exceptional encryption for everyone

Monday, September 14, 2015

Never Compromised


surespot is Today's Safest and Most Secure Private Messaging Tool.

Period.


We want to address recent inquiries from reporters and tech news journalists concerning the status of surespot as a company and technology.

As a start-up company with a lean team focused on new development and app improvements, we are focusing our time and energies on providing the most secure private messaging tool on the market today.

We have read every email and are unable to respond to each individually.

We hope the following provides greater clarity.

surespot has never been compromised


The privacy of all communications on our system is secure. The app operates and functions as it was designed to.

surespot is not being forced to shut down or build a back door for authorities to monitor user communications.

There is no Backdoor


surespot protects your privacy and security to the fullest extent possible. We employ proven technology and use the most secure methods of cryptography available today. User accounts are created with no personal information requirements and are not associated with an email address or phone number.

Personal information is not needed, nor do we want it.

Collecting and storing personal information puts a company at risk as they are responsible for protecting that information, particularly in the space of privacy technologies.

One example is what happened to the encrypted webmail service, Lavabit LLC, which suspended its operations on August 8, 2013 after the US government ordered them to turn over their Secure Sockets Layer (SSL) private keys.

Surespot will never be in a similar situation for two main reasons:
  1. We don’t collect any personal information that can reveal an individual’s identity, nor does the solution have any technical means of deciphering encrypted communications between users. Therefore, with nothing existing about our users, there is nothing we can provide to an outside agency that can be used to incriminate them, even if legally compelled. The surespot solution was created to avoid these problems altogether, and so will never have to face this ethical conundrum.
  2. We don’t have your private keys, which only reside on your personal device. Companies that store keys ultimately face a tough ethical decision when they are compelled by law enforcement to relinquish them.

The code implemented to establish a private and secure communication mechanism uses the Elliptic Curve Diffie-Hellman (ECDH) protocol to establish a shared secret over an insecure channel.

This means that communications are fully end-to-end encrypted and we do not hold the keys. Therefore, from a technical standpoint, we have no ability to view, decipher or see the plain text of any user data as it is exchanged between devices.

To verify there is no man-in-the-middle (MITM) attack, a user can always compare key fingerprints with their contact by simply pressing and holding down on the user name of interest and selecting “view key fingerprints.” This brings up a list of hexadecimal letters and numbers that represent a fingerprint of the keys that can be compared with those viewed by your contact. This essentially takes the server out of the equation as the key fingerprints would not match if there was a MITM backdoor in place.
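The following sketch is an added example, not surespot's code: it runs an ECDH exchange through a relay standing in for the server and shows why the out-of-band fingerprint comparison described above detects a key substitution. The curve (`secp521r1`), the SHA-256 fingerprint format and all function names are assumptions made for the illustration.

```javascript
// Added illustration, not surespot's code. The curve, hash and fingerprint
// format are assumptions; the page only says ECDH and hexadecimal fingerprints.
const crypto = require('crypto');
const CURVE = 'secp521r1'; // assumed curve

function newIdentity() {
  const ecdh = crypto.createECDH(CURVE);
  ecdh.generateKeys(); // the private key never leaves this object (the "device")
  return ecdh;
}

// Assumed format: SHA-256 over the raw public key, shown as hex.
function fingerprint(publicKey) {
  return crypto.createHash('sha256').update(publicKey).digest('hex');
}

// A relay models the server: deliver(key) returns what the recipient receives.
const honestRelay = { deliver: (key) => key };

// A relay that substitutes its own key: the MITM case the page describes.
function substitutingRelay() {
  const own = newIdentity();
  return {
    deliver: () => own.getPublicKey(),
    secretWith: (peerKey) => own.computeSecret(peerKey),
  };
}

function runExchange(relay) {
  const alice = newIdentity();
  const bob = newIdentity();
  const keyAliceSees = relay.deliver(bob.getPublicKey());
  const keyBobSees = relay.deliver(alice.getPublicKey());
  const aliceSecret = alice.computeSecret(keyAliceSees);
  const bobSecret = bob.computeSecret(keyBobSees);
  return {
    // true only when both devices derived the same secret with each other
    endToEnd: aliceSecret.equals(bobSecret),
    // true when the relay can derive the secret Alice is encrypting under
    relayHoldsSecret: relay.secretWith
      ? relay.secretWith(alice.getPublicKey()).equals(aliceSecret) : false,
    // what the two users compare out of band: real key vs. key received
    fingerprintsMatch:
      fingerprint(bob.getPublicKey()) === fingerprint(keyAliceSees) &&
      fingerprint(alice.getPublicKey()) === fingerprint(keyBobSees),
  };
}

console.log('honest relay      ', runExchange(honestRelay));
console.log('substituting relay', runExchange(substitutingRelay()));
```

The comparison only helps if the fingerprints are exchanged over a channel the server does not control, such as in person or by voice.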

This feature, matched with our fully open source code-base is how we say what we do, do what we say, and prove it.

We take your right to privacy very seriously and will continue to stand in front of competition with the utmost confidence that our total open-source transparency policy speaks for itself. We believe that open source will always be the base requirement standard for solutions in this space.

The surespot Source Code can always be reviewed on GitHub.

Further, we have not been coerced by authorities to change our source code in order to attempt a deciphering of communications, nor can they legally compel us to do so. If any agency attempts to intimidate us for this purpose they will be in direct violation of the law and setting themselves up for a losing battle in court.

Privacy vs. Functionality Decisions


The pure simplicity of surespot’s design and focus on core communication functionality is the reason why it doesn’t need personally identifiable information from users. It is what we refer to as a “zero-content system”. The app-related data we do collect is the base minimum amount required for the service and technology to function properly for the best user experience possible.

Communication technology providers must always make critical decisions in determining the right balance between privacy and in-app features. We, like all companies in the security space, have to continually determine where to draw the line between protecting privacy and what meta-data is needed to execute new functionality that improves user experience (e.g., needing an email address to offer a lost password recovery service, which for increased security, we do not do).

We encourage consumers to educate themselves on the level of privacy vs. functionality offered by each solution in the market before deciding which best fits their needs. There is no single solution that fits all and only the user can decide where their level of comfort lies.

surespot was designed for the more security-cautious consumer that demands minimal cyber exposure and maximum performance.

We believe surespot has the right balance of privacy and functionality for a seamless user experience across devices and that performance and security trump unnecessary bells and whistles. This is why we choose to run a very lean, usable and simple solution that gets the job done quickly and securely, every time. These are the types of considerations that go into every decision made by surespot management.

Please review our Threat Analysis to see what information in the form of meta-data is currently used by surespot for the app to function properly.

surespot does not know or collect any information about users that would identify them, their age, gender, location, devices, or any personal contact information. You can deactivate/delete your surespot identity at any time. Once deleted, all messages sent by you will be permanently deleted from the server. Deleted messages and identities cannot be recovered. Deleting messages will also eliminate all cipher text and associated meta-data permanently from the server. This process also automatically deletes the messages from all your contacts’ devices, ensuring a true zero-trace privacy experience.

Using surespot for Illegal Activities


We strictly prohibit any use of our app for illegal purposes of any kind.

We ask anyone doing so to immediately find another means of communication.

However, due to the nature of encryption, it is impossible for anyone to monitor or verify allegations or suspicion of unethical or illegal activity. With no ability to monitor the content of user communications, any misuse would have to be determined by speculation or a person’s involvement in some other illegal activity unrelated to the surespot service. This total lack of user oversight is also why the surespot solution cannot be shut down by authorities, as there is no means to verify how the app is being used or by whom.

If one does use the service for illegal activities or if one is suspected of participating in illegal activities, there is always a chance that law enforcement officials may come to us with a court-ordered subpoena demanding that we meet our obligations as required by applicable laws to disclose what little data may exist on our servers.

Law Enforcement Guidelines


Our open source policy will always show our commitment to operating in an environment of complete transparency. This policy holds the same for our requirements of law enforcement officials and the outlined procedures that must be followed in requesting information from our company, particularly about users.

Any and all inquiries must be directed to our legal team by emailing our attorneys at legal@surespot.me.

surespot will only respond to valid legal inquiries issued in compliance with U.S. law and no voluntary information about our company or users will be released to anyone including law enforcement agencies, except in response to a grand jury subpoena, warrant or other valid legal process that is supported by probable cause and delivered from an agency with proper jurisdiction over surespot.

We do not respond to foreign authorities as they do not have jurisdiction over U.S. companies. We will never respond to a request voluntarily.

Government Interest


The sophisticated level of cryptography used to protect and execute surespot communications, coupled with the company’s total open source policy that allows it to be independently verified, positions surespot as the obvious choice for users who are serious about keeping their communications private. This positioning, however, also puts us in the spotlight as a tool of potential interest to any authority wishing to track similar individuals. This is an expected reality.

As a company we have no reservations about the prospect of being contacted by law enforcement. Likewise, surespot users have nothing to worry about, as the app is working exactly as it was designed. surespot was specifically built anticipating this eventual possibility. If we ever are contacted, it only reaffirms the following truths:
  1. The app is popular and being used by people of all walks of life.
  2. The app is trusted by its users.
  3. The app is secure, and continually poses a dead end for law enforcement.

If contacted, we will always comply with applicable United States law according to our responsibilities and have no wish to be in contempt of court. Your communications will always remain safe and secure in all instances, as the technology was designed so that we would be entirely limited in what we have available to provide should we be ordered. You can verify this by reviewing the Threat Analysis on our website.

Transparency Policy


With the rising number of savvy malicious hackers, the vast increase in identity theft victims, and the rampant expansion of government spying and surveillance programs, personal security, privacy and protection have become major issues challenging the most basic of human rights in the modern day. By combating this information free-for-all, surespot is able to return to the individual their due right to privacy. This privacy is what people have entrusted to surespot to keep secure, and we intend to honor that trust without compromise.

surespot is the world’s most secure encrypted messaging app available, operating in over 100 countries with upwards of a half million users who have sent over 100 million secured messages.

Our proprietary technology provides ironclad means for people to protect the content of their mobile communications with one another by using the industry’s only zero-content system that is also backed and verifiable through a code base that is fully open source. This approach creates full transparency and invites peer-reviewed scrutiny and inspection of security features so you can be confident in our claims.

It is our strong belief that this open source policy should be added to the list of evaluation criteria used by the Electronic Frontier Foundation (EFF) in their annual report, Who Has Your Back. Should surespot have been evaluated in this most recent report, we would have obtained a perfect score earning stars in every applicable category.

For the sake of transparency, please review those report categories and how they relate to surespot on our Transparency Policy.

Back to work


We anticipate this statement will return comfort to our many loyal users and put to rest any rumors that may have raised temporary concerns.

surespot is here to stay!

The company is growing in size, hiring more developers, improving usability and preparing new functionality. The surespot management team is speaking to private investors and several large corporations interested in custom desktop versions of the technology in addition to private labeling opportunities. Time is tight, but we are very passionate about what we do and very encouraged by the progress of our team and industry at large. We look forward to sharing more updates soon and appreciate all of your ongoing support.

We are not honoring requests for interviews at this time as we need to stay focused on meeting new feature release dates, which we are very excited to announce soon.

It is our promise to be here day after day working hard to protect and defend your right to free and private communications!

Sincerely,
surespot management team