Transcription performed by Leah Hervoly
[START OF RECORDING]
JACK: I’m mad. I’m honestly really upset about the current state of our mobile phone options. I want privacy and security when it comes to my communication devices, and I often lie to myself and say that’s the single most important feature of a phone. I don’t want anyone eavesdropping on what I do when I’m on my phone, but the reality is, every single thing I do on my phone is being recorded and sent somewhere.
Apple collects your account information, device information, contact details, browsing history, search history, and your location. This is not privacy. On top of that, there are so many apps and websites out there that are fiendishly trying to get all my data, and the phone’s operating system could do quite a bit to stop my data from just leaking out, but they don’t do enough. Like, I can’t stand using normal text messaging anymore or a standard browser on these phones, because neither are private. But that’s all fine and good. Actually, I don’t even care if Google and Apple does that. But here’s the part where I’m mad; I’m mad that there’s no good options for privacy-focused phones out there. You can’t walk into any of the mobile phone stores and say hey, I want a phone that actually respects my privacy.
None of the mobile phone stores carry privacy-focused phones. We are currently facing [MUSIC] an all-out war, and we’re losing. The war is all about our privacy. Marketing companies want to get to know us intimately so they can run targeted ads just for you. If you have a death in the family, the OfficeMax marketing team will take note, and if you get pregnant, Target will send you coupons for baby items. But how does Target know that you’re pregnant? Well, it’s because they saw you buying unscented soaps and lotions, and yeah, they have statisticians watching your buying habits, and some stores track your phone’s Wi-Fi signals and watch where you stop and look at certain items or sections of the store.
Yes, when your purchase things at stores, they will store all the items you buy and create a whole dossier on you and your buying habits and likes and wants and desires. That’s just retail stores. There are actual adversaries that we have that are all trying to find our private information, too. It’s an all-out war. When a war like this is waged, the very last thing I want is for my own device that’s in my pocket to be on the enemy’s side. One of the first things you learn about when you’re getting into information security is the CIA triad, and this stands for confidentiality, integrity, and availability. These are the three main pillars of security, and I believe that both Android and Apple violate our confidentiality the entire time the phone is on, and sometimes even when the phone is off.
But I lie to myself when I say that privacy is the most important feature when it comes to buying a phone, because I always end up buying one of these phones that logs, collects, and sells my data instead of one that’s actually private. So, if I’m being real, features and functionalities really are the most important aspect of buying a phone for me, even though I’m so privacy-focused. But I’m still mad that there’s a lack of options out there for an actual secure phone that’s for me, one that’s stable, updated, works good, and just has some basic features that respect my privacy. There are some privacy-focused phones out there, but unfortunately these privacy-focused phones have some dark secrets.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Now, I’m not the only one out there who wants a secure phone. There’s quite a market for this type of thing, and because of that, there are companies that make private phones. One of the first popular ones to show up on the scene was a phone called Phantom Secure.
JOSEPH: Yeah. Phantom is certainly the first major one. There were others potentially slightly earlier or at least around about the same time which were particularly popular in Europe.
JACK: Oh, and for this episode, I have the legendary Joseph Cox to give us a tour of the world of encrypted phones.
JOSEPH: I’m Joseph Cox, Senior Staff Writer at Motherboard, which is the technology section of Vice.
JACK: Joseph has done amazing investigative journalism work in this area, getting deep into the world of encrypted phones. He’s spoken directly with insiders, users, he’s acquired these phones himself when he can, and he’s combed through so many court cases. He’s the perfect tour guide for this. So, what is Phantom Secure?
JOSEPH: Phantom Secure was a so-called encrypted phone firm started in the mid-aughts. All they would do, essentially, was take a BlackBerry, load it with sort of custom PGP-encrypted e-mail software, and then sell that to clients. They also introduced a feature where you can remotely wipe what was stored on the phone. Of course, we all know about Apple and iCloud, and apps like maybe the Find My phone feature or maybe wipe your phone remotely. This was more, if it lands in the wrong hands, our company will take care of it for you.
JACK: Those were the only two features. Let me say them again; a way to e-mail people securely using PGP and a way to remotely wipe the phone. That’s it. These phones couldn’t even text someone or make a phone call. In fact, Phantom Secure phones were physically modified so that wasn’t even possible.
JOSEPH: Yes, they removed the microphone, the GPS, and the camera. That’s what a lot of these companies do, and of course they vary case by case, but they do try to lock them down in some way, in both software and in hardware.
JACK: Actually, now that I think about it, I kinda like the idea of no microphone in my phone. I don’t like making phone calls, and it gives me the peace of mind that my mic can’t spy on me. Okay, but when you have a phone that has no mic or camera and the only thing you can do is e-mail someone, that should mean it’s really cheap, right?
JOSEPH: Exactly the opposite. These phones could go for anywhere between $1,000 to $2,000 to $3,000 depending on the company, and that’s for a yearly subscription to the service. These people aren’t just selling a piece of hardware or a phone; they’re also selling basically your spot in the network. If your colleagues, for lack of a better way of putting it, are using a Phantom Secure phone, well, you need to be on a Phantom Secure device as well, and you need to buy your way into that network.
JACK: Oh, yeah. Explain that a little bit more. So, could people without Phantom Secure phones communicate at all to people with Phantom Secure phones?
JOSEPH: So, originally, a lot of these companies did allow phones to communicate with each other, so maybe you’d have a Phantom device and you could communicate with – just hypothetically – another one from a company called Sky, let’s say. Eventually though, some of these companies did decide to lock each other out.
JACK: [MUSIC] Okay, so this is worse than I thought. You can’t just e-mail whomever you like. You can only e-mail other users of Phantom Secure. I wouldn’t even call this e-mail at this point; it’s just a device that has a secure way of messaging other people who have the same device.
JOSEPH: The person who created Phantom Secure was Vince Ramos. He was a business man from Canada. He worked for a phone company. Family members I spoke to earlier said that he won employee of the month awards. By all standards, he was just an upstanding guy trying to make a buck, basically. But of course, he wanted to be something of an entrepreneur and he came up with this idea for Phantom Secure, making these secure devices themselves to then sell. He starts doing this. He sells them just by word-of-mouth, really, in the Canadian nightlife scene. So, maybe VIPs would get them, some athletes, some rappers.
Apparently, according to people who sold the phones at the time, that’s what they told me. It grew from that into a larger business. So, it started as this word-of-mouth thing, but eventually it found a new market, specifically in Australia. This is just where Phantom really took off. It exploded across the country. It got introduced to organized crime elements there and they just went crazy for it. They were buying these phones, but of course, eventually Ramos realized that criminals were buying these devices, but he didn’t do anything to stop it, and that may have been his failing decision.
JACK: If privacy was my top concern, I think I would consider a phone like this. But it’s just lacking too many features for me. But let’s be clear; there’s nothing illegal about making or selling or owning a secure phone. It doesn’t even matter if criminals use it or not. I mean, criminals use iPhones, right? So, can you charge Apple with a crime? Apple has to know that there must be many criminals using their phones, right? So even if they’re aware that criminals use their product, it still isn’t illegal to sell it to them. The same with Phantom Secure; even though they were selling these encrypted phones, no police or criminal investigation was taking place to find the owner, Vince Ramos, because everything was legal, until there was a crime committed where Phantom Secure hindered the investigation.
JOSEPH: [MUSIC] One of the earliest published cases of this actually happening was where a Phantom Secure device was implicated in the assassination of somebody in a biker gang there. Law enforcement weren’t able to get information because this sort of device had been used. But as you say, selling a phone is not illegal. Making a secure communications device is not illegal. What happened though is that when investigators dug in, they found that at least some of the distributors knew that they were providing encrypted communication devices to criminal entities, individual criminals or larger organized crime groups.
JACK: So, the police discovered this Phantom Secure phone that was part of this assassination and started to investigate the company a little closer. What are these phones? Who’s selling them? Who’s buying them?
JOSEPH: Yeah, it’s Australia and then also the Canadians started to notice they were bumping into the phones as well, presumably in the local crime market, obviously where Phantom Secure and Vince Ramos were from in the country. They also encountered it, and then it seems the Americans started finding the phones themselves in their own investigations as well.
JACK: How were they encountering this?
JOSEPH: It’s usually when they will bust somebody. They will go and they will try to grab the phone. They want to gather evidence and see who else they’ve been communicating with or of course, their own incriminating texts, perhaps. They go to the phone and it’s already been wiped. Somebody has wiped it. In these cases, it’s going to have been Phantom Secure. Someone has contacted the company saying hey, my phone has been seized by the feds. Please, could you wipe it? Phantom Secure, as part of their business, offers that. At one point, the Royal Canadian Mounted Police actually went undercover and they pretended to be a drug trafficker whose phone had been seized. They said very explicitly, hi, there are discussions of drug deals on my phone; please remove them, of course showing that Phantom Secure was willing to destroy evidence, essentially.
JACK: Ah, there it is; the Canadian authorities posed as criminals, telling Phantom Secure hey look, I’ve got some criminal activity on my phone and I need you to wipe it. Can you do it? Phantom Secure was happy to do it. That means Phantom Secure knew they were destroying criminal evidence. That’s a sticky situation for them to be in. I mean, imagine you’re working at a grocery store and someone wants to buy a lighter, and they specifically tell you as you’re ringing them up that they’re gonna use this lighter to go burn the building down across the street.
Do you sell them the lighter? Because that’s what a store does; they sell lighters. Or do you refuse because they said they’re going to commit a crime with it. Perhaps a grocery store is protected in this way, but what if someone you know asks to borrow a lighter from you to burn a building down? You could be in trouble for giving them a lighter if you knew that’s what they were going to do with it. In this case, where the Canadian authorities asked Phantom Secure to delete criminals’ evidence, it’s hard to know if this was enough to prove that Phantom Secure knowingly was helping criminals.
It wasn’t enough for the Royal Canadian Mounted Police to arrest him, because years and years go by, and the company continued to operate and grow without a problem. The team was growing, too; as the phones were entering more countries, they needed more distributors to pass the phones out in those areas. Over time, more criminals were being arrested in Canada with Phantom Secure phones on them. But here’s the thing; in Canada, even if you’re selling phones to criminals and marketing it to them and you know they’re committing crimes with your devices, there isn’t a law in Canada which they would be violating.
JOSEPH: No, as far as I know, and I don’t think he was really breaking a law in Australia, either. I’ve spoken to Australian lawyers and Australian lawyers who defend people involved in the encrypted phone industry in that country, and they’ve told me this business is legal. Same in Canada. As we’ve said, the Canadians didn’t just arrest Vince Ramos there and then.
JACK: But it’s not legal to knowingly aid and help criminals in the USA. Once some phones started showing up in crime scenes in California and the US authorities started investigating the company, that’s when things started to unravel for Phantom Secure.
JOSEPH: When they saw the phones, my understanding is that one of the people implicated told them hey look, this is how we get the phones. This is how the business operates. That triggered something of a light bulb in the San Diego FBI, and then that’s when they started much more earnestly looking into Phantom Secure and in their eyes, realizing it was an actual criminal organization that they should target in and of itself.
JACK: [MUSIC] The FBI was not happy about these encrypted devices and wanted to learn more. That’s when they started investigating this company and found heaps of evidence suggesting that Vince Ramos and Phantom Secure knowingly met with buyers who would say they’re going to use the phones to commit crimes.
JOSEPH: Particularly, Phantom was not vetting its distributors or its resellers enough. So, it would give these people power to sell the phones to whoever they want, and then it would turn out there would be criminal elements buying them, right? Then when this is brought to Vince Ramos’ attention, he kind of – either he doesn’t do anything with it or unfortunately puts his fingers in his ears and sorts of – sort of turns a blind eye to the issue as well.
JACK: As more crimes were committed by people using Phantom Secure, it frustrated the authorities even more.
JOSEPH: Australia and Canada, they basically set up a plan which is that well, it’s all well and good if people say that criminals are using these phones, but we need to show that the CEO, Vince Ramos, also knows that and potentially will lean into that market as well. So, a confidential human source, a CHS, in the FBI and the DOJ’s turn of phrase, someone close to Ramos who was a distributor, convinces the CEO to come to Las Vegas for a meeting, saying I have these guys who are really, really big. They want to buy a large order of phones. So, they set up a meeting in a Las Vegas hotel suite. Vince Ramos goes in, and these drug traffickers are sat there and they’re saying, we know you removed the GPS functionality from the phone, but we have a problem with snitches, basically, right?
What if, they hypothesized, could you maybe also turn the phone into a tracking device if we needed to kill one of our snitches? They didn’t say it exactly like that; I’m paraphrasing, but when you read the transcript, that’s the quite clear context of what’s going on. Ramos doesn’t seem to really push against that idea. But the key thing that really seals Vince Ramos’ fate is when the drug traffickers say we don’t know you. We don’t know if we can trust you. Why should we trust you? In so few words. Vince Ramos says well, look, look; I know you don’t know me, but this is what I made it for. I made it exactly for this, apparently meaning drug trafficking, is how the FBI said. That was it, basically. After that quote, prosecutors and the FBI would be able to say look, he has no problem selling to drug traffickers deliberately and knowingly. They had what they needed, basically, on tape.
JACK: Around this time, it appears that Vince Ramos met with members of the Sinaloa Cartel, which is a major drug trafficking cartel in Mexico.
JOSEPH: On February 8th, 2018, it appears that Vince Ramos is just traveling for business and he’s just had a meeting. He’s sending a text message to one of his associates and he says, we are fucking rich, man. I swear, you better go fucking appreciate it. Get the fucking Range Rover, brand-new, ‘cause I just closed a lot of business. This week, man, Sinaloa Cartel; that’s what up, and my boy is Punjabi cartel. Lol. So, this text message does seemingly suggest that he met with people from the Sinaloa Cartel and either offered them phones or did sell them phones or something like that, but this is one of the key pieces of evidence that later appears in the criminal complaint against him, a screenshot of the text message.
JACK: So, by this time, the FBI has enough information to arrest Ramos. But they sort of wait a year before they do anything, perhaps to collect even more information. My theory is that the FBI wanted time to think about what to do with these encrypted phones. One option is to try to arrest Vince and take down the whole company. Another option though might be to try to find a way to infiltrate the network so they can read the messages and have a jump on criminals using it. These phones were sort of a watering hole for criminals and would be a major source of information if they could somehow get access to the messages or customer data. But eventually one of the FBI agents posed as a drug trafficker and invited Vince Ramos out to Las Vegas, Nevada to discuss business.
JOSEPH: But this time, when Ramos walked into a hotel suite, it’s – there aren’t drug traffickers waiting for him; it’s the FBI and the attorney’s office. They tell him what’s happening, obviously. We have charges ready for you, but we want to make you an offer. We want you to put a backdoor into Phantom Secure. We want to see who the customers are and what they’re saying. That is the ultimate goal here, right? They could try and take down the company, but law enforcement really wants to see what’s actually going on there so they can prosecute the end users. Vince Ramos declines. Some people I spoke to said it’s because he puts the privacy of his clients first. Others said that well, actually, he didn’t have the technical know-how to do that because that’s the CTO’s job. [MUSIC] He is more the business guy. Regardless, he refuses and doesn’t put the backdoor in.
JACK: Now, this is a part of the story which gets weird for me. Vince actually traveled to Vegas with his wife and child who were staying in another room in the same hotel. This meeting with Vince went on for a long time. They didn’t quite arrest him, and he was cooperating with them by talking openly about Phantom Secure and how the company operated. But there was something the FBI wanted and didn’t want to let him go until they got it. There were four or five agents there. Some were FBI, some were international agents. They ordered food to the room and he could use the toilet there. Vince and the FBI agents spent the entire day together, all in this hotel room.
At night, they even let him go see his wife and child and say goodnight, and then bringing him back to the room for more questioning. Eventually, Vince and a few agents fell asleep while one or two agents stood guard all night, making sure Vince didn’t leave. Then the next day, after breakfast was brought to the room, Vince was questioned more by the FBI agents. This is just so weird for me, for the FBI to question someone for days in a hotel room. Like, why not take him down to the police station and question him there? Why keep him trapped in this room without officially arresting him?
JOSEPH: I think it was because they really wanted or were hoping that this would be a more live operation. This wasn’t the end of it. This wasn’t let’s arrest him, let’s get a confession or whatever we can and let’s prosecute the guy. They were hoping, it seems, that this could live on for a little bit longer, and they needed him out. They say they did eventually get a backdoor into Phantom Secure. They needed to not raise suspicion. He needed to be out. He needed to be free to talk to people, eventually, if they did get a backdoor in.
JACK: So, the FBI continued to pressure him to give them a backdoor into Phantom Secure. I presume that they showed him the evidence that they had on him and gave him hardball-type options of like hey, look; you’re either gonna go to prison or you’re gonna let us in. Even though he wasn’t letting them in, it seemed like the FBI really wanted to get in. So, instead of arresting him and taking him to the police station, they just kept interrogating him all the way through the night into Day 3. They gave him more breaks to see his family down the hall sometimes. His wife said he looked like a ghost, and maybe this is why he was talkative and cooperative, because his wife and kids were just down the hall and he didn’t want to lose them.
The FBI continued to try to persuade him to give them some kind of access to the network. They wanted to see who the users were and any data Phantom Secure had on them, because this phone did have the remote-wipe capability, so it was able to interact with the customers’ devices in some ways. But Ramos still didn’t give them access. [MUSIC] Eventually, the interrogation went into the third night and into the fourth day. Vince fell asleep in the suite and the agents were so tired at this point, they all fell asleep at the same time, too. But Vince woke up during the night, and he got up and looked around the room, and saw everyone was asleep.
JOSEPH: When all of the agents were asleep, Ramos, he sees a moment to escape and in a seemingly quick change of heart, he flees the hotel. Embarrassingly for these agents who have been guarding and talking to this guy for days now, the guy they’ve been hunting for years has left. He’s out the door.
JACK: He stopped in one last time to say goodbye to his wife and contacted an associate who picked him up by car, and the two of them were gone. Vince immediately tried to get to Canada, and he thought he wouldn’t be able to get through airport security, so they decided to drive from Nevada all the way across the country to Washington state. When they got to Bellingham, Washington, about twenty miles from the border of Canada, Vince parted ways with his driver and was preparing his last leg to get across the Canadian border.
JOSEPH: He was on the run. He was trying to evade law enforcement for some time until eventually they caught up with him in a cafe. Apparently it was a very unceremonious scene. They spoke to the cafe owner who said that several serious men – serious-looking men came into the cafe, they seemingly saw Vince Ramos sat in the corner, they went outside, made a phone call, and then a large group of men arrived, go up to Vince, and he doesn’t fight. He just stands up, puts his hands behind his back, and he’s led into the police car. That is finally the end for him, at least.
JACK: Vince was arrested and brought to court in the US under RICO charges. RICO stands for Racketeer Influenced and Corrupt Organizations. The case hinged on whether they could prove that Phantom Secure was knowingly helping criminals. But the prosecutors had ample evidence showing that Vince knowingly sold phones to criminals and was helping support them. Vince told the judge, quote, “I would be lying if I said I wasn’t aware of what’s going on. The reality was that I turned a blind eye and didn’t want to face reality. I was making money and providing for my wife and children.” End quote.
JOSEPH: At least according to one estimate from the Royal Canadian Mounted Police in 2016, they believe that Phantom was making something like $32 million from the sale of these phones. Then eventually, I believe another estimate from the FBI was closer to $80 million in selling these devices. Vince Ramos, they bought apartments, cars, cryptocurrency as well. So, they were making a lot of money from this operation.
JACK: The courts found Vince guilty and sentenced him to nine years in prison. Not for making secure phones, but for helping criminals commit crimes with them.
JOSEPH: [MUSIC] I think he could have gotten more than that, but he did cooperate somewhat and this was his first offense. The judge even said that he appears to be a very upstanding person, a successful businessman, but he applied it to the wrong industry, ultimately.
JACK: We’re gonna take a quick break here, but stay with us because there’s more to these encrypted phones that I think you’d be interested in hearing about. So, Phantom Secure started somewhere around 2006, and the feds took it down in 2018, but Phantom Secure phones did little in the way of innovation in those twelve years, sticking mainly with secure e-mail as their main feature. As technology was exploding, people wanted secure phones that did more than just e-mail. So, in 2016, a new encrypted phone company sprung up. This one was called Encrochat.
JOSEPH: Encrochat was another encrypted phone company, but it was more clearly based on Android, and it had some of the more bells and whistles and features that Phantom was lagging behind on, so it was much more of a instant messaging platform when you used these devices. It also had a wipe functionality.
JACK: Okay, this one might be more my style. I like the idea that you can do more things with it. But now, my problem is I’ve never heard of this company. Their phones aren’t in my local mobile phone shops, and there aren’t many trustworthy reviews of the phone online. That’s because Encrochat seemed to want to get these into the hands of criminals, and they weren’t meant for widespread adoption. Encrochat phones were getting distributed in Europe and in the UK, and authorities were starting to see these phones turn up in investigations, so much that the UK police were coming up with procedures when arresting people who had Encrochat phones on them.
JOSEPH: They’ve encountered these devices and they’ve got smart to the fact that they need to deal with them very, very quickly. So, they’ll grab the Encrochat device. If it’s open, they will immediately start taking photos of the text messages, the images on there, almost manually archiving the material before it gets wiped, and then they will also put it in some sort of Faraday bag ‘cause they’re basically against the clock when it comes to, well, we don’t know if somebody has reported this phone to Encrochat – is in the hands of law enforcement and a wipe command could be coming at any time. The cops really have to act super quickly to try to grab evidence before it disappears entirely.
JACK: Criminals were using Encrochat more and more in Europe to communicate between other criminals to facilitate drug trafficking and assassination plots.
JOSEPH: The UK police, the National Crime Agency, they had been investigating Encrochat ‘cause they keep coming across these devices in their own investigations. The French police are then looking into the company as well because it turns out at least one of the servers of Encrochat is actually located in France on a – in an OVH data center. The French come up with what I think is a highly-controversial plan. [MUSIC] They decide to – rather than just try to identify the owners and shut down the company, they want to push malware to the end points, to the actual Encrochat devices themselves.
JACK: So, these Encrochat phones did receive updates to patch security issues and introduce new features, and one of the servers used to update the phones was located in France. So, the French police got a warrant to access the data center and Encrochat’s server. They got into it and made an exact copy of it, and they left the server running untouched. This was the secret mission that they didn’t want Encrochat knowing about. They took their cloned copy back to the lab to study it.
They learned how this server sends updates to Encrochat phones, and this gave them an idea. What if they could put their own update on the server that all phones would download? This could result in the French police having hooks in Encrochat phones. So, that was the plan that the French police went with. They studied this clone and figured out how the updates worked, and wrote some malware and even tested this with their clone to make sure that the phone got the updates and sent the data to the police.
JOSEPH: They figured that out, they then went back to the server, I believe, and then pushed this malicious update to the Encrochat devices.
JACK: French police were successfully able to plant malware on thousands of Encrochat users’ phones.
JOSEPH: Now, this piece of malware, it would silently send copies of the messages sent and received. It would potentially grab GPS locations, but it sort of depends on well, did this device actually have GPS? Did this one not? That sort of thing. But the main thing, of course, is that it captured message content, and that would include the username of the person who sent this message, and of course, all of the discussions about drugs and money laundering and assassinations and Bitcoin laundering as well.
JACK: What the French authorities did here is astonishing. They hacked into the servers of this company to spy on its users. [MUSIC] Well, yes, you can point out that most of the users were criminals. I still think this is controversial. Just because a company makes a privacy-focused secure phone doesn’t mean it’s just for criminals. Like I keep saying, I want a phone like this because I find the current eavesdropping done on my phone today to be disgusting. I want peace of mind knowing that my messages are not being snooped on and they are only going to who I want them to go to. There’s nothing illegal about having privacy. Yet, the French police have violated the privacy of Encrochat’s users because they thought this would give them an advantage while stopping crime.
JOSEPH: It was probably the first time that law enforcement had really infiltrated one of these companies into the content of the actual communications on a really global scale. I mean, the French, they hacked into phones everywhere, and obviously they didn’t just limit the malware distribution to inside France. They did it to all Encrochat devices around the world.
JACK: In case you were wondering how the police were able to see these secure messages, well, they had their malware on the phone itself, so when the phones send and receive messages, it has to be unencrypted so the person can read them. That’s when these messages were copied and sent to the French police. But I’ve really gotta hand it to the French police, here. This is some impressive high-tech police work; to be able to reverse-engineer how a server sends updates to phones and then create the update for it and push it out, and not just any update but a full, stealthy spyware toolkit, and then create a collection server to receive all this data captured from the phones, then to put this malware back onto the server and push it to users? This is amazing work that they did.
JOSEPH: Yeah. Exactly, pushing a malicious update, it brings up all of these arguments of well, maybe we can’t trust updates, which of course we need to do to remain secure, and of course Encrochat is an unusual case. This is not a mainstream popular consumer device, but it does still show the lengths to which law enforcement will go. I mean, here, yes, it was French law enforcement, but it appears that the law used, at least in some capacity, was a national security law and it was the military – sort of the police arm of the French military that was involved as well. So, as court cases have come out and obviously defendants have tried to get information, the French basically aren’t talking because they use the national security exemption to not release any information about the malware.
JACK: Right, yes. To this day, the French haven’t disclosed any details about how they did this, and have kept it quiet. But that’s kinda getting ahead of ourselves. When they were doing this, they had to be extremely stealthy and secretive to not tip their hands that they were in these phones, snooping on people, and it worked. [MUSIC] As soon as they pushed the malware to the phones, they immediately started seeing chat messages coming into their servers. Eventually, they would collect millions of chat messages this way. Not all of their users were French citizens.
These were chat messages from people all over the world. I think it’s pretty crazy that the French police were planting spyware on phones all over the world and collecting private messages from users who weren’t even in France. Well, the internet doesn’t have physical borders, so I can see why this is a difficult problem to solve. But reports show that the French police infected 50% of all Encrochat users worldwide, which is still thousands of users.
JOSEPH: So, the French figure out how to distribute all of these messages they’ve been getting, and without getting too technical, they have to navigate a load of European laws. We give it to the Dutch and then we give it to the British and they basically join some sort of task force or group so we can share the data. But the long and short of it is that they give the content of these messages to various law enforcement agencies around the world, and they start digging through them. The things that are immediately flagged are threats to life. If any sort of system that the cops are using detects this person may be threatened soon or may even be potentially assassinated soon, here’s information we can act on immediately, whereas the rest is more used to build up cases. I’ve seen some of these documents from Encrochat cases.
They’re not really court documents available in the public docket; they’re more available to the prosecution and the defense. But it’s extraordinary how detailed they are. There is, this person spoke to this person about this shipment of cocaine. Here’s a whole paragraph of them discussing well, we need to get our Bitcoin guy involved to launder the proceeds. Here’s another paragraph about where we’re storing the cocaine. It’s just, they were essentially looking over the shoulder of organized crime in their real time. This would be fascinating to see even if it was just a ordinary phone tap, as it used to be, but here it’s the proceeds from malware. Clearly, these people, these alleged organized criminals, thought they could speak with such impunity that they – some of them barely even used code words. It’s like, here’s the coke. Here’s all the drugs. Here is where we’re hiding it. It’s just extraordinary how blatant it is.
JACK: Still, Encrochat was unaware that their phones were infiltrated. Business and crime went on like normal, which is just what the French police wanted. But when some of the more serious crimes were being planned through these chat messages, the police in the UK started arresting some users.
JOSEPH: Operation Venetic, I think, is – they – the NCA was already doing sort of organized crime busts under that name, and then when the Encrochat data came in, I believe they put it under that umbrella as well, but hundreds of people arrested. That really follows the whole gambit of criminal hierarchy; you’ll have individual dealers and sort of mid-tier up to allegedly the higher levels as well. It’s a big thing in the UK for their gangsters to leave the country, and of course, a lot of them go to Spain which is very popular, or increasingly Dubai as well. Of course, those phones were potentially compromised as well. So, you don’t just have people on the ground in the UK being investigated by the UK police, but potentially some of the higher-tier people overseas as well.
JACK: After some arrests started happening, Encrochat suspected something was wrong and began looking at their infrastructure for clues.
JOSEPH: So, Encrochat, or the owners of Encrochat, actually discover that something odd is going on on their network. [MUSIC] They do seem to discover some sort of malicious activity, so they push out a message to their user base saying there’s been an unauthorized takeover of our domain, probably by law enforcement. We recommend that you essentially destroy your device and were exploring what to do next. I saw that message pop up on some crime blogs at the time, and then somebody else sent me the same message, and that helped verify it.
That’s when I got into the story, and I thought I’d reach out to somebody I know connected to Encrochat, and they sent a very lengthy statement. I think it was one whole page saying that we’re a legitimate company, we’re been unfairly targeted, and we’re going to see what we can do about this. We didn’t hear back from them after that. We don’t know exactly what the owners are doing now, and the French police actually said we’ve been unable to identify the owners of Encrochat. If you are that owner, please come forward. I don’t know if that person has come forward.
JACK: It just seems kind of surprising that they can’t figure out who makes these phones, because you just find well, where do I buy them? Okay, there’s this dealer. Where are you getting them from? Oh, I can’t say, or…? No, here I get it from this guy here. Then you go to that guy and say okay, who’s giving you the phones, right? You just go – you just follow the phones.
JOSEPH: Yeah. We published a piece after the shutdown with some leaked e-mails I got which do name several people involved with Encrochat. I think it names the various companies involved in the corporate structure. We didn’t name the person who is mentioned in the e-mails because of course, they could potentially face threats or harm because if they were heavily involved with Encrochat and all these people have been arrested, we don’t want to contribute or amplify that name in case of harm. But yes, I find it unlikely or doubtful that the police don’t have any sort of leads on the owners of Encrochat. I mean, if we can get e-mails about it, imagine what law enforcement can do.
JACK: So, once Encrochat discovered someone was in their network and phones, they shut the whole thing down. A few days after it was shut down, in the summer of 2020, that’s when the French police announced themselves that they’re the ones who infiltrated Encrochat. But still today, we don’t know what happened to the owners of Encrochat. But if they are arrested, it will be interesting to watch what happens, because once again, making an encrypted phone is legal. It all comes down to whether or not they knowingly were selling to criminals.
JOSEPH: I still think it’s controversial for law enforcement to deploy malware en masse, you know, and beyond their own borders. There were just so many factors at play, which is that [MUSIC] we don’t know necessarily where all of these devices are located. Maybe in this case they did, but generally speaking, you may not always know that, especially because it’s all hidden. You don’t necessarily know if all of the users of these devices are criminal in nature, and the French prosecutors admitted that later when they said that only 90% were believed to be criminal. What happened to the other 10% of people who were hacked, you know?
JACK: Oh yes, very interesting. I bet there were many legal disputes about whether this kind of data-collection was legal. Criminal cases in the US can be thrown out if the police illegally obtain evidence. So yeah, what about the people who weren’t criminals that got wrapped up in this and spied on? Do they have a case on their hands that they could claim that their privacy was violated by the police? Maybe, but citizens going up against governments like this rarely ends in favor of the citizen, and it definitely isn’t going anywhere when the person who got spied on isn’t even from France. There are more encrypted phone companies out there. Another one I find fascinating is called Sky ECC.
JOSEPH: Sky is one of these encrypted phone companies, again, which kind of tries to position itself more as a platform. They’ll have messaging and potentially other chat functions as well; your e-mail. They were particularly popular all over, really. Whenever you’re looking into these encrypted phone firms, Sky often comes up among criminal elements.
JACK: Sky’s website doesn’t look like it’s marketing to criminals. Like, it doesn’t even use a dark theme on it. It’s got a nice blue and white look, and it just feels friendly and modern. The website lists the features of the phone, saying it’s got a self-destruct messaging capability, group chat, and can even do audio messages. There’s even testimonials from customers. In no way when I look at this website do I think it’s marketed towards criminals.
JOSEPH: Yeah, a guy called Jean-Francois ran Sky. Some people call it Sky Secure, some people call it Sky Global. It sort of depends where in the world you’re buying it with all these distant distributors and agents. But the San Diego FBI, after Phantom, they start looking at Sky as well. They’re clearly highly motivated to investigate these sort of companies.
JACK: Not only was the San Diego police investigating Sky, but other European police agencies were too, because once again, these encrypted phones were showing up at crime scenes over and over. So, the police started tugging at the threads to see where these phones lead.
JOSEPH: [MUSIC] Then we start seeing some very strange stuff coming out of Europe and Belgium, more specifically, that authorities there are claiming that they’ve managed to decrypt or crack – it really depends on which translation you read, but they’ve managed to get the content of messages from Sky phones.
JACK: Whoa, the Belgian police were somehow able to see the contents of these secure messages that the Sky phone users were sending? That’s huge. How could they – how did they manage to do that? It wasn’t clear. We didn’t know. But the Belgian police were starting to make arrests of people based on messages they were seeing on the phones. In fact, the Belgian police said they intercepted 500 million messages from Sky users, and arrested forty-eight people. So, Sky began investigating to try to figure out what happened. They did not see any signs of infiltration, so they issued a statement saying it’s not possible that the police did this, and there’s no evidence of infiltration. They told their customers that they’re not working with the police in any way.
JOSEPH: But then the reporting comes out and I speak to Sky itself, actually, [MUSIC] and what they say is that somebody introduced fake Sky devices to the markets in Europe. So, these weren’t actually the quote, unquote, “real” Sky devices. They were ones that had some sort of fake or malicious app that then gathered the text messages and provided them to authorities.
JACK: The details are scarce on this, but if I were to connect the dots, I would guess that the authorities got ahold of some brand-new phones, then installed their own versions of the secure chat apps that would collect chat logs and send that to the police. These weren’t the official Sky chat apps that were supposed to be secure. Instead, it was the police’s version they made and just disguised it to look like the Sky chat apps. Then they somehow gave these phones to Sky distributors to sell to their customers. I would call this a supply chain attack.
Phones were somehow intercepted between where they were made and the customers who were buying them, which is a wild and scary attack; to think that the person you’re buying these devices from might be selling you a phone that was compromised by the police and didn’t even know it? So, if I’m putting one and one together here, Belgium said they infiltrated part of the network and arrested 160 people, and Sky is saying somebody’s putting out fake phones or fake apps to – that has some sort of malware or something on it, it sounds like the Belgian police may have been the ones who did that.
JOSEPH: Potentially, yes. But honestly, we just don’t know at this point. It’s so unclear and it’s one of the cases we probably know the least about even though it’s one of the more popular encrypted phone companies, for sure.
JACK: I think this is a sign that the police are becoming pretty sophisticated at fighting crime. The French authorities are advanced enough to be able to put malware on thousands of people’s phones, and now potentially the Belgian police are doing supply chain attacks? It’s a wild new world we’re in. Well, after this incident, the US Department of Justice indicted one of the owners of the Sky encrypted phone company, which means the DOJ believes they have enough evidence to bring this person to trial and prove they have violated RICO laws.
JOSEPH: I contact a source at the company and I say hey, can I just get a comment on this indictment? They say sorry, what indictment is that? I send them the PDF and they go silent. Clearly I was the one who told them there was this indictment against their company. We don’t speak for a little while. Eventually Jean-Francois comes out with a statement, provides it to us that they really vehemently deny the charges against the company and about him specifically, and they’re gonna fight it. According to their statement or one of the most recent ones, they are really actually gonna try and fight this in court. So, completely different to the Phantom Secure case; they’re not cooperating and really thinking that it’s an unjust charge against them.
JACK: Once again, that court case is going to hinge on one thing, whether Sky knew they were selling to criminals to help them commit crimes.
JOSEPH: Yes; the way that the US will prosecute one of these under RICO is if they can prove that Sky or anyone else sold these phones deliberately to facilitate criminal activity and knowingly did that. We honestly have no idea if the DOJ has that sort of information. I’m gonna guess the DOJ wouldn’t file an indictment based on absolutely nothing, but we have to see what evidence they have eventually, [MUSIC] and we haven’t seen that yet, and Jean-Francois is gonna fight the case, is my understanding.
JACK: So, we looked at Phantom Secure, Encrochat, and Sky ECC, but there’s so many more encrypted phone companies out there. They’re all coming and going. It’s hard to keep track of them, which means there’s no lack of wild stories that happen with these companies. Another story I find fascinating is one that comes from an encrypted phone company called Ennetcom.
JOSEPH: So, yeah, Ennetcom was one of these early encrypted phone companies that were using BlackBerries. Pretty popular at the time, especially in Europe, and this was sort of the first – for lack of a better word – takedown of an encrypted phone company that I saw and I reported on at the time. In this case, Dutch police were able to get the content of the messages which was very unusual at the time.
Eventually it came out, it appears that there was some sort of misconfiguration with how Ennetcom encrypted these communications. Authorities managed to get hold of the server, and I think it was potentially – the keys were also stored on the server, and they were able to decrypt the communications like that. So, it advertises itself as end-to-end encrypted, but that wasn’t really the case if they were able to get hold of the server and then actually obtain the contents of communications that way. It was an implementation issue, basically.
JACK: Wow, again, the European police are really blowing my mind here with their attack capabilities. To find an implementation flaw in Ennetcom’s communication network and to exploit that to be able to relay messages back to the police is really incredible work. This resulted in the Dutch police collecting and decrypting three million messages sent over Ennetcom’s devices. Ennetcom must have been furious over this [MUSIC] but were quiet about it.
JOSEPH: We didn’t hear much at all. I mean, I think the authorities, they shut down the network themselves at the time. I remember the owner of Ennetcom had some very expensive-looking lawyers when I went to their website and tried to chat to them for a bit. But no, they kind of fizzled out and they kind of faded into obscurity along with the owner. Meanwhile, everybody moves onto the other companies as well at the time. There’s still business to be done for these guys.
JACK: Yes, this is offensive operations being carried out by the police. They are actively hacking into and infiltrating networks, servers, and phones in order to collect evidence on criminals. This is way different than what I previously imagined the police were doing in regards to computers, which I thought they were doing more forensic-type computer work, trying to look through the logs of a seized device to figure out what someone did, and that’s totally different work than hacking into a network covertly, placing malware on it, and collecting user data. So, the police must have had to put a lot of time and effort and resources just into building the team which would be capable of doing this.
JOSEPH: Yeah, totally. This must be a real thorn in their side if they’re willing to contribute this time, resources, expertise to disrupting or shutting down or ultimately getting to the contents of the communications of these phones. As I mentioned, while everybody’s been looking at Facebook, Messenger, and WhatsApp, this is the real stuff that’s been going on with the organized crime people.
JACK: Clear that up for me. What do you mean? What is everyone looking at Facebook and Messenger…?
JOSEPH: Sure, so – sorry. I just mean very generally that when we have the so-called going dark debate among law enforcement and civil liberties, advocates, and just your privacy advocates, that sort of thing, a lot of the commentary is on popular consumer devices. You know, the San Bernardino Apple case where the DOJ tried to legally force Apple to unlock the phone, the case where the DOJ tried to secretly get Facebook to somehow bug an encrypted communication, and then various laws potentially impacting the security of WhatsApp. There’s a lot of discussion around that, and then more recently, a lot of stuff around child sexual abuse imagery and catching people [MUSIC] who are using consumer devices for that sort of thing.
I mean, in my opinion, the so-called going dark debate is really happening with these encrypted phones. This is where law enforcement are being very aggressive with their techniques, both in a legislative sense when it comes to RICO and using that, and in a technical sense when they’re deploying malware en masse. If we’re gonna have this conversation around what sort of access should law enforcement have to private messages, what sort of messages should be available to authorities, what’s off-limits, what’s on-limits, I don’t know what the outcome of that discussion is, and as – my place as a journalist is not really to say where it should go, but I do think that people should be including this sort of stuff in that conversation, because it’s real-world case studies of this going on.
JACK: There’s another encrypted phone company called MPC, and this one is crazy.
JOSEPH: MPC is, in my opinion, the most interesting encrypted phone company. We’ve had these stories of tech entrepreneurs or just business people deciding to make these encrypted phone firms. Maybe they want the money, maybe they care about privacy, maybe it’s a mix, whatever. Here, MPC is a company made by organized crime for organized crime.
It’s run, as we found talking to multiple sources in and around the industry, that it’s run by two serious top-tier gangsters, colloquially known as the brothers from Scotland. They deal with a lot of the drug trade going into Scotland and then obviously beyond its borders as well. They did use Ennetcom for a while, but then they decided to – well, no; we don’t want to trust our security to this company. Why don’t we make our own? They did that with MPC, but they also see an opportunity; if people want to work with us, they need to use our phones. So, they’ll sell the devices as well. It actually became a business opportunity in its own right, and actually running this company to then sell the devices to other organized criminals as well. It’s diversifying their portfolio, essentially.
JACK: Well, nobody really knew who was running it at first, but because it was run by gangsters, they conducted their business differently than the others. For instance, they didn’t like the competition that was in the encrypted phone market, so they started threatening their distributors who also sold their competitors’ phones.
JOSEPH: [MUSIC] One of the people I spoke to was threatened to be killed because they were selling a competitor’s phones in the same sort of area that MPC was also involved in. At least one person was slashed, my understanding, where you take a knife and you slash their cheeks so their mouth has a very large cut on it. That’s the sort of violence that these people were perpetrating as well as intimidating phone calls and that sort of thing.
JACK: At some point, MPC messaged Joseph out of the blue.
JOSEPH: They were asking me hey, do you do reviews of encrypted phones or anything like that? Just what anybody would do with an iPhone; you know, a sort of normal tech outlet where they send you the new iPhone and you review it or whatever. I don’t do that. That’s just not the sort of work I do. I said if you send me the phone, I’ll look at it, but I’m not going to be paid for a review, ‘cause they were offering payment and obviously that’s unethical. I said sure. They never ended up sending the phone, but they were clearly trying to establish some sort of legitimacy in the space by getting journalists or anybody else just to write what they thought about the device. I should say that the MPC did say just do an honest review or whatever, but that’s a very unusual dynamic to then – for a company you then later find out is run by top-tier organized crime.
JACK: The police started investigating MPC and they also said this is very unusual for an organized crime group to create their own encrypted phone business. But the story gets even darker after that.
JOSEPH: [MUSIC] So, one of the other ways beyond trying to get reviews from journalists that MPC was trying to get marketing was just sort of these brand deals. There’s a fairly famous former-criminal-turned-blogger-turned-sort of-journalist in Amsterdam called Martin Kok. He’s out of prison after murder convictions and he writes on his blog called Butterfly Crime. There, he makes a lot of enemies. He will name people, he will say what various crime elements are up to. There were lots of attempts on his life. You can go on YouTube and you can check out – the Dutch police showed a car bomb that was targeted against him, and it’s a truly huge explosion that they – they do a controlled explosion just to get rid of the bomb. Anyway, MPC worked with Martin for some branding. It’s like hey, just tweet some photos of you wearing this MPC shirt and the phones, and we can run adverts on your website, that sort of thing.
Eventually, MPC say well, let’s keep this business relationship going. Why don’t you meet with one of our associates? Him and the associate, they go to a sex club on the outskirts of Amsterdam. There’s CCTV footage of Martin Kok walking around with somebody down the streets of Amsterdam, and a man in a hoodie runs up behind him, puts a gun to Martin’s head, and for some reason, he – Martin isn’t shot. Maybe the guy freaks out, maybe the trigger jams or whatever, but he points the gun; it doesn’t work, and then he runs away. That’s the first attempt on his life that day. Then when they eventually leave sort of blurry-eyed from the sex club and Martin Kok is getting into his car, a man jumps from the bushes and shoots him and kills him. We were told shortly after that or some time after that that this was an assassination with the consent and the help of MPC, the phone company, and by extension, the brothers who ran that company.
JACK: Whoa. Now, that’s scary. I suppose it means you can’t trust an encrypted phone company that’s run by criminals. It also means that MPC is clearly breaking laws, while some of these other phone companies, it’s not so clear. Which, yeah, it’s going to cause them to be investigated by the police, and they’re gonna want to probably shut this company down. So, the police started investigating MPC to figure out who’s running it, and this did lead them to find out it’s being run by some known criminal brothers in Scotland, and this revealed their identities.
JOSEPH: Yes, so my source provided the name of the two brothers beforehand; James Gillespie and his brother as well. Then, the police do announce that. They announce the two names of them and their various associates as well. Later on, they arrest one of the associates in South America, I believe. But at the moment, it seems that the brothers – at least from my understanding – are still on the run. Yeah.
JACK: Ah, so they went into hiding.
JOSEPH: Yes, yeah. There’s some reporting on crime blogs that they’re also in South America, but there’s – it’s hard to say. These people may move around. These are highly-technical, highly-resourced individuals, right? I doubt they’re gonna stay in one place for too long.
JACK: But when one secure phone company goes down, it just seems like two more pop up.
JOSEPH: A constant theme with these companies is that one – once one shuts down either of their own volition or law enforcement hacks them or otherwise carry out – carries out an operation against them, these criminal users or users in general, they still need a phone, so they will go to another one. So, when Encrochat was closed, another company called Omerta did a sort of discount offer where you could either get phones cheap or buy one get one free, or something like that. Presumably, maybe some people went over to that. When Phantom shut down, a lot of the user base was absorbed by Sky, and then also by Ciphr as well. Ciphr is still going. It’s probably the biggest or at least the most established and longest-living encrypted phone company that is still going right now. But is Ciphr being investigated? Probably in some capacity, right? It’s been going on for so long that maybe they could be the next target.
JACK: There’s another encrypted phone out there that looks really promising. It’s called ANOM, kind of short for anonymous, and it has a cool dual-boot thing. Check this out; when you boot it up, it asks for a pin to unlock it. That’s normal, right? If you type it in, you see normal apps like Instagram, Facebook, Tinder, Netflix, even Candy Crush. But if you try to click on any of these apps, they just don’t work. They’re just dummy apps to make the phone look normal. What you need to do is reboot the phone, but this time enter a different pin code. When you enter the second secret pin, it unlocks access to a secret area of the phone. But there are only three apps in this secret area, and at first glance, they look boring. One is a clock and the other is a calculator. The third is device settings. The secret is to open the calculator app which then asks you for your ANOM ID and password. Once you get in there, you can send and receive encrypted messages.
This phone is slick and stealthy, and more clever than you realize. ANOM started up in I think 2019 and it was first introduced in Australia. Specifically, people who typically distributed encrypted phones were getting these and passing them around. People were slowly adopting them and using them. Eventually, they made their way into other countries. Criminals, yeah, they like these phones, and started using them. [MUSIC] But ANOM had a secret. It wasn’t what people thought it was. It was a honeypot created entirely by the FBI to snoop, spy, and gather incriminating evidence from criminals. They worked with the Australian law enforcement to spy on Australian criminals, too. But this posed some massive challenges for the FBI. What are the legalities of marketing and selling spy phones like this? How do you even create a shady underground encrypted phone company without it being so good that it goes mainstream? Clearly, the FBI wanted in Phantom Secure phones, but didn’t get in. This may have been where they got the idea.
If they can’t find a way in, they can make their own phone. This was dubbed Operation Trojan Shield in the FBI, and their ANOM phones were able to collect 27 million messages from its users. We don’t know how many arrests this resulted in, but it’s yet another incredible amount of resources that law enforcement has spent to try to infiltrate encrypted, secure phones. But man, now that we’ve taken this tour of the world of encrypted phones, I feel like I can’t trust them. In four of these stories, law enforcement infiltrated the chats. I don’t want the police reading my chats. So many of these phones seem like it’s just for criminals to use, and I don’t want that, either. I just want a secure phone that doesn’t vacuum up all my data, and I’m not a criminal; I just like privacy. There’s got to be some kind of phone out there for me.
JOSEPH: There was Silent Circle, which is of course, is a slightly different user base and that is made by Phil Zimmermann, the creator of PGP. They have this platform where you have silent text which is obviously text messages, and then if you get an encrypted e-mail or something as well, and they had the black phone. This communications platform essentially, they did try to sell to governments. I think I’ve seen some – I believe it was the US Navy contracts and that sort of thing. So, that isn’t the same sort of space, but I don’t know if criminals would gravitate towards that because they’ll see oh, it’s working with the government; then they can’t be trusted. You know, that sort of thing. So many of these criminals will be better off with a fully up-to-date iPhone or a fully up-to-date Android device if it’s a higher-tier one with Signal installed and just use that, or Wickr, or whatever.
JACK: So, Wickr and Signal, and there’s Wire, too. These are apps that you can get on your Android and Apple devices that lets you call and message people, and it uses end-to-end encryption, which means anyone in-between won’t be able to decipher the messages, including the companies of Signal, Wickr, or Wire themselves. If security and privacy is important to you, which it should be, you should move your communications to one of these apps. Signal seems to be the most popular, where you probably already have friends and family using it. [MUSIC] But what about securing the phone itself? Well, I guess we’re gonna have to go with iPhone or Android on this, but you should do things to lock it down. To start with, keep them updated. Updates fix vulnerabilities, and I think what we’ve learned in this story is that authorities will exploit vulnerabilities to gather evidence, and some of these companies just weren’t very good at securing their own infrastructure.
I mean, it sounds like Ennetcom left the keys to their server out in the open, and these little startup companies aren’t going to have the resources to properly secure their networks and devices to be able to withstand attacks from law enforcement. However, a big company like Apple and Google do have the resources to keep things secure from outsiders getting in. Now, if you’re going to get an Android device, I recommend getting the Google Pixel over the other Android phones, since Google makes the Pixel phones and the Android operating system. This means the latest security updates will be available on the Pixel first. These updates can take a long time to trickle down into other makers like Samsung or OnePlus phones. I’ve seen some phones sold in stores that are so far behind on Android updates that the software is already end-of-life on brand-new phones. So, you want to get closest to the source with Android, which is getting the Google Pixel. But one big security flaw still with these phones is SIM-swapping.
This is where criminals will call up your phone company and impersonate you to tell them to move your phone number to their phone. Once a criminal gets control of your phone number, they can get into a ton of your accounts, and it’s a horrible problem to try to figure out. So, because of this, I use an iPod Touch as my phone. Joseph actually taught me this and wrote a great article on how to do this, because the iPod touch doesn’t have a SIM card. It’s Wi-Fi only, so it’s impossible to SIM-swap me. I use a combination of Google voice and other apps to get the iPod touch to be a regular phone when it has a Wi-Fi signal, and this is what I use as my primary work phone. Honestly, the only app I use on it is Signal, which allows me to text and make calls securely using end-to-end encryption. If you want to go even deeper to lock down your phones like I do, I highly recommend the book Extreme Privacy: What It Takes to Disappear, by Michael Bazzell. This is a massive book which is all about how to secure your digital life. It’s fantastic, and I’ll have a link in the episode description if you’re interested.
(OUTRO): [MUSIC] A big thank you to Joseph Cox, senior staff writer at Vice’s Motherboard. There’s always news coming out about these encrypted phones, and Joseph is always all over it. So, you should definitely follow him on Twitter to stay updated. If you like this show, if it brings value to you, consider donating to it through Patreon. By directly supporting this show, it helps keep ads at a minimum, it helps get new people to make the show, and it tells me that you want more of it. So, please visit patreon.com/darknetdiaries and consider supporting the show. Thank you. This show is made by me, the decompiled Jack Rhysider. Editing help and sound design by the cipher-sweet Andrew Meriwether. Our theme music is by the elliptical curve known as Breakmaster Cylinder. In the future, everyone will have fifteen minutes of privacy. This is Darknet Diaries.
[END OF RECORDING]