Privacy concerns sparked by leaks about massive U.S. surveillance programs has spurred encrypted messaging services overseas that could complicate government spying efforts, experts say.
The latest effort to launch such a service was announced recently by Pirate Bay co-founder Peter Sunde and two other Swedish developers. Called Heml.is, the plan is to provide end-to-end encryption, which means messages will be encrypted on the end user devices, hiding the plaintext information from any entity collecting the data.
Whether Sunde and his partners will get Hel.is off the ground remains to be seen. The group is currently in the process of crowd-funding the project and as of Tuesday had raised roughly half of their $100,000 goal, according to its Twitter feed.
Heml.is, which means "secret" in Swedish, will not be the first encrypted messaging service that will have servers located outside the U.S. For example, the Seecrypt Group has its development and network operations based in Pretoria, South Africa.
The media attention given to Heml.is stems from Sunde's notoriety. In 2008, he and three other Pirate Bay operators were sentenced in Sweden to a year in prison for helping to make copyrighted content available through the file-sharing service.
Sunde's shift from defying copyright law to thwarting government spying raises the question of the effectiveness of such efforts, since there are times when communications should be disclosed. While people have a right to privacy, government and law enforcement should have access to email and text messaging in investigating possible terrorists and suspected criminals.
Encrypting messages is legal, but under the Communications Assistance for Law Enforcement Act (CALEA), telephone carriers and Internet service providers have to provide police with a backdoor to gather information during an investigation. The U.S. National Security Agency, which has raised a huge privacy debate in the U.S. with its PRISM surveillance program, gets more leeway in collecting data on the grounds of national security.
[Also see: NSA snooping bolsters opponents of U.S. Internet control]
Encryption can be broken, so it is no guarantee of privacy. However, depending on the technology used, decrypting the data can be extremely difficult.
"We have encryption that's good enough that no coalition of private companies or individuals are going to break it," Matthew Green, research professor in cryptography at John Hopkins University, said. "We don't know whether the NSA has those capabilities, but since they're the NSA, we assume they can do lots of stuff."
However, rather than spend money and time decrypting information, the NSA would more likely have the Federal Bureau of Investigation bug the phones or houses of suspects or plant malware in their computers, Green said.
As important as the encryption in protecting privacy is the metadata attached to communications over messaging services. That data is what's used to identify the senders and recipients, as well as the time they communicated and their location.
Companies use metadata for targeted advertising, but it is also necessary for the network to route messages from the sender to the receiver.
While there are mechanisms for hiding metadata, each has an impact on the overall user experience, William Whyte, chief scientist for Security Innovation, said.
"Protecting the contents is pretty easy; protecting the metadata is possible, but comes at a risk and with a cost," he said. "It's hard to protect metadata."
While the NSA could collect encrypted messages sent through a U.S. ISP, the metadata would belong to the messaging service. To get at the data, the agency would have to work through the legal systems of the country where the service's servers are located. The messaging provider could also choose not to store any metadata after the communications end.
"The limitation of all of these encryption systems is if you can serve that company with a national security letter or a warrant, you can get them to give up that metadata," Green said. "The nice thing about being in another country is the U.S. government can't do that."
Read more about data privacy in CSOonline's Data Privacy section.