Twitter has acquired security startup Whisper Systems in what clearly appears to be a talent grab for researchers Moxie Marlinspike and Stuart Anderson
Twitter acquired Android
security startup Whisper Systems, according to a Nov. 28 note on the Whisper Systems
Financial terms of Twitter's first security-focused deal were not disclosed.
This appears to be a talent
acquisition, not a technology buy, as Whisper Systems consists of two
employees, Moxie Marlinspike and Stuart Anderson, and none of its products have
released beyond beta test.
Marlinspike and Anderson
launched Whisper Systems last year to improve security and privacy for mobile
devices and released various encryption products focused on safeguarding data
stored on mobile devices, network connections, backups and calls and text
The applications include
WhisperCore, a hardened version of the Android operating system that encrypts
all data stored on the mobile device and allows users to selectively revoke
permissions for applications, and TextSecure, which encrypts text messages.
Marlinspike also released Convergence
for the Web, a system aimed at bypassing the certificate authorities altogether
in order to determine which Websites should be trusted.
"The Whisper Systems team is
joining Twitter starting today. As part of our fast-growing engineering team,
they will be bringing their technology and security expertise to Twitter's
products and services," Twitter said in a statement.
The Whisper Systems blog
said the acquisition would bring the "technology and our expertise into
Twitter's products and services." Twitter settled with the Federal
in March over charges that the site did not adequately
safeguard user privacy and misled users about its security practices. Under the
terms of the settlement, Twitter has to establish and maintain a comprehensive
information security program, which is subject to an independent audit every
In recent months, the site
has seen an increase in Twitter spam and malicious links. Twitter has
implemented several controls, such as technology that scans links as they are
posted to try to determine their safety.
It may be that Twitter is
interested in beefing up its security offerings both online and on mobile
devices, but some are skeptical. Privacy researcher Christopher Soghoian noted
that the microblogging site was not known for providing secure communications
tools to end users. "It still doesn't even use HTTPS by default,"
Soghoian wrote on Twitter.
has implemented HTTPS
on its site, it is enabled only by default on the
official Twitter mobile application. Users have to manually opt in to turn on
the HTTPS setting on the Website.
After the acquisition was
announced, no applications from Whisper Systems were listed on the Android
Market. RedPhone service, which Whisper Systems originally launched in February
to provide protesters in Egypt access to free end-to-end encryption for voice
calls, has been taken offline. Users of Whisper Systems' FlashBack encrypted
cloud backup services have a month to pull any backup data before the service
also goes offline.
All the software "as
our users know it" is expected to be available after a brief downtime for
the "transition period" as Marlinspike and Anderson join Twitter,
according to the blog post.
Soghoian and others wondered
whether Twitter would release the code for RedPhone so that it could be hosted
elsewhere, especially considering how it is being used by protesters and
activists in more turbulent parts of the world.