Twitter’s Whisper Systems Buy Nets Security Experts

Twitter’s acquisition of Whisper looks like a talent grab targeting Moxie Marlinspike and Stuart Anderson

Twitter acquired Android security start-up Whisper Systems, according to a note on Whisper’s Website. Financial terms of Twitter’s first security-focused deal were not disclosed.

This appears to be a talent acquisition, not a technology buy, as Whisper Systems consists of two employees, Moxie Marlinspike and Stuart Anderson, and none of its products have been released beyond beta testing.

Mobile focus

Marlinspike and Anderson launched Whisper Systems last year to improve security and privacy for mobile devices and released various encryption products focused on safeguarding data stored on mobile devices, network connections, backups and calls and text messages.

The applications include WhisperCore, a hardened version of the Android operating system that encrypts all data stored on the mobile device and allows users to selectively revoke permissions for applications, and TextSecure, which encrypts text messages. Marlinspike also released Convergence for the Web, a system aimed at bypassing the certificate authorities altogether in order to determine which Websites should be trusted.

“The Whisper Systems team is joining Twitter starting today. As part of our fast-growing engineering team, they will be bringing their technology and security expertise to Twitter’s products and services,” Twitter said in a statement.

The Whisper Systems blog said the acquisition would bring the “technology and our expertise into Twitter’s products and services”. Twitter settled with the US Federal Trade Commission in March over charges that the site did not adequately safeguard user privacy and misled users about its security practices. Under the terms of the settlement, Twitter has to establish and maintain a comprehensive information security programme, which is subject to an independent audit every two years.

In recent months, the site has seen an increase in Twitter spam and malicious links. Twitter has implemented several controls, such as technology that scans links as they are posted to try to determine their safety.

Sceptical reception

It may be that Twitter is interested in beefing up its security offerings both online and on mobile devices, but some are sceptical. Privacy researcher Christopher Soghoian noted that the microblogging site was not known for providing secure communications tools to end users. “It still doesn’t even use HTTPS by default,” Soghoian wrote on Twitter.

While Twitter has implemented HTTPS on its site, it is enabled by default only on the official Twitter mobile application. Users have to manually opt in to turn on the HTTPS setting on the Website.

After the acquisition was announced, no applications from Whisper Systems were listed on the Android Market. RedPhone service, which Whisper Systems originally launched in February to provide protesters in Egypt access to free end-to-end encryption for voice calls, has been taken offline. Users of Whisper Systems’ FlashBack encrypted cloud backup services have a month to pull any backup data before the service also goes offline.

All the software “as our users know it” is expected to be available after a brief downtime for the “transition period” as Marlinspike and Anderson join Twitter, according to the blog post.

Soghoian and others wondered whether Twitter would release the code for RedPhone so that it could be hosted elsewhere, especially considering how it is being used by protesters and activists in more turbulent parts of the world.