FAQ

Frequently Asked Questions

PRIVUS® is a Swiss-based company, born out of our experience in real world digital surveillance and the urgent need to bring privacy back under the control of the individual.

PRIVUS Security Services and Policies

Why do I need to worry about privacy?

Article 12 of the Universal Declaration of Human Rights states that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence”. The right to privacy is one of our fundamental human rights, and reflects one of our principal concerns in both our personal and professional capacities. Privacy, however, has become an illusion in the digital age.

As digital communications increasingly permeate every aspect of our lives, the focus of digital surveillance for political, security, economic and criminal motives has become the individual and his smartphone. Everyone’s digital communications are systematically monitored worldwide. Criminal hacking, identity theft, and corporate espionage are becoming increasingly common, especially as the technology has evolved to lower the costs and skills required to undertake such digital intrusions into our privacy.

The only effective protection against these threats is through the type of end-to-end encryption that we employ at PRIVUS.

Is your service 100% secure?

All our solutions have been developed to protect our clients’ communications against a wide range of attacks ranging from illegal digital surveillance and industrial espionage to sophisticated dragnet interception.

Does that include government entities such as the NSA?

Recent leaks of internal NSA documents in German newspapers clearly state that the type of encryption we use is classified by the NSA as “catastrophic”. Mathematically, with the computational power currently and foreseeably available worldwide, even under ideal conditions our encryption algorithms would take 9×10⁴⁰ billion years to crack.

If your code is open source, may I have a copy?

The PRIVUS SecurLine app and the underlying network are proprietary. Our PRIVUS SecurLine code, however, is based on open source encryption libraries, which are available to anyone. Nonetheless, we will allow clients to access and verify our full source code.

Is PRIVUS certified?

Yes, PRIVUS SecurLine is certified by an EU/NATO member state for classified communications. PRIVUS also undertakes an ongoing program of independent testing, auditing and certification of its applications and systems.

How can I be sure that you really are using unbreakable encryption and my calls and texts are truly private?

Privacy and security are our core business and our experienced team knows what works in the real world.

We use open source software that has been tested and reviewed by thousands of the world’s best cryptographers and adopted by the most demanding users, including governments for top-level security communications.

PRIVUS undertakes an ongoing program of independent testing, auditing and certification of its applications and systems.

Furthermore, we encourage clients that have the requisite technical skills to verify our claims themselves.

What is “military grade” encryption?

“Military grade” is not an official designation. It is a concept commonly used to describe certain types of encryption considered sufficiently robust to be used by the military for its highly sensitive communications. Our encryption is indeed employed by military services and intelligence agencies worldwide.

Of course. The right to privacy is enshrined in article 12 of the Declaration of Human Rights and is a basic human right in any democracy. Furthermore, our Terms of Service clearly state that services will be terminated if used with any unlawful or criminal intent.

Where are you located?

We are a Swiss company located in Zug. We believe that Swiss privacy laws are an important additional layer of protection for our clients’ privacy.

Is your service available to anyone?

Yes, anyone can use our service as long as they adhere to our Terms and Conditions and don’t use it for any illegal purposes.

Our technology has been developed for those who require absolute privacy and the need for secure communications. Typically, we cater to government entities, businesses, national and international institutions and individuals who place a premium on their privacy.

Do you keep logs?

In keeping with our philosophy, we log the absolute minimum information needed to protect our network and our clients.
We are fully compliant with Swiss law and we currently log minimal metadata information for a maximum of seven days, after which we delete the log files definitively. For more information please see our privacy policy.

Will your service work in any country?

Our services work anywhere in the world where there is a suitable Internet connection.

What is GDPR?

The General Data Protection Regulation (“GDPR”) is an EU-wide regulation that came into effect in May 2018, to unify existing regulation across the EU and to strengthen the rights of individuals within the EU over their personal data, regardless of where the company is actually located. This means that even non-EU companies are subject to GDPR as long as they collect any data from EU citizens. Among other measures, GDPR establishes an individual’s right to request the erasure and transfer of personal data, and the requirement for business processes for products and services to be private by design as well as by default. Any company in breach of GDPR can be fined up to 4% of its global annual turnover.

You claim to be fully compliant with GDPR?

Because privacy is the essence of what we do, all our business processes and everything we design has privacy at its core. In addition to our solutions, which are both private and secure by design and by default, we work on the basis of a zero-knowledge architecture, which collects no personal data from our clients. So yes, we are and were compliant with GDPR even before its existence.

Using my PRIVUS apps

How do I know when my PRIVUS SecurLine call is secure?

By default all your calls are automatically encrypted. If you can hear the other side then your call is already encrypted.

When you dial a PRIVUS SecurLine number you will have to wait 1 or 2 seconds while the ephemeral encryption key is negotiated between the 2 devices. Once the key is exchanged you will hear the other party (if the key can’t be negotiated for some reason you will hear no audio at all) and you will see a green padlock around the avatar on your screen indicating the call is secure.

A yellow padlock indicates an encrypted call which has not yet been authenticated through an authentication check (it is still encrypted, just not yet authenticated).

This authentication check is performed by verifying the two code words that will appear on your screen during your first call with a new device. You should both read aloud these two words to each other. If they match click Accept and you’re done. The padlock should now turn green and you don’t have to perform this authentication any longer in future calls between the 2 phones. This one-time only authentication check is needed to protect against a highly unlikely but very sophisticated attack.

To undertake an authentication check at any time, simply press the yellow or green padlock during your call and two randomly generated words will pop up again on your screen. If you ever encounter a situation where the 2 code words do not match, hang up the call immediately and contact us.

How good is the sound quality of PRIVUS SecurLine?

Our HD audio and video quality is far superior to regular PSTN or GSM phones. The quality of the call, however, depends greatly on the speed and quality of the internet connection of each call participant.

Can I call a standard mobile number or a landline from PRIVUS SecurLine?

Not in our cloud solution. For security reasons, our network is completely separate from the standard telephone network. As such, you can only make and receive calls to other PRIVUS subscribers within our network. You cannot call the emergency services numbers from the PRIVUS network.

PRIVUS SecurLine is a smartphone application, however, and does not interfere with the normal use of your mobile phone.

Technical Questions

What is open source technology and why does it matter?

Open source software is simply software where the code is available for review.

This is a crucial and defining characteristic of our business model. Many cybersecurity solutions are built on proprietary software, which can, and usually does, hide a number of weaknesses such as “backdoors” and other vulnerabilities.

In our case, our code can be scrutinized to ensure that it contains no vulnerabilities and is encrypting the data properly as promised. PRIVUS relies on open source software for its applications as well as on its secure network to ensure the protection of our clients’ privacy. This is why we chose linphone (one of the first linuxphone open source SIP stacks) as the building block for PRIVUS SecurLine, and we regularly conduct external whitebox security audits to ensure it is secure.

Are you a blockchain company?

PRIVUS was born as a “classic” crypto company. Nonetheless our founder has been a blockchain enthusiast for many years, which is why PRIVUS intends to incorporate blockchain technology into our products. Specifically, as part of our ongoing Perpetual Threat Prevention™ program, PRIVUS is researching the possibility of leveraging the unmatched security of blockchain technology to provide a secure authentication layer to our technology.

What encryption protocols do you use in PRIVUS SecurLine?

We use the ZRTP protocol to negotiate new, ephemeral session keys, only on the client’s device, for each phone call, and we use the AES cipher with 256-bit key sizes, in both CM and GCM modes, depending on whether we are protecting data in motion or at rest on the device. This is the same cipher and key size that the US government itself requires to protect its own Top Secret communications (the highest level of security). Furthermore, we employ classic 3072-bit Diffie-Hellman key negotiation, as well as SHA-384 and Elliptic Curve 25519 (X25519) and the double ratchet protocol for group messaging and file encryption.

Will quantum computers make existing encryption algorithms obsolete?

Notwithstanding the complex and lengthy path to the development of a fully-functioning, quantum-based computer, these are expected, at least in theory, to solve certain problems significantly more quickly than existing classical computers. PRIVUS, however, uses encryption algorithms and key negotiation protocols which are considered quantum resistant; even quantum computers would have a hard time with our existing encryption, but the truth is that no one really knows the real impact quantum computers will have on cryptography, and we assume that if/when they become reality there will also be new quantum resistant algorithms which we can then adopt. As we are firm believers in using tried-and-tested technology that has withstood intense scrutiny from the international cryptographic community, we are not tied down to any specific cryptographic primitives and are able to substitute our existing encryption with newer standards as they become available and prove themselves trustworthy. Protecting against threats from quantum computing is a priority in our development pipeline.

Won’t quantum computers break all encryption? How can you claim that PRIVUS SecurLine is quantum resistant?

Quantum Computers (QC) will be able to break most existing encryption schemes used today, but it is false that QC will break all encryption. Some mathematical problems, like factoring the product of large primes, which is the basis of most asymmetric encryption schemes like PKI that underpin internet security, will be easily solved by QC, thus breaking the encryption. Other types of mathematical problems will continue to be safe against QC. Symmetric ciphers like AES, which we employ in PRIVUS SecurLine, are quantum resistant. The ZRTP protocol we use in PRIVUS SecurLine to negotiate the AES session key is based on the original zfone project and employs a feature called self-healing and key continuity. This means that even if the classic Diffie-Hellman 3072-bit key negotiation we use to establish a symmetric AES256 session key for each call is one day broken by quantum computers, the call would still not be decrypted because of the extra initial secret that’s mixed in to establish a new session key for each call. This is not a perfect solution but it is a powerful method to protect current client communications against QC while we await the emergence of tried and tested post-quantum encryption schemes. Protecting against threats from quantum computing is a priority in our development pipeline.
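The two-word authentication check and the key continuity described in this FAQ can be modelled in a few lines. The following is an added example, not PRIVUS or linphone code. It assumes a simplified derivation (not the RFC 6189 key derivation), a toy Diffie-Hellman group and a constructed word list, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Toy DH group to keep the example short (assumption): NOT the 3072-bit
# group the page mentions. Only the key-mixing logic below is the point.
P = 2**255 - 19
G = 2
C = "bdfghjklmnprstvz"  # 16 consonants for a constructed 256-word list

def sas_word(b):
    """Constructed stand-in for a real code-word list (one word per byte)."""
    return C[b >> 4] + "a" + C[b & 15] + "o"

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared(priv, peer_pub):
    return pow(peer_pub, priv, P).to_bytes(32, "big")

def kdf(s0, label):
    return hmac.new(s0, label, hashlib.sha384).digest()

def derive(dh_result, retained):
    """Simplified ZRTP-style derivation: s0 depends on BOTH the fresh DH
    result and the secret retained from the previous call (b"" on first)."""
    s0 = hashlib.sha384(dh_result + retained).digest()
    sas = kdf(s0, b"SAS")
    return {
        "key": kdf(s0, b"session key")[:32],          # 256-bit session key
        "sas": (sas_word(sas[0]), sas_word(sas[1])),  # two code words
        "next_rs": kdf(s0, b"retained secret"),       # cached for next call
    }

def call(alice_rs, bob_rs, mitm=False):
    """One call setup. With mitm=True an active attacker substitutes her
    own DH public value in both directions."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    if mitm:
        _, m_pub = keypair()
        a_sees, b_sees = m_pub, m_pub
    else:
        a_sees, b_sees = b_pub, a_pub
    dh_alice = shared(a_priv, a_sees)
    alice = derive(dh_alice, alice_rs)
    bob = derive(shared(b_priv, b_sees), bob_rs)
    return alice, bob, dh_alice

def demo():
    # First call between new devices with an attacker in the path: the two
    # sides derive different secrets, so the words read aloud will differ
    # (a 16-bit code leaves the attacker a 1-in-65536 chance of a match).
    ma, mb, _ = call(b"", b"", mitm=True)
    # Honest first call: words match, both sides cache next_rs.
    a1, b1, _ = call(b"", b"")
    # Second call mixes in the cached secret. Suppose its DH result is
    # later recovered by an attacker who never saw the retained secret.
    a2, b2, dh2 = call(a1["next_rs"], b1["next_rs"])
    guess = derive(dh2, b"")["key"]
    return {
        "mitm_words": (ma["sas"], mb["sas"]),
        "mitm_keys_differ": ma["key"] != mb["key"],
        "first_call_words_match": a1["sas"] == b1["sas"],
        "second_call_keys_match": a2["key"] == b2["key"],
        "dh_alone_recovers_key": guess == a2["key"],
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The model also shows the limit the FAQ concedes: the first call between two devices has no retained secret, so its key depends on the DH result alone.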

Is your service available to anyone?

We do not offer our services anonymously to anyone. All our clients are known to us and are required to go through a KYC process before using our services.
