Measures that the Hungarian government claims are needed to enhance national security and combat the threat of terror are, say critics, “contradictory”, “very dangerous” and liable to wreck a star home-grown technology start-up that now serves 8,000 customers worldwide.
The government of Prime Minister Viktor Orban, as part of what it sees as necessary tighter laws in light of terrorist bombings in Paris and Brussels, has been preparing legislation that would give its security forces sweeping powers to monitor private telephone and email traffic.
Widely criticised by the political opposition as excessive, leaked details of the plans also led to press reports that the government was even considering a ban on smartphones. But in a clarification of government thinking, Gergely Gulyas, the influential deputy party leader of Fidesz’s parliamentary group, said the real enemies of the intelligence services are secure communications service providers, including CryptTalk, an award-winning Hungarian start-up that promises secure telephony to individuals for as little as $10 per month.
“There is no way that the Ministry of Interior is preparing to ban or restrict the use of smartphones in the anti-terrorism [legislation] package,” Index.hu wrote on March 29, citing an interview with Gulyas. The ministry – in the possession of a court order – is perfectly capable of tapping any telephone conversation, Gulyas added.
However, “the National Security Service really cannot cope with such [encryption] apps as CryptTalk, Secphone or Silent Phone. Therefore, the Hungarian Ministry of Interior would [like to] restrict or ban the distribution of such apps,” Index.hu wrote, attributing the words to (though not quoting directly) Gulyas.
For Szabolcs Kun, chief executive of CryptTalk, the news “hit us like a thunderstorm on a summer night”.
“If there is a new law forcing vendors and providers to make their systems decryptable, then for CryptTalk and other vendors, I’d guess, it would be technically impossible to comply… we simply do not have a ‘back door’ allowing this,” Kun tells bne IntelliNews, referring to the ‘way into’ a communications system for security monitoring.
But, equally important, any such government move would be “very, very dangerous,” Kun argues. “If you cannot encrypt data transmitted on the internet, or the level of encryption should be lowered in order to support the requirements of law enforcement, then internet users would be much more vulnerable to hackers and the bad guys. If someone says that we should lower the security of internet communication services in order to increase the security of [ordinary] people, well… this is contradictory.”
Equally baffling, Kun protests that if a bona fide state security service provides evidence that a client could be a terrorist or criminal threat, then CryptTalk will terminate the client’s account. “If an [intelligence] agency comes to me with an official court order that someone should be intercepted, then, of course, we would cooperate. This is not about going against the government, this is about providing a service that we have signed with our customers, and this is about their security, protecting them against hackers, against bad guys [eavesdropping into] their [lawful] communications,” he says.
What is CryptTalk, and should any democratic government fear it?
Kun, 34, with a background in telephony and IT development, quietly launched CryptTalk in late 2014, after four years of careful preparation with co-founder Attila Megyeri.
Crucial to his claim of total security, the software employs a ‘key exchange’ system, which generates the encryption key at both phones in a call as a unique shared secret between caller and receiver. This means the caller’s message is encrypted before leaving the phone – and it remains scrambled until it reaches the receiver – where the application decrypts the message, and the receiver hears the call as on a normal phone.
Thus there are no servers that can be tapped into, nor any operators that can be bribed or blackmailed to eavesdrop or record the call. Moreover, since the key itself is not transmitted over the network and, once the call is over, it is destroyed and cannot be recovered, neither CryptTalk nor its employees are able to recover the call.
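The key-exchange property described above, as an added illustration that is not part of the original article and is not CryptTalk's code: two phones run an X25519 exchange, and the relay between them only ever carries the public values. X25519 is an assumption, since the article does not name the exchange CryptTalk uses; `Phone`, `simulate_call` and `relay_log` are hypothetical names, and the sketch does not cover how each side authenticates the other's public value.

```python
import hashlib
import secrets

# Added illustration: X25519 (RFC 7748) stands in for the key exchange.
# Assumption: the article does not say which exchange is used. Not constant-time.
P, A24 = 2**255 - 19, 121665
BASE = (9).to_bytes(32, "little")                 # standard base point u = 9

def x25519(k: bytes, u: bytes) -> bytes:
    n = (int.from_bytes(k, "little") & ((1 << 254) - 8)) | (1 << 254)  # clamp scalar
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in reversed(range(255)):                # Montgomery ladder
        bit = (n >> t) & 1
        if swap ^ bit:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = bit
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        da, cb = (x3 - z3) * a % P, (x3 + z3) * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        x2, z2 = aa * bb % P, e * (aa + A24 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

class Phone:
    def start_call(self) -> bytes:
        self._priv = secrets.token_bytes(32)      # fresh secret per call, never sent
        return x25519(self._priv, BASE)           # only this public value leaves the phone

    def finish(self, peer_pub: bytes) -> None:    # same key is computed on both phones
        self.call_key = hashlib.sha256(x25519(self._priv, peer_pub)).digest()

    def hang_up(self) -> None:                    # drop key material; real clients also wipe memory
        self._priv = self.call_key = None

def simulate_call():
    alice, bob = Phone(), Phone()
    pa, pb = alice.start_call(), bob.start_call()
    relay_log = [pa, pb]                          # constructed: everything the server carries
    alice.finish(pb)
    bob.finish(pa)
    keys = (alice.call_key, bob.call_key)
    alice.hang_up()
    bob.hang_up()
    return keys, relay_log, (alice, bob)
```

Each call to `simulate_call()` yields a different key, so a recording of one call's traffic gives no help with the next.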
The “soft” launch of CryptTalk’s product was intentional – designed to allow system modifications in the early stages, rather than create a ‘big bang’ which might potentially saddle the company with a tsunami of patch solutions.
Despite the lack of fanfare, and an initial design suitable for only Apple’s iPhones and iPads (with a Windows version still in the works), CryptTalk has acquired an intriguing variety of customers, ranging from OTP Bank in Central Europe to a commercial air freight company specialising in transferring diamonds from Africa to Western Europe. Law firms are another growing segment of customers.
“The guys at CryptTalk have been able to find a very elegant, effective method of encryption,” says Arthur Keleti, a Budapest-based cyber-security strategist and founder of the annual ITBN conference held in the city. “Its seamless integration with Apple’s phone operating system… plus the convenience for the average – and not necessarily security aware – user played a major role when it won the innovation award at our conference-expo in 2014.”
Ironically, the Hungarian government’s moves represent an endorsement of CryptTalk’s claims. As Kun puts it: “If they could break CryptTalk, if they could decrypt the calls made using CryptTalk, then they would not be coming for us!”
For now, though, his main worry is the legislation in the pipeline. Asked if he would leave the country if his brainchild were to be banned in Hungary, he stops to take a breath. “Wow! Let me sleep on this. This [trouble] is a brand new thing for me. I’ve just spoken to my mum, and told her I’d made it onto the front page [of Index.hu] – just not in a way that I’d thought for the first time. So I don’t want to make any statements too rapidly.”
In a bizarre twist to this story, the CryptTalk team were awarded the Hungarian Innovation Association's “Startup Innovation Prize for 2015” in a state ceremony in parliament on March 31. Kun, speaking after the award was handed over, called it “rather ironic” that within two days of the government declaring it wanted its products banned from Hungary, the company should receive “the most significant national award you could win” for innovation.
Furthermore, the attack appears to prove the adage that there is no such thing as bad publicity. “No one can say this government does not support start-up companies, because such a marvellous marketing campaign could not have been bought: it’s priceless. Since yesterday we have got between 900 and 1,000 new users, so nearly 9,000 now,” he said. “The government has created a perfect marketing programme.”