[liberationtech] Wickr - Leave No Trace

ilf ilf at zeromail.org
Thu Jun 28 01:58:08 PDT 2012


Opinions on this? Has there been any peer-review?

https://www.mywickr.com/myapp.php

The Internet is forever!  Your private communications don’t need to be. Wickr’s
mission is to provide a free and easy way for anyone to communicate securely
and Leave No Trace. 

Wickr provides:

- military-grade encryption of text, picture, audio and video messages
- sender-based control over who can read messages, where and for how long
- best available privacy, anonymity and anti-forensic features
- security that is simple to use

Wickr deletes all metadata from your pictures, video and audio files, like your
device info, your location, and any personal information captured during the
creation of those files.

We do not require you to tie an email address to your account, allowing you to
be as private and discreet as needed.

We have made this app with the best available security technology, but we
strongly encourage you to only send private messages to people you trust.

FAQs about the App:

How private are my Wickr messages?

Your messages are secured with military-grade encryption during their entire
life span. They can only be read by you and the recipients on the devices you
authorize.

For message encryption, Wickr's patent-pending 'Digital Security Bubble' relies
on both the Advanced Encryption Standard (AES) symmetric block cipher
implemented with random 256-bit keys and the asymmetric RSA-4096 algorithm.

Can Wickr read my messages? 

No. Our service merely facilitates a secure exchange between sender and
receiver. At no time is unencrypted message content stored on our servers. 

Messages are encrypted by the sending device, sent through our service and
provider networks in encrypted form, and decrypted by the receiving device. Our
servers never process or store unencrypted messages nor are they ever in
possession of the keys to decrypt them.

How anonymous am I on Wickr? 

We don't even know your username. And we don't force you to share an email
address or other personal information that could identify you to us or other
Wickr users. 

Your username, along with all other user and device information related to your
account, is irreversibly encoded with multiple rounds of salted cryptographic
hashing prior to being sent to our servers. Even we cannot determine the actual
values based on the hashed values we store.

Does Wickr log or track my communications or activity? 

Minimal logs are kept for the purpose of maintaining system continuity. None of
them contain user communications or message tracking information. 

Our logs contain no message content or tracking information related to the
delivery of messages. What little they do record contain only hashed user and
device information. Our live database contains only hashed sender and receiver
device information, and only while encrypted messages are routing through the
system. This means that we or anyone viewing the database in real time cannot
read any messages or determine which users are communicating. In fact, at a
given moment, the only way we can determine who is communicating with whom is
if we're given both usernames to start with, which amounts to simply confirming
for someone that which they already know.

What about my mobile or Internet provider, can they track my communications in Wickr? 

Your provider may be able to confirm that you are communicating with our
service, but it cannot read your messages and cannot determine with any degree
of certainty with whom you are messaging.

Regarding a provider's ability to establish with whom you are messaging, your
mobile or Internet provider may track things such as IP address allocations and
push notifications. While our indirect message delivery method may make it
extremely difficult to establish all parties to the communication, we cannot
entirely control the extent to which conjecture or inference could be drawn
through observation of data collected from outside of our network.

How strong are Wickr's anti-forensic features? 

Wickr provides the best anti-forensic privacy protection possible on the mobile
platform. 

Our anti-forensic features are specifically designed for the way mobile devices
store and access data. While running, Wickr works continuously to wipe areas of
main memory and device storage recently used to display text or multimedia
content.

-- 
ilf

More than 80 million Germans don't use a console. Don't click away!
		-- An initiative of the Federal Office for Keyboard Usage
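
The FAQ's claim that the server stores only hashed identifiers yet can confirm a pair when handed both usernames can be shown with a small model. This is an added example, not part of the original post and not Wickr's code. The hash function (PBKDF2-HMAC-SHA256), the app-wide salt, the round count, and the names `encode_id` and `Relay` are all assumptions, since the page does not describe the actual scheme.

```python
import hashlib

# Assumptions for illustration only: the page does not state Wickr's hash
# function, salt handling or round count. A lookup by hashed username needs a
# salt the client can reproduce, so a fixed app-wide salt is modelled here.
APP_SALT = b"constructed-demo-salt"
ROUNDS = 10_000


def encode_id(identifier: str) -> str:
    """Salted, multi-round hash of an identifier, computed on the device."""
    data = identifier.lower().encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", data, APP_SALT, ROUNDS).hex()


class Relay:
    """Server-side view: only hashed sender/receiver pairs, only in transit."""

    def __init__(self):
        self.in_transit = set()

    def route(self, sender_hash: str, receiver_hash: str) -> None:
        self.in_transit.add((sender_hash, receiver_hash))

    def delivered(self, sender_hash: str, receiver_hash: str) -> None:
        self.in_transit.discard((sender_hash, receiver_hash))

    def contains_plaintext(self, name: str) -> bool:
        """True if a username appears verbatim anywhere in the stored rows."""
        return any(name in field for row in self.in_transit for field in row)

    def confirm(self, sender_name: str, receiver_name: str) -> bool:
        """Given BOTH usernames, re-hash them and test for a matching row."""
        return (encode_id(sender_name), encode_id(receiver_name)) in self.in_transit


def demo() -> dict:
    relay = Relay()
    a, b = encode_id("alice"), encode_id("bob")  # constructed usernames
    relay.route(a, b)
    result = {
        "plaintext_visible": relay.contains_plaintext("alice"),
        "confirm_known_pair": relay.confirm("alice", "bob"),
        "confirm_wrong_pair": relay.confirm("alice", "carol"),
    }
    relay.delivered(a, b)  # row is dropped once the message is delivered
    result["confirm_after_delivery"] = relay.confirm("alice", "bob")
    return result


if __name__ == "__main__":
    print(demo())
```

Under these assumptions the stored rows hide the names from anyone browsing the database, but the protection rests on the usernames being unknown to the party doing the checking, which is the limit the FAQ itself states.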