How Sky Global was Indicted for Selling Security

The point of security is to control your data. You get to decide who sees data and who does not. Both encryption and access control are designed to permit authorized people to access files, data, networks or devices and keep unauthorized people from getting such access. Security both enhances and enables privacy.

To the U.S. government, that’s a problem.

On March 12, 2021 a federal grand jury in San Diego indicted Canadian phone manufacturer Sky Global for developing and selling secure phones. According to the indictment, the company sold more than 70,000 specially modified Google Pixel, Blackberry or Nokia handsets. The indictment noted that the company takes these off-the-shelf devices and “removes the internal hardware/software responsible for the GPS, camera, Internet, and voice communications” and then “installs sophisticated encryption software and routes the data through encrypted server[s] located in Canada and France,” including proxy servers.

In addition to providing secure phones and encrypted networks, the indictment charges that SkyPhone initiates ongoing subscription services for their clients (at $1,200 – $2,000 for a half year subscription), and can remotely wipe or reset devices for their customers.

This is all pretty standard stuff for high-end security. You encrypt data from end to end, you locate it on a secure(d) device, you transport it through an encrypted and anonymized network, and you wipe the contents if the device falls outside your control. It’s exactly what you would want if you were a bank, hospital, cryptocurrency trader or simply a person who cared about security.

It’s also what you would want if you were a narcotrafficker, criminal or otherwise hiding from the law. The grand jury charged that Sky Global took an “ask nothing/do nothing” approach toward its clients to permit them to “have plausible deniability from the activities of their clients.”

Criminal Enterprise

The indictment next asserts that Sky Global and its customers and clients constituted a single “criminal enterprise” designed to participate in global drug trafficking, money laundering and obstruction of justice, and to – heaven forbid – promote the reputation of Sky Global, preserve Sky Global’s profits and make money. The charges attribute to the phone company all of the acts of its customers, including the idea that it was the purpose of the “enterprise” to protect “its leaders, members, and associates” from “detection, apprehension and prosecution by law enforcement.”

That is, because the customers used the phones to conceal their activities from law enforcement, this was a “purpose” of the enterprise for which the phone manufacturer is criminally liable. They also allege that the Canadian company maintained servers in Canada “[t]o stay outside the reach of law enforcement of the United States” and that they used proxy servers “to further disguise the physical locations of its servers.”

Or, in other words, they operated the way most companies operate.

Trouble for Security Vendors

Depending on the facts presented at trial, the case is either a run-of-the-mill drug conspiracy or a deeply troubling expansion of U.S. criminal law which endangers the very fabric of the information security business. If you rent fast cars, your customer can use that car as a getaway car to evade the police. If they come to you and say, “I want a car to evade the police,” and you rent them a car designed for that purpose, you run the risk of becoming part of that conspiracy or enterprise – sort of the wheel man for the robbery. You are knowingly aiding and abetting a known or anticipated crime. What’s a good ski mask for a bank robbery? Can you recommend a decent shotgun for a malicious assault? Under some circumstances, a court could even apply a “knew or should have known” standard to the sale of a legal product — a liquor store selling booze to a 21 year old, while a couple of 17 year olds hang out outside.

Either the seller of the product knows the purpose for which the product will be used and intends to further that purpose, or they know the purpose for which it will be used, and are “willfully blind” as to whether they are furthering that purpose. In fact, in October of 2018, the same prosecutor’s office successfully charged another Canadian secure phone manufacturer, Phantom Secure, with operating the same kind of transnational criminal enterprise. That may be what’s happening here.

But maybe not.

What’s missing from the indictment, and the accompanying press release, is any allegation that the owners and operators of Sky Global intended to further specific crimes by specific persons. It is not a crime to attempt to evade detection by the police, or by intelligence agencies, or by ex-spouses. The acting U.S. Attorney for San Diego noted “[t]his groundbreaking investigation should send a serious message to companies who think they can aid criminals in their unlawful activities.”

There’s a missing word there – like, “intentionally.”

The nature of security is that it keeps things from being seen, and the government wants to be able to see and hear whatever the government wants to see and hear – presumably with an appropriate warrant or court authorization, right? For years they have been complaining to Congress, regulators, courts and others about the so-called “going dark” problem — the use of commercial and other encryption products that don’t have a secret “back door” that would allow them to secretly surveil whomever they want to surveil, and threatening to make the sale or distribution of encryption software without such a back door illegal. At the same time, prosecutors have threatened to prosecute security researchers or others for disseminating “hacker tools.”

This case has potentially devastating impact on companies that sell security products or consultants that consult on security. Ring doorbell cameras can alert residents of police raids to enable them to destroy evidence in advance, or even put police lives at risk. Should Amazon be charged as a cop-killing “criminal enterprise?” Automated license plate readers and traffic cameras can be used by police to surveil citizens, or by criminals to surveil police. All security products and services – properly deployed – make it more difficult for police and intelligence agencies to do their jobs. If a protester in Shiraz uses encryption to communicate with others to avoid the scrutiny of the security police, is the manufacturer of that encryption software criminally liable in Iran for its sale? Are they liable for obstruction of the investigations and subject to arrest, prosecution and seizure?

It’s one thing if a device is “purpose built” for crime – a server designed to serve up child porn and disguise it, for example – but it is another thing altogether to go after crypto companies for the acts – known or unknown – of their customers. Most responsible security professionals would be at least hesitant to provide products or services which they have good reason to believe would further some crime.

On the other hand, many people – even those engaging in perfectly lawful activities – have good reason to conceal their communications from the police. Criminal lawyers, for example, have a duty to protect the confidentiality of communications with their clients (of course, they can’t use that to further a crime or fraud), and often use encryption tools specifically to prevent law enforcement from listening in. Those engaged in political activities may have reason to fear surveillance and data gathering. It is when the actions of the security company go beyond helping the client secure their data to helping the client commit a crime that the Rubicon is crossed. Whether the Sky Global case is such a case remains to be seen. But for now, if you ask a customer why he/she wants security and they say, “You don’t want to know,” maybe you should move to a different customer.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
