How secure is wickr?

Discussion in 'Security, Privacy & Anonymity' started by Robfromga, Feb 15, 2019.

  1. Robfromga

    Robfromga Member AnabolicLab.com Supporter

    I ask all this because I really don't know...
    Where's the server?
    How does the data transfer from a wireless device, to the wickr server, etc
    Can inbound/out bound traffic be monitored?
    Are these questions for @CensoredBoardsSuck ?

    I don't really use it for much . Low level stuff that isn't really sensitive .
     
    88GENERAL88 and T-Bagger like this.
  2. Iron Vett

    Iron Vett Member AnabolicLab.com Supporter

    I’m subbed. You’ve got me curious as well.
     
    Robfromga likes this.
  3. T-Bagger

    T-Bagger Member

    FAQs

    When Does Wickr Provide Law Enforcement with Details on its Subscriber Accounts?

    Wickr cooperates with law enforcement by providing information related to its users’ accounts only when properly served with legal process or in life-or-death situations.

    What Kinds of Information Does Wickr Turn Over on Those Accounts?

    Wickr can provide non-content information describing an account such as: date of its creation, the date of last use, the total number of messages sent and/or received, the type of device on which the account was created. See our Legal Process Guidelines for the full list.

    When Does Wickr Provide Law Enforcement with Subscriber Content?

    Never! Our system is designed to protect our users’ privacy such that we never have access to our users’ decrypted message content so can’t pass it on to anyone else.

    July 1, 2018 Reporting Statistics [1]

    [​IMG][1] Wickr is committed to sharing information about the requests it receives for its users’ account information. Above is a table detailing requests received for our users’ information from January 1, 2018-June 30, 2018. Our next report will present data from June 30, 2018 through December 31, 2018.

    [2] Wickr notifies users of requests for their information including providing a copy of the legal process, unless required by a non-disclosure order not to do so or when disclosure is not practicable or would not be fruitful such as when a user does not exist, a request is withdrawn, or in an emergency situation such as a missing person investigation or where there is a danger of death or serious physical injury.

    [3] “Warrants” are used to obtain information which may be similar to information available to a requestor through a subpoena or court order except that requestors often seek the content of the communications through the use of a warrant. Therefore, in order to get a warrant, law enforcement must demonstrate ‘probable cause’ to a court that the requested information evidences a crime.

    [4] “Orders” are signed by a judge and may include the following: Non-Disclosure Orders requiring us to keep private a request for users’ account information, 2703(d) Orders under the Electronic Communications Privacy Act (the federal law that regulates law enforcements’ access to customer data and content) in both civil and criminal cases, as well as Pen Register Orders which provide for real-time disclosure of non-content data.

    [5] “National Security Orders” includes orders authorized and issued under the Foreign Intelligence Surveillance Act (FISA) and National Security Letters authorized by the Stored Communications Act (SCA).

    As of the date of this report, Wickr has not received an order to keep any secrets that are not in this transparency report as part of a national security request.

    [6] “Other Requests” may include Preservation Requests, Emergency Disclosure Requests, and Civil Requests including Subpoenas. Preservation Requests are requests by law enforcement for preservation of a users’ non-content account information for up to 90 days until such time that it serves the proper legal process to receive such information. Emergency Disclosure Requests are requests from a government agency in exigent circumstances involving life or death. We review and process emergency requests upon a showing that the information provided will help save lives.

    [7] “Non-U.S. Requests” include formal legal processes deriving from foreign governments. We require that any such requests conform to the Mutual Legal Assistance Treaty (M.L.A.T.) or letters rogatory process.
     
  4. T-Bagger

    T-Bagger Member

    Wickr Messenger is a free app that provides end-to-end encryption of text, picture, audio and video messages. Senders control who can read their messages and when they expire. Encrypted messages are stored on our servers and are deleted after they are downloaded to the recipient’s device(s). We do not have plaintext copies of messages exchanged through our system or the keys to decrypt user content. We can’t read any of the messages sent through Wickr Messenger, nor do we know who our users are, or with whom they communicate.

    Contents of Communications Are Not Available
    Requests for the contents of communications require a valid search warrant from an agency with proper jurisdiction over Wickr. However, our response to such a request will reflect that the content is not stored on our servers or that, in very limited instances where a message has not yet been retrieved by the recipient, the content is encrypted data which is indecipherable.

    What Must Be Included in Account Information Requests?
    Law enforcement or government requests for user information must include:

    • Identifying information of the account for which information is requested, such as User ID or phone number (please note that phone numbers will only yield responsive information when the user has enabled ID Connection)
    • A description of information being sought
    The descriptions should be as narrow and specific as possible in order to avoid misinterpretation and/or objections for overly broad requests. Wickr will construe received requests narrowly to maintain users’ privacy and ensure that any information disclosed does not exceed the scope of the request.

    Further, Wickr requires law enforcement and/or government agencies to include the following information so that requests for user information may be validated:

    • Requesting law enforcement/government agency
    • Requesting agent name and badge/ID number
    • Valid agency e-mail address and physical return address
    • Phone number of requesting agent, including extension when applicable
    • Response due date
    • A copy of the court order, warrant, or subpoena
    Will Wickr Notify Users of Requests for Account Information?
    Wickr’s policy is to notify users of requests for their account information prior to disclosure including providing user with a copy of the request, unless we are prohibited by law from doing so or if there is danger of death or serious physical injury. As soon as legally permitted to do so, we will notify our users of requests for their information.

    What Information Does Wickr Store?
    Wickr has the following information about user accounts on Wickr Messenger:

    • Date an account was created
    • Type of device(s) on which such account was used
    • Date of last use
    • Total number of sent/received messages
    • Number of external ID’s (email addresses and phone numbers) connected to the account, but not the plaintext external IDs themselves
    • Avatar image (if user elected to provide one)
    • Limited records of recent changes to account settings such as adding or suspending a device (does not include message content or routing and delivery information)
    • Wickr version number
    Wickr has the following information about user accounts on Wickr Pro:

    • Network affiliation
    • Wickr Pro ID (email address)
    • Phone number, if provided by network administrator as a second form of authentication
    • Date an account was created
    • Type of device(s) on which an account was used
    • Date of last use
    • Total number of sent/received messages
    • Avatar image (if user elected to provide one)
    • Limited records of recent changes to account settings such as adding or suspending a device (does not include message content or routing and delivery information)
    Wickr has the following information about network administrator accounts on Wickr Pro:

    • Administrator ID (email address)
    • Network membership
    • Payment-related information
    • Network-wide settings including limited records of recent changes to network settings (i.e. enabling or disabling federation)
    For Wickr Pro, the configuration of each network may vary depending on the enterprise needs. Thus, the information Wickr may be able to provide in response to a lawful request for user information will vary as well.

    Emergency Disclosure Requests
    Wickr may provide information to law enforcement in response to a valid emergency disclosure request.

    We review emergency disclosure requests on a case-by-case basis and evaluate them under applicable law (e.g., 18 U.S.C. § 2702). If we receive information that gives us a good-faith belief that there is an exigent emergency involving the danger of death or serious physical injury to a person, we may provide information to law enforcement to prevent that harm, if we have it.

    Law enforcement officers can submit an emergency disclosure request via email:legal@wickr.com.

    Emergency disclosure requests must be on law enforcement letterhead and include all of the following information:

    • Identity of the person who is in danger of death or serious physical injury;
    • The nature of the emergency;
    • Wickr ID (user name) of the subject account(s) whose information is necessary to prevent the emergency;
    • The specific information requested and why that information is necessary to prevent the emergency;
    • The signature of the submitting law enforcement officer; and
    • Any other relevant details about the circumstances that we should take into account.
    Preservation Requests
    Upon receipt of a valid preservation request from law enforcement under applicable law, we will temporarily preserve the relevant account records for 90 days pending service of legal process. We will only disclose preserved records upon receipt of valid legal process.

    Preservation requests should be on law enforcement letterhead, signed by the requesting official, and include a valid official email address. Preservation requests may be submitted via the methods described above.

    Responding to Civil Subpoenas
    Account Content

    Federal law does not allow private parties to obtain account contents (e.g., messages, attachments, etc.) from electronic communication service providers through civil subpoenas. See the Stored Communications Act, 18 U.S.C. § 2702.

    Parties to litigation may satisfy party and non-party discovery requirements by seeking the contents of an account directly from the user.

    Wickr does not preserve account content in response to a request from a private party.

    Customer Records

    Wickr may provide customer records in response to a valid subpoena issued by a federal or California or New York court where the requested information is indispensable to the case and not already within a party’s possession. It is Wickr’s policy to give affected account holders prior notice before complying with such subpoenas.

    Parties seeking basic subscriber information must specifically identify accounts by Wickr ID.

    While electronic service is preferred, process may also be served by mail or courier to:

    Wickr Inc.
    Attn: Legal Department
    20 California street
    #250
    San Francisco, CA 94111

    If opting for electronic service, there is no need to serve duplicate hardcopy process on Wickr to the address above.

    Production of Records, Authentication
    We provide responsive records in electronic format. We reserve the right to seek reimbursement for the costs of producing records where appropriate.

    Wickr does not provide expert witness testimony. However, all substantive responses to legal process requests will be accompanied by a signed Certificate of Authenticity of Business Records, which should eliminate the need for the testimony of a custodian of records.
     
  5. T-Bagger

    T-Bagger Member

    Emergency disclosure requests must be on law enforcement letterhead and include all of the following information:

    • Identity of the person who is in danger of death or serious physical injury;
    • The nature of the emergency;
    • Wickr ID (user name) of the subject account(s) whose information is necessary to prevent the emergency;
    • The specific information requested and why that information is necessary to prevent the emergency;
    • The signature of the submitting law enforcement officer; and
    • Any other relevant details about the circumstances that we should take into account.
    How would they know of emergency situations if they can’t decrypt our messages?
     
  6. Robfromga

    Robfromga Member AnabolicLab.com Supporter

    So in other words, not secure .
     
    T-Bagger likes this.
  7. MindlessWork

    MindlessWork Member AnabolicLab.com Supporter

    Only the CONTENT (your conversations) is secure but the account info is not. If you use Wickr, I'd suggest not use it for really sensitive communications even if you set the message destruct to one day. There are other options out there for that.

    I am sure LE is familiar with Wickr and other encrypted chat apps.
     
    T-Bagger likes this.
  8. T-Bagger

    T-Bagger Member

    They seem to be talking in circles. They say the messages are held and encrypted until the recipient gets them and that there is nothing that can decrypt the messages.

    Then they say if there is a life or death situation and court order, they can intervene. How can you intervene And know if something is a life or death situation if you can’t decrypt messages?
     
    MindlessWork likes this.
  9. MindlessWork

    MindlessWork Member AnabolicLab.com Supporter

    As the conversations are encrypted Wickr doesn't have the keys to decrypt. Only your device does.
     
  10. T-Bagger

    T-Bagger Member

    So how do they know of something is a life or death situation?

    It appears to be secured according to the crap I posted and once the convos are gone, they’re gone with no way to recover them.
     
    MindlessWork likes this.
  11. MindlessWork

    MindlessWork Member AnabolicLab.com Supporter

    Yes, they are gone once the time's up (default is 6 days before the messages get deleted).
     
  12. T-Bagger

    T-Bagger Member

    And the Wickr says they cannot produce conversations, so if LE wants them, they can’t have them. Supposedly.
     
  13. MindlessWork

    MindlessWork Member AnabolicLab.com Supporter

    Exactly, according to their FAQ. LE will only get your basic account information upon presentation of a valid warrant/court order.
     
    T-Bagger likes this.
  14. T-Bagger

    T-Bagger Member

    Ok, so *technically* we’re good to use it.
     
  15. MindlessWork

    MindlessWork Member AnabolicLab.com Supporter

    Of course being smart in using it (or any other secure chat app) will be a big help.
     
  16. Robfromga

    Robfromga Member AnabolicLab.com Supporter

    If it's on the server, it can be recovered. They'd cave to a subpoena. I don't trust that it's not hackable. Secure email is much better
     
    T-Bagger likes this.
  17. grey

    grey Member AnabolicLab.com Supporter

    No sir...

    The crypto is the barrier here. The can grab the unencrypted file, but even if you attracted the NSA's attention, they won't be breaking the crypto anytime this decade.

    This is why these agencies are so interested in endpoint corruption, your endpoint decrypts for them and it becomes simple to grab the plaintext.

    This is also why politicians keep whining about mathemagically impossible "backdoors' for strong cryptosystems and also why the US loves to prosecute people for exporting strong cryptosystems.

    Secure email is not only not more secure, it is literally the same thing. Servers storing encrypted files. The crypto is the protection. Nothing else is relevant regardless of jurisdictional concerns.
     
    Logan44551 and T-Bagger like this.
  18. Robfromga

    Robfromga Member AnabolicLab.com Supporter

    But where are wickr's servers? And they have already stated they'd cooperate
     
  19. T-Bagger

    T-Bagger Member

    They will only cooperate when specific conditions are met as well as only giving them general info about the account. They can’t give the conversations.
     
    Robfromga likes this.
  20. grey

    grey Member AnabolicLab.com Supporter

    Anyone can cooperate and if your providers control the portal into which you input your private key (password) it is trivial to redirect an IP of interest (or even an account name of interest) to an altered portal that changes what happens when you type in your password to capture your key.

    Apps on a phone require somewhat more fiddling and intervention to make that happen (because the hashing is done on a portal in your hand) but can be done.

    Location is a difficult thing to rely on for security. The only actors likely to not cooperate with LE are providers residing in rogue states or Switzerland (and the Swiss cooperate more than is advertised).

    Good crypto, content deletion, account switching/deletion, etc are the real defenses.

    Politics of location are simply too subject to change.

    *edit: fucking typos.