Why you shouldn't trust Verizon's new encrypted calling app

Analysis: Thanks to a not-so-secret backdoor, any encrypted calls will be open to intercept anyway, according to the NSA's rules of engagement.
Written by Zack Whittaker, Contributor
NSA operations center
Image: NSA

Verizon is dipping its feet into the "post-Snowden" world with a voice-encryption app: one that opens up constitutionally protected Americans for eavesdropping by U.S. law enforcement and intelligence agencies.

Dubbed Verizon Voice Cypher, the free-to-download app for iPhones, Android devices, and BlackBerrys offers businesses and government users end-to-end call encryption, regardless of the carrier.

The app works by scrambling voice calls using Cellcrypt's technology. But the U.S. government is still able to tap into the calls, according to Bloomberg Businessweek, which first wrote about the service last week.

"It's only creating a weakness for government agencies," Cellcrypt's Seth Polansky told the magazine, disputing the idea that the backdoor creates a security risk. "Just because a government access option exists, it doesn't mean other companies can access it."

There's nothing wrong with that statement -- at least on a factual basis. But, morally it's repugnant to promote a service that opens up potentially anybody who uses it, Americans and all, to greater and more direct surveillance.

Here's why.

In the wake of the National Security Agency (NSA) surveillance leaks, many more people are encrypting their web traffic. It's a smart move alone for the security conscious. Since data thefts and breaches have become a near daily occurrence -- at least for a while it felt like that -- encrypting data makes it harder for hackers to do anything with it.

But the rules of engagement under which the NSA can collect domestic Americans data, the so-called "minimization procedures" also leaked by Snowden, showed that the NSA can retain encrypted data -- even on Americans -- for up to five years.

Just using Verizon's app will make you stand out like a Christmas tree on the NSA's radar.

Making matter worse, the U.S. government in cahoots with its British counterparts have, according to more leaked documents, successfully broken or circumvented many online encryption standards.

Even when encryption is there, it's collectable under secret policies, and crackable.

But the NSA has a backdoor already. Even though it doesn't need one, the law doesn't always require one, either.

Under existing U.S. law, Verizon has to allow its networks to be wiretapped if a warrant is presented. But, that's only if the means are there to do it. In some cases, encryption is set up in such a way that even the company cannot hand over anything meaningful to law enforcement.

Many companies bolstered or altered their systems post-Snowden so that even they couldn't access the data. Apple cannot hand over data it doesn't have the encryption keys to. (That's probably why, at least in part, Apple iPhones have become so popular in the enterprise.)

In recent months, Apple and Google stepped up their customers' device security by taking themselves out of the data demand equation altogether. FBI director James Comey said Apple was allowing its customers to "place themselves beyond the law."

While many companies doubled-down on security, encryption, and privacy protection in the wake of the Snowden leaks, Verizon actively included a backdoor in its calling app. Why remains unclear.

There is no doubt that enterprise customers -- including government users -- want more effective and simple ways to secure their communications: emails, chats, calls -- just to name a few. But the government has been shown to engage in industrial espionage, which it says it "does not."

Though the U.S. Director of National Intelligence James Clapper denied it was industrial espionage, he did say it's "not a secret" that the intelligence community "collects information about economic and financial matters, and terrorist financing," for example to predict financial crises.

Backdoors don't necessarily make products weaker. They do however make your communications less private. Verizon's ill thought-out and half-baked attempt to create something marketed as something you should "trust" may be to some a marketing ploy. To others, it's downright irresponsible. For a few, it's dangerous.

Why Verizon wants to expand in this space is unclear. But while other, more secure services exist that don't contain backdoors -- we know because the code is public and can be inspected -- there's no room for Verizon to compete.

Editorial standards