Hacked - Trojan Phone
Episode Date: November 16, 2022
The story of the international plan to put a very insecure phone into the pockets of criminals around the world.
During World War II, there was a Swiss cryptography company called Crypto AG.
And they got their big break with a contract to build code-making machines for the states during the war.
They make a bunch of money, and they become the go-to maker of encryption devices for decades.
Gears, circuits, eventually silicon, there's new tech coming and going, Crypto AG, they ride it all out.
Throughout the 21st century, they sell to over 120 different countries.
They sell to nuclear rivals.
They sell to military juntas.
When the Vatican needed encryption, they bought it from Crypto AG.
But what none of their customers knew was who really owned Crypto AG.
For the last 50 years of its existence, Crypto AG was owned by a highly classified partnership
with West German intelligence and the CIA.
And the devices they made that whole time were, for decades, rigged
so the U.S. could easily break the codes that countries used to send encrypted messages to each other.
A CIA report described the Crypto AG situation as, quote, the intelligence coup of the century.
Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two and as many as five or six foreign countries.
They designed the tech, they put the back doors in, and they sold it, and then spies listened.
Decades went by until Crypto AG eventually got squeezed out by the spread of online encryption tech.
They didn't manage to make that most recent jump.
But for decades, they heard everything based on this very simple idea.
Rather than trying to break the encryption, why not be the one to sell it?
So that's Crypto AG.
50 years later, just this last couple years, some folks started asking
the same questions that those Crypto AG folks did back in the 70s.
Same question, but about new tech.
And while their target was criminal rather than foreign powers,
the idea was the exact same.
Rather than break the encryption tool,
why not become the one to sell it?
The question then is what device do people rely on
to encrypt their messages in 2022?
So we're going to talk about the very wild story
of the Anom phone here on Hacked.
It sounds like a crypto company, doesn't it?
Well, we literally just spent the hour before starting to record this episode
talking about FTX and the goings-on of the crypto world.
Yay, crypto.
So I just love the fact that we're transitioning hot
from a crypto conversation about crypto
to a crypto conversation about cryptography
because I actually much prefer cryptography.
It sounds like it should be a crypto company
that's either running TV ads or in the news for having fled with a whole bunch of money.
Or just, you know, been completely outed as the Ponzi scheme it was.
One of those things.
In reality, it is a, the weirdest phone startup I have ever heard about.
Super interesting story.
Also, I think kind of our second part, it's making this month into the month of Hollywood Hacked,
where last episode was all about a show that was being adapted for film.
And then I think in the last couple days,
a book being written about this by one of my main kind of sources in my note taking
got adapted or got licensed by Netflix to be another show,
I think this time by the makers of Ozarks.
So this is our second thing in a row that's going to get the Hollywood treatment
over the next couple of years.
Hell yeah.
I would now like to invite Calvin Shivers, representing the United States of America,
Assistant Director, Criminal Investigative Division of the U.S. Federal Bureau of Investigation.
Mr. Shivers, the floor is yours.
Over the last 18 months, the FBI provided criminal organizations over 300, as mentioned by my colleague,
in over 100 countries encrypted devices that allowed
us to monitor their communications.
Scott, let's say you're a criminal shopping for a smartphone.
You're not a cyber criminal. You are an analog criminal who needs a phone, a phone to do your
crimes, essentially. But these are serious crimes, right? Like you could reasonably have a, you know,
a warrant out or a tap against your phone. There might be an international warrant for your
arrest, but you're not necessarily technically sophisticated. I want like the ultimate criminal
burner is what you're saying exactly so what kind of smartphone do you buy what
are you shopping for I would love something that probably doesn't have internal
microphones so it's something that I'd have to plug in like a headset to use I'd
probably love something that didn't have cameras on it sure something that probably
doesn't have a GPS chip in it yeah would be better and good yeah what else would I
want I want something that like there's probably no way
could find a phone that could do this, but something with like a physical destroy button on it,
like when I flip a little slider on the back and push a button, the inside of it essentially
just melts. That would be ideal. Something with flippable SIM cards, for sure, not an eSIM
because you probably want to be rolling SIMs. I don't know. I feel like that would be the beginning
of my shopping list. That's pretty, that's honestly pretty comprehensive. Like, that's a lot of,
a lot of those features you just said. And even ones that you weren't sure if they would be
available, that's a pretty good summary of what this marketplace in 20, say 20 looked like.
Okay.
To get into the Anom phone, let's start by taking a little tour through some of the real-world
answers to that question, because the competition of this device, this sort of honeypot,
gives a pretty good sense of what this phone had to do and who it was doing it for.
First big example is an EncroChat phone.
EncroChat's created by a European communications network and service provider of the same name.
It started out as a privacy-focused phone that very quickly found its audience in the criminal community.
In terms of its unique hardware qualities, you just named most of them.
It had a panic button.
It actually had a panic button.
It had a panic button.
It deleted the contents of the phone.
The button you push it and it wipes the whole thing.
And a lot of the features are just about wiping this thing as fast as humanly possible.
It also had, as you said, all of its sensors removed. No camera, no mic. I believe no GPS. If you want to talk in it, you have to plug in a headphone with a microphone.
I just want to interrupt and say that I had never looked at this device before I said that list of things. So if it's pretty accurate, then maybe I am a criminal.
I think you have a go bag and you were like, oh, I don't know off the top of my head and you were staring at one of these devices.
In terms of the software, and it's the same basic set of goals, right?
It came with a pin that isn't the real pin.
It's for if you need to provide the cops with a pin and they enter that pin, it would wipe the device,
a fake pin for deleting all the contents off it.
Brilliant.
Came with a kill pill feature, which allowed you to send, say you didn't have the phone and you
couldn't provide a fake pin, you could send this kill pill to it that would remotely wipe it.
You can send encrypted messages, make encrypted calls, and write encrypted notes,
all using the EncroChat proprietary apps, EncroTalk, EncroNotes, Ncrote,
and all of the data for all of that, the kill pill, all of their different sort of pre-baked-in apps,
all of it flowed through their central servers located in France.
And if that is sticking out as a potential vulnerability,
having all of that stuff go through servers operated by some company you've never heard of,
you have correctly identified the problem with EncroChat.
Nice.
I really had never looked at one of these phones, so it's really funny that I like nailed
that list.
I'm a little shocked, but.
It kind of makes sense, right?
There's only so many things that you need a crime phone to do and most of it's privacy
base.
So how extreme can you get with privacy on the hardware?
Exactly.
All the remote stuff, I kind of just assume would be there no matter what.
It was originally marketed to celebrities, but by 2017, it was regarded by law enforcement
as kind of the go-to for criminals.
And it's a pretty good option.
But those French servers where all the messages went through.
In 2019, a joint operation between the UK, French and Dutch police got a warrant.
They broke into those servers and they put a piece of malware on them,
which interrupted the panic-wipe feature, gave them access to the messages that were being sent
between users, recorded the real pins on the lock screens being used.
It's unclear to me whether the content was actually unencrypted or it was encrypted,
but they broke it once they got in.
But regardless, by April 2020, European agencies had access to millions of texts,
hundreds and thousands of images being sent between these devices.
It led them to make hundreds of arrests, and they seized millions of pounds of drugs,
cash, and weapons.
If you've been a longtime fan of the show, you'll remember my first problem with passwords episode
where I kind of go on about password managers being like the keychain.
And if you ever lose access to the keychain, you like lose everything.
And I feel like that's the same thing they did here is like they gave these phones out
They got people to trust them and then they took them over and they got access to everything
It's like yeah all of the things and features and safety features you think you have you don't have
But you trust that you have them and we're gonna like exploit that trust
All the security features we've sold to you are only as secure as our operation is and most operations aren't that secure in the face of a warrant is kind of what this keeps
going back to.
Huh.
EncroChat goes down, but another one pops up.
Phantom Secure, a firm that sold privacy-focused BlackBerry phones, which ended up catering again,
primarily to the criminal market.
Their big, famous customer was El Chapo.
And if it's good enough for him, you know, what are you doing that he isn't?
So for a while, Phantom Secure was the big one until its CEO was arrested.
And interestingly, was offered significantly less time following his arrest if he installed a backdoor,
but according to multiple sources refused, because the only thing scarier than the FBI is the Sinaloa cartel.
So you probably don't want to use Phantom Secure.
EncroChat comes up, goes down.
Phantom Secure goes up, comes down.
As long as there are people technical enough to use a phone in, you know, criminal endeavors, but not technical enough to stay secure, there is going to be a market for this kind of thing.
And law enforcement just ends up playing whack-a-mole the whole time.
Typically, there's some kind of a distributor
in the middle of all this, someone who knows these devices has a good lay of the land,
but also knows the criminals and can buy and set up the device for them, acting as kind of a middleman,
right?
Mm-hmm.
And the story of the Anom phone starts with one of those middlemen.
In 2018, the FBI gets a new informant.
We don't know exactly who this person is, but he sold these types of phones.
He had buyers.
He kept them up to date on the hottest new device.
That was his niche.
And the San Diego FBI branch had been working with this informant who was facing charges and had offered to cooperate with the FBI in exchange for a lighter sentence.
And I'm really, really curious what the pitch he gave is for this next part.
Because this informant comes up with an idea.
Prior to his arrest, the middleman had been developing his own product to distribute.
This sales middleman was getting into the
manufacturing and supply side.
And the idea he brought the FBI is what if, just like Crypto AG did 80 years ago after
World War II, instead of law enforcement waiting for another one of these things to pop up
and having to inject malware on the server or try and get the CEO to install a backdoor,
what if you skipped all that?
And law enforcement made and distributed the phone itself.
What if law enforcement ran his
company he wanted to start and produce the devices and sold them to criminals all around the world,
all with the backdoor pre-installed.
This whole like theater of security.
That is the idea behind the Anom phone.
It seems like you would be, you'd be making friends with a very powerful group and then making dire enemies with very, a multitude of very bad people.
Yeah, like internationally, hundreds of them around the world.
You have the worst enemies you could have.
I got a few buddies of the FBI now, but I also have like 80,000 mortal enemies in every criminal syndicate around the world.
Mm-hmm.
You know, I don't know if there's enough money in that transaction for you to be safe for the rest of your life.
Yeah, that's a scary proposition.
Is there enough jail time it could get you out of that you would take that deal?
Is another interesting question.
Totally.
I don't think so.
I'm just going to go to jail.
I'm safe.
I haven't done anything to these criminals that I'm hanging out with here in prison.
I'll just, yeah.
I don't know.
It's an interesting question.
Let's talk about the Anom phone itself.
Joseph Cox, a journalist who we weren't able to get a hold of for this and has done a lot of the essential reporting on this story.
He's got that book coming out.
Very excited to read it.
He got his hands on one of these devices.
The one he got was a normal Pixel 4a.
You turn it on normally and it's got all the standard apps, Instagram, Facebook, Netflix.
But none of them actually work.
Click into them.
They don't actually open.
But if you reset the phone and you enter a different PIN,
it opens this whole other partition space within the phone running something called Arcane OS,
which is how folks who bought these years later on Craigslist by accident
realized what they had bought. It's got new apps, new wallpaper, clock calculator settings.
Pretty much that's it. Go into the calculator app, however, you can get access through it to a
login screen that says enter Anom ID, which is where once you enter your Anom ID set up for you
by the middleman, you find the concealed messaging app called Anom. It's kind of the beating heart
of this whole thing. It's what you'd use to communicate with other Anom users. And this
app that you have to go through all of that theater to get to is the place where the CA
had access to.
I like that theater.
It's fun, right?
Yeah.
You got to punch a code into the calculator to open the login, to type in your password, to let the CIA see what you're sending.
You got to notify them.
You got to notify them by going through this process of steps.
You got to really let them know.
And they're like, oh, okay, this person's a criminal.
Like, turn on monitoring on this device.
We don't want to waste space in our monitoring matrix.
You only got so much server space.
Exactly, exactly.
It's got the same PIN wipe functionality as the EncroChat phone.
It's got a lot of the same features as most of these other devices.
If you've bought a phone like this before, it's a little different, but it's the same basic idea.
And it brought up this interesting question when I was reading about this, which is if you buy a privacy phone like this, from a company that there is intentionally very little written about, just on a technical level, is there any way to test
if it's actually private and secure?
Does it always come down to trust?
Yeah, probably.
Unless you hacked the communications process
and got access to the servers
and could look at everything,
there'd be very little way to tell.
Because like how do you even,
even if there was like key-based encryption,
like how would you even trust that the keys or,
I don't know,
it'd be very technically challenging.
Which means you're not just trusting,
you're not just trusting this company
you've never heard of,
you're also trusting
whatever dude showed up at your doorstep
with a trench coat
full of weird smartphones
and has told you that,
oh yeah, the Anom phone
is super legitimate and locked down
and encrypted,
or the EncroChat phone
is super legitimate and locked down.
You have to trust that guy
and you have to trust
the company you've never heard of.
There's a lot of trust involved
in using a device
that seems like it would only be
used by people who have very little reason to trust anybody.
Yeah.
I don't know.
I guess the motto of the internet these days, trust everybody.
Nobody's trustworthy.
So what's involved in starting and operating a fake crime phone company?
First, the FBI had to get a network of people who were selling EncroChat and Phantom Secure
type devices to start selling their Anom phone.
At first, it was a small kind of launch.
50 devices distributed in Australia.
for beta testing in 2018.
And they just did it through, you know, word of mouth,
a couple undercover agents pushing it out to folks,
but it was small, small launch.
Most of the distributors were not informants.
They did not know who was behind the device they were pushing.
So they start getting it out there,
which is when the nitty-gritty of actually running a phone company becomes reality.
Their phones, over time people want upgrades, new devices,
smaller phone, bigger screen, whatever.
So now they're iterative
and come out with new versions. They have to provide software updates as people find bugs. They have to
handle customer service. But they kind of pull this off and keep moving units. But because of
who their clientele is and in turn who their competition is, these weird edge cases start to
emerge. So your competition's also catering to criminals, which means that the risk of, I don't know
if you call it hackers or corporate espionage in this context, but that goes through the roof.
They're just trying to fend off attacks now while they're running this
so they don't get figured out by their competition as being the feds.
You also have to avoid the thing becoming too popular.
It really can't get into the hands of anyone that isn't a criminal you've individually targeted
because then you have the public having their messages routed through government-operated servers,
which has pretty intense legal implications.
So I'm just trying to see if there's actually like some messaging app out there that's actually,
like, you could build a messaging app where if you wanted to talk to me, I send you my public key.
All messages to me get encrypted and you need my private key to encrypt them and vice versa.
How do you know that any quote unquote secure messaging apps are actually secure?
Right.
Like, are any of them open source?
Can I like see the code?
And anyway, now I'm just curious.
know enough about these apps, but I would be looking at Signal because I know that there's enough
people using it that it's probably been dug into pretty hard. And it's open source. I'm looking at the
source code for it right now. There you go. Let's talk about how they talked over this device.
Motherboard talked with a guy in Australia who said that Anom was able to make big inroads in the
criminal community there. And I guess that the common way it was used was in tandem with a couple
different encrypted phones. The big one in Australia was called Ciphr, but the idea was sort of the
same everywhere. Folks would use one phone for discussing the logistics of an operation and another
phone for talking about the money side of things. They would split communications between multiple
different devices and chat services. A lot of these encrypted phones only let users communicate
to each other only on their network. Anom users were talking to other Anom users through the Anom app.
Ciphr users were talking to other Ciphr users through the Ciphr app, meaning that if you wanted
to talk to people on that network, you needed to have a phone that worked on that network. You'd end up
with like a bag of these different things. And over time, Anom made its way into thousands of people's
bags of burner phones. And they used it, as we will discuss, to share millions and millions of
messages over the window of time when this was all going down.
Anom distribution starts out slow.
In October of 2019, there was only a couple hundred of users of these things around the world.
They run this company, and over the years it starts to grow.
By May 2021, there were 11,800 devices with Anom installed around the world.
Swedish police had access to 1,600 conversations.
Europol stated that 27 million messages were collected from Anom devices around 100 countries.
In 2021, there was a very large volume of data flowing through this network that law enforcement
had built.
And the question then is when, if ever, do you put a bow on this thing and start arresting people?
Sure.
The second you pull the pin once, that's going to travel so fast.
It's not like the, it's not like people aren't communicating like they were 50 years ago, 60, 70 years ago.
I'm not sending a letter to somebody to be like,
yo, don't trust this service.
Yeah.
It's like instantly,
everybody will know that they're burnt and throw them away.
The second,
it's like at what point you're sitting there watching active crimes happen
and at what point do you say that crime is so big that it's more valuable
to shut that crime down than to turn off this entire network we've built of Intel.
that's got to be tough.
Especially because it probably wasn't cheap either.
You'd be hundreds of millions of dollars in at this point probably.
Yeah.
The thing that makes it different from Crypto AG is that let's imagine some country figures out that their communications on this device were unencrypted.
And they become suspicious.
They have no reason to tell Crypto AG's other customers about their, uh,
suspicions because they're other countries.
If a criminal gets arrested for something that they communicated about on this phone,
they do have an incentive to tell other criminals,
hey, stop using this phone.
So you don't have that level of like,
the motivations are just completely different when you're dealing with criminals versus
nation states.
So the second you arrest one person,
you kind of have to arrest everybody at the same time.
Yeah, that's a big day.
That is what happened.
We arrested like a few thousand people.
It's a big day.
Just decide to blow the entire thing up and just arrest everybody.
Let's go.
Let's talk about that.
After the break, you will be arrested.
And there are a number of things that resulted from this. Not only have we heard about the number of
arrests and the number of seizures, but there were over 100 threats to life that were mitigated.
And to give you an idea of the magnitude of our penetration, we were able to actually see
photographs of hundreds of tons of cocaine that were
concealed in shipments of fruit.
We're able to see hundreds of kilos of cocaine that were concealed in canned goods.
There's speculation that the reason Anom ended had to do with a warrant to a server expiring.
This suggests maybe that they had repurposed a server that they had gotten a warrant to at some point.
It's unclear to me technically what went on here.
But on June 7th, a warrant to a server they were using in this operation was set to end,
which lines up pretty perfectly with the grand finale to this whole thing.
Around the world, the next day, June 8th, 2021, search warrants were simultaneously executed.
Across 16 countries, over 800 people were arrested.
You've got alleged members of the Australian-based Italian mafia, you've got outlaw motorcycle gangs,
you've got drug syndicates, you've got Albanian organized crime.
This one day they seize 40 tons of drugs,
eight tons of cocaine, 22 tons of weed,
250 guns, 55 luxury cars, and 58 million bucks in crypto and currency.
We get this deluge of court documents that paint a pretty good picture of the scope of this thing,
not just in terms of the arrests,
but the resources that went into it that you mentioned earlier.
Over the three years it was going,
more than 9,000 police officers across 18 countries were involved in the operation.
Whoa.
Europol described it as the biggest ever law enforcement operation against encrypted communication.
I won't list off all the different countries where there were arrests.
But interestingly, there was one country where no one was arrested for crimes communicated about on the Anom network.
No arrests were made in the U.S.
Because of privacy laws that prevent the law enforcement from collecting messages about domestic subjects.
It would have been illegal to collect the messages necessary
to arrest people for crimes talked about on Anom phones.
But the DOJ did indict 17 people, foreign nationals living in the states, not for crimes they
talked about on Anom phones, which they couldn't do.
But they were able to arrest them under the Racketeering Act for their participation
as distributors of these phones.
The people who were doing customer service, setting up subscriptions for new customers,
canceling accounts, those middlemen moving Anom phones were arrested
by the people who made the phone
that those people were working for.
When the FBI wanted to distribute
Anom phones, they wanted it to seem legitimate.
So they tricked the middlemen
that sold other phones in the past, things like
EncroChat phones and Phantom Secure,
to move this hot new crime phone, the Anom phone.
And then at the very end,
they arrested all of those people.
For doing what they asked them to do.
Precisely.
Isn't that a, isn't that like a control?
Isn't there laws against that?
Apparently they managed to find a way to wiggle their way through it because several of those people were arrested.
I'm definitely not a criminal lawyer.
That's not, if you are 55 episodes deep into this show and that was not immediately clear to you,
I, Jordan, I'm not a criminal lawyer.
One day, Jordan.
One day we'll both be criminal lawyers.
It just represents the, the, the, the, the, the liability
of trust.
And it's like, I feel like that liability of trust.
And, you know, now, today we're not talking about, like,
cyber security from the, like, yay, pro-cyber security and keep the bad guys out.
This is definitely a conversation about, like, yay, the bad guys.
So it's like the second you start trusting something, the second you become liable for it,
you know, it becomes a liability in your life, obviously.
We've all seen enough criminal movies to know that you need to clean up loose ends,
et cetera, et cetera.
And I feel like this is one of those things where it's like, if you choose a messaging platform that you inherently believe to be secure, chances are it's probably not secure.
It's like the only thing that's like you can truly verify for security.
It's like, you know, if you go back with criminals and organized crime for years, you know, they used to they have their own cryptography.
You know, you can create your own ciphers, you know, whatever that is, whether it's specific language or whether it's literally
specific ciphers and actually using ciphers to code messages.
If you can do that, you know, that is something that you can trust because you've created it.
But it is again, as it is again hackable.
So, you know, is there really anything you can trust these days, Jordan?
Certainly can't trust the crypto market.
There's this idea that comes up sometimes of going dark.
It's a term that law enforcement uses.
It's military lingo, and it's for when communications drops from a public channel where you can monitor it to a private channel.
And it's had a big spike in usage in terms of the debate over how strong encryption used by normal people should be.
A mobile app that uses like end-to-end encryption designed to protect your data, but that same tech can be used to prevent law enforcement from being able to get access to those communications, which, however you feel about it, sometimes they do legally have a right to do.
To put a name to this idea and to frame this debate, they call it going dark.
And the argument typically coming from law enforcement is that tech companies shouldn't
make products that let people go truly, truly dark.
NSA has proposed something I hadn't heard of called split key encryption.
I didn't know about that.
Basically, they have one half of a key, the vendor has the other half.
But with all that stuff, folks on the other side of that debate
maintained that the complexity of implementing that provides, again,
a point of entry that would ultimately endanger the end users' data.
I think the conversation around it, you know,
I'm by no means an expert in online messaging platforms.
But when people use terms like end to end or point-to-point encryption,
I'm assuming they're talking about something like SSL on the web.
So it's like my connection from my device to the server connection is encrypted so that nobody can sniff and see what I'm saying.
And then the connection from the server to the other device say yourself is encrypted.
So nobody can sniff and see what you're saying.
But the passage of information between those two devices is probably done in raw text.
So like they're probably, like, I highly doubt, like, maybe Signal, but like WhatsApp and Facebook and
Facebook Messenger and stuff are not using individually assigned keys where when I type a message in,
it gets encrypted in your public key, sends to you, and then decrypted with your private key.
I don't want to guarantee it, but there's a high likelihood that they don't do that.
Some of the true encryption, you know, privacy-based messaging apps might do that, but I don't
think 90% are.
And when they use terms like end to end and point to point, that leads me to believe that it's not truly encrypted.
They're just encrypting the tunnel that the messages are going through.
So the debate here, as I understand it, is assuming not just the tunnel, but the package itself is encrypted.
And you live in a jurisdiction, we do, probably everyone listening to this does, where if law enforcement has good evidence that you've done a crime, they can go get a warrant to try and get access to your phone or your messages or whatever.
But because of hypothetically the strength of that encryption being robust enough that they
actually just can't get access to the message, what does it mean if they come to a tech company,
say, we need access to this message, and the tech company says because of the design of this
platform, we literally cannot give that to you if we wanted to.
Privacy-minded folks would say that is the product being used by the user as it was designed
and intended.
Law enforcement is saying that makes it impossible for you to respond to this legal
request.
And that's where the debate about going dark is sort of living right now.
Should law enforcement and the government have the right to tell the manufacturers of
that tech that they can't encrypt it to the degree that makes it impossible for them to
respond to these warrants?
Yeah, we're just going full circle back to the philosophy episode about the right to privacy and like, you know, the email and Twitter
scanning stuff where it's, right. Yeah. You know, what is the tradeoff and what is the balance
the society strikes between privacy and security? And this is just another one of those elements.
Sure. It also introduces a question of how, I guess to zoom back into the Anom phone itself,
outside of whether or not you want to use Signal versus iMessage versus WhatsApp,
devices like the Anom phone, NCHAT, Phantom Secure.
It introduces a question of how effective these devices can really be.
Not whether a person can use a device securely,
but what happens when you market and buy a device marketed to
the hyper-privacy concerned?
Because does buying one of those devices,
not using an app that lots of folks use,
but buying a phone with the camera removed and the GPS taken out
and the mic ripped out, does buying that phone inadvertently identify you to the kinds of people
that would be looking into activities done on that phone, to law enforcement?
Does being on a shopping list of people who bought this phone shine a spotlight on you?
This is going to sound weird, but I bet 50 plus percent of the people that buy these devices
aren't actually criminals.
I would agree with that.
They're just people that have privacy, they have a priority of privacy, for what reasons, that's on them, but they have, you know, the people that really are worried, or maybe they're conspiracy theorists, or maybe they're whatever.
So I bet a lot of these devices ends up, end up in the hands of regular people, or what I would say regular people, you know, air quotes, non-criminales.
Sure, sure. Yeah.
But if I'm a, I don't know, like, you know, if I'm a true criminal, like especially if I'm a big organized criminal, it's not that hard to write your own messaging platform.
I'd be going so dark that they didn't even know it existed.
You know?
That's just me.
And who am I?
Yeah, this whole time I've been kind of glibly calling it a crime phone for doing crimes, just because it's sort of funny to say.
But the makers of devices like this could rightly say,
no, this is a privacy-based device.
And maybe a feature, like a pin that lets you wipe the contents of the device, it seems like something that's only useful to a quote unquote criminal.
But what if where you live being a political like dissident is criminal?
Totally.
Or being a journalist is kind of criminal.
Those devices should probably be able to exist for those people in my personal opinion.
Anyway.
Thanks for listening, everybody.
And a big shout out to our main kind of sources for this episode.
Again, all of Joseph Cox and Motherboard's fantastic reporting on this story, as well as a piece by
Lily Hay Newman for Wired.
We weren't able to get an interview to pepper into this one.
But that stuff was, first and foremost, just fun and interesting to read, fun to learn about.
And super useful for us getting to talk about it for you folks.
Thank you to our new patrons on Patreon since the last episode, Michael Ler and Cyberdick Tracy,
who I owe a response to your message.
Best way to support our little show, patreon.com, slash hacked podcast.
That's patreon.com slash hacked podcast.
The only Patreon promoted in the final 20 seconds of each episode.
Thanks again for listening.
Catch you in the next one.
