KoolSpan – AT&T / NSA cooperating partner company?

This is disturbing.

“If you trust AT&T’s new voice encryption service, you are a fool,” writes Christopher Soghoian, a privacy researcher at Indiana University. “$5 says it is CALEA compliant.”

Here is an article about the relationship between KoolSpan and AT&T.

10/06/2010 @ 6:40PM – Source
Andy Greenberg, Forbes Staff

Covering the worlds of data security, privacy and hacker culture.

Privacy Gurus Don’t Trust AT&T’s New Smartphone Encryption

If AT&T wants to offer its private-sector customers smartphone communications that are secure from man-in-the-middle eavesdropping, the company may first have to convince them it’s not the Man.

On Wednesday the telecom giant announced a new encryption option for its enterprise smartphone users, allowing them to insert a chip from its partner company KoolSpan into a phone and encrypt the voice traffic to prevent wiretaps.

The problem: Since becoming the poster boy for compliance with the Bush administration’s warrantless wiretapping scheme, AT&T isn’t exactly a trusted member of the crypto community.

“I think it’s prudent to be skeptical of a company that has a long reputation for providing intercept capabilities to the NSA,” says Moxie Marlinspike, a privacy-focused researcher and founder of Whisper Systems, an encryption program for Google’s Android mobile operating system. “Encryption is important, and becoming more important over time. But what AT&T is offering is not a secure solution.”

As a service provider, AT&T would be subject to the Communications Assistance for Law Enforcement Act (CALEA), which requires that companies build backdoors into their communications for government agencies, argues Marlinspike. A crucial step in creating a trusted connection without a man-in-the-middle eavesdropper is authenticating the identity of the callers. Since AT&T would be responsible for that authentication step, it could easily spoof an encrypted call while actually decrypting and wiretapping the voice data for a third party, Marlinspike says. And AT&T’s software remains proprietary rather than open source, making an objective review of its security impossible.

Whether CALEA requires a backdoor in smartphones’ encryption software isn’t completely clear. But AT&T’s history of cooperating with even illegal wiretaps by the NSA may be a dealbreaker for many security-conscious users.

“AT&T voice encryption? From the company that brought you NSA wire tapping, they thought you’d also like…. HA!” tweets Jacob Appelbaum, a developer and researcher for the TOR privacy project.

“If you trust AT&T’s new voice encryption service, you are a fool,” writes Christopher Soghoian, a privacy researcher at Indiana University. “$5 says it is CALEA compliant.”

An AT&T spokesperson declined to comment.

The telecom’s new offering comes as debate heats up around encryption for mobile phones and the Internet. The New York Times last week reported that the FBI, Justice Department, NSA, and the White House have met to discuss creating more stringent regulations around digital communications, expanding CALEA or passing a new law that requires backdoors in previously unregulated technologies.

Whisper Systems’ Marlinspike says he won’t build a backdoor into his encryption apps for Android regardless of how the laws change. “We’re never going to provide intercept capabilities for law enforcement or anyone else in our products,” he says. “Even if Google removed our software from its marketplace, I think it would be quite difficult to stop us from providing software for secure communications.”

When law enforcement comes knocking on AT&T’s door, don’t expect the company to be quite so resistant.
