In June 2014, I suggested Surespot Encrypted Messenger to visitors to AntiPolygraph.org as a secure means of contacting me, and I’ve been including my Surespot address (georgemaschke) in my signature block on message board posts and e-mails, as well as on AntiPolygraph.org’s contact page. Now I’m not so sure about Surespot. I fear the developer may have received a secret demand to facilitate electronic eavesdropping on Surespot users, as did Ladar Levison, who operated the now defunct Lavabit e-mail service.

Surespot is a free, open source, easy-to-use app for Android and iOS that allows users to exchange encrypted messages using public key cryptography. The source code is available on GitHub. Surespot is provided by 2fours, a small company run by Cherie Berdovich and Adam Patacchiola of Boulder, Colorado.

The Electronic Frontier Foundation’s Secure Messaging Scorecard gives Surespot relatively high marks:

Before recommending Surespot, being cognizant of the Lavabit saga, I e-mailed Berdovich and Patacchiola to ask about any governmental demands for information, sending the following questions on 31 May 2014:

1 – Have you ever received a National Security Letter? 2 – Have you ever received a court order for information? 3 – Have you ever received any other request to cooperate with a government agency?

Berdovich replied that the “[a]nswer to all three questions is no.” Because Surespot’s website doesn’t include a warrant canary, I wrote again on 12 Novembember 2014 asking the same three questions. Patacchiola, who programmed Surespot, replied the same day: “1 and 2, still no, 3 we have received an email asking us how to submit a subpoena to us which we haven’t received yet.”

The following day, I asked Patacchiola if he could say what agency or organization is seeking details on how to submit a subpoena. He did not reply.

In April 2015, I sent Patacchiola a similar set of questions but received no reply. I wrote again on 25 May 2015, asking:

1. Has 2fours received any governmental demand for information about any of its users? 2. Has 2fours received any governmental demand to modify the surespot client software? 3. Has 2fours received any governmental demand to modify the surespot server software? 4. Has 2fours received any other governmental demand to facilitate electronic eavesdropping of any kind? If the answer to any of the above questions is yes, can you elaborate?

I have also attempted to contact Berdovich and Patacchiola via the Surespot app itself but have received no reply. While its possible that they’ve simply tired of being pestered by me about government demands for information, I don’t think that’s the case and suspect they are under a gag order.

Surespot is doubtless of interest to U.S. and British intelligence and law enforcement agencies because of its adoption by English-speaking supporters of the Islamic State. In February 2015, the U.K. Daily Mail reported that the Islamic State in Iraq and Syria (ISIS) was using Surespot to recruit British brides for jihadis:

And on 26 May 2015, the U.K. 4 News ran a story heralding “Intel fears as jihadis flock to encrypted apps like Surespot”:

While Islamic State supporters may use Surespot, so too do a diverse group of people, including individuals who wish to contact AntiPolygraph.org privately. The Google Play Store indicates that the Android version of Surespot has been installed 100,000-500,000 times. It would be inappropriate for any government agency to take action that would compromise the privacy of all users of a messaging service in the course of its effort to investigate one, or a few. But that is what happened to Lavabit, the privacy-focused e-mail service used by NSA whistleblower Edward Snowden. The government secretly ordered Lavabit’s proprietor, Ladar Levison, turn over his server’s secret key, and forbade him from telling anyone about it. I fear something similar may have happened to Surespot’s Adam Patacchiola.

Update (12 June 2015): The day after this post went online, on 8 June 2015, the Surespot server (server.surespot.me) experienced an outage, two references to which are to be found on Surespot’s Facebook page. Two days thereafter, on 10 June 2015, the U.S. Department of Justice filed a Statement of Facts (PDF) in U.S. v. Ali Shukri Amin that mentions the use of Surespot by the defendant, a supporter of the Islamic State in Iraq and the Levant (ISIL):

11. In or about late November or early December 2014, the defendant put RN [Reza Nikbakht] in touch with an ISIL supporter located outside the United States via Surespot in order to facilitate RN’s travel to Syria to join and fight with ISIL. … 18. On January 16, 2015, an overseas ISIL supporter communicated to the defendant via Surespot that the group of ISIL supporters, including RN, had successfully crossed over into Syria.

The Statement of Facts does not specify how the Department of Justice came to know these details. Under terms of the plea agreement (PDF), Amin “agrees to provide all documents, records, writings, or materials of any kind in [his] possession or under [his] care, custody, or control directly or indirectly to all areas of inquiry and investigation.”

In addition, Amin also agrees that, at the request of the United States, he “will voluntarily submit to polygraph examinations, and that the United States will choose the polygraph examiner and specify the procedures for the examinations.”

Update 2 (26 July 2015): In a Twitter post today, information security researcher “the Grugq” reports having received confirmation that Surespot has been compromised:

Do not use SureSpot. It has been backdoored/broken to facilitate monitoring. I have received confirmation of this: https://t.co/LlffyxEMy3 — thaddeus e. grugq (@thegrugq) July 26, 2015

Update 3 (16 September 2015): In a blog post dated 14 September 2015–its first in more than a year–Surespot claims that it “has never been compromised,” that “the privacy of all communications on our system is secure,” and that it “is not being forced to shut down or build a back door for authorities to monitor user communications.” The post does not address whether any metadata associated with the Surespot message server has been provided to authorities. Such metadata includes user names, friend relationships, conversation relationships, message timestamps, and possibly, user IP addresses.