Can the New Blackphone Combat NSA Spying?

In February, a team of Spanish mobile phone makers and security experts will unveil a new phone to fight government intrusion.

As Obama tries to comfort a nation that has in recent months become increasingly disillusioned by the National Security Agency’s spying activities, a new phone company will try to capitalize on that distrust. 

Spanish smartphone startup Geeksphone and encrypted communications provider Silent Circle have created a new device called Blackphone. The two companies have only released limited information about the project so far, with plans to unveil the device in greater detail during the Mobile World Congress show in Barcelona in February.

Blackphone will run an Android-based operating system called PrivatOS that the companies claim will allow users to communicate securely. Through VPN, the device will allow for secure text messaging, file storage and retrieval, video chat, and Internet browsing, according to the developers.

Silent Circle is known for its subscription-based peer-to-peer encrypted text messaging, phone call, video call and file transfer services, which will presumably be integrated into Blackphone’s capabilities.

Though the news of NSA spying has created an opening in the market for a phone like this, says IT Market Analyst Rob Enderle, the lack of name recognition could prevent Blackphone from attaining high-volume market penetration.

“The good news is they’re in Spain, because that’s where Mobile Congress is,” Enderle said. “The bad news is they’re in Spain, because nobody believes good phones come out of Spain.”

A well-known phone or security brand attached to Blackphone might be necessary for the device to really take off, he said.

From a technical standpoint, Enderle said, ensuring secure mobile communications means ensuring that the hosted services that phones use are secure. Just making a phone secure is useless if the NSA or hackers can access the servers where the text messages, emails or web logs are stored. So as of right now, it looks like the Blackphone makers only have half the solution, Enderle said.

Additional NSA-Proof Solutions?

News of NSA spying has in recent months spawned many different solutions advertised as being totally secure, but the same problem Enderle pointed out applies to all forms of digital communication. If the NSA is monitoring Internet traffic at a very low level of the infrastructure, as some have claimed the agency is, then it may not matter what sort of apps, Web browsers or tricks are used, because they’re all layered on top of a foundation made of sand.

“You really need a solid foundation,” Enderle said. “The problem here is the NSA has been able to penetrate the foundation.”

Apps like Snapchat and Wickr play into the idea of leaving no trace online, automatically deleting all communications from both sending and receiving devices, but because the content remains stored on the services’ servers, there’s an argument that the communications are ultimately not secure.

After news of the NSA spying broke, Silent Circle even shut down its encrypted email service because the company no longer believed it was secure and did not want to lull its users into a false sense of security. Lavabit, the email service of choice for Edward Snowden himself, also shut down its service for similar reasons.

Identifying an individual online, according to Peter Eckersley, technology projects director for the Electronic Frontier Foundation (EFF), is a matter of spotting what he calls “33 points of entropy.” What this means is that having only someone’s zip code is not enough to identify that person, nor is having only a date of birth or solely a gender. But having someone’s zip code, gender and date of birth is probably enough to identify any person online, or at least get very, very close.

The takeaway from Eckersley’s theory is that the data collected through normal Web browsing puts most people around the halfway point to being personally identified. And this is nothing compared to agencies like the NSA that are actively searching for identities or looking for additional context on an individual.

An online tool called Panopticlick can scan a user’s online “fingerprint” and reveal that user’s points of entropy along with the uniqueness of that user's fingerprint. The tool simply looks at normal information that a user’s Web browser shares, such as installed fonts, plug-ins, time zone, screen size and so on. As the points of entropy approach 33, one’s chances of remaining anonymous are reduced.

Government Technology tried it out and found that one writer’s online fingerprint was unique among 3.7 million tested browsers, with a score of 21.85 points of entropy, or bits of identifying information -- probably not enough to be identified without additional information, but also less anonymous than expected.
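An added example (not from the original article and not Panopticlick's own code) of how such "bits of identifying information" are computed: a trait shared by a fraction p of browsers contributes -log2(p) bits, so a fingerprint unique among N browsers carries log2(N) bits. The sample population and field names are constructed for illustration.

```python
import math
from collections import Counter

# Constructed sample population: (browser, time zone, screen size, font-list id).
POPULATION = (
    [("Chrome", "UTC-5", "1920x1080", "fonts-A")] * 8
    + [("Chrome", "UTC-8", "1920x1080", "fonts-A")] * 4
    + [("Firefox", "UTC-5", "1366x768", "fonts-B")] * 2
    + [("Safari", "UTC-8", "1440x900", "fonts-C")]
    + [("Firefox", "UTC+1", "1920x1080", "fonts-D")]
)
FIELDS = ("browser", "time_zone", "screen", "fonts")  # hypothetical field names


def surprisal_bits(matches, total):
    """Bits of identifying information in a trait shared by `matches` of `total`."""
    return -math.log2(matches / total)


def per_attribute_bits(population, target):
    """Surprisal of each attribute value of `target`, measured on its own."""
    total = len(population)
    bits = {}
    for i, name in enumerate(FIELDS):
        counts = Counter(record[i] for record in population)
        bits[name] = surprisal_bits(counts[target[i]], total)
    return bits


def fingerprint_bits(population, target):
    """Surprisal of the combined fingerprint and the size of its anonymity set."""
    same = sum(1 for record in population if record == target)
    return surprisal_bits(same, len(population)), same


if __name__ == "__main__":
    for target in (POPULATION[0], ("Safari", "UTC-8", "1440x900", "fonts-C")):
        bits, crowd = fingerprint_bits(POPULATION, target)
        print(target, per_attribute_bits(POPULATION, target))
        print(f"  combined: {bits:.2f} bits, shared with {crowd} browser(s)")
    # A fingerprint seen once among 3.7 million browsers:
    print(f"{surprisal_bits(1, 3_700_000):.2f} bits")
```

For the common Chrome fingerprint the per-attribute bits sum to more than the combined figure, because correlated traits (here browser and font list) do not add independent information; the combined fingerprint's anonymity set is the number that matters.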

Colin wrote for Government Technology and Emergency Management from 2010 through most of 2016.