The Washington Post

Mobile ISP Cricket was thwarting encrypted emails, researchers find


Some customers of popular prepaid-mobile company Cricket were unable to send or receive encrypted e-mails for many months, according to security researchers, raising concerns that consumers may find that protecting their privacy is not always in their hands.

The inability to send some encrypted messages on Cricket's network was discovered by software engineers from the digital security and privacy firm Golden Frog. The company mentioned the issue in a July filing to the Federal Communications Commission, and the tech publication Techdirt published an article on it earlier this month. But neither Golden Frog's filing nor Techdirt named the mobile Internet service provider.

Golden Frog told The Washington Post that Cricket customers were unable to send encrypted messages and said its testing found that the problem ended shortly after the Techdirt article was published. It is unclear how long or how many customers were affected.

Cricket did not address repeated questions about the issue and did not alert customers, many of whom rely on Cricket as their sole Internet service, that they would not be able to protect their e-mails from prying eyes. AT&T, which absorbed Cricket when it acquired Leap Wireless last spring, did not respond to a request for comment.

Cricket said in a statement to The Post that it "is continuing to investigate the issue but does not intentionally prevent customers from sending encrypted emails."

Digital encryption allows computers — in this case, the mail servers that send and receive e-mails — to speak to each other in code. The service has been under a spotlight lately as consumers have become concerned about protecting the tremendous amount of information they send across digital networks. Encrypted e-mails were, for example, how NSA contractor Edward Snowden first communicated with journalists about the intelligence community's bulk data collection.

In simple terms, encrypting an e-mail typically works like this: User X's mail server asks User Y's mail server if it is willing to receive an encrypted, or coded, e-mail. If the server says, "yes," the encrypted version of the e-mail is sent. If the server says, "no," an unencrypted version is sent instead.

But Golden Frog says that in Cricket's case, when the sending e-mail server asked if it might transmit an encrypted e-mail, the network simply scrubbed the request before the receiving mail server had a chance to hear it.

"The server on the other end doesn't realize that it was asked to speak privately. So it doesn't speak privately," said Andrew Appel, chair of the computer science department at Princeton University.

Golden Frog, which sells privacy-focused software that includes an encrypted messaging service, said it discovered the problem because one of its software engineers living in rural Texas relied on Cricket's mobile Internet service. The engineer had configured his e-mail program to allow his e-mails to be sent only if encrypted.

When the company noticed that it was not receiving the employee's e-mails, it began looking into why. Golden Frog found that its engineer was trying to send e-mails through a virtual doorway known as Port 25. That portal has been used to send e-mails for years, but some Internet service providers recently began blocking it because they were concerned that it was dominated by spammers. Still, the system is popular among some tech experts, who use it to operate their own mail servers.

Cricket allowed customers to send and receive e-mails through Port 25 software, according to Golden Frog, but stripped the traffic of the encryption request, known as STARTTLS.
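As an added illustration (not code from the article, Cricket or Golden Frog), the following Python shows what the engineer's "send only if encrypted" setting amounts to on the client side: parse the receiving server's EHLO reply, and refuse to send if STARTTLS is absent, which is exactly what a sender sees when the keyword has been removed in transit. The sample replies and the host name mail.example.test are constructed; smtplib.SMTP.has_extn is a standard-library call.

```python
# Added example: enforce "TLS or nothing" by inspecting the EHLO reply.
# After the client sends EHLO, the server answers with a multi-line 250
# reply listing its extensions. STARTTLS appears there only if the line
# survived the network path between the two mail servers.
import smtplib


class StartTlsUnavailable(Exception):
    """Raised when policy requires TLS but the EHLO reply lacks STARTTLS."""


def parse_ehlo(reply: bytes) -> set:
    """Return the extension keywords from a raw multi-line EHLO reply (RFC 5321)."""
    keywords = set()
    lines = reply.decode("ascii", errors="replace").splitlines()
    for line in lines[1:]:  # first line is the server greeting, not an extension
        if len(line) < 4 or not line.startswith("250"):
            continue
        # "250-STARTTLS" or "250 STARTTLS" -> "STARTTLS"; drop any parameters
        keyword = line[4:].split(" ", 1)[0].upper()
        if keyword:
            keywords.add(keyword)
    return keywords


def decide(reply: bytes, require_tls: bool = True) -> str:
    """Return 'tls' if STARTTLS is offered; 'plaintext' only if policy allows it."""
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    if require_tls:
        raise StartTlsUnavailable("STARTTLS not offered; refusing to send in the clear")
    return "plaintext"


# Constructed sample replies (not captured from any real server).
NORMAL_REPLY = (b"250-mail.example.test Hello client\r\n"
                b"250-SIZE 35882577\r\n"
                b"250-STARTTLS\r\n"
                b"250 8BITMIME\r\n")
# The same server as seen through a path that removed the STARTTLS line.
STRIPPED_REPLY = (b"250-mail.example.test Hello client\r\n"
                  b"250-SIZE 35882577\r\n"
                  b"250 8BITMIME\r\n")


def probe_live(host: str, port: int = 25) -> bool:
    """Ask a real server whether it advertises STARTTLS (requires network access)."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.ehlo()
        return smtp.has_extn("starttls")
```

Running probe_live against your own mail server from the mobile network and from a wired connection, and comparing the results, is the simplest way to tell whether an in-path device is removing the keyword.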

It is unclear whether the lack of encryption was limited to this system or how many Cricket customers were affected.

In its FCC filing, Golden Frog said it was concerned that Cricket's practices violated the spirit of net neutrality, or the idea that Internet service providers should allow Internet traffic to move freely across their networks.

"Any time an Internet service provider is interfering with a user's ability to protect their privacy it's very concerning to us, and to all Internet users," said Sunday Yokubaitis, Golden Frog's president. "If ISPs can force users' choices about encryption, where does that put us?"

Despite law enforcement complaints, consumers are relying more on digital encryption. Apple and Google recently moved to encrypt by default more of the services built into the iOS and Android operating systems. Those moves, the FBI has argued, will make it difficult, if not impossible, for law enforcement to do its job.

According to Google, which has called unencrypted e-mail "as open to snoopers as a postcard in the mail," about half of the e-mails received through Gmail in October have been encrypted, up from about 30 percent in January.

Tom Lowenthal is the staff technologist at the Committee to Protect Journalists. "It is poor practice and obsolete to send and receive mail without using robust encryption," Lowenthal said. "Journalists who rely upon secure communications, and anyone else who doesn't want their personal messages to become public, should expect their e-mail providers to offer encrypted connections by default."

Cricket was founded in 1999, and its parent company Leap Wireless was acquired by AT&T earlier this year. (AT&T's network, according to Golden Frog, allowed the sending of encrypted e-mails.) The Golden Frog engineer first noticed the behavior in September 2013 on a network used by AT&T prepaid phone provider Aio. Cricket replaced Aio as AT&T's prepaid service after the acquisition was completed in March, and Golden Frog said the encryption practices continued for prepaid customers. Cricket's data plans start at $35 a month and do not require a contract.

John Levine is a senior technical adviser to the Messaging, Malware and Mobile Anti-Abuse Working Group, an organization with member companies including Apple, Google and Verizon. While it is unclear whether Cricket intentionally prevented its customers from encrypting e-mails, Levine said, "the result is exactly the same."

More and more people are taking steps to protect themselves from spying eyes, Levine said, "and if you're going to interfere with that, you need a really good reason."