It is always easier to use the bold statement “we invented X” rather than a more boring “we were unsatisfied with the technologies at hand, and that is the reason we, after thorough consideration, discarded more traditional methods and made it our way”. Good for marketing, yet I think I owe our inquisitive customers a few explanations on how our technical approach is justified. At the very beginning, I was asking myself the same questions you probably would, and I have my answers ready.
Question one: isn’t using a dedicated, and rather expensive device, a failed OPSEC from the very beginning, violating the main principle to hide a leaf in the forest?
Somewhat, yes. We gave it a good thought and we explored the whole world of “typical” alternatives. Burner phones, burner SIM cards, stateless operating systems, privacy enhanced messengers like Signal and Threema, on-the-top encryption like OTR over more conventional messengers, Tor, etcetera etcetera. I use PGP and OTR over XMPP myself! But I rarely stumble upon counterparts using my approach. And here is the problem we are solving.
The more secure the solution is going to be, the worse it scales and more moving parts it has (and possible points of failure). Burner phones and SIMs are typical examples of a massive OPSEC disaster: one wrong phone call and the whole network is exposed, retroactively. Using a dedicated smartphone with no Google Play services and disabled voice calls could work, but in practice it fails as well, either because of the inability for users to recognize flawed technology (the so-called “Blackberry PGP” scam is a fine example), because of huge maintenance overhead, or because of the temptation to use your secure messenger on your main smartphone just to avoid the annoyance of having two phones at a time.
It takes two to tango. And it takes all peers involved to secure communications within a group. To make it work it is necessary to reduce the probability of human error or negligence, and the only way to do it is to leave out everything that is not absolutely necessary for the task (in our case messaging only). No apps. No voice or video. No documents, files, pictures or anything you cannot type on the keyboard. A minimal and non-persistent message history (we actively promote a “zero inbox” principle to be able to conveniently use the device). No GPS, bluetooth, NFC or wired interfaces.
Since we agreed (I hope) that burner phones and SIM cards are not an option, we are going to offer you the next best thing. Our network identities are dynamic. From the network perspective it looks like a random device.
-this article is partially censored due to recently filed patents. We expect to be able to publish Alex Smirnoff’s full article in the very near future-
We also put remarkable effort in designing every possible part of the device with “zero trust” principle. Our modem device is designed to prevent attacks originating from the cellular network and eSIM module. The computational core does not rely on modem security in any way, and crypto keys are stored in a secure enclave which is inaccessible directly from the OS running the chat applications. We applied the same principle to the software components which are microservice-based.
And we made it tamper-proof and TEMPEST-resistant.
Question two: maybe Tor itself is a red flag and it would be more wise to obfuscate the traffic as some more common protocol?
Not really. Tor gained a lot of popularity, and if we dropped it in favour of something homemade, de-obfuscation would be just a matter of time.
Question three: why no satellite connectivity? It might be cool.
Having a working satellite transmitter certainly IS a red flag. Also, transmissions are due to their strong signal easily triangulated, you need accessories to facilitate the use inside vehicles and buildings (bulky and visible), the battery life is limited and weight constraints apply.
Question four: why no fingerprint reader? It is handy and thus beneficial for overall security.
Especially for investigative journalists and their protected sources, whistleblowers, dissidents, etcetera, the risk of being identified by unique biometrics such as fingerprints and even voice (mic) or face (camera) can be very dangerous. G1 has a maximum focus on security and biometric input simply is a bad idea.
Question five: why no blockchain tech in there?
Blockchain is designed to solve a whole different problem: to archive data! Accountable, unchangeable, for ever there.. We aim to forget quickly. No metadata, no persistent identities, crypto keys are ephemeral and erased irrecoverably, etcetera etcetera.