In the wake of the voluntary shutdown of two secure email services this past week to prevent the NSA from obtaining information about their subscribers, Internet bad boy Kim Dotcom’s cloud-based file hosting service Mega is stepping up.
The company is working on a secure, encrypted email service that will extend the end-to-end encryption and contacts functionality the site already provides for documents, Mega CEO Vikram Kumar confirmed to ZDNet.
“Encryption is just one component of the overall security framework,” Jason Thompson, director of global marketing for SSH Communications Security, told the E-Commerce Times. A workable system for the general public would require “a high level of technical knowhow across their own personal networks and devices” among users in general, and “that is not really practical.”
It is possible that Kim Dotcom is seeking to paint himself as a white knight riding in to save the masses from wide-ranging and deep governmental surveillance of their communications.
“Now is a great time for marketing to exploit fear,” remarked Randy Abrams, a research director at NSS Labs. “I would put more credence in this being a marketing move than a solution.”
What Mega Claims to Be Doing
Mega will offer end-to-end encryption, which will make email search more complicated than it would be if emails were stored in plain text or available in plain text on the server side, Kumar reportedly said. When email is encrypted end to end, all the functionality has to be built into the client side, which is very difficult.
Email communications with unencrypted contacts will pose another problem.
Mega is doing cutting-edge work to solve these issues, Kumar reportedly claimed. That includes taking advantage of technologies such as Bloom filters, which weed out false negatives.
Bloom filters are used to search large databases of chemicals, as well as by the Google Chrome Web browser to identify malicious URLs. Bitcoin also uses Bloom filters to verify payment. Google BigTable and Apache Cassandra use them to reduce the number of disk lookups for database queries.
Mega is also working on ways to remain secure even if SSL and its successor, TLS, are compromised.
Mega did not respond to our request for further details.
The Holes in Mega’s Ideas
If the origin or destination of a message is compromised, encryption isn’t going to help, NSS Labs’ Abrams told the E-Commerce Times. “Security is risk management; there’s no such thing as 100 percent security.”
Further, “Conspicuous systems probably aren’t the best defense against government,” Abrams continued.
It’s likely that governments “would simply change tactics and start targeting the machine the client is installed on” if Mega puts security functionality on the client, SSH Communications’ Thompson suggested. Mega’s solution “might slow [governments] down, but it won’t stop them entirely.”
Remember those advanced persistent threats that security experts warn against? Those long-term persistent attacks? Well, the NSA “can effectively undertake an APT against any terrorist group, entity or individual — it has the capabilities and resources to do that,” SSH Communications’ Thompson pointed out.
Privacy Seppuku as Protest
Samurai used to commit seppuku — honorable suicide, also known as “hara-kiri” — as a form of protest, and Mega’s Kumar has described the closure of the two secure email providers — Lavabit and Silent Circle — as privacy seppuku.
This grew out of the corporate seppuku pledge developed by various parties, including private cloud service provider CryptoCloud. The idea is that committing privacy seppuku and turning to the courts if the NSA retaliates may help expose some of the secret surveillance activities of that organization.
However, “this is going to depend a lot on where you live,” SSH Communications’ Thompson suggested. It might fly well in Germany, where people “are very concerned about privacy,” he said, but here in the United States, privacy concerns are balanced out by national security fears generated by events such as 9/11 and the Boston Marathon bombing.