Worldwide Encryption Products Survey

Today I released my worldwide survey of encryption products.

This survey identified 619 entities that sell encryption products. Of those, 412, or two-thirds, are outside the U.S., calling into question the efficacy of any US mandates forcing backdoors for law-enforcement access. It also showed that anyone who wants to avoid US surveillance has over 567 competing products to choose from. These foreign products offer a wide variety of secure applications -- voice encryption, text message encryption, file encryption, network-traffic encryption, anonymous currency -- providing the same levels of security as US products do today.

Details:

  • There are at least 865 hardware or software products incorporating encryption from 55 different countries. This includes 546 encryption products from outside the US, representing two-thirds of the total.

  • The most common non-US country for encryption products is Germany, with 112 products. This is followed by the United Kingdom, Canada, France, and Sweden, in that order.

  • The five most common countries for encryption products -- including the US -- account for two-thirds of the total. But smaller countries like Algeria, Argentina, Belize, the British Virgin Islands, Chile, Cyprus, Estonia, Iraq, Malaysia, St. Kitts and Nevis, Tanzania, and Thailand each produce at least one encryption product.

  • Of the 546 foreign encryption products we found, 56% are available for sale and 44% are free. 66% are proprietary, and 34% are open source. Some for-sale products also have a free version.

  • At least 587 entities -- primarily companies -- either sell or give away encryption products. Of those, 374, or about two-thirds, are outside the US.

  • Of the 546 foreign encryption products, 47 are file encryption products, 68 e-mail encryption products, 104 message encryption products, 35 voice encryption products, and 61 virtual private networking products.

The report is here, here, and here. The data, in Excel form, is here.

Press articles are starting to come in. (Here are the previous blog posts on the effort.)

I know the database is incomplete, and I know there are errors. I welcome both additions and corrections, and will be releasing a 1.1 version of this survey in a few weeks.

EDITED TO ADD (2/13): More news.

Posted on February 11, 2016 at 11:05 AM • 59 Comments

Comments

Daniel • February 11, 2016 11:22 AM

Good work. I doubt that this will change minds because in my view the stance of the FBI has been primarily rhetorical to begin with, a red herring for other things that they want. (Ok, so we don't get encryption, now we need HUGE budgets for targeted attacks).

One thing to keep in mind is that using foreign-based encryption is itself metadata and might cause one to be targeted on that basis alone for further investigation.

Kurt Seifried • February 11, 2016 11:46 AM

Has anyone ever surveyed the Open Source encryption software ecosystem to find out where the developers live roughly?

Steve Marquess • February 11, 2016 11:56 AM

OpenSSL isn't Australian; the ancestral product (SSLeay) it was derived from was but the OpenSSL team consists mostly of Europeans. Of the 15 current active team members, four are in the U.K., three in the U.S., two in Switzerland, two in Sweden, one each in Australia, Germany, Belgium, Quebec. That's where they currently reside; national origins are even more varied.

I think it's fair to call the OpenSSL project truly international.

Yurii Kozlov • February 11, 2016 12:11 PM

Hello Mr. Schneier.
Greetings from Ukraine.
In your materials, unfortunately, not all developments of Ukrainian cryptographers are listed.
Meanwhile, Ukraine has its own school of cryptology and many more developers.
I will be glad to share this information with you in a format that is acceptable to you.

Robert G • February 11, 2016 12:18 PM

This came across my corporate feed, and I was delighted to see it. Reading the full article only delights me more.

Because you put the focus on the economic problem first and foremost and made the data very plain and available for everyone to understand. Where the economic problem is intrinsically tied into the security problem (it won't work and it will simply hurt the American economy).


Everyone can understand these arguments, whether they are in tech or something else (like lawyers or cops or voters or consumers). It is not debatable in the slightest.

Unless your agenda is to flatline American technology and the economy tied to it.


If these guys had as their agenda to do exactly that by a foreign intelligence agency, they would get winning scores.

They have the football of the camera and are doing all they can to run as far as possible in the wrong direction.

Not rocket science.


Pritish Gandhi • February 11, 2016 12:41 PM

I work for an IoT company in Silicon Valley and we build an IoT platform (device-mobile-cloud) which OEM/ODMs can use to connect their product. As part of this solution we offer secure communication for control and datapoint updates to and from the mobile app and the cloud. Maybe our product could be added to this list.
The company is called Ayla Networks.

mhogo mchungu • February 11, 2016 12:56 PM


Greetings from Tanzania.

Just thought I should write to correct an error in the report.

ZuluCrypt is not a fork of TrueCrypt and it does not contain anything from TrueCrypt project.

I started the project from scratch primarily to manage LUKS-based encrypted volumes in my Linux-based system. ZuluCrypt gained support for TrueCrypt and VeraCrypt volumes as a result of one of its users requesting them.

Support for TrueCrypt and VeraCrypt volumes is obtained through independent implementation of TrueCrypt and VeraCrypt on-disk formats.

Norm de Prune • February 11, 2016 2:36 PM

Once it was illegal to export strong crypto products. How long before it becomes illegal to IMPORT strong crypto without backdoors approved of by the TLAs?

Shachar • February 11, 2016 2:44 PM

Small correction:

You list rsyncrypto as Linux only. In fact, it is a cross-platform tool, available for Windows as well as all POSIX platforms. The official page actually contains a binary installer for Windows (as well as MSVC project files in the source, of course).

Shachar

Shachar • February 11, 2016 2:48 PM

Also, the list for Israel seems implausibly small. There's a question of where to list products that are developed in one country, but the parent company is in another. Check Point is one such company that comes to mind.

Also on the subject of Check Point, I haven't seen VPN-1 (the VPN that is part of the FW-1 firewall product) on the list.

Crypto • February 11, 2016 3:20 PM

A fantastic work and one that I'm very grateful you took the time and effort to produce.

It also serves as a great reference for the various cryptographic products out there and their commercial status (proprietary, open source etc.)

I eagerly await the revised version 1.1.

Anybody out there who has spotted any mistakes, errors or omissions should leave them in this comments section. Hopefully Bruce will pick them up and add them to the next version.

Nick P • February 11, 2016 4:27 PM

@ Yurii Kozlov

The survey is on what's available. Do you have links to specific products or OSS software that do crypto and are made in Ukraine?

Jacob B • February 11, 2016 4:56 PM

You haven't included an entire market of remote access boxes for the industrial sector. Typically termed Industrial Gateway or Industrial VPN Router, I know of them supplied by Secomea, Weidmuller (Industrial Security Router), Phoenix Contact, Siemens, Moxa, Hirschmann, eWON, NetModule, KEB and many more. The majority of these are manufactured around the world, outside the US.

Bruce Schneier • February 11, 2016 5:17 PM

"In your materials, unfortunately, not all developments of Ukrainian cryptographers are listed. Meanwhile, Ukraine has its own school of cryptology and many more developers. I will be glad to share this information with you in a format that is acceptable to you."

All forms are acceptable. E-mail, comments to this blog post...you choose.

Bruce Schneier • February 11, 2016 5:17 PM

"You haven't included an entire market of remote access boxes for the industrial sector."

I was limiting this to generally available hardware/software for generic use.

Nick P • February 11, 2016 5:27 PM

@ Bruce Schneier

Good presentation. Two corrections I saw glancing at the list.

Sandstorm.io is American, not French:

https://sandstorm.io/about

Cryptocat's founder and lead is Canadian:

https://en.wikipedia.org/wiki/Nadim_Kobeissi

I agree with Steve that on the next iteration you need an international category for OSS projects like OpenSSL. The reason isn't just accuracy: the category definition itself could convey that you can't contain it within borders. Could be a project whose members are from many countries and each keep a copy of the code. So, whose jurisdiction even begins to apply in backdooring it or shutting it down? Such an international category serves your purposes even more than a per-nation list.

Btw, if you want, I can try to dig out at least one solution from every country not on your list. Especially those that may not cooperate with Five Eyes. Then send the results to you for inclusion into the list. Might add to the "too overwhelming & widespread to regulate" effect.

Note: Didn't know my favorite archiver (7-zip) was Russian. Cool.

Note 2: That Seychelles shows up so much was a surprise. Looking it up, it's an interesting little island whose food I can recognize and would probably like. Mostly. Might contact a few of those projects to see why they're springing up over there. Might be potential in such places to seed more interest & activity in security development.

Martin • February 11, 2016 6:48 PM

Interesting to see products divided by the population of these countries (in millions). It appears being neutral makes you paranoid.

Mark • February 11, 2016 9:01 PM

Unfortunately, the list is far from complete or 100% accurate.

It seems to fail to list or mention any open source products that utilize scripting languages rather than compiled code as the programming method.

The DECO - DSGL restrictions here in Australia will undoubtedly reduce or offshore what is currently listed as being Australian.

http://www.foocrypt.net/

Thoth • February 11, 2016 10:38 PM

@Norm de Prune
Interesting thought. There are countries like India, Pakistan, Middle East and so on that may have active denial of security products unless approved.

@all
I think the only way out is to push crypto as the following occurs (read link below). Robust platforms for integration of both open source hardware and software security are necessary to make dragnet-style attacks very difficult and also to attempt to guard against known backdoors in code (although it does not prevent known backdoors in the proprietary systems that the open source tools and products use).

Warhawk governments can push for a clampdown but they cannot silence everyone if everyone is willing to do something (at least start PGP-encrypting all emails and get friends to use Signal and TextSecure). Referencing Phil Zimmermann's episode with his creation of PGP, which got him locked up but eventually led to the relaxation of cryptography restrictions and publicity which attracted more civilians to do cryptography and cyber security.

The short-term goal is to make widespread, censorship-resistant common cryptographic toolkits and secure platforms (Bittorrent, Retroshare...) with the authors signing the source code and putting up a warrant canary. Simplifying secure protocols with less mess (unlike TLS with all its headaches) would make developers' work much easier when developing protocols on the fly behind restricted environments when bad stuff happens to a particular community.

Of course the higher assurance stuff comes in progressively as we don't want to scare away non-tech potential users who are taking their first step out into cyber security.

Link: http://www.theregister.co.uk/2016/02/10/congress_preps_three_antiencryption_bills/

Markus Ottela • February 11, 2016 10:40 PM

@ Bruce: Kudos! Thanks for including TFC.

The Daily Dot's article is currently the top story at Reddit's /r/technology.

This made me smile:

“If U.S. products are all backdoored by law, I guarantee you stuff coming out of Finland is going to make a big deal of that.”

Darren Chaker • February 12, 2016 2:09 AM

Back doors are an act of lunacy. It detracts from our competitiveness against foreign companies who have 'real' security products, and makes us all insecure. The alternative is simple: use foreign-made encryption.

Thank you, Steve, for starting this blog post, and for the involvement of the fellow bloggers bringing up intelligent points.

Steve Marquess • February 12, 2016 9:16 AM

@Nick P

"I agree with Steve that on the next iteration you need an international category for OSS projects like OpenSSL. The reason isn't just accuracy: the category definition itself could convey that you can't contain it within borders. Could be a project whose members are from many countries and each keep a copy of the code. So, whose jurisdiction even begins to apply in backdooring it or shutting it down? Such an international category serves your purposes even more than a per-nation list."

Good point, one I implied but should have stated explicitly. OpenSSL can't be stopped by any one government or even any non-universal set of governments. There are hundreds of complete copies of the source repository worldwide. Even if each of the Five Eyes governments silenced/intimidated/arrested/disappeared the OpenSSL developers residing in, or citizens of, those nations, OpenSSL would continue with the remaining team members and new volunteers who would surely step up to take their place.

We keep our main servers in relatively neutral jurisdictions -- Germany and Sweden -- but losing all of those would only be a short term impediment. We're pretty fanatical about maintaining our independence from any single points of control or dominance, even to the point of turning down significant offers of financial support.

So, "you can't stop the signal". Can it be subverted? Potentially, as any one team member could presumably be compromised. But the team as a whole would never agree, so any backdoors would have to be snuck in past the mandatory team review and survive public scrutiny in the open source fishbowl. No open source project can claim to be totally incorruptible, but I think the OpenSSL project closely approaches that ideal, and surely there are others.

Douglas Gregg • February 12, 2016 10:49 AM

@Martin: "Interesting to see products divided by the population of these countries (in millions). It appears being neutral makes you paranoid." I am not sure whether I understand your comment. Would you please elaborate on it?

Arc • February 12, 2016 12:54 PM

The Safenet/Gemalto network encryption hardware is actually made by Senetas in Australia, not the US as marked in the data.

Are we including other network encryption hardware platforms? There are hundreds missing if so.

Jacob • February 12, 2016 2:55 PM

I think that the FBI (and by proxy, the legislature) are interested only in backdoors in communication products, not in data-at-rest.

In addition, I gather that they are interested in common, ubiquitous products - not in some semi-obscure method available in a European country.

The issue has become a front-page item only after Google and Apple made their end-to-end encryption move with their portable devices.

The FBI's and local police's main interest is to cover a large swath of the population by automating the collection process of comm devices. And yes, there is also an interest to read some criminal comm in the neighborhood using Stingrays, but penetrating a non-smartphone device belonging to a criminal is not sufficient to press for a major change of crypto snooping laws and backdoor-mandating legislation.
-----------------------------------------------

Notwithstanding the above, here is an addition to the crypto product list:

- Infineon's TPM chip (Germany), standard bearer of all TPM-enabled consumer/office computing devices sold by major vendors (Microsoft, Lenovo, Dell, HP and others, and in motherboards by Gigabyte and Asus and others), comes with their "Professional Package" - free software that includes the PSD (Personal Secure Drive) utility for encryption. This is easy-to-use, highly secure stuff - keys/PW are kept in a tamper-resistant chip, and the chip itself is TCG compliant, EAL4+ certified.

And a correction:
GnuPG is not just for email encryption, it is also for file encryption (either by RSA/EC or by the symmetrical crypto routines in it), so it should be marked as "multi".

A final note: As I commented before in this blog, there is no reason for coders to write more crypto utilities since there are so many good ones out there already. But once the legislature starts to mess with the available software, anyone can grab a good C source code distribution (Dr. Brian Gladman's repository, AES competition submissions or the a bit more complex Bouncy Castle or NaCl lib stuff), bolt on a GUI and have a secure product for the masses in a couple of days. For message communication, Prof. Ian Goldberg's OTR repository (Canada) would be a good choice.

Jacob • February 12, 2016 3:02 PM


One more add-on to the list:

The cipher.exe encryption utility in any Windows package.
Type "cipher.exe /?" from the command prompt and look at the options.

As in many Microsoft products it has confusing and not-too-smart defaults (e.g. encrypting a folder containing files in the clear will not encrypt the existing files - just new files added to that folder afterward), but if you know the dumb things, it can securely encrypt folders/files.

Lawrence D’Oliveiro • February 12, 2016 5:03 PM

Doing an

apt-cache search truecrypt
on my Debian system yielded two lots of candidates: zulucrypt and tcplay. ZuluCrypt is already mentioned in the survey, but tc-play is not.

Given that Tails is actively considering switching to one of these, they sound like serious candidates.

John • February 12, 2016 5:06 PM

Bruce,

You should put your data on GitHub and let others do PRs to improve. Forget Excel.

Martin • February 12, 2016 5:22 PM

@Douglas Gregg
The USA with 304 products and 323 million citizens (from Wikipedia) has 0.94 products per million people. Germany has 1.4, the UK 0.83, France 0.64 etc.

Then you have Switzerland at 3.0 and Sweden at 3.4.

Douglas Gregg • February 13, 2016 7:20 PM

@Martin: Thank you for the response. It appears I correctly understood your original comment, so below please find my response. Please also consider that even today (despite the high share of foreigners in Switzerland), the U.S.A. is still a more diverse country than Switzerland. This might explain the high portion of security firms located in Switzerland. Also, to be fair, if Crypto AG and Omnisec AG are listed for Switzerland, then Raytheon and Boeing also should be mentioned for the States. (To just mention two U.S. companies.) In that respect, the list is biased.

To conclude: Honi soit qui mal y pense. Or: Ignorance is bliss.

25 encryption products have been listed as originating from Switzerland. In some cases, two products come from one company, e.g. Silent Circle and Blackphone. 10 companies, in my opinion, are not Swiss or have discontinued their product (myENIGMA). ProtonMail - I guess - should be part of the hall of shame rather than the hall of fame. (For allegedly "paying" ransom money.) TrueCrypt is hosted only by two gents in Switzerland but seems to have been developed in the CSSR.

Below my notes.

In some cases, no phone numbers are available, not even in the respective trade register entries. This is highly unusual for Swiss companies.

Blackphone: Now part of Silent Circle, originally from Spain. ==> Not Swiss.

Silent Circle: No phone number available. In phone directory listed as SGP Technologies SA, originally a joint venture between the makers of GeeksPhone and Silent Circle. According to trade register entry CH-660.2.174.014-5, no Swiss national on Board of Directors (BOD). Location: A business center. Probably just mail forwarding service. ==> Not Swiss.

Crypto AG: Only manufactures hardware. Will sell B2B or to governments only.

Omnisec AG: Sells B2B or to governments only.

Diaspora: "Our server are located in Europe - Germany at Hetzner Online AG" (FAQ). Switzerland is not yet part of W/Germany. ==> Not Swiss.

GhostCom GmbH: Trade register entry CH-170.4.013.501-0 lists only Troen Per, Danish national. ==> Not Swiss.

Qnective AG: 26th Jan. 2016: Discontinuation of myENIGMA. ==> defunct

Neomailbox: A service of Trancecrypt Inc., a Seychelles IBC (International Business Company), and "marketed" by Amadeus IT Solutions, Switzerland. ==> Not Swiss.

NoSpamProxy: Belongs to Net at Work GmbH, registered at Amtsgericht Paderborn (FRG / Western zone). ==> Not Swiss.

ProtonMail: Guess no need to discuss. ==> Not a Swiss company.

TrueCrypt / Messrs Thomas Bruderer and Jos Doekbrijder: They are just hosting TC on their website. It is assumed TC was - amongst others - developed by David Tesarík from Prague.

Wire Swiss GmbH: No Swiss BOD member according to trade register entry CH-170.4.011.490-8. Not listed in phone directory. ==> Not Swiss.

Nick P • February 13, 2016 8:52 PM

@ Douglass

I'd agree to block defense-only projects but B2B should still be acceptable. The reason is that the goal is preventing threats to national security. Those threats could certainly happen within a business or using a business's gear. For organized crime and nation states, fronts with a good reputation built over a period of time are pretty common. So, they might get Omnisec or Crypto AG's gear.

Whereas General Dynamics and Boeing were clear they weren't selling me any of the high grade stuff as an individual or a business. It was only for defense customers. Didn't bother trying Raytheon or BAE given that.

Anon • February 13, 2016 10:34 PM

For LEOs, the conclusion that legally mandated backdoors are useless doesn't follow from the prevalence of foreign encryption software. Assuming it was politically feasible to pass something like CALEA for e-mail/texting/messaging apps, you could also make it illegal to use/possess/sell unauthorized encryption software. Sure, criminals might still use foreign encryption, but then the LEOs could charge them with that without even having to prove the underlying crime.

Wyd Noimquarho • February 14, 2016 4:27 AM

Now that you have given the government this list of applications that make a "serious security risk for national security", eventually NO ONE using any of these products is safe.

Thanks for the list anyhow. – Did you have any legal request to exclude any application from the list?

Songwin • February 14, 2016 5:05 AM

@Wyd Noimquarho: I had a thorough look at the list and I do not believe Bruce has willingly omitted software or was forced to do so. The list seems pretty comprehensive. Above all, it does include the extremely secure software.

Songwin • February 14, 2016 5:08 AM

Dear Mr Schneier: You have mentioned Jetico's BestCrypt but listed it as Win-only software. In fact, there exists a version for Mac called BestCrypt Container Encryption for Mac v.1.3.

Sancho_P • February 14, 2016 7:35 AM

Not sure about the term “encryption products”, but if you mean
“communication products using strong encryption”
this one would be missing (probably you’d call it “message encryption” but that’s only a minor feature of that useful software):

Country: Germany
Product Name: TeamViewer
Company: TeamViewer GmbH
Type: MessageEncryption (?)
“TeamViewer is an intuitive, fast and secure application for remote control and meetings.”
Platforms: Mac/Win/Lin/iOS/And
SW/HW: SW
Cost: Pay (but free for personal use)
PR/OS: PR
URL: http://www.teamviewer.com/en-us/

For security and privacy read (and see the pdf download at the bottom of that site):
http://www.teamviewer.com/en-us/security/

Probably there are a lot of encrypted remote control systems with integrated messenger / meeting system out there, but this one I can recommend.

---
Unfortunately LEOs don’t want arguments, they want access.

Narrator • February 14, 2016 11:41 AM

One article says that US backdoors will drive encryption technology overseas. Not only bad for the economy and highlighting the futility of their endeavour, but also a potentially increased security risk as foreign nations may start to covertly introduce their own backdoors, which will give them a distinct advantage over US agencies. Oh. Dear.

Same applies to the UK, etc. They should just give up this ridiculous public charade and go back to doing what they do best: putting backdoors in covertly. They are spies after all, are they not?

herman • February 15, 2016 12:19 PM

Hmm, pretty much all military products are missing from the list - from all over the world - but that is as much as one can say about it.

Anyhoo, nobody in his right mind uses US military communications products for anything serious.

Daniele Raffo • February 16, 2016 6:19 AM

Great work, Bruce. A few corrections:

The correct spelling of EnigMail (Switzerland) is Enigmail. Furthermore, the product - a Thunderbird extension - is available for Mac OS and Linux as well, not only for Windows.

Spamina • February 17, 2016 3:36 AM

Great job! I couldn't imagine such a huge number of encryption products.

However, I miss my company in this report, SPAMINA. We develop cloud security solutions for email and instant messaging, encryption and DLP included. Please take a look at our website: spamina.com

Please don't hesitate to contact us for more information to include our Cloud Email Encryption in the next release.

Regards

Handler • February 17, 2016 3:55 AM

Finally, an excellent compilation. Many thanks! Found out about this document via TWIT.tv's Security Now with Steve Gibson (GRC.com) and Leo Laporte. May I suggest adding SOMA Messenger - U.S. based and it works quite well. Currently iOS and Android. SOMA

Peter E Retep • March 16, 2016 4:06 PM

This intense conflict could result in a collapse of the Security Industry into a Security as a Convenience Only industry.

The acid test that defeated the Clinton White House's 8-year campaign for total government decryption of all communications was making a felon out of a three-year-old having indecipherable fun on a keyboard.

If security becomes forced off the primary interface, it may defeat all attempts at reining in unbreakable content. That is a rub neither the industry nor the .govs want to prompt, because calling that genie creates many more unknown unknowns.

Clive Robinson • March 16, 2016 11:06 PM

@ Peter R Etep,

If security becomes forced off the primary interface, it may defeat all attempts at reining in unbreakable content.

It's a point I've been making for some time now about "communications security".

If the FBI continue on their "holy quest" they will find they are "tilting at windmills" with the more intelligent criminals, or even those that can read and comprehend.

Because at the end of the day "communications security" is about channels (see Claude Shannon), and provided you can secure the end points correctly there is little an attacker can do about attacking message content (it does leave traffic analysis open though).

So let's assume two individuals use devices with mandatory backdoors that the FBI can use. If the two individuals only put encrypted data into the phones by ciphering or coding[1] external to the phones via say paper and pencil, all the FBI's backdoor gives them is ciphertext or codetext, not the meaningful plain text they want.

That is, all the individuals have done is move the communications end points one step out, beyond what the FBI etc. can mandate backdoors for. It's like a game of Russian dolls: provided you always have the outer doll, you can fully contain the inner dolls.

The likes of the NSA would not be happy with the FBI if people started using such next-point-outwards endpoints, as it destroys their attack models for Technical Intel Gathering of message content as well.

Thus both the FBI and NSA would have to use "traffic analysis" as their information source. Which, whilst being of use in gathering Intelligence, is of little use in gathering "legally acceptable evidence".

So Comey is in effect "killing his own 'golden goose'". Which most would agree is fairly stupid.

[1] The reason for differentiating ciphering and coding is important: the use of a cipher produces "random looking" ciphertext which stands out from plaintext. A carefully designed code however still looks like plaintext, which makes detecting its use far harder.

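A small detector for the distinction drawn in footnote [1] above, added here as an illustration and not part of the comment or the blog post: it flags random-looking bytes (what a cipher yields) versus prose-looking text (what a word-substitution code yields). The toy XOR cipher, the codebook, the thresholds and the sample message are all constructed for this example.

```python
"""Added example, not from the blog post or its comments: heuristics for
the property footnote [1] describes. Cipher output looks random and so
stands out; a word-substitution code still reads like ordinary prose.
Samples, codebook, toy cipher and thresholds are all constructed here."""
import math
import random
import re
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant or empty input, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify(data: bytes, entropy_threshold: float = 6.0,
             printable_threshold: float = 0.95) -> str:
    """Label a blob 'ciphertext-like' if it is mostly non-printable or has
    high per-byte entropy, else 'plaintext-like'. Entropy alone is weak on
    short messages (60 random bytes cannot exceed about 5.9 bits), so the
    printable check carries most of the weight there. Thresholds are assumed."""
    if not data:
        return "empty"
    if printable_ratio(data) < printable_threshold:
        return "ciphertext-like"
    if shannon_entropy(data) > entropy_threshold:
        return "ciphertext-like"
    return "plaintext-like"


def encode_with_codebook(text: str, codebook: dict) -> str:
    """Word-substitution code: replace whole words via the codebook
    (case-insensitive lookup); words not in the book pass through unchanged."""
    return re.sub(r"[A-Za-z]+",
                  lambda m: codebook.get(m.group(0).lower(), m.group(0)), text)


def toy_cipher(data: bytes, seed: int) -> bytes:
    """Stand-in for a real cipher: XOR with a seeded PRNG keystream. It is NOT
    secure; it only reproduces the random-looking output a cipher yields.
    Applying it twice with the same seed restores the input."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(256) for b in data)


# Constructed sample message and codebook (not real traffic, not a real code).
PLAINTEXT = b"Meet me at the usual place on Thursday, bring the documents."
CODEBOOK = {"meet": "dinner", "thursday": "the weekend", "documents": "photos"}


def demo(seed: int = 1234) -> dict:
    """Classify the plaintext, its codebook version and its cipher version."""
    codetext = encode_with_codebook(PLAINTEXT.decode(), CODEBOOK).encode()
    ciphertext = toy_cipher(PLAINTEXT, seed)
    return {
        "plaintext": classify(PLAINTEXT),
        "codetext": classify(codetext),
        "ciphertext": classify(ciphertext),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:10s} -> {verdict}")
```

On the sample message the cipher output is caught by the printable-byte check while the coded message passes as plaintext, which is exactly why the footnote says a code is harder to detect.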
Sergey Vinogradov • June 20, 2016 2:38 PM

Too bad that such a review does not cover the encryption algorithms themselves. For example, 7-zip encrypts with AES (USA) and CryptoPro encrypts with GOST 34.12 (Russia).
And your report does not indicate, say, that an unknown program http://relaxtime.8vs.ru/ encrypts by combining Keccak (USA) and GOST 28147-89 (Russia). That is generally unimaginable and is gigantic. But it is very diverse for a common report.

Elmer Esque • June 21, 2016 9:08 AM

I appreciated your introductory comments regarding the various encryption tools and, especially, about potential vulnerabilities.
There are many source code analyzers for potential bugs. If I was writing encryption software (and I'm not saying that I am), I would run as many of those tools as I could get my hands on and publish that fact.
So, do you have a notion of what (large) set of analyzers to apply and: wouldn't it be nice to have some reflection of that testing in your data?
I'm not suggesting that you test code yourself, but that we ask the developers to do so.

mils • June 22, 2016 1:55 AM

Thank you very much for your survey.
We studied it with much interest.

Could you please add our company, mils electronic (Austria), to the list? Sorry for not registering sooner.

Our product portfolio includes hardware and software systems for file encryption, e-mail encryption, message encryption, and voice encryption, as well as VPN and bulk encryption.
Since the foundation of the company in 1947, the products have been equipped with the most secure encryption algorithms and the unbreakable 'One Time Pad' method.
For further information, you may write us an e-mail at marketing@mils.com or visit www.mils.com.
Thank you for including our company in a next version of your survey.

Best regards,
mils marketing team

JLal • July 13, 2016 5:04 PM

Hi

I came to this article today.

I wouldn't buy encryption anything from the core EU countries. They work extremely close with the US.

I work for a German company and we are migrating slowly to local German built products.
At least Virus/Notifications/Monitoring and many other applications if available.
We still keep some that are indispensable. And provide decent encryption.

Encryption laws here may not be as clear and may mimic the proposed US law. Who knows.

Sad that US companies are becoming the victims here. But according to our directors, they want to avoid all exposure if possible. It was not like this until Snowden's revelations.
I am not blaming him; this was already known by us, but not as extensive as it appears to be. Irony, isn't it?

So I ask, if not late, which foreign appl/product would you personally recommend?

keep up the good posts !!

hay nony mouse • July 15, 2016 10:07 AM

@ Peter :

    Companies headquartered outside of the US may still be forced to comply to backdooring-requests...

As of a few hours ago that may not be true, if the actual app servers are not within the US jurisdiction.

The result of the Microsoft -v- USG case over data held on a server in Dublin in the Republic of Ireland (Eire) will probably have wider reach than the USG Federal Law Enforcement Agencies want (ie they've been told "no global jurisdiction" / reach).

http://www.reuters.com/article/us-microsoft-usa-warrant-idUSKCN0ZU1RJ

Which, apart from appeals, will probably mean US Gov sponsored corporate attacks on democracy and national sovereignty in other nations via the likes of the Investor-State Dispute Settlement (ISDS) resolution process of the likes of TTIP, CETA and the older NAFTA.

As Canadian-based "Stop the Transatlantic Trade Deals" spokeswoman Maude Barlow said last year in the Morning Star Online,

    It's no wonder that a UN expert on human rights recently referred to ISDS as 'An attack on the very essence of sovereignty and self-determination, which are founding principles of the United Nations'.

She has also noted that these supposed trade deals have so little about trade in them, they are not actually about trade at all but,

    They're much more about handing over frighteningly new rights to Corporations that fundamentally challenge the way that governments legislate on behalf of ordinary people.

She has also said,

    People should learn from our experiences in Canada and understand that this new generation of trade deals pose a terrible threat to the health of their people, the resilience of their communities, the fate of Public Services, and the protection of their natural resources.

So just the sort of thing to get "extrajudicial powers" through the "tradesman's entrance" / backdoor...
