The very openness of the early internet fueled its growth worldwide. Packet-switched networks, borne of a Cold War era fear of nuclear devastation, were built to be easy to set up, and resilient to outages and failures.
We’ve come to learn that thieves, governments, and corporations have exploited this openness to amass (what was thought to be) private data on an enormous scale. And while we must use these open networks to participate in today’s connected society, it doesn’t mean that we must relinquish our expectation of privacy when we use them.
So we use encryption. Encryption has a storied history, dating back to Spartan armies scrambling messages passed on tablets. Like all forms of encryption throughout history, the idea is that a secret message is hidden somehow in a manner that can be transmitted openly, but only a trusted few can understand.
With packet-switched networks, that encryption needs to be in two places — in transit, while the data is being communicated to the server, and in storage, when the data is “at rest” (so to speak) in the cloud.
In transit, your data is protected with SSL, which is a great start. SSL works as sort of a system of trust based on certificates — people typically will purchase a certificate for their server, guaranteeing that server is who it’s representing itself to be. With certified servers on both sides of the data transmission, that data is secure and encrypted while it’s in motion.
It isn’t perfect. An error in an SSL library caused the famous Heartbleed bug, which affected millions of servers across the internet. The library is maintained by a small group of people with limited funding, but now has much more attention from large companies and organizations that have a vested interest in a secure internet.
When your data isn’t moving around, there are a variety of ways it can be encrypted on the server — all revolving around the idea of private key cryptography. Here’s a great video that explains it with paint. The basic idea is that you can secure a file with two keys, a public key and a private key. A public key is like a really strong lock, which can’t be opened unless you have the private key. You can even give away copies of the lock so other people can encrypt things for only you. Others can close the lock, but only you have the private key to open the lock.
This isn’t perfect either. First, you have to be certain you’re the only one in possession of the private key. If you make copies of that key, everyone who has a copy can access your data. Other storage providers, like Google and Dropbox, keep a copy of your key. They say this is for convenience, but oftentimes with cryptography, convenience leads to insecurity. Since privacy is so important to us, Sync doesn’t keep copies of your private key.
The combination of these two methods of encryption keep your data away from bad actors who want to capture and exploit your personal data for their own ends. Thieves stealing passwords through phishing, corporations mining your data, and governments reading your emails all rely on the fact that not every communication is encrypted with both methods. The more plain text they can harvest, the more powerful they can become.
Platforms like Sync, along with other technologies like VPN, Tor, secure email (with PGP, and now Dime), local file system encryption, and strong passwords can all work together to form a patchwork quilt of security. Legislation (like HIPAA) can encourage companies to take more care with private data. But what is really needed is a stronger, more cohesive technical shield around your information.
For these more protective networks of the future, Sync believes all data must be encrypted by default — from source to server to destination — to keep private information private. Along with Sync for storage, security researchers, motivated by recent events, are just now beginning to develop other platforms to do that.
