From Wikipedia, the free encyclopedia
|Initial release||June 2012|
|Operating system||iOS, Android|
Wickr (pronounced "wicker") is the name of a proprietary instant messenger for iOS and Android and of the company that produces it. Wickr allows users to exchange end-to-end encrypted and self-destructing messages, including photos and file attachments.
The firm, founded in 2012, is based in San Francisco. Its co-founder and CEO, Nico Sell, has claimed “No security is 100%” but Wickr is the best currently available. In addition, the company's motto is “Leave No Trace”. Audits by the Electronic Frontier Foundation and by major security firms have given Wickr high marks for its security. Sell, who “berated an FBI agent who asked her to install a backdoor into Wickr,” reportedly “prides herself on the fact that Wickr is designed by professional cryptographers and that it knows absolutely nothing about its users.” The firm “spent years designing the most fleeting message on the market,” stated Time Magazine, noting that messages are instantly “scrambled by military-grade encryption technology” and have individual decryption keys, so that no message ever “sit[s] alongside thousands of other messages on a server with a master key.” Fortune Magazine reported in 2014 that “If a government were to approach Wickr and ask for records of conversations, Sell and her colleagues would be unable to hand them over, because the records aren’t stored.”
Wickr has been described not only as being more secure than other messaging apps, but also as being a “more user-friendly messaging app.”
After it was revealed in January 2014 that information belonging to 4.6 million Snapchat users had been stolen, Wickr experienced 50 percent growth. Inc.com suggested in July 2014 that the use of Wickr was spreading so quickly that it might “be on the verge of becoming part of the network infrastructure itself.” Sell has said that she wants “millions and billions of people to use our free service,” but Time Magazine expressed doubt in February 2014 about the potential breadth of Wickr’s appeal, stating, “Even if the rest of the world chooses to remain outside of Wickr’s walled city on a hill, it at least remains an outlet for those who crave privacy and an option for those who might one day learn to crave it the hard way.”
The "self-destruct" part of the software is designed to use a "Secure File Shredder" which the company says "forensically erases unwanted files you deleted from your device". However the company uses a proprietary algorithm to manage the data, a practice which is prone to error according to many security experts. On January 15, 2014, Wickr announced it is offering a US$100,000 bug bounty for those who find vulnerabilities that significantly impact users. In addition, a recipient can in general use other software and techniques like screen-capture capabilities or a separate camera to make permanent copies of the content.
Wickr was launched in 2012. “My co-founders and I were brought together by the very strong belief that private correspondence is a universal human right and the most important human right for the next century. In order to have a strong social system, you must have strong social discourse,” Sell told Fortune Magazine in 2014. “And that was what George Washington felt strongly about when he started the United States. Those ideals are very important.” She added: “We generally have that freedom in the U.S. even though we complain that we are living in an Orwellian state. But there are places all over the world that are even more tightly controlled than here. Everywhere, no matter where you live, you deserve the right to private correspondence. We want to give everyone that right for free, especially as billions more come online.”
Sell takes an unorthodox position on authority structure, saying that “If you do what needs to be done, the rules can be broken.” Accordingly, Wickr does not require employees to “come into the office nine-to-five. You can work from the Bahamas. I don’t care what you’re doing, as long as you get your work done. That’s the only thing that counts.”
Wickr is different from other communications apps “because we made encryption and security easy to use and transparent to the masses,” Sell told Wired in 2014. “We don't save any of your information to a server; we don't know who you are, who you're talking to or what you're saying; it's all encrypted and we don't have the keys. We are a zero knowledge system and we considered security first when developing our application.” Sell has said, “I didn't want to have a database that I had to protect….That information eventually gets out.”
Users of Wickr can set a message to remain on the app for “anywhere between three seconds and six days,” explained Max Eddy in PC Magazine, “with a configurable default lifespan in the settings.” User information is stored not directly on Wickr servers but “as a cryptographic ‘representation.’” Messages can only be read on the recipient’s device. Eddy wrote that Wickr “feels seamless and easy to use while still being secure.” Eddy described Wickr as “the best secure messenger on Android” and said that unlike other such apps, “Wickr clearly explains how the app protects your privacy.” Sell has boasted that “no power on earth” could break Wickr.
In addition to text messages, Wickr users can send pictures, video, or audio, and in the iPhone version can also send PDFs and images from cloud services. An update allows users to manipulate images in a wide variety of ways – to draw on them, crop them, superimpose text, and so on. The screenshot function is disabled in Wickr, so that messages are “safely locked within the app,” noted Eddy. “When a message arrives, it's locked and unreadable.” Messages that are unread or undelivered are automatically deleted, and cannot be recovered using digital forensics techniques. Using the File Shredder feature, users can also delete all their messages and overwrite them with junk data. Wickr is designed in such a way that even if its servers were compromised or seized by authorities, “there would be nothing intelligible to obtain.” Data is secured by AES 256 and ECDH521 encryption, as well as by RSA 4096 encryption, which as of mid 2014 was being phased out.
The Wickr system, according to Eddy, “compares cryptographic hashes of phone numbers and email addresses in order to find other users. Neither your phone number nor email address is ever in Wickr's hands.” This solution “neatly sidesteps the problem of messaging services amassing huge amounts of personal information when they copy your contact list in order to find other users.” Moreover, an update referred to as “recent” in Eddy’s July 2014 article “maintains the focus on privacy, but also rescans your address book to look for new Wickr users.” The default “black list” setting on Wickr allows a user’s device to receive messages from anyone, but the app can be switched to “white list” mode, whereby one can receive messages only from authorized contacts.
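The hash-based contact matching described above, sketched as an added illustration (not Wickr's code). The article does not say which hash function or normalization Wickr uses, so SHA-256, the normalization rules, the `Directory` class, the user ids and all sample contacts are assumptions constructed for this example.

```python
import hashlib
import re


def normalize_phone(raw, default_country="1"):
    """Reduce a phone number to one canonical +<digits> form (assumed rules)."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits
    if digits.startswith("00"):          # international prefix written as 00
        return "+" + digits[2:]
    if len(digits) == 10:                # national number, add assumed country code
        return "+" + default_country + digits
    return "+" + digits


def normalize_email(raw):
    return raw.strip().lower()


def identifier_hash(identifier):
    """Hash the canonical identifier; only this digest ever leaves the device."""
    if "@" in identifier:
        kind, canon = "email", normalize_email(identifier)
    else:
        kind, canon = "phone", normalize_phone(identifier)
    return hashlib.sha256(f"{kind}:{canon}".encode("utf-8")).hexdigest()


class Directory:
    """Server side: stores digests mapped to opaque user ids, never raw identifiers."""

    def __init__(self):
        self.by_hash = {}

    def register(self, user_id, digests):
        for d in digests:
            self.by_hash[d] = user_id

    def lookup(self, digests):
        return {d: self.by_hash[d] for d in digests if d in self.by_hash}


def discover(address_book, directory):
    """Client side: hash every local contact, ask the server, map hits back locally."""
    local = {}
    for name, identifiers in address_book.items():
        for ident in identifiers:
            local[identifier_hash(ident)] = name
    hits = directory.lookup(list(local))
    return {local[d]: user_id for d, user_id in hits.items()}


def demo():
    # Constructed sample data: two registered users, three address-book entries.
    directory = Directory()
    directory.register("u-7f3a", [identifier_hash("+1 (415) 555-0134"),
                                  identifier_hash("Alice@Example.org")])
    directory.register("u-19bc", [identifier_hash("carol@example.com")])
    address_book = {
        "Alice": ["415-555-0134"],          # same number, different formatting
        "Bob": ["bob@example.net"],         # not a registered user
        "Carol": [" CAROL@example.com "],   # same address, different case/spacing
    }
    return directory, discover(address_book, directory)


if __name__ == "__main__":
    _, found = demo()
    print(found)
```

Without the normalization step, the two spellings of the same phone number or e-mail address would hash differently and the contact would never be found.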
Asked about the danger of decryption by the NSA, Sell replied that her team at Wickr had “already made the assumption that the NSA has broken all the math. I actually don't believe they have, but we operated on that assumption and built products that could withstand the breaking of the math. We're using all open-source encryption, but we bind each message to the device, so if the NSA or anyone else were to crack a message in 50 or 200 years, they wouldn't be able to read it.” She added that in addition, “we do something else that is really unique, which is make all of our users anonymous. We also use perfect forward secrecy,” meaning that “every message or piece of data has a different key. And since every user is anonymous and every piece of data has a different key, if someone wanted to get ahold of one conversation, they would have to break millions and millions of messages. We use the same technology that the NSA uses internally, which is NSA Suite B Compliance, the standard they use for top-secret communications. But, our encryption algorithms actually exceed what they do. And though no one has known the NSA to break that encryption algorithm, if they were to succeed at it, Wickr would still be ok.”
Eddy described the “refreshed interface” of Wickr as “easier to use, with big tabs for Messages and Friends. In Messages, you see a list of all your threads with other Wickr users. From Friends, you easily start a new conversation or group chat with just a few taps. There's also a button for new messages on the Messages screen, making it easier to start chatting.” Users can also send messages via Wickr to non-users, “who will receive an email invitation to join.”
Wickr announced in January 2014 that it would pay up to $100,000 to anyone who could find a vulnerability in its app that “substantially affects the confidentiality or integrity of user data.” Inc. described the announcement as “a direct blow to Snapchat.”
Sell told Wired in 2014 that Wickr’s objective is “to bring secure, private communications to everyone and new platforms for the financial services and gaming industries.” She also stated that “Wickr's mission is to become the go-to communications platform for text, email, calling and video conferencing…. We are taking Skype head on and aim to scale quickly.” In an interview with the Financial Times, Sell stated that Wickr wished to be the “cheapest and the best” for messaging.
“Our goal as Wickr is to run all the financial transactions in the world,” Nico Sell told CNN Money in June 2014. According to CNN Money, Sell looks forward to seeing Wickr “running in the background at big banks and stock markets.” Inc.com has stated that “Wickr…has much bigger ambitions than helping people avoid the NSA: Sell wants to obliterate the business model on which the world's most powerful tech companies depend.”
In addition, Sell has told CNN that one aim of Wickr was to protect children from “the permanence of the Internet.” She has said that she “started Wickr to give her daughters a tool that would allow them to communicate safely, anonymously, with the capacity to control what information is retained on the other end.”
Wickr's developers, reported PC Magazine in July 2014, “plan to introduce in-app purchases, such as message lifespans beyond the current maximum.” “We didn't come to market until we knew we had something secure, and now we're adding usability features,” the April 2014 issue of Fast Company quoted Sell as saying. “Almost every other consumer product in the world works the opposite way. First they develop the product and all the cool things, and then they backtrack and go, ‘Oh, my gosh, we didn't think of how it could be used in ways we didn't intend.’”
Sell has said that Wickr’s “biggest challenge” is its competition with “viral growth apps,” which, she maintained, “dominate by siphoning down [users] address book and SMS history, and then spamming all [their] friends with a tricky message that gets them to download the app which does cause tremendous growth. But it’s an improper way to treat users. I refuse to siphon down everyone’s address book because I don’t want to be responsible for that information, which I know can be breached.” She said that Wickr’s growth was slower, but she believes that Wickr users “will be more loyal because we’re treating their data well.”
Sell has said that she wants Wickr “to replace Facebook and Skype—simultaneously” and “to create an entire marketplace and have thousands of apps running off Wickr software.” In addition to challenging Facebook and Skype, Wickr seeks to be an alternative to Snapchat and other free international texting tools such as WhatsApp. CNN noted in 2013 that companies like Google and Facebook “make their money on personal data which they use to sell targeted ads. They aren't invested in keeping your personal data private because it's not smart business.” Wickr’s business plan, by contrast, “isn't based on personal data. The app is free, but eventually the company will charge its power users for in-app purchases, such as paying for a message to live forever.”
In July 2014, Sell criticized Facebook for its lack of privacy. “I think instead of the word privacy, I would use the word ownership or control,” Sell said. “That issue of control for me is why I've always boycotted Facebook. Because I didn't want to give my network, my friends, my pictures to someone else to own and control for the rest of history.” She further maintained that “All the cool kids have already made the switch from Facebook….Now, when I tell people I boycott Facebook, they ask me how, and are very interested, instead of looking at me like I'm insane.”
Venture capitalist Jim Breyer, an early investor in Facebook who has since also invested in Wickr, has suggested that Wickr does not necessarily seek to compete directly with these services but “could help improve their underlying security.” He added that “what Nico is doing is extremely complementary to Facebook and how Facebook is developing its messaging strategy….There is room for what Wickr is doing to greatly enhance the effectiveness and the utility of messaging.”
Inc. noted in 2014 that while Snapchat “settled with the Federal Trade Commission after ‘deceiving’ its users into thinking their messages and data weren't retained on company servers,” Wickr offers a “perfect forward secrecy” software that “is as solid as anything out there, according to specialists who have studied it.”
Sell has said that the difference between Wickr and Snapchat “is that Snapchat took [some] college kids months to build, and Wickr took 10 very sophisticated crypto experts a year.” She has also said that Wickr’s secure file shredder “gets around a lot of the little holes found in other self-destructing apps like Snapchat. The shredder is continually running in the background, shredding anything that you put in the trash, even email.”
Bruce Schneier of CNN wrote in March 2014 that Wickr avoids the problem faced by companies that store user data, such as Lavabit, which shut down its service rather than obey a secret NSA court order to turn over its encryption key, and Microsoft, which in 2011 altered Skype “to make NSA eavesdropping easier.”
As of March 3, 2014, Wickr was processing over 1 million messages per day with recipients in 190 countries. The company said that its usage was doubling every other month. The New York Times reported on that date that after Snapchat was breached, Wickr “experienced a 50 percent bump in user sign-ups,” and that the previous week, when “security researchers began to question the security of WhatsApp,” Wickr experienced “a 600 percent jump” in usage. The Times noted that one of those who had begun using Wickr instead of WhatsApp was Amit Yoran, former head of cybersecurity at the Department of Homeland Security, who according to the Times “said he switched because of the lack of transparency around WhatsApp’s security and privacy policies.” Sell said that “From the moment we started building Wickr, we assumed we’d be attacked by the most advanced nation-states in the world….Nowadays, I think every company needs to make that assumption.”
As of July 2014, according to Wickr, one million users had downloaded the app.
CNN Money noted in July 2014 that Wickr’s automatic deletion of emails and other sensitive files should make it attractive to the finance industry, noting that while “the Securities and Exchange Commission requires accounting firms to keep their audit records for seven years,” firms often neglect to destroy those records after the seven years are up. “You have all this stuff waiting around for 10 or 15 years,” Sell told CNN, “and it becomes hazardous waste.” Among the firms interested in Wickr is CME Group, which “wouldn't say exactly how they plan to incorporate Wickr's technology into the commodity future trading that goes on at its exchanges,” although CNN noted that “there are at least two obvious uses: securing the communication that initiates millions of dollars of trades a day -- and keeping chats between stock brokers and traders secret.”
Sell has said that she expects Wickr to protect “all the financial transactions in the world” someday, and “plans to incorporate Wickr tech into servers, routers, phones--wherever it can add value.” Sell told Inc.com in July 2014 that “we have signed one of the largest gaming companies and one of the largest financial companies in the world. We are negotiating terms with at least one carrier now. That is all I can say.”
The Financial Times reported on August 25, 2014, that Wickr was “in talks with banks and major financial services companies including Markit to create an alternative to Bloomberg instant messaging.” Wickr, according to the newspaper, was working with CME Group “to create an app that will allow both chat and financial transactions between traders.” The planned app “would undercut Bloomberg while creating a more secure service which automatically deletes messages that regulators no longer require financial services to keep, removing the risk of storing information for longer than is necessary.” According to Sell, “the financial services industry could not trust the big technology companies to create a messaging service because their business is data.” Sell told FT in August that “You do not see Google or Facebook building systems this way because it is not in their interest. They are sitting on databases that they are legally obliged to sell to create value for shareholders.”
In March 2014, Bruce Schneier noted that so-called “ephemeral messaging apps” such as Snapchat and Wickr, which “advertise that your photo, message or update will only be accessible for a short period,” were increasingly popular, especially with young people, and represented “an antidote to sites such as Facebook where everything you post lasts forever unless you take it down -- and taking it down is no guarantee that it isn't still available.” Schneier described these apps as “the first concerted push against the permanence of Internet conversation.” Noting that many teenagers “systematically delete every post they make on Facebook soon after they make it,” Schneier explained that Wickr-type apps “just automate the process. And it turns out there's a huge market in that.”
“Many human rights activists and whistleblowers across the world depend on Wickr to communicate with major human rights groups,” Thor Halvorssen, president of the New York-based Human Rights Foundation, has stated. “Wickr makes it possible to envision a world where everyone enjoys privacy. This has huge implications for freedom of conscience and freedom of expression, let alone human rights monitoring and activism.” Halvorssen noted that he communicates “with a lot of people in places where they're tracking everything we're doing,” and said that he was introduced to Wickr by a “Tunisian guy” and soon realized: “This is awesome.” Halvorssen, who ended up investing in Wickr, said: “Viber, Skype, WhatsApp, email--all those platforms are penetrated….I see it every day. The Venezuelan state television plays people's Skype conversations on TV!”
A December 2012 article at the PBS website entitled “Data Security 101 for Journalists” cited Wickr as a key tool for secure communications. A 2013 article reported that “anecdotal evidence suggests the app is used by human rights activists, lawyers, and journalists.”
PC Magazine named Wickr an “Editors' Choice for Android secure messaging.” Max Eddy of PC Magazine described Wickr as “a fantastic service for sending secure, ephemeral messages” and said that despite its “security first” emphasis, “Wickr is easy enough to use for your everyday messaging.” Wickr was also named “best overall messaging app” by PC Magazine, beating WhatsApp, Snapchat and Google.
Wired compared Wickr favorably with its chief competition, Snapchat, stating that the latter had proved in early 2014 “to be neither self-destructing, nor all that secure,” while Wickr, by contrast, promised “military-grade encryption.” According to Wired, Wickr's security “exceeds the compliancy the NSA demands of its own secret communications.”
It was reported on January 28, 2014, that in its latest round of funding, Wickr had “raised $30 million from a band of investors that included CME Group (CME), which runs the Chicago and New York mercantile exchanges.”
On March 3, 2014, Wickr announced that it had completed a round of funding that brought in $9 million. The funding was led by Gilman Louie of the venture firm Alsop Louie Partners. Gilman Louie was the former CEO of the CIA’s venture arm, In-Q-Tel. Other investors include Thor Halvorssen, president of the Human Rights Foundation; Juniper Networks; the Knight Foundation; and former U.S. government counter-terrorism expert Richard A. Clarke. Wickr said that it planned “to use the new capital to continue to develop its standalone messaging app as well as further its business model,” which included “a pro version of the app for power users.” It also suggested the possibility of licensing its encryption technology to “third-party groups.” The new round of investors also included Steven Bestalel, Eileen Burbidge, Gerhard Eschelbeck, John Hering, Paul Kocher, Jeff Moss, Mark Patterson, Terren Peizer, Shawn Rubin, Adrian Steckel, Joel Wallenstrom, Amit Yoran, the venture capitalist Jim Breyer, and the firm Wargaming, a developer of online games.
Wickr is one of a small number of service providers that have issued “warrant canaries.” A warrant canary is a method by which a communications service provider informs its users that the provider has not been served with a secret United States government subpoena. Wickr’s warrant canary reads as follows: “As of the date of this report, Wickr has not been required by a FISA request to keep any secrets that are not in this transparency report as part of a national security order.”
Andrea London and Kyle O'Meara of the forensics firm Stroz Friedberg “studied how Snapchat, Facebook Poke and Wickr store data on iPhones and Android phones to see how much information the apps leave behind,” and presented their findings at Def Con in Las Vegas in August 2013. The only one of the apps that passed the test was Wickr, which appeared to keep its promise to “leave no trace.” “They claim to use this high-level encryption, and from what I saw during my analysis, there were, as we would say as forensics, no artifacts left behind,” O'Meara said. “They're doing what they say they're doing.”
In a 2013 report on Wickr, Veracode gave it a “high” mark for what it called its “assurance level” and commented: “In its reviewed state, the Wickr met or exceeded the security score outlined in the Veracode Risk Adjusted Verification Methodology for an application at the assurance level specified above.”
Aspect Security, Inc., was engaged by Wickr to conduct an Application Security Assessment of the Wickr iOS, Android, Desktop Client, and Server applications in July 2014. “Aspect's team spent 240 hours and used a combination of automated tools, source code analysis, manual penetration testing, and conversations with development project staff to search for missing, broken, and improperly used application security controls. In addition, the Aspect team examined the cryptographic architecture and implementation to identify any security weaknesses that would allow Wickr or a third party to gain access to unencrypted user messages.” Aspect concluded that Wickr’s applications evinced “strong, layered security controls” and “competent use of strong cryptographic algorithms,” and that there were “no weaknesses in the latest version of Wickr software that would allow Wickr or a third party to gain access to unencrypted user messages.”
In 2014, the security firm iSEC Partners tested two assertions about Wickr, namely that it provided “Strong End-to-End Encryption” and that it contained “No Backdoors,” and concluded that both assertions were true.
A 2014 report by the Electronic Frontier Foundation that graded service providers on their protection of user data from government requests gave Wickr a score of 5/6 on the following criteria: “Requires a warrant for content,” “Tells users about government data requests,” “Publishes transparency reports,” “Publishes law enforcement guidelines,” “Fights for users' privacy rights in courts,” and “Fights for users’ privacy rights in Congress.” It was noted that it had not received a score of 6/6 which requires defending users in court; however Wickr has not had this opportunity.