Just days after two secure email services shut down over fears of US government pressure, secure file storage service SpiderOak is to launch a pilot program to accept bitcoin.
The company, which enables users to store their files securely while retaining control of their own encryption keys, offers a standard free service providing 2 GB of secure storage for life. This pilot will see it offer 25 account upgrades to its 100 GB service for a year, according to spokesperson Daniel Larsson.
“The potentially anonymous and proof-centric nature of cryptographic currencies certainly ties into our overall messaging. Based on all of the above, it seems rather natural to at least start experimenting with cryptocurrencies as a form of payment,” says Larsson, adding that the pilot is designed to gauge interest in a potential fully-developed bitcoin API for the system.
The company has been privately promising a blog post launching the pilot for several days. It was delayed over the weekend due to the news that Silent Circle would be shuttering its secure email service.
That company, founded in part by Phil Zimmermann, the father of the renowned PGP encrypted communication technology, operated a service that enabled users to send secure emails without having their private encryption keys managed by a central service. Silent Circle cited concerns that the Internet protocols underpinning its mail service were too insecure to guarantee the privacy of information sent that way. "Email as we know it with SMTP, POP3, and IMAP cannot be secure," it said. There’s an interview with Zimmermann here.
Silent Circle shuttered its service in response to the closure of another secure communications service, Lavabit, allegedly used by whistleblower Edward Snowden as recently as March. Lavabit owner Ladar Levison decided to shut down after ten years, explaining that he was legally prevented from talking about why, and promising to defend the Constitution in the Court of Appeals. All of this led the Electronic Frontier Foundation (EFF) to suggest that government pressures and gag orders were involved, and to call for more transparency.
SpiderOak is different from Silent Circle and Lavabit, in that it only offers file storage, rather than secure email or other forms of secure, private communication. But they all have one thing in common: their key selling point is that they couldn’t decrypt your data, even if they wanted to. SpiderOak and Silent Circle don’t hold a user’s private encryption keys centrally. Instead, they allow the users to control the keys on their own local devices, which is important, because it makes security more decentralized.
If data is encrypted by a service provider that also holds those encryption keys centrally, then there is a danger that a third party could force that service provider to give up the keys, enabling it to decrypt your data. Security researchers have criticized mainstream service Dropbox for just this reason.
Lavabit did handle private keys centrally (see archived explanation here), but it encrypted the keys themselves using the user’s password. That meant that if a third party was able to intercept communications between its network and the user (or even compromise the user’s computer) and obtain the password, it could potentially decrypt the user’s data, because it could descramble the centrally-encrypted key.
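The three key-custody arrangements described above, as an added sketch that is not code from the article or from any of the services named. The function names and the `model` labels are hypothetical, and the cipher is a standard-library stand-in (an HMAC-SHA256 keystream with a MAC) where a real system would use an AEAD such as AES-GCM.

```python
import hashlib, hmac, os

def _sub(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Stand-in cipher (HMAC-SHA256 keystream) so the example needs only the
    # standard library; real systems would use an AEAD such as AES-GCM.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, plaintext)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or modified data")
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

def store(model, data, password=b""):
    """Return (record the provider keeps, data key on the user's device)."""
    key = os.urandom(32)
    record = {"ciphertext": seal(key, data)}
    if model == "provider-held":        # provider keeps the key itself
        record["key"] = key
    elif model == "password-wrapped":   # provider keeps the key, encrypted under the password
        record["salt"] = os.urandom(16)
        record["wrapped_key"] = seal(kdf(password, record["salt"]), key)
    return record, key                  # "client-held": record has ciphertext only

def recover(record, password=None):
    """What a party holding the provider's record (and maybe the password) can read."""
    if "key" in record:
        return unseal(record["key"], record["ciphertext"])
    if "wrapped_key" in record and password is not None:
        try:
            key = unseal(kdf(password, record["salt"]), record["wrapped_key"])
        except ValueError:
            return None
        return unseal(key, record["ciphertext"])
    return None
```

`recover` returns the plaintext from the provider's record alone only in the provider-held case; in the password-wrapped case it needs the password as well, and in the client-held case the record is never enough.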
These are not theoretical concerns. All of this comes at a time of heightened tensions over government interference in online services including social networks and email. Snowden went public with information about PRISM, an NSA surveillance operation said to involve many large online service providers, including Google, Microsoft, and Apple.
“I think a lot of people, at least before the PRISM news broke, lived with the belief that the Internet was just 'too big to police' and felt a somewhat false sense of security that as long as they 'did nothing wrong', they were still anonymous,” says Larsson.
“For the general public, the realization that any data they store or transmit online can and likely will be intercepted and at least indexed by government agencies is likely something that will fuel a newfound interest in security and privacy technology.”
The idea behind marrying bitcoin with a service like SpiderOak is that, managed properly, a user could not only completely encrypt the data, but also use the service entirely anonymously.
And, while two anonymous communications services closed last week, there is another alternative: Bitmessage, the secure communications network based on the Bitcoin protocol. Demand for this service is increasing. This chart shows hourly messages processed by the network from July 16 until midnight on August 12. The first big spike occurs around August 6, a couple of days before Lavabit’s Levison publicly pulled the plug.
As decentralized secure communication services begin disappearing, those with a reason to use them will flee to the few still available. The question is, if more of them begin using decentralized systems for communication, will authorities be able to compromise them, or force them out of operation? The less centralized the system, the more difficult that will be.