It has recently come to the attention of the ThinkPrivacy and PrivacyTools teams that Wire, the popular end-to-end encryption messaging platform had been sold or moved to a US company. After a week of questioning, Wire finally confirmed they had changed holding companies and would now be a US based company in a move they called “simple and pragmatic,” as they worked to expand their foothold in the enterprise market. This also came alongside the news that Wire had accepted more than $8 million in Venture Capital (VC) funding from Morpheus Ventures, as well as other investors.
Morpheus Ventures holds a portfolio including companies in healthcare, voice AI, life insurance, and retail customer data analytics: All sectors that have historically used invasive data collection methods to survive. Why would a VC with a portfolio centered on consumer data want to invest in a company whose mission claims to protect that very same information?
Earlier this year, Wire announced they had entered a partnership with FedResults, in a move that would bring Wire’s secure messaging platform to US federal agencies. This raised a few eyebrows, but did not alarm the privacy community as Wire remained Swiss based and beholden to Switzerland’s strict privacy laws. Today however, while much of Wire’s business will continue to be run out of their Swiss offices, with new US-based ownership it is not entirely clear how much jurisdiction the United States will have over Wire data.
This is alarming because it is well known that Wire stores unencrypted metadata for every user.
In an interview with TechCrunch, Wire CEO Morten Brøgger said of privacy laws: “We are in Switzerland, which has the best privacy laws in the world” — it’s subject to Europe’s General Data Protection Regulation framework (GDPR) on top of its own local laws — “and Wire now belongs to a new group holding, but there no change in control.”
Even if he is correct, the move and statement do bring up further questions. With Wire now being a US company with contracts partnering it with US federal authorities, will those authorities now have leverage to compel Wire to give up metadata on users? Wire has investors to answer to and will not be able to risk losing large deals with clients like the US federal government. This is of course a hypothetical situation, but one to be considered nonetheless as we decide which services to recommend on PrivacyTools.
Yet another red flag, and one of the more important ones to us, was is that Wire decided not to disclose this policy change to its users, and when asked why, Brøgger was flippant in his response, stating: “Our evaluation was that this was not necessary. Was it right or wrong? I don’t know.”
We feel we do know, and the answer was that it was wrong. Privacy and security are not built solely on strong technology, but on trust. Yes, we can review Wire’s open source code on GitHub, but we can’t ever be sure that code is the same exact code that runs on their servers in practice. Yet, we have trusted them in the past because Wire had built a trustworthy reputation for themselves. We now feel that Wire has lost this reputation. By deciding to withhold information regarding its ownership and policies from its users, Wire has broken the trust our community has placed in it, and worse yet sounds almost dismissive of the worries voiced by the privacy community that had long held them in high regard.
Because of these ongoing concerns, and this break in trust in Wire’s organization, we have made the decision to remove Wire from our recommendations. It is worth noting that does not necessarily mean Wire is unsafe, but we believe it is our duty to recommend products that we as a team feel comfortable standing behind. We need to believe in the security, privacy, and integrity of our recommendations, and we no longer feel we can do that with Wire at this time.
This article was originally published to PrivacyTools on November 19th, 2019.