U.S. Customs and Border Protection (CBP) is deploying the Amazon-owned encrypted chat app Wickr across “all components” of its operations, Motherboard reported on Tuesday, citing procurement documents from the agency.
Whereas previously CBP had signed a contract worth $700,000 with Wickr, the new agreement is valued at around $900,000. According to Motherboard, the documents on the contract date to Sept. 18 and state its purpose as “to renew and procure additional Wickr software licenses and professional support to deploy a secure instant messaging platform for multi-purpose applications across all CBP components.” While Wickr offers a free version of its app, it also offers various paid services to the private sector and the government, including Wickr Pro, Wickr Enterprise, and Wickr RAM, the last of which is designed for use by the military.
Wickr uses end-to-end encryption, meaning messages and calls sent via the app are fully encrypted in transit and can only be decoded by the devices involved in a conversation. Short of the discovery of a flaw in the encryption protocol, this effectively makes them impossible for a third party to intercept and view. Motherboard noted that Wickr RAM, which the company advertises as providing “complete security from both foreign and domestic cyber threats,” claims to be accredited by the Department of Defense. Wickr also says that RAM is “the only collaboration service with full functionality to meet all security criteria outlined” by the National Security Agency. Wickr also touts a feature allowing all messages sent via the app to be automatically destroyed after a set period of time, after which they can supposedly never be recovered by any method.
CBP previously declined to identify to Motherboard which product was involved in the $700,000 contract.
Amazon Web Services (AWS) announced the acquisition of Wickr in June. Previously, its only real entry in the messaging space was Chime, videoconferencing software that doesn’t have end-to-end encryption.
However, AWS has moved aggressively into contracting for federal police and intelligence agencies, as well as the military. It’s no stranger to doing business with CBP or its sister agency Immigration and Customs Enforcement despite the protestations of immigration rights activists, as well as its own employees, many of whom demanded AWS stop doing business with Peter Thiel-owned ICE contractor Palantir in 2019. Many Amazon workers and some shareholders have also protested the company’s sale of its face recognition software, Rekognition, to police.
Current face recognition technology is inherently riddled with racial and other biases. In response to widespread, nationwide protests against police brutality and racism in 2020, Amazon conceded and imposed a moratorium on sales of face recognition tech to cops, which it recently extended “until further notice.”
Amazon also operates what has been described as the U.S.’s largest civilian surveillance network via its Ring smart doorbell cams, which police and fire departments in at least 48 states have taken advantage of by joining an Amazon program to share recordings with government officials. AWS tried to win a massive cloud computing contract for the military named JEDI, but the program was scuttled in July 2021 amid a long-running fight with fellow bidder Microsoft that had dragged on so long the Defense Department declared the plan obsolete. Instead, the military is soliciting bids from both companies for another cloud computing initiative, the Joint Warfighter Cloud Capability.
While CBP sees the need for technology like Wickr, federal agencies like the FBI have attacked end-to-end encryption for years, claiming it enables criminals to hide their activity from the cops. On numerous occasions, the feds have tried to force companies to build surveillance backdoors into their products to enable wiretapping, a practice that security experts virtually unanimously agree would create major security vulnerabilities.
More recently, federal authorities have aimed to simply undermine confidence in encrypted communications with operations designed to send the message that no platform is trustworthy. In June, the Department of Justice announced a massive bust of drug traffickers and money launderers it had tricked under a program called “Trojan Shield,” in which it used an informant to create a honeypot app (ANOM) posing as an encrypted messaging platform. Acting U.S. Attorney Randy Grossman said during a press conference that authorities had aimed “to shatter any confidence in the hardened encrypted device industry with our indictment and announcement that this platform was run by the FBI,” adding, to anyone who believes they are “operating under an encrypted cloak of secrecy, your communications are not secure.”
“Today, public sector customers use Wickr for a diverse range of missions, from securely communicating with office-based employees to providing service members at the tactical edge with encrypted communications,” Stephen Schmidt, AWS vice president and chief information security officer, wrote in a statement after Amazon’s acquisition of Wickr. “Enterprise customers use Wickr to keep communications between employees and business partners private, while remaining compliant with regulatory requirements.”