Developer’s Silence Raises Concern About Surespot Encrypted Messenger

In June 2014, I suggested Surespot Encrypted Messenger to visitors to AntiPolygraph.org as a secure means of contacting me, and I’ve been including my Surespot address (georgemaschke) in my signature block on message board posts and e-mails, as well as on AntiPolygraph.org’s contact page. Now I’m not so sure about Surespot. I fear the developer may have received a secret demand to facilitate electronic eavesdropping on Surespot users, as did Ladar Levison, who operated the now defunct Lavabit e-mail service.

Surespot is a free, open source, easy-to-use app for Android and iOS that allows users to exchange encrypted messages using public key cryptography. The source code is available on GitHub. Surespot is provided by 2fours, a small company run by Cherie Berdovich and Adam Patacchiola of Boulder, Colorado.

The Electronic Frontier Foundation’s Secure Messaging Scorecard gives Surespot relatively high marks:

EFF Secure Messaging Scorecard - Surespot

Before recommending Surespot, being cognizant of the Lavabit saga, I e-mailed Berdovich and Patacchiola to ask about any governmental demands for information, sending the following questions on 31 May 2014:

1 – Have you ever received a National Security Letter?

2 – Have you ever received a court order for information?

3 – Have you ever received any other request to cooperate with a government agency?

Berdovich replied that the “[a]nswer to all three questions is no.” Because Surespot’s website doesn’t include a warrant canary, I wrote again on 12 November 2014 asking the same three questions. Patacchiola, who programmed Surespot, replied the same day: “1 and 2, still no, 3 we have received an email asking us how to submit a subpoena to us which we haven’t received yet.”

The following day, I asked Patacchiola if he could say what agency or organization is seeking details on how to submit a subpoena. He did not reply.

In April 2015, I sent Patacchiola a similar set of questions but received no reply. I wrote again on 25 May 2015, asking:

1. Has 2fours received any governmental demand for information about any of its users?

2. Has 2fours received any governmental demand to modify the surespot client software?

3. Has 2fours received any governmental demand to modify the surespot server software?

4. Has 2fours received any other governmental demand to facilitate electronic eavesdropping of any kind?

If the answer to any of the above questions is yes, can you elaborate?

I have also attempted to contact Berdovich and Patacchiola via the Surespot app itself but have received no reply. While it’s possible that they’ve simply tired of being pestered by me about government demands for information, I don’t think that’s the case and suspect they are under a gag order.

Surespot is doubtless of interest to U.S. and British intelligence and law enforcement agencies because of its adoption by English-speaking supporters of the Islamic State. In February 2015, the U.K. Daily Mail reported that the Islamic State in Iraq and Syria (ISIS) was using Surespot to recruit British brides for jihadis:

Daily Mail - British jihadi brides groomed using messaging app

And on 26 May 2015, the U.K. 4 News ran a story heralding “Intel fears as jihadis flock to encrypted apps like Surespot”:

4 News - Intel fears as jihadis flock to encrypted apps

While Islamic State supporters may use Surespot, so too do a diverse group of people, including individuals who wish to contact AntiPolygraph.org privately. The Google Play Store indicates that the Android version of Surespot has been installed 100,000-500,000 times. It would be inappropriate for any government agency to take action that would compromise the privacy of all users of a messaging service in the course of its effort to investigate one, or a few. But that is what happened to Lavabit, the privacy-focused e-mail service used by NSA whistleblower Edward Snowden. The government secretly ordered Lavabit’s proprietor, Ladar Levison, to turn over his server’s secret key, and forbade him from telling anyone about it.[1] I fear something similar may have happened to Surespot’s Adam Patacchiola.[2]

Update (12 June 2015): The day after this post went online, on 8 June 2015, the Surespot server (server.surespot.me) experienced an outage, two references to which are to be found on Surespot’s Facebook page. Two days thereafter, on 10 June 2015, the U.S. Department of Justice filed a Statement of Facts (PDF) in U.S. v. Ali Shukri Amin that mentions the use of Surespot by the defendant, a supporter of the Islamic State in Iraq and the Levant (ISIL):

11. In or about late November or early December 2014, the defendant put RN [Reza Nikbakht] in touch with an ISIL supporter located outside the United States via Surespot in order to facilitate RN’s travel to Syria to join and fight with ISIL.

18. On January 16, 2015, an overseas ISIL supporter communicated to the defendant via Surespot that the group of ISIL supporters, including RN, had successfully crossed over into Syria.

The Statement of Facts does not specify how the Department of Justice came to know these details. Under terms of the plea agreement (PDF), Amin “agrees to provide all documents, records, writings, or materials of any kind in [his] possession or under [his] care, custody, or control directly or indirectly to all areas of inquiry and investigation.”

In addition, Amin also agrees that, at the request of the United States, he “will voluntarily submit to polygraph examinations, and that the United States will choose the polygraph examiner and specify the procedures for the examinations.”

Update 2 (26 July 2015): In a Twitter post today, information security researcher “the Grugq” reports having received confirmation that Surespot has been compromised:

Update 3 (16 September 2015): In a blog post dated 14 September 2015, its first in more than a year, Surespot claims that it “has never been compromised,” that “the privacy of all communications on our system is secure,” and that it “is not being forced to shut down or build a back door for authorities to monitor user communications.” The post does not address whether any metadata associated with the Surespot message server has been provided to authorities. Such metadata includes user names, friend relationships, conversation relationships, message timestamps, and possibly, user IP addresses.


  1. Levison contested the secret order in court, but lost. He ultimately turned over his secret key after shutting down Lavabit entirely. He was threatened with arrest for closing his own business.
  2. On 22 May 2015, the Daily Mail reported that Cherie Berdovich “left the [Surespot] organisation last summer.”

An Attempted Entrapment

In May 2013, I was the target of an attempted entrapment.[1] Whether it was a federal agent attempting to entrap me on a contrived material support for terrorism charge or simply an individual’s attempt to embarrass me and discredit AntiPolygraph.org remains unclear. In this post, I will provide a full public accounting of the attempt, including the raw source of communications received and the IP addresses involved.

As background, it should be borne in mind that a federal criminal investigation into providers of information on polygraph countermeasures, dubbed “Operation Lie Busters,” has been underway since at least November 2011, when an undercover U.S. Customs and Border Protection agent, posing as a job applicant, contacted Chad Dixon of Marion, Indiana for help on passing the polygraph. In December 2012, Dixon pleaded guilty to federal charges of wire fraud and obstruction of an agency proceeding, for which he has been sentenced to 8 months in federal prison.

Doug Williams of Norman, Oklahoma, a former police polygrapher who has been teaching people how to pass polygraph examinations for some three decades and operates the website Polygraph.com, was also the target of a sting operation and in February 2013, U.S. Customs and Border Protection executed search warrants on his home and office, seizing business records. He has been threatened with prosecution but to date has not been charged with any crime.

With this in mind, I received a most curious unsolicited communication on Saturday, 18 May 2013 from <mohammadali201333@yahoo.com>. The message was sent to my AntiPolygraph.org e-mail address <maschke@antipolygraph.org> and was titled “help help help please” (155 KB EML file). The message body was blank, but there was a PDF attachment with a short message written in Persian, the language of Iran:

I know Persian, a fact of which the writer was evidently cognizant. Here is a translation:

Greetings and respect to you, Mr. George Maschke,

I am Mohammad Aghazadeh and have been living in Iraq for five years. I am a member of an Islamic group that seeks to restore freedom to Iraq. Because the federal police are suspicious of me, they want to do a lie detector test on me. I ask that you send me a copy of your book about the lie behind the lie so that I can use it, or that you help me in any other way. I am very grateful to you.

The book to which the message refers is The Lie Behind the Lie Detector (1 MB PDF), AntiPolygraph.org’s free e-book that, among other things, explains how to pass (or beat) a polygraph “test.” Factors that made me highly suspicious about this message include:

  • Why would someone who supposedly fears the police send an unencrypted e-mail acknowledging that he’s a member of an Islamic group that is trying to change the government of Iraq?
  • Why would such a person also provide his full name and how long he’s been in the country?
  • To my knowledge, there aren’t any Iranian-backed Islamic groups seeking to “restore freedom to Iraq.” In fact, Iran and Iraq have good diplomatic relations.
  • Why did this person ask me to send a book that is freely available on-line? Note that this message didn’t ask for a “Persian edition” of The Lie Behind the Lie Detector.

I suspected the message was a likely attempt to set me up for prosecution on charges of material support for terrorism (or something similar).[2] It seemed highly unlikely that the message could be genuine. Nonetheless, about half an hour after receiving the message, I provided “Mohammad Aghazadeh” the same advice I would give to anyone accused of a crime who has been asked to take a polygraph test:

Dear Mr. Mohammad Aghazadeh,

Our advice to everyone under such circumstances is not to submit to the so-called “test” and to consult with a lawyer and comply with applicable laws.

George Maschke

Evidently, that response was not satisfactory, for the following day, Sunday, 19 May, about 24 hours after receipt of the first message, I received the following reply (11 KB EML file):

It reads:

Greetings and great respect, Mr. Maschke,
I am very grateful to you for your reply about the lie detector test.
I am not in circumstances where I can refrain from taking the test.
I saw your book on the Internet, but because I don’t know English, I wasn’t able to use it.
I will be very grateful to you if you would send me the Persian edition of it.
I don’t know how I will pass the test.
They have frightened me greatly. What am I to do????

I replied, “Unfortunately, said book has not been translated to Persian.” I have received no further communication from this person.

I Googled the e-mail address <mohammadali201333@yahoo.com> and found no mentions. Both e-mail messages originated from the same IP address: 159.255.160.115. This address traces to Arbil (also spelled Erbil), Iraq, where the United States has a consulate.

I checked AntiPolygraph.org’s server access log for the IP address 159.255.160.155, and here is what I found:

9 May 2013

08:24:48 (GMT), someone at this IP address landed on AntiPolygraph.org’s publications page after a search on Google.iq (search terms unknown) using Google Chrome under Windows NT 6.1 (Windows 7).

08:24:59 lands on home page after searching Google.iq for: george maschke antipolygraph.

08:25:37 downloads The Lie Behind the Lie Detector.

10:09:15 fetches The Lie Behind the Lie Detector a second time after searching “george counter polygraph” but this time with Firefox 2.0.0.12 under Windows NT 5.1 en-US (Windows XP 32-bit).

18 May 2013

07:04:18 Lands on home page after unknown search on Google.iq using Microsoft Internet Explorer 10 under Windows NT 6.1 (Windows 7).

07:04:41 Fetches Federal Psychophysiological Detection of Deception Examiner’s Handbook.

07:05:46 Fetches The Lie Behind the Lie Detector.

07:06:27 Fetches DoDPI Law Enforcement Pre-Employment Test Examiner’s Guide.

07:06:55 Fetches DoDPI Interview and Interrogation Handbook.

07:07:29 Fetches DoDPI Numerical Evaluation Scoring System.

11:07:04 Returns to home page using Microsoft Internet Explorer 10 under Windows NT 6.1.

11:07:08 Views recent message board posts. (Note: this action suggests the visitor is familiar with the site.)

11:08:10 Does a message board search (search terms not logged by server).

11:08:25 Searches message board again.

11:08:36 Searches message board again.

11:08:48 Searches message board again.

11:09:27 Searches Google (terms unknown) and lands on message board thread, Al-Qaeda Has Read The Lie Behind the Lie Detector.

11:10:02 Gets message board thread, Al-Qaeda Documentation on Lie Detection (which is linked early in the previous thread).

Note that both of the foregoing message threads include accusations against me of disloyalty to the United States.

11:10:34 Gets document Al-Qaeda Documentation on Lie Detection.

11:10:41 Returns to message board thread, Al-Qaeda Documentation on Lie Detection.

11:30:20 Last load of any page.

The browsing behavior documented in the server log does not suggest to me an individual who doesn’t know English. Also, the use of different web browsers and operating systems suggests to me that the IP address might belong to an organization rather than an individual.

I also found a few other visits from other nearby IP addresses (first three numerical blocks of the IP addresses are the same):

On 3 May 2013 at 10:51:20, IP 159.255.160.5 landed on an image of Tyler Buttle after searching Google.iq with an iPhone for “photo+sebel+can+sex”.

On 7 May 2013 at 18:08:25, IP 159.255.160.80 searched Google.iq for unknown terms and landed on the blog post Is Patrick T. Coffey Fit to Be Screening Police Applicants? using Firefox 20 under Windows NT 5.1 (Windows XP).

Twenty-six seconds later, at 18:08:51, the same IP moved on to the blog post Polygrapher Patrick T. Coffey Threatens Lawsuit, Demands Retraction.

I can well understand why someone in Iraq might search for sexy pictures of Sibel Can, a Turkish singer. (The searcher, who misspelled “Sibel,” must have been disappointed to find a picture of Tyler Buttle instead.) But why would anyone in Iraq be interested in Patrick T. Coffey, a private polygraph examiner based in Burlingame, California?
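The log review above (one address compared across visits, then its neighbours sharing the first three numerical blocks) can be reproduced with a short script. This is an added example, not code from the original post; the log lines are constructed to resemble the visits described and are not AntiPolygraph.org’s actual access log.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Apache/nginx "combined" log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines modelled on the visits described in the post.
SAMPLE_LOG = """\
159.255.160.155 - - [18/May/2013:07:04:18 +0000] "GET / HTTP/1.1" 200 5120 "https://www.google.iq/" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
159.255.160.155 - - [18/May/2013:07:05:46 +0000] "GET /lie-behind-the-lie-detector.pdf HTTP/1.1" 200 1048576 "https://antipolygraph.org/pubs.shtml" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
159.255.160.155 - - [09/May/2013:10:09:15 +0000] "GET /lie-behind-the-lie-detector.pdf HTTP/1.1" 200 1048576 "https://www.google.iq/search?q=george+counter+polygraph" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12"
159.255.160.80 - - [07/May/2013:18:08:25 +0000] "GET /blog/2013/patrick-coffey-screening HTTP/1.1" 200 8000 "https://www.google.iq/" "Mozilla/5.0 (Windows NT 5.1; rv:20.0) Gecko/20100101 Firefox/20.0"
203.0.113.9 - - [18/May/2013:09:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "curl/7.30.0"
"""


def parse(log_text):
    """Yield one dict per well-formed combined-format line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def neighbours(log_text, ip, prefix=24):
    """Group requests from every address in the same /prefix as `ip`, keyed by address.

    A /24 is the "first three numerical blocks" comparison used in the post.  For
    each address the result holds the hit count, the distinct user-agent strings
    (several browser/OS combinations from one address was the post's hint that
    an organisation rather than an individual sat behind it) and the referring
    hosts, which expose the search engine that led the visitor to the site."""
    net = ip_network(f"{ip}/{prefix}", strict=False)
    out = defaultdict(lambda: {"hits": 0, "uas": set(), "referer_hosts": set()})
    for rec in parse(log_text):
        if ip_address(rec["ip"]) not in net:
            continue
        entry = out[rec["ip"]]
        entry["hits"] += 1
        entry["uas"].add(rec["ua"])
        if rec["referer"] != "-":
            entry["referer_hosts"].add(re.sub(r"^https?://([^/]+).*$", r"\1", rec["referer"]))
    return dict(out)


if __name__ == "__main__":
    for addr, info in sorted(neighbours(SAMPLE_LOG, "159.255.160.155").items()):
        print(addr, info["hits"], "hits,", len(info["uas"]), "user agents,", sorted(info["referer_hosts"]))
```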

Patrick T. Coffey in Iraq
Photograph posted by Patrick T. Coffey to Facebook on 1 May 2013. The Arabic caption under the American and Iraqi flags reads: “Together We Achieve Success”

Coffey has done contract work in the Middle East before, and I wondered whether he might have been on contract in Iraq during the relevant period. Coffey lost his contract for pre-employment polygraphs with the San Francisco Police Department in the aftermath of S.F. Weekly’s reporting about bigoted and intemperate remarks he made on AntiPolygraph.org. Coffey clearly despises me, as you’ll observe from comments he posted under the nom de guerre TheNoLieGuy4U in the message thread Al-Qaeda Has Read The Lie Behind the Lie Detector. Those comments begin at page 2 and include a demand to know whether I have “personally ever translated or assisted any person in the translation of anti-polygraph materials or literature into Arabic, Farsi [Persian], or any other language?” (As if that were some sort of a crime. In fact, I haven’t.)

I was able to confirm that Coffey was indeed in Iraq for three weeks, including the relevant period when the visits to AntiPolygraph.org were made and the e-mails were sent. I called him on the morning of 26 May to ask whether he might have enlisted the aid of a Persian-speaking colleague while in Iraq in a personal effort to test and perhaps discredit me. Coffey denied any involvement with, or indeed, any knowledge of, the e-mails. He even refused to confirm that he had been in Iraq.

Coffey did volunteer that he understands from hearsay that the Department of Defense has an “open case” about me with respect to “the countermeasure question.” His implication was that it’s a criminal case. However, I have been out of the Army reserve for nine years and am not subject to the Uniform Code of Military Justice.

So was this attempted entrapment part of the U.S. government’s Operation Lie Busters, or the intrigue of a polygraph examiner with an axe to grind, or possibly a combination of both? I don’t know, but I welcome comment from any readers who might.

  1. McClatchy newspaper group investigative reporter Marisa Taylor first reported on this matter on 16 August 2013 in “Seeing threats, feds target instructors of polygraph-beating methods.” The present article explains this incident in fuller detail.
  2. I should note that an “Islamic” group is not necessarily a terrorist group, or even a militant one, though I suspect that in the sender’s mind, they are the same thing.