Two Navy SEALs are bringing world-class encryption to the iPhone, for everything from state secrets to celebrity selfies. But that means it can be used by criminals as well.

The first rule, former Navy SEAL Mike Janke tells me, is that you have to assume the worst: "Everything you do and say — email, text, phone — is monitored on some level." He's talking about paramilitary operations — spy stuff — but it applies just as much to a gossipy text message. A Wi-Fi sniffer can pluck emails right out of the air. Old texts linger on phones for years, waiting to be smuggled out with malware. Your cell signal is encrypted, but researchers have cracked it in as little as two hours. It rarely occurs to us as we blast out emoji, but for security professionals — a military contractor carrying sensitive information through a hotel in Hong Kong, for instance — that paranoia is a way of life. It's what professionals call an "austere communications environment," something Janke has been navigating for upwards of 10 years, first as a member of an elite SEAL team and then as a private-sector consultant. Without Pentagon-approved tech, a phone call felt too risky. Anyone at all could be listening. In short, there's a security hole — a big one. So Janke got together with a few cryptographers and built something to fix it. The result is an app called Silent Circle that offers on-board military-level encryption for phone calls, texts, email and video. When it hits the App Store next week, anyone with an iPhone and $20 a month will have a secure line at their disposal. So when Janke's paramilitary friends are traveling through hostile territories, they can call home without worrying who they're tipping off. It's not just for spies either. One of the first beta testers was Vern Abila, another ex-soldier who now splits his time between government contracts and protecting the Scarlett Johanssons of the world from embarrassing data leaks. All the recent leaks of celebrity selfies could have been stopped by an app like Silent Circle, and phone calls are even more vulnerable. "The general rule has always been, don't say something on a phone that you wouldn't say in a crowded room," Abila told me. "Silent Circle will change that."

Co-founders Mike Janke, Jon Callas, Vic Hyder and Phil Zimmermann

For the military half of the company, security isn't just for electronics. Vic Hyder, COO of Silent Circle and also an ex-SEAL, told me about his morning commute to the Special Forces' Southern Command in Homestead, Florida. He'd show ID to get onto the base, enter a code to get into the building, then swipe a card, enter another code, walk past a guard and swipe a card again to get into the safe room at the center of it all. There, three password-protected computers let him talk to just three other computers in the entire world, coordinating all Special Forces activity in South America. "You can see the steps, the layering to get to that level, to be able to talk to so few people about so little stuff," said Hyder. It's a model for the nested cryptography of Silent Circle. The "safe room" is the iPhone processor, where all the encryption happens. By the time your text leaves the phone, it's been completely encrypted, unrecoverable without the key. To keep the key safe, Silent Circle uses the ZRTP protocol, a dance of data drops and verifications that's every bit as intricate as the Southern Command's network of swipes and codes. At the end of each call, the keys are erased, so nothing can be decrypted after the fact. The result is an airtight secure line, available to anyone with an iPhone for $20 a month — roughly the cost of an unlimited texting plan. The guts of the program come from legendary cryptographer Phil Zimmermann, who released the groundbreaking PGP (Pretty Good Privacy) tool in 1991. It was the first open-source encryption tool, designed to let anti-nuclear activists plan actions without being surveilled. (It's still around, in case you need to, say, encrypt your hard drive.) But where PGP eventually became unwieldy, Silent Circle uses the app software model to streamline the program, and keep the complex protocols nearly invisible. The other secret weapon is the iPhone itself. The portable processing power lets Silent Circle encrypt everything locally, and confine all the insecure data to a single device that most iPhone users will keep on their person at all times. The simple UI conventions make Silent Circle a lot easier to use than its predecessors, almost seamless mimics of the native iPhone calling tools. If it weren't for the new icon, you might not even know the difference. One of the coolest tricks is a feature called Burn Notice that sends self-destructing texts and pictures. The relevant picture appears on your friend's phone — anything from a classified blueprint to something more Weineresque — and five minutes later, the picture burns up. There have been self-deleting message apps before (TigerText, for instance), but Silent Circle combines the service with the kind of airtight encryption protocols that are rarely been seen in the mobile world. Thanks to the closed platform and near-total data control, they can pull off a trick that's increasingly unthinkable in the modern day: unsending data. They can, in other words, un-ring the bell.

Tap to play or pause GIF Tap to play or pause GIF Silent Circle's Burn Notice feature in action, erasing a series of texts.

But here's a question: Who exactly is listening in? The answer is always delicate. Janke will tell you, if you're making a call from a Russian hotel, it could be secret police or identity thieves or would-be blackmailers who have paid off the concierge. But he's careful to never name the most obvious culprit: the U.S. Government. Warrantless domestic wiretapping is a matter of record by now, one of the few things both the Obama and Bush administrations can agree on. Last year, 1.3 million cell records were pulled by law enforcement, covering anything from stored text messages to location-tracking data. Many analysts believe the NSA caches all domestic data traffic — in other words, everything anyone sends to anyone. The legal barrier for eavesdropping has never been lower. We've learned to be comfortable with it because, for the most part, we've never had any means of escape, but Silent Circle could change that. Even pulling basic use logs from Silent Circle would be difficult, as they're stashed in privacy-friendly districts in Canada and Switzerland, with only the bare minimum of stored user data. If you're worried about court-ordered surveillance, that's essential. If you're worried about paparazzi and would-be blackmailers . . . not so much. Still, as co-founder Jon Callas put it, "We try very hard to stay away from the domestic wiretapping issue," because it can make them sound like conspiracy theorists. It also leads to dangerous places. Once you've established a secure line of communication, there's no telling who's going to use it — from cheating husbands to drug dealers and terrorists. Skeptics have been using this argument against cryptographers since the days of the telegraph — but they're not wrong. Silent Circle is just as effective at protecting the Avon Barksdales of the world as it is protecting corporate whistleblowers (like this recent case). That's a fact most cryptographers have accepted, but as they reach farther into the mainstream, it's an increasingly inconvenient one.

The project also arrives at a moment when technology has mostly outpaced wiretapping laws. CALEA, the most recent wiretapping law, was written in 1994 and wasn't written to apply to VOIP services like Skype. Law enforcement agencies have been lobbying for an update all year, but so far it's stalled in the White House. In the meantime, most VOIP companies are happy to provide transcripts related to active investigations rather than make waves. Silent Circle won't do that, and it could set up the project for a massive court battle when the law is changed. The "portable code room" model means that all the encryption happens on the iPhone, rather than leaving it to be done on an outside server. By the time the data leaves your phone it's indecipherable, and that garbled data is the only thing Silent Circle or anyone else besides your intended recipient could ever see. Because the keys to unscramble the data are deleted after every call is completed, there's no way to decode the call after the fact. All Silent Circle can do is hand over the encrypted data. That might be good enough or it might not — it depends on how the laws are written. It's a reason for Silent Circle to stay on Washington's good side, and downplay the more controversial aspects of the app. And if the company is ever called before Congress to explain exactly what they're doing, it will be two Navy SEALs talking about military contractors, instead of two cryptographers talking about anti-corporate activists. That could make all the difference in the world.

Silent Circle President Phil Zimmermann