Interest in a free, encrypted web chat service called Cryptocat has spiked following the detainment and interrogation of its developer at the US border.
The developer, Nadim Kobeissi of Montreal, was detained at the US-Canada border on Wednesday, he tweeted.
PrivacySOS has posted the relevant tweets here. Here’s what Kobeissi said about the ordeal:
Out of my 4 DHS interrogations in the past 3 weeks, it’s the first time I’m asked about Cryptocat crypto and my passport is confiscated.
Kobeissi says that his interrogator, who claimed 22 years of computer experience, asked him which algorithms Cryptocat used and about its “censorship resistance”.
In addition, his passport was confiscated for about an hour, he said.
Following the incident, interest in the program has risen sharply. “Cryptocat usage has sizably gone up in the past 24 hours,” Kobeissi told me in an email exchange.
The project’s aim is to provide encrypted communications that are easily accessible and free from the governmental or corporate interception that shadow other chat services, such as those from Facebook, Google or Yahoo.
If and when the application reaches its potential, it will provide a safe way for people to communicate when such communications could put their lives at risk. Examples include communications between those who participated in the uprisings of the Arab Spring.
It’s understandable that a spectrum of online users, from government resisters to cyber criminals and terrorists, would be interested in an encrypted, untraceable chat service.
But just because US security developed an interest in the developer, in Cryptocat and in its cryptographic strength, we shouldn’t foster unrealistic ideas about what the application can do, Kobeissi told me, reiterating an earlier tweet:
I really hope this incident doesn't blow confidence in Cryptocat out of proportion. I don't think I was interrogated because Cryptocat is this super incredible encrypted communication tool that scares the US national security - I believe I've been targeted for interrogation simply because of the general nature and apparent popularity of my work.
Kobeissi’s concerns that users not put themselves at risk when using Cryptocat likely have to do with the program’s limitations. According to the project site, this is what Cryptocat can’t do:
* Cryptocat does not anonymize you: While your communications are encrypted, your identity can still be traced since Cryptocat does not mask your IP address. For anonymization, we highly recommend using Tor. Cryptocat even offers a Tor Hidden Service at xdtfje3c46d2dnjd.onion.
* Cryptocat does not protect against key loggers: Your messages are encrypted as they go through the wire, but that doesn't mean that your keyboard is necessarily safe. Cryptocat does not protect against hardware or software key loggers which might be snooping on your keyboard strokes and sending them to an undesired third party.
* Cryptocat does not protect against untrustworthy people: Parties you're conversing with may still leak your messages without your knowledge. Cryptocat aims to make sure that only the parties you're talking to get your messages, but that doesn't mean these parties are necessarily trustworthy.
In other words, Cryptocat at this point is, in Kobeissi’s own words, a “really cool project,” but its developers still have plenty of work to do:
It promises to deliver something great and I've been doing some serious, peer-reviewed, open research and development on all of its aspects. However, the reason why I always make sure to mention that it's still an experiment is that I understand that other projects, such as Tor and OTR, have been under development for five years, ten years or more. Cryptocat is barely over a year old. It needs a lot more testing, a lot more research in order for me to ascertain its effectiveness on the field. Security is difficult.
As Slashdot commenter eldavojohn noted, Kobeissi’s interrogation well may have arisen out of the US’s export controls on levels of encryption, covered under the Arms Export Control Act (AECA) of 1976.
To the US government, certain strengths of cryptographic software constitute munitions; hence, their export has been banned.
If you look at the history of AECA prosecutions, you’ll see that Kobeissi is in good company.
- 1990s: RSA Data Security, who was in a licensing dispute over use of the RSA algorithm in PGP, filed a report on Phil Zimmermann for allegedly violating the AECA. The US Customs Service started an investigation but dropped it after three years.
- 2006: Boeing was fined $15 million for unlicensed foreign sales involving a gyroscopic microchip or gyrochip with military applications.
- 2004–2006: there were 283 arrests, 198 indictments, and 166 convictions based on AECA violations.
- 2007: ITT Corporation was fined for transferring night vision goggles and classified information about countermeasures against laser weapons, including light interference filters, to engineers in Singapore, the People’s Republic of China, and the United Kingdom. They were fined $100 million, although they were also given the option of spending half of that sum on research and development of new night vision technology, the intellectual property rights for which the US government retained.
Obviously, US interest in cryptography is nothing new. There’s nothing remarkable about the interrogation of a developer associated with a program designed to escape censorship and surveillance.
Hopefully, the news coverage continues to promote increased interest in this worthwhile project.
But let’s hope that people read the fine print about what this program can and can’t do.
Kobeissi’s right: it would be a tragedy if the result of his detainment and interrogation were that people put themselves in harm’s way, using Cryptocat without a realistic idea of the level of protection it provides.
Read the fine print. Proceed with caution.