted,’ or ‘Trust us, it’s audited,’” says Nadim Kobeissi, a cryptographer and founder of encrypted browser-based chat service Cryptocat. “We should be able to verify ourselves.”
Kobeissi refers to two recent examples that highlight the importance of open source cryptography software.
The first one is his own creation. Cryptocat, which could be considered a Wickr competitor, was born as an open source project, in which everyone could inspect the code and make improvement suggestions or flag bugs and flaws. Initially, Cryptocat received some criticism, with experts claiming it wasn’t safe to use in high-risk situations. But with the feedback from the community, the application has improved and everybody has learned from it, Kobeissi says.
Another example, he notes, is Silent Circle, an app that also promises encrypted and secure communications. Silent Circle was founded by Phillip Zimmermann, the inventor of the vaunted data-encrypting program Pretty Good Privacy (PGP). Even with his involvement, the cryptographic community retreated when it learned Silent Circle was not open source.
Following pressure from critics and the cryptography open source community, Silent Circle eventually published some of its code. Once it did, “people still found flaws in their software; they still found bugs in it,” Kobeissi says. But “Silent Circle still benefited from making their code open source so that people could review it.”
And Zimmermann, who’s been a pioneer in open source cryptography, also admits that it’s better to have multiple eyes on your product. “I think probably it’s not a good idea to trust crypto software if they don’t publish the source code. It’s not just [to look for] back doors, but what if they screw up and make a mistake?” he said at a security summit in Puerto Rico.
When asked about the open source controversy, Wickr’s co-founder Sell says that they “never considered being open source and don’t plan being open source” any time soon.
Dan Kaminsky, a security and cryptography guru known for spotting a critical flaw in the DNS system and, basically, having saved the Internet as we know it, doesn’t agree with the critics. “Obscurity has some place in the world,” he says. “There are many ways to deliver secure systems: One way is to be as open as possible, one way is not.”
Kaminsky, who serves as a formal advisor for Wickr, has personally reviewed the code and vouches for the security of its cryptography scheme. Additionally, on Feb. 25 the company announced the app has been audited by application security company Veracode and has received its maximum rating. Green, however, notes that Veracode isn’t specifically designed to find “subtle cryptography problems” but rather to fool-proof the code against generic bugs and errors. And Schneier also famously wrote that “security has nothing to do with functionality. You can have two algorithms, one secure and the other insecure, and they both can work perfectly.”
The cautionary tale that many reference is the case of Hushmail, an encrypted mail service that used to claim that “not even a Hushmail employee with access to our servers can read your encrypted email, since each message is uniquely encoded before it leaves your computer” — words that echo Wickr’s own proclamations. Sell tells Mashable that Wickr’s “architecture eliminates backdoors; if someone was to come to us with a subpoena, we have nothing to give them.”
As it turned out, Hushmail wasn’t so impenetrable. In 2007 it was revealed that, actually, Hushmail could eavesdrop on its users’ communications when presented with a court order.
Cryptography controversy aside, Wickr has some undeniable advantages. It’s extremely easy and intuitive to use. In that regard, it’s a lot like WhatsApp. You install it, create your username and password and it takes just an instant to learn how to send messages. It really looks like any other messaging app you’ve already used a thousand times. And that was the developers’ goal.
“There has been a real problem with security being too difficult for the average user,” Kaminsky says. “Nerds to nerds communication is doing OK, but what about the real world? What about my friends? What about my family?”
Also, since the messages self-destruct, even if somebody somehow gets a hold of your phone or your account, there isn’t that much to see (although the recipient can always take a screenshot). Past communications disappear forever. “Such a feature makes sense when we consider the pervasive world of targeted attacks,” writes Jacob Appelbaum, a famous hacker and WikiLeaks supporter, in a mailing list. “If you compromise, say, my email client today, you may get years of email,” but if you compromise something like Wickr, you only get a limited amount of information.
So could Wickr be used by an activist in Syria who is worried about enemy spies and Assad’s regime? Sell has no doubts — she answers that question with an unflickering “yes.”
But cryptography expert Green disagrees. “I would not recommend they use something like Wickr.”
And even Kaminsky is not so sure. “There’s no such thing as 100% security … I don’t recommend you put your life on the line to any consumer grade electronic, to any software,” he says. “Pretending that anything that we can offer is going to stand up to highly funded adversaries with weaponry is foolish.”
UPDATE: An earlier version of this story stated that Phillip Zimmermann admitted Silent Circle’s mistake not to publish its code and changed his mind after the community criticized Silent Circle. In reality, Zimmermann’s company always intended to publish the code.