A cryptographer who goes by the pseudonym Moxie Marlinspike reported on his blog earlier this week that Saudi telecom company Mobily recently approached him for help with intercepting encrypted data sent from mobile apps like Twitter, Viber, and others.
I learned that they are organizing a program to intercept mobile application data… The project’s requirements come from “the regulator” (which I assume means the government of Saudi Arabia). The requirements are the ability to both monitor and block mobile data communication, and apparently they already have blocking setup.

[Thoughtcrime.org]

According to Marlinspike’s email exchange with the Mobily representative, the eavesdropping initiative is part of an effort to curb communications related to terrorism. Unfortunately, a program with this kind of breadth would also result in massive privacy violations for anyone on Mobily’s network. And while Marlinspike claims their level of sophistication is pretty marginal, he also acknowledges that Mobily has enough resources to make it happen.
Their level of sophistication didn’t strike me as particularly impressive, and their existing design document was pretty confused in a number of places, but Mobily is a company with over five billion in revenue, so I’m sure that they’ll eventually figure something out. What’s depressing is that I could have easily helped them intercept basically all of the traffic they were interested in (except for Twitter—I helped write that TLS code, and I think we did it well). They later told me they’d already gotten a WhatsApp interception prototype working and were surprised by how easy it was. The bar for most of these apps is pretty low.

[Thoughtcrime.org]

Had Marlinspike not been approached, odds are nobody would ever know about this eavesdropping effort. And that’s kind of creepy. We no longer live in a world where default channels guarantee our personal data will remain private. But a good VPN can. So let this story act as a reminder to take your personal privacy and security seriously!