As Apple faces criticism from the FBI for refusing to help law enforcement break into iPhones, rival Google is sitting on technology that would upgrade existing mobile devices with an encrypted “digital safe” that secures data, messages, and video and voice calls.
The technology, known as Project Vault, was created by a team led by Peiter Zatko, a hacker and security expert also known as Mudge who has since left Google. This month he called on Google to release the technology to underline its support for Apple’s refusal to open phones for the FBI and other law enforcement agencies. Google spokeswoman Victoria Cassady wouldn’t reply when asked whether the project was still active, but she hinted that there might be updates at Google’s annual developer conference in May. Zatko said he is not permitted to comment on Google’s plans.
Project Vault was introduced at the developer conference last year by Regina Dugan, leader of Google’s Advanced Technology and Projects group and previously head of DARPA, the Pentagon research agency. She showed attendees what looked like an ordinary memory card the size of a fingernail. It contained a tiny computer and storage system that instantly upgraded a device with advanced security features, such as strongly encrypted storage, messaging, video, and voice calls. Two phones were shown using Project Vault prototypes to exchange encrypted messages.
“Project Vault is your digital mobile safe,” Dugan said at the time. She said that it would initially be tested and developed with corporations before being offered to consumers. Google said it was already testing 500 of the devices internally, and it released code and documentation for Project Vault’s hardware and software online.
Were Project Vault to be released, it could pull Google deeper into the argument between the tech industry and law enforcement over encryption technology.
Apple’s faceoff with the FBI was triggered by its decision to build iPhones that encrypt all stored data, and then to refuse to help investigators working on December’s San Bernardino shootings get around that protection. Similarly, the encryption method used by Facebook’s WhatsApp program and Apple’s iMessage service—a system that prevents even the companies providing the services from reading the messages—has angered authorities in Brazil, and is reported to also trouble the U.S. Department of Justice.
Project Vault is designed to upgrade a mobile device with both encrypted data storage and messaging. Because the code and digital keys used to encrypt messages and calls never leave the secure memory card, it could be even more resistant to eavesdropping or hacking than iMessage or WhatsApp, which operate as conventional apps.
Even if Google doesn’t move forward with Project Vault, it may still help other companies strengthen their security because its design is open source, meaning others can use it. Zatko says that some large companies, including financial institutions, are experimenting with pieces of what Google released to protect high-value customers against fraud.
Making the design open source would also help keep Project Vault trustworthy if it is released, by allowing outside experts and researchers to probe its security, says Simha Sethumadhavan, an associate professor at Columbia University who works on hardware security.