Has encrypted chat service Surespot been compromised by the US government? Surespot user and former Army intelligence officer George Maschke recently published a provocative theory suggesting the answer is yes.
Mr. Maschke’s key pieces of evidence are intriguing. In May 2014, he e-mailed 2Fours LLC, which is Surespot’s parent company, asking whether the company had ever received a National Security Letter (NSL), a court order to provide information, or other government request to cooperate in an investigation. He was assured in writing that 2Fours had received no such requests. That changed in November 2014, when Surespot’s founder, Adam Patacchiola, told Maschke via e-mail that "we have received an e-mail asking us how to submit a subpoena to us which we haven’t received yet."
Despite repeated requests for further information from Nov. 13, 2014, to the present, Maschke has received no replies to his e-mails to Mr. Patacchiola. I made similar requests last week, and have likewise received no response from Patacchiola – via e-mail, Twitter, or the Surespot app itself. Surespot’s Twitter account has been virtually inactive for months, except for one tweet on May 31 about an Intercept story on a United Nations report asserting that encryption is a human right in the Digital Age.
A Surespot server outage June 8 was not noted on 2Fours’ website or the Surespot Twitter account, and the outage forced at least some users (including this author) to restore their Surespot identities and credentials, a highly unusual event in my experience using the service. However, as of February 2015, the company remained in good standing and in business, according to records maintained by the Colorado Secretary of State. The iOS and Android versions of Surespot remain available in their app stores.
If 2Fours was served with a national security letter by the FBI, Patacchiola and anyone associated with Surespot or its operations would be prohibited from publicly divulging that fact under the provisions of the Patriot Act.
There are alternative explanations for Patacchiola’s silence. He could be working on his next major business venture, a serious family or personal crisis may have sidelined him for the past several months, or he could be preparing to sell Surespot.
To try to clear up the mystery, I contacted Patacchiola’s former business partner, Cherie Turbitt Berdovich, at her current employer, Earth Vision Institute. After demanding that I never contact her again, she provided the following legal boilerplate via e-mail:
"Cherie Turbitt Berdovich is not an officer, employee or affiliate of [Surespot]. Cherie is not involved in the operations or management of Surespot in any way and has not been since August 5, 2014. Please immediately retract any and all statements you have made to the contrary, and please do not state or imply that she is involved with [Surespot] in any way in any future articles you might write."
Ms. Berdovich’s refusal to talk about Surespot, and her departure during the period in which 2Fours may have received an NSL or related legal demand for cooperation from the FBI, raise an obvious question: Why would the Feds be so interested in Surespot?
One reason could be Islamic State militants. IS militants have reportedly been using Surespot heavily since at least last summer. A UK Channel 4 investigation found that at least 115 IS-linked individuals were using Surespot. In June 2015, a Virginia teenager pled guilty to providing material support to IS, helping it recruit and raise money in the US. As revealed in the plea agreement, his preferred secure communications method was Surespot.
Given that IS connection, Patacchiola’s continued silence could be an indicator that the company is under a Patriot Act-related gag order of the kind that former Lavabit encrypted e-mail service provider Ladar Levison was issued during the federal government’s hunt for NSA contractor-turned-whistleblower Edward Snowden.
Shortly after Mr. Snowden went public in June 2013, the FBI determined that Lavabit was one of his primary means of secure communications. Upon being forced to give up the Secure Sockets Layer (SSL) encryption key for the entire Lavabit service, Mr. Levison shut down the company, feeling it was the only way he could ensure his remaining 400,000 users didn’t have their data put at risk of examination by the FBI.
That the FBI is pressuring companies to cooperate was made clear earlier this month, and the agency has some powerful allies on Capitol Hill who are spurring it on.
In a June House Homeland Security Committee hearing, chairman Michael McCaul of Texas said, “Mobile apps like Kik and WhatsApp as well as data-destroying apps like Wickr and Surespot are allowing extremists to communicate outside of the view of law enforcement.”
Representative McCaul failed to note that the overwhelming majority of the users of secure messaging apps are not terrorists or criminals. His approach is reminiscent of the NSA’s mindset of targeting anyone using Tor or similar anonymizing technologies.
At that same hearing, former CIA officer and current House of Representatives member Will Hurd dispelled the argument that the NSA and the FBI are “going dark” during his questioning of FBI Assistant Director for Counterterrorism Michael Steinbach.
Mr. Hurd asked, "Does end-to-end encryption that's provided by many US companies prevent your ability to do attribution?"
"In some cases," Mr. Steinbach said. But under further questioning, he conceded that the kind of end-to-end encryption offered by services such as Surespot has not prevented the FBI from getting information on potential or known terrorists.
When asked by Hurd whether the FBI was pushing for encryption-defeating “back doors” in software such as Surespot, Steinbach replied, "No." But then he elaborated:
"I'm talking about going to the companies who then could help us get the unencrypted information. And the attribution piece – it's important to understand that, depending on the technology involved, this – and this requires, quite frankly, a technology discussion – there are tokens that are used that do not allow for attribution. So it's not quite as simple as just using other techniques or attribution. Sometimes that attribution is not there."
Federal officials pursuing Snowden threatened Lavabit’s Levison with jail time if he did not cooperate with them. The fact that IS militants used a secure messaging app and service based in the US gave federal officials an opening to use the Patriot Act’s material support provision against the Virginia teen mentioned above. They could use the same tactic against Surespot or other small US secure messaging firms that lack the resources to fight back, unlike Apple or Google.
But instead of allowing targeted firms to simply shut down and turn over whatever data they have, the FBI and NSA might prefer that they continue operating as long as possible so as to provide further intelligence gathering opportunities – a sort of digital version of the Bureau of Alcohol, Tobacco and Firearms' Fast and Furious program. The short-term benefits of such an approach are obvious: coercing Surespot via Patriot Act authorities would give the FBI and NSA a chance to unmask known or suspected IS militants or supporters, both abroad and domestically.
But just as ATF's infamous “gun walking” program went tragically and publicly awry, coercing encryption service providers to compromise their systems is something the government will not be able to keep secret for long. Surespot’s service is already suffering from Patacchiola’s silence. If Surespot’s users abandon it, the company will eventually go under – and the FBI and NSA will further damage an already strained relationship with the American tech sector.
Whether Adam Patacchiola and his company are caught up in the kind of FBI squeeze play that doomed Lavabit is something only time will tell.
Patrick G. Eddington is a policy analyst in Homeland Security and Civil Liberties at the Cato Institute, and an assistant professor in the Security Studies Program at Georgetown University. Follow him on Twitter @PGEddington.