Silent Circle, the maker of secure messaging apps and a security hardened Android smartphone, called Blackphone, has discontinued its warrant canary.
Attempting to reach the page where it was previously hosted results in the following notification:
Warrant canaries became popular in the wake of the 2013 Snowden disclosures revealing the extent of government surveillance programs, as a tacit route to signify to users when a service might have been compromised by a government request for user data.
Canaries act as a workaround for U.S. gag orders which prevent companies publicly disclosing warrants for user requests by publishing an explicit statement that they have not received any warrants for user data to date — allowing for the reverse to be signaled if a canary is removed or not updated.
TechCrunch was tipped to Silent Circle’s dead canary by a reader, however the company claims it discontinued the canary as a “business decision” — not because it has received “any warrant”.
It seems an odd business decision to make.
“I would think a company like Silent Circle would have enough nous knowing that if it was to discontinue its warrant canary plenty of people would be concerned. So the sensible thing to have done — if it had been some sort of business decision, and I can’t imagine it’s really that much work maintaining a warrant canary — would have been to have been quite public and open and transparent about it,” he said. “But to silently kill it off seems odd.
“If this really was a business decision why not be open about it? Especially for a company which works in those sort of circles… You would [also] expect that discontinuing something like this could be bad for their business. Could raise concern among their customers. So it seems an odd business decision to make.”
The same tipster who pointed TechCrunch to the dead canary also claimed that a recent Silent OS update to Blackphone’s default apps requires increased security permissions, such as access to the camera, which can no longer be disabled by users.
Silent OS 3.0 was released towards the end of June, and is billed as including various security fixes and features, such as a new Privacy Meter integrated into the Security Center which notifies the user when a security/privacy threat is present and indicates the severity and potential actions to mitigate it, and a CIDS (Cellular Intrusion Detection System), to warn of potential threats in the cellular network interface, such as weak encryption and device tracking via silent SMS. It’s based on the latest release of Google’s mobile platform, Android Marshmallow 6.0.1 and also brings various UX changes to Silent OS’ platform.
There’s no explicit mention of increased permissions in Silent Circle’s blog post about the major platform update. We’ve asked Silent Circle to confirm whether it has increased permissions for its apps in Silent OS and if so, for what purpose, and will update this post with any response.
Cluley told TechCrunch that increased app permissions might be needed to support new features on the platform but again said the onus would be on such an apparently security-focused company to be very clear about its intentions here.
“You would hope if they’re changing their permissions they’ve got some sort of explanation as to why they would need to access your camera, for instance. Maybe it’s to scan in QR codes, maybe it’s for some sort of facial recognition biometric going forward,” he said.
“We do have to be careful about apps and the chance of new permissions creeping in stealthily if you like, and people not realizing that they are granting more permissions than when they initially installed an app. So I think some transparency’s called for.”
“In that kind of climate, wouldn’t a warrant canary be a good thing?” he added.
Adding to the uncertainty here, Silent Circle has undergone some significant employee shifts in recent months, losing two key co-founders: veteran crypto expert Jon Callas and its chief scientist Javier Agüera. We’ve also heard reports of wider staff cuts, although it is not clear whether the co-founders’ departures were voluntary or not (Callas has since taken up a role at Apple).
In addition, a lawsuit filed against Silent Circle by a business partner last month in a New York state court claims the company, which has raised $80 million to date from investors (most recently taking in $50M in February 2015), has failed to pay a $5M debt, according to a report on the Law360 website. The suit further claims it is considering bankruptcy after several major distribution deals fell through.
We’ve also asked Silent Circle for comment on the lawsuit and will update this post with any response.