NEW YORK -- Encryption to most people either just happens, or it doesn't. A select few have the skills to fiddle with keys, code, and command prompts needed to secure emails and documents, but the vast majority rely on tech titans like Google and Dropbox instead to do the hard work.
In the aftermath of the global surveillance leaks, Nadim Kobeissi wants to give ordinary people on the street the keys to their own kingdoms: by making encryption easier to use.
The 24-year-old developer, now living in Paris for his PhD program, spent most of his formative teenage years working on end-to-end secure chat client Cryptocat, as well as miniLock, a passphrase-based encryption standard. A little less than a year ago, Montreal-based tech investor Vincent Drouin tasked him to forge something out of the fire of his previous successes. After Kobeissi carefully crafted an eight-person team, the Peerio app was born.
Peerio is an encrypted messaging and file storage app for Windows, Mac, and the Chrome browsers that takes the likes of Gmail and Outlook, HipChat, and Dropbox to task. The app puts its users in the privacy driving seat, clearly marking for the lay user when something is encrypted.
On Monday, the team unveiled a significant update: a revamped, cleaner user interface, improved synchronization across devices, and an early-April timeframe for its mobile apps. Since launch, the company has seen extraordinary growth, from 50 users in initial testing to 15,000 users in a month after its mid-January debut.
"We're offering all the tools you need to get work done, but also doing so with a level of encryption that most services just simply do not bother to implement," Kobeissi said on the phone.
The app aims to be simple. According to Kobeissi, "There's nothing new to learn," Indeed, the user interface is easy -- with features like Gmail's "compose" window and Dropbox's drag-and-drop functionality included. The user interface and overall experience is a particular focus for the team. Security and privacy shouldn't be difficult, but encryption software has a bad rap for making it so.
What sets this app apart from most other messaging and file storage services is the enabled-by-default end-to-end encryption, which lets users hold onto the keys. The aim is to make the data unreadable and useless to anyone who might succeed in snatching it. "We're trying to combine all the reasons why people use PGP . . . into an app that makes sense," Kobeissi said.
PGP, or "Pretty Good Privacy," is an encryption tool that reportedly still causes headache for the National Security Agency, according to leaked documents by whistleblower Edward Snowden. With more than two-decades of trust and reviewed public scrutiny behind the project, it's world-renowned as the best cryptographic privacy standard. But it's clunky and difficult to use. Even with tools like the Gnu Privacy Guard (GPG), a friendlier version of the software that aims to make the privacy tool more mass-market, only a select few who truly understand how it works can use it.
Perhaps a controversial decision in some circles, Peerio does not use PGP for its cloud-based file storage and messaging service.
"If anyone asks for our user's information, we aren't capable of giving them data, their messages, or their files. This is Peerio's purpose."— Peerio developer Nadim Kobeissi
"There's been a lot of talk about how PGP is basically an architectural dead-end for developing new applications," Kobeissi explained.
Simply put, PGP may be lauded as offering the best security available, but it's almost impossible to use without considerable user experience roadblocks.
The Peerio team, needing a better security engine, turned to miniLock, an open-source standard, developed by Kobeissi and released in mid-2014.
Kobeissi admits the standard is still in its infancy, but trumpeted its successes.
miniLock uses passphrase-based security, instead of traditional passwords. Peerio enforces that phrase, which Kobeissi says any brute-force search would "essentially take forever." It also means the user can take that passphrase-based identity to any machine as if it were their own. As the beating heart to Peerio's encryption, miniLock's code has been peer-reviewed and verified by the security community, and remains in the public domain so it can be continuously and independently analyzed, audited, and scrutinized by the security community. Kobeissi also had Peerio audited by a third-party security firm to ensure the code was secure and ready for a public debut.
PGP may have decades-worth of trust to its name, but Peerio has just months. Kobeissi argued that because the app's encryption code is open-source, it makes it near-impossible to include backdoors into the code. That takes Kobeissi and his team out of the trust equation, he said, putting the trust squarely "in the math and the programming."
That open-source model makes it difficult to make money. But thanks to a donations drive that exploded last month, the program's sole developer staved off sunsetting the program. Kobeissi said the team wants there "always" to be a free version, and will offer tiered cloud storage subscriptions so individual users can benefit from the service while larger companies and enterprise customers can pay for more storage.
Encrypted files are stored in Peerio's private cloud, based in a Canadian datacenter. The team is not naive to the dangers of cloud storage, particularly in the wake of the Snowden leaks that equally implicated Canada's government in the global surveillance ring. Kobeissi said the decision to set up shop in Canada was for the developers' convenience because the datacenter was a short drive away.
That may change in the future should the global geopolitical situation change. When the Cryptocat service was under threat, Kobeissi relocated its servers to Sweden, known to be a safe haven for technologists and even pirates, like The Pirate Bay which evaded authorities for so long.
"If the servers were to be challenged in Canada, we should respond to the challenge that sets an example and a precedent for data privacy in Canada," he said. "If we got an unreasonable request for server information, we have committed as a company to respond to that request in a way that's legally compliant."
He said the only information he could hand over was the time when someone logged in, and the computer's Internet address that was used, hinting that the data is as good as useless.
He was clear that Peerio would "make a stand" for upholding data privacy laws in Canada.
"We could be forced to hand this data over, but to be clear, we are an encryption software company, and we are not going to be able to give over your data," he said.
I asked him if the NSA, or the FBI or any other intelligence agency could force him to hand over a user's data. Kobeissi chuckled at the thought: "We never have access to any encryption keys."
"They have to go to the users, then?" I asked.
"They have to go to the user. In every way, we are unable to hand over the [encryption] keys," he said.
Kobeissi wants Peerio to expand, and is optimistic about the future. Peerio is a for-profit business, unlike Kobeissi's former projects, Cryptocat and miniLock. But he's committed to open-source, free software, and the simple principle that easy and simple-to-use encryption should be available to everyone.
With an eye on the enterprise customer, he was cautious about the immediate future. "We think our technology is better. We offer security guarantees that others can't offer," he said. "Maybe we're too small right now to handle the support requests of a larger company," he admitted.
Kobeissi sees small-to-medium-sized businesses as a realistic prospect in the near-term.
A company that's made its entire front-end app, its innards, and its encryption open to the public to inspect, to download, and to use for free doesn't traditionally make for a strong business model.
But Kobeissi sees it differently. He hopes Peerio's openness and transparency is "more of a sign that we are deserving of a customer's investment."