To combat government data requests, Box wants customers to own their cloud encryption keys

Summary: Will it make it harder for the U.S. government to acquire your customer and business data? Not really. But at least soon it might have to knock directly on your door.

Box is working on a plan that may thwart government data requests — by handing its customers the encryption keys to their cloud data.

Chief executive Aaron Levie told attendees at the InformationWeek Conference in Las Vegas, NV on Wednesday (via Ars Technica) that the company continues to work on a system that would let customers store data in its cloud, but would hand them the keys to their own kingdom.

"In the history of our entire company this has never happened to an enterprise customer," Levie said, explaining that "blind subpoenas" — where governments go directly to the cloud provider for data without that customer being told — remain a risk.

Not for much longer if Levie gets his way. 

The enterprise-focused cloud storage firm's plans reportedly started back in September, Levie told Ars Technica. He said that making something "NSA-proof" may not be achievable by any cloud storage firm or service, but that's not to say the company wouldn't try anyway.

Box uses 256-bit AES encryption for data at rest, and SSL encryption for data in transit. The company is compliant with European data protection standards and U.S. health privacy laws. But there will still be a portion of its customer base that requires that little bit more.

The idea of letting customers themselves hold on to their cloud encryption keys was born.

Will it actively protect against U.S. government surveillance? No. But it does help, simply because if Box doesn't have the keys to your cloud, it can't hand them over. Customers, however, may get a knock at the door in the middle of the night with a warrant for those keys, but at least the customer will know their data is being requested, instead of being led down the "blind subpoena" path. If the corporate customer knows, it can challenge it in court.

But it won't happen overnight, Levie explained at the conference, as there are "a lot of moving pieces."

The likelihood is that the bolstered security feature will be targeted at those who really need it rather than serving it out to the wider general user base. 

(via Ars Technica)

Topic: Security

Talkback

4 comments
  • Is this also for the "free" box users or

    only paying customers ?

    In the past, the AES encryption was only for paying customers.

    BTW, wuala is already doing this, for ALL customers.
    GrabBoyd
  • Have the "custodian" in a foreign country.......

    ......unknown to LEGAL and the CEO/CIO?
    BRILLIANT!
    kd5auq
  • I'm in favor of this

    After all, private vendors aren't any more trustworthy than government officials are.
    John L. Ries
    • Corporate business requires TRUST!

      Mom and pop accounts don't generate much revenue!
      kd5auq