Messaging security startups are suddenly pulling in investors – what is going on?
Encryption is turning messaging apps into 2016’s hot trend
Of all the trends worth talking about for 2016 none is surely as intriguing as the sudden and largely unnoticed rise of communication apps that use strong encryption to secure messages, voice calls, video, file transfers and even route SMS texts.
Usually marketed for communication rather than security, these apps have quietly spread in the last couple of years on the back of mobile devices, often arriving at the door of businesses as part of BYOD. The best-known mainstream example is probably Facebook’s WhatsApp messenger, unpopular in IT departments because it uses the sort of encryption that makes it difficult to monitor or counter. Worse, in late 2014 WhatsApp upgraded the app’s security another notch when it started using full end-to-end encryption from Open Whisper Systems’ respected TextSecure, the sector’s pioneering platform.
WhatsApp’s older security architecture stored the encryption keys on its servers as messages whizzed around the Internet whereas TextSecure’s public key design stores those on the devices themselves. This means that the encryption keys can’t be seized in transit making the app a worry for anyone that might want to do that, particularly for compliance. A second layer of security in TextSecure called ‘perfect forward secrecy’ means that even if one of those keys is somehow intercepted, this can’t be used to unlock any previous messages.
A curious feature of this sector is the way that until recently been it has been dominated by a small group of specialist firms that understand complicated encryption. Open Whisper Systems is one name but another is Phil Zimmermann’s Silent Circle, whose technology is embedded inside the Blackphone, a fusing of end-to-end encryption with a ‘hardened’ Android smartphone.
Zimmermann’s name alerts us to the long history of messaging and encryption. During his career he has been involved in various projects but it was his creation of an email encryption program called Pretty Good Privacy (PGP) in 1991 that put him in the history books.
PGP upset the US Government of the time, worried that allowing encryption to be used by anyone held dangers. They were right, of course, but lost the battle and a legal case against PGP’s distribution was dropped in 1997. Since then this kind of software has become a mainstay of communication in countries where free speech is frowned upon.
A quarter of a century later and the debate remains the same. People want to communicate using end-to-end encryption because it is incredibly hard to tap but not everyone is happy about that. The deeper question is why this software is taking off now and where it might be leading the world.
Increasingly, security rather than communication and convenience is becoming the important feature. In the second half of 2015 alone, several new business-oriented messaging platforms have appeared from UK-based startups, including SQR Systems, a mobile app and platform spun out of Bristol University and part funded by the UK Ministry of Defence. Another is Pryvate from a firm called Cryptique that uses servers based in Jersey while, more recently, Belfast-founded SaltDNA was handed $3 million by Atlas Ventures to move its operations to Boston to meet US demand.
Further afield there are US startups such as Symphony (formely Perzo but now backed by Google Ventures) and from the UAE, an app called Flock. These are only the prominent examples; one secure messaging startup would be interesting but this many looks like a trend.
Several forces seem to be colliding at once, starting with the way that cloud technology has given the sector a shot in the arm. The power of cloud platforms is that they scale in a way that older designs couldn’t and offload the complexity users once struggle with when using public key encryption.
Investors pumping money into the sector now believe that businesses are ready to commit. A defining moment was probably the Edward Snowden revelations in 2013. Although often analysed for its impact on personal privacy the longer-term effect has been to introduce the same worry into enterprises. If governments can spy on communications, why not criminals, competing governments or even business rivals?
The market potential of this sector could be huge. Hitherto, enterprises have based their communication security on what now look like out-of-date assumptions and a new generation of tech entrepreneurs thinks it is sitting on the solution. It’s extraordinary that the large security firms have been blindsided by this, ceding the business opportunity to what is still in many ways a startup cottage industry. But in 2016 change –and money – is in the air.