My colleague, Jim Rapoza, is much smarter than I am. I know this because as he was completing his thoughts on The Next (and Possibly Last) Generation of Smartphones, he asked me if I would like to write something on the availability of the latest gadget for the security- and privacy-conscious (the Blackphone). Or, he said, if it would be easier he could “just interview me for a five-minute podcast”.
The reality is, I’m not smart enough to do that kind of thing off the cuff. Although I do realize that we’re living in an increasingly “low-information” society – and although I do actively participate in the cartooning of IT security – my experience has been that security- and privacy-oriented people generally have an extremely low tolerance for posers. So content can be concise and easy to absorb, but it also has to be technically accurate. And for me, that sometimes takes a while.
If you haven’t heard about the newly available Blackphone, here are some salient facts:
- Blackphone is a smartphone specifically designed “for information workers, executives, public figures, and anyone else unwilling to give up their privacy” – that is, “people who recognize a need for privacy and want a simple, secure place to start.” (The issue of personal privacy is anything but new, but in the wake of Edward Snowden it has had very high visibility lately.)
- Blackphone is the product of a partnership between Geeksphone (a Spanish smartphone manufacturer) and Silent Circle (a software provider specializing in encrypted communications).
- One of the founders of Silent Circle is Phil Zimmermann – developer of Pretty Good Privacy (PGP), survivor of a 3-year government investigation for publicly posting his encryption algorithm, and inductee of the Internet Society’s Internet Hall of Fame – which signals that it may be worth paying attention.
Blackphone’s bundled features / capabilities include:
- A “security-enhanced” version of Android, called PrivatOS
- A two-year subscription to secure voice calling, secure video calling, and secure text messaging services from Silent Circle – to enable encrypted peer-to-peer communications between your Blackphone and other devices that have installed these services
- A two-year subscription to a VPN service and an anonymizing web search capability from Disconnect – for secure wireless, private browsing and private search
- A two-year subscription to cloud-based file storage and file-sharing from SpiderOak – for secure storing, synching, sharing and accessing of personal data
- A Wi-Fi management app called Smarter Wi-Fi Manager – which disables Wi-Fi except when you are in trusted hotspots
- User control over the Blackphone’s data and services, including remote wipe
Before I can finally get around to telling you what I think, here are some interesting views that you should be aware of:
- A traditional product review of Blackphone, from Ars Technica
- The comments on Bruce Schneier’s blog – I phrase it this way, because Bruce Schneier is one of the few people who can get away with publishing a six-word blog post
- A blog from BlackBerry that tries to position the Blackphone as “consumer-grade” and “inadequate for business” – which to me signals that Blackphone is striking a chord
- A blog from Blackphone that provides a counterpoint to the BlackBerry blog
Sigh. You really do need to know all of that, before we can start to talk about what I happen to think. Jim, you can start the podcast recording now.
First – is there really a market for consumer-oriented products that are purpose-built for security and privacy? Yes – and as evidence, I would suggest that when a television show such as Doomsday Preppers enjoys some longevity, there’s a certain segment of the population that cares enough to spend their hard-earned money on it. At the same time, however, I am personally familiar with a long history of failures for products with similar value propositions. As I wrote in Two-Factor Authentication: What a Long, Strange Trip It’s Been, these include the AOL Passcode (I had one), circa 2004, and the E*TRADE Digital Security ID (I had one of these, too), circa 2005. I also have an IronKey – a USB drive with “military-grade encryption” – which has been in the market for about the same amount of time, but is still at it. (By the way, Jim, the vision that you painted in your blog is pretty much what IronKey and others have been offering for many years – except that the end-user experience is made portable on a secure USB drive, rather than strictly from the cloud.)
Second – but how big a market is it? The time-honored, simplified answer has always been that there are trade-offs between three high-level things:
- Security and privacy
- Functionality and convenience
- Total cost (including up-front cost and ongoing subscriptions)
How many consumers will value their personal security and privacy so much that they are willing to sacrifice some functionality and convenience (read the review), and also pay a premium price? Plus, it isn’t clear how much advantage is in the bundling and bundled pricing, as opposed to a la carte licensing of the specific services that we really care about.
Third – is it really more secure? This goes back to my point about the requirement to be technically accurate. Until the Blackphone hardware and PrivatOS have been reviewed and vetted by an authoritative source … until the infrastructure and services from Silent Circle and the other software providers have been evaluated and scrutinized by knowledgeable experts … then there will always be some appropriate skepticism. However, if we set our standard as “pretty good” privacy and security … and “better than off-the-shelf” … then that’s a different story.
Bottom line – the Blackphone is not for me, but I can think of several people who might like it. And that’s what innovation and the free market are all about, Charlie Brown.
For more on mobile security, read the Aberdeen report When is Enough Mobile App Security Actually Enough?