Call it the Edward Snowden effect. Privacy was a theme bubbling under the surface at the Mobile World Congress tradeshow — even more so than last year when Silent Circle and Geeksphone grabbed attention with demos of a privacy-centric smartphone called Blackphone.
This year they were back with a sequel device, Blackphone 2, and a plan to release a tablet, under the moniker Blackphone+. Now wholly owned by Silent Circle, the Blackphone team was also touting a suite of enterprise-focused encrypted apps and services, flush with $50M in new financing.
Geeksphone co-founder Javier Agüera, who has now moved over to head up innovation for Blackphone, said SGP Technologies’ priority now is scaling up — by targeting the enterprise market.
“I wouldn’t define Blackphone as a social enterprise but there’s definitely a component there as towards making the world more secure and protecting people’s privacy. So it’s a big opportunity and we’re now focusing on making Blackphone grow,” he told TechCrunch. “Now in the second year we’re stepping up.
“We’re entering into the converged space with the tablet. We are re-exploring how enterprises use this kind of device. We don’t expect every single enterprise to take a Blackphone+ into a meeting room, so into vertical use, that’s why we make it available in different forms and flavors so we can adapt and cater to the different needs.”
While the original Blackphone was marketed at prosumers, and they remain a secondary target, Agüera said the big growth opportunity for Blackphone’s pro-privacy hardware and software is in the enterprise space, driven by the consumerization of enterprise IT and the BYOD (bring your own device) trend.
“The perimeter of security is no longer inside the building it’s outside. So that’s why we’re focused on enterprise,” he said.
Blackberry, the erstwhile encrypted email enterprise darling, did not even have a booth at this year’s MWC — although it did briefly tease a new device it has in the pipes for release later this year, showing that while its fortunes are undoubtedly down it’s not entirely out of the mobile game. And with security rising up the enterprise agenda Blackberry may feel it has reasons to be cheerful.
Still, it’s clear the years of Blackberry owning enterprise mobility are over. Which means more room for newcomers, like Blackphone, to elbow in with fresh solutions.
Security, privacy and geopolitics
“This is privacy. Security’s part of that. Privacy is security and policy,” said Agüera, talking generally about the scope of the Blackphone project. “It’s not only how secure is your device, but also what do you do with your device? And we help users and companies figure out how to protect their personal data in a real-world scenario. So we know people will install Angry Birds in the phone, we just help companies create the policies so that Angry Birds is totally isolated from their [work content].”
Another relative newcomer to the smartphone space, Finnish mobile startup Jolla, also had some security news on the slate at MWC, announcing a partnership with SSH Communications — to create a security-hardened version of its Sailfish mobile OS. That’s likely not arriving until next year but the trajectory is tellingly similar, with Jolla also pointing to businesses and governments as potential customers of hardware running Sailfish Secure.
“All of the devices at a certain point will have a security client,” Jolla co-founder Marc Dillon told TechCrunch in an interview, explaining how Sailfish’s security credentials are going to be burnished. “So they can have secure communications peer to peer, device to device. Then in conjunction with SSH we can also offer solutions to enterprises so that if banks, hospitals, things that require high levels of security and want to be able to freely communicate peer to peer they can.”
Jolla has also now got a tablet in the works, and since launching its first device at the end of 2013 has made a point of emphasizing how its business model does not involve selling user data to third parties — making privacy protection a highlighted point of differentiation between Sailfish and Google’s Android. So it’s also now pushing privacy plus security.
“We’ve had a lot of interest from governments,” Dillon added. “We’ve been talking to the European Union. We’ve been talking to the Russian government… They’ve come to us. They’ve been talking about this in the news.”
Jolla’s European origins explain the regional interest from Russia. This is post-Snowden geopolitics being played out via non-U.S. mobile platform preferences, giving regional players some potential business uplift.
Blackphone, meanwhile, has ties to the U.S., with offices and investors there, but has chosen to be headquartered in Europe, in Switzerland, a country which enshrines a right to private communications and email in its constitution. And it’s forked Google’s Android — creating a security-hardened version of the platform, called PrivatOS, that’s loaded onto its own brand hardware (assembled and security signed in Madrid, Spain), with Google services replaced with its own suite of secure apps.
Its business is software as a service as well as hardware — extending Silent Circle’s original portfolio with a suite of encrypted communications apps and services that run on other devices, including iOS and Android. The company is positioning its business to reach broadly across the mobile space to serve enterprise customers of all stripes.
Agüera says Blackphone already has government agencies using its services — including in the U.S. “We sell worldwide, in all regions of the world. Latin America, Middle East, South East Asia, South Korea, everywhere,” he added. “We have companies from Fortune 50, Fortune 1000. Some corporations use us across the company, some for just the top executives. Even some corporations, they don’t use us but they have us as a back-up solution — because for example when Sony was broken into, how do you manage that crisis?
“In Sony they had to take the old Blackberrys, like they had in the warehouse, five-year-old Blackberrys… We’d rather our customers use us as a daily phone, but that’s part of it. Each corporation has different needs, and we have to cater to those needs.”
Elsewhere on the MWC show floor a Brazilian startup called Sikur was showing off a Blackphone-a-like privacy-focused handset called GranitePhone — touting encrypted text messaging, voice, group chat and email, along with Android and iOS versions of its software — so buyers of its devices aren’t locked into talking to a limited circle of just GranitePhone users.
The Brazilian government has been highly and publicly critical of U.S. intelligence agency surveillance programs, so it’s no surprise that a homegrown startup has followed Blackphone’s lead and is pitching counter-surveillance technologies of its own.
Trust and transparency
Open source company Mozilla, which makes the HTML5-based Firefox mobile OS, was also talking privacy in Barcelona this week — promoting an ongoing collaboration with German carrier Deutsche Telekom, which it announced at MWC last year.
Media reports initially got the wrong end of the stick, thinking the pair were about to unbox a dedicated privacy phone. That was not in fact the case. Instead they discussed an ongoing collaboration that’s aiming to bake privacy thinking into Mozilla’s Firefox OS — in order to “bring data privacy closer to customers”, as they put it when they announced the initiative last year.
While not as instantly tangible a concept as a ‘privacy phone’, it’s further evidence of privacy concerns filtering down into business practices — and being used as “a point of differentiation” to attract customers, as Denelle Dixon-Thayer, Mozilla’s SVP of business and legal affairs, couched it during an on stage panel.
The session also included Dr Claus Ulmer, group privacy officer for Deutsche Telekom.
The pair said the business imperative to come up with privacy solutions boils down to building user trust — and Ulmer said that brand trust has been converting into improved revenues for Deutsche Telekom.
“We always try to put the user first,” added Dixon-Thayer. “Users are fearful about what’s happening to their data. Who has access to their data. What’s happening if the entity gets access to the data… We need to have those users trust the ecosystem. If we get them to trust the ecosystem we’re going to generate more interest, more support from them, and we’re going to get more out of it… If users understand the value exchange… they’re more likely to feel comfortable sharing their data.”
One area she said Mozilla has been working on is making its privacy policies more accessible and intelligible for mobile users — by, for instance, writing them using a ninth grade reading model and using bullet points to condense and foreground key points, to offer a digested and accessible summary ahead of the full T&Cs. They also actively size policies to fit on small mobile screens.
Dixon-Thayer said a lot more needs to be done generally in the digital space to get technology users reading and understanding the implications of what they are agreeing to. She called for more creative approaches to engage users by making privacy policies “simple and interesting enough” — perhaps using contextual alerts, or pictures to help convey the implications of data sharing in a more immediately graspable way.
“The next step requires more user engagement,” she argued. “In Firefox OS… we’ve really tried to do something differently. We have created space for privacy policies for all of these different parties in the transactions, and some folks have wanted to include theirs in our OS.
“Part of it is that I think the challenge is we need to do it more contextually — so it’s in context for the user, so the user doesn’t just agree to something at the outset and then not really understand what that means later. Because that’s part of the problem of not engaging them in that value exchange… We need to be creative about how we do it. I think alerts by the phone is one way we can do it.”
Deutsche Telekom’s Ulmer said the aim of the privacy collaboration with Mozilla is to help users understand “what’s going on with their device”, and also give them more control, so they can influence how or what kind of data is flowing — perhaps via offering varying degrees of data obfuscation.
He gave the example of a location blur feature which lets users choose how specifically (or otherwise) they want their location to be transmitted.
“For what reason does a weather app need to know exactly where you are at this moment?” he asked. “This solution will offer you the ability to blur your location to a radius of 10km or to a country or have a random solution for that. These are quite intelligent solutions that really help all of us to have a better future in the mobile world. And they also help the companies to sell their products because as long as we have the trust of the customer we’ll also succeed in the business.”
Both made the point that more collaboration is needed among players in the digital industry generally to proactively work on baking privacy by design into their business processes — to avoid the risk of having regulators step in and do it for them.
“All the participants in it need to be comfortable about being transparent, and today not everybody is — because they’re concerned that if they’re transparent what if their competitor’s not and then they look like they’re doing something bad when in fact it’s the industry really doing it,” Dixon-Thayer noted. “So we need to be better as a group and collectively say this is where we want to go, how can we get ourselves there?”
“It’s only going to get worse for all of us to operate in this space if we don’t actually take on some self-regulation and do it ourselves,” she added.
IoT as a privacy opportunity
Intel’s Brian Hernacki, chief architect of its New Devices Group, which includes wearables, was also speaking during the session — and he looked past mobile to consider privacy in an age of myriad connected devices, which he argued amps up the risks in multiple ways and therefore requires a new approach.
“You’ve got people who make coffee pots and belt buckles and shoes. They don’t live and breathe technology, they don’t live and breathe privacy law. They don’t necessarily even have a legal department to help them digest the privacy law that’s out there. The space itself is also much more prone to sensing, collecting data,” he argued, adding: “It almost inherently creates more risk.
“We want the value that comes out of these great devices that collect our information and make recommendations to us… And the devices themselves are more challenging; they need to share. They have very tiny little processor, very tiny little memory, very tiny little battery, they need to ask that smartphone or that cloud service to help them accomplish the task that you want them to do.”
At the most basic level, wearables’ tiny screens clearly aren’t suited to displaying or otherwise delivering lengthy privacy policies. Some connected devices don’t or won’t even have screens. So how will IoT device makers even be able to meaningfully gain user consent for data processing?
There were no clear answers during the session on how to fix that specific issue, but Hernacki argued there is a business opportunity at this “nascent point” in the development of IoT to advocate for privacy by design, and for others to come along and sell “pre-designed”, “pre-integrated” pro-privacy technologies and platforms to the smaller entities who are building connected devices.
In other words IoT startups could be sold privacy services and expertise — such as technologies that automatically encrypt or safely transmit data, to relieve every OEM in the space from having to “go build a TLS stack” themselves, which Hernacki asserted is “never going to happen”.
“We need to understand that IoT means thousands, or 10,000 OEMs, who are not necessarily deep technical players, who may not have deep legal partners, there has to be an aggregation capability. Someone has to provide pre-designed technologies, so that when somebody goes to build that bracelet or that smart shoe, or that wireless charging IKEA table, then every one of these companies doesn’t have to think through and then resolve these problems.”
“There are a lot of OEMs out there without deep resources to really invest individually in this. And the more best practices and core capabilities that we can bring in, pre-integrated platforms to those manufacturers, the better chance we have of covering the market with the kind of privacy-centric design that we want. We’re not going to be able to rely on 10,000 OEMs to all do it right,” he continued. “A lot of the traditional techniques, education, transparency, accountability, choice, are absolutely great beginnings, but they’re not enough. We’re going to need more than that.”
“Don’t get me wrong, this is still a very hard problem. There are still very challenging technical barriers. But we’re at the right moment in time to do it. We’re well educated to do it. And I think, when I talk to people in the industry, we’re all motivated to do this well,” he added.
“There’s a great opportunity. A lot of the companies here are looking at building these pre-packaged technologies… to enable this explosive growth. To enable the kind of capabilities that we want to see out of wearables and IoT.”