Who should own the keys to your digital assets?

Who should own the digital keys to your private files, and who can you trust as cloud file hosting struggles with archaic legal precedents and laws? Surprisingly, Michael Chertoff & Kim Dotcom appear to agree: you should control encryption...
Written by Oliver Marks, Contributor

The contrast between Kim Dotcom of Megaupload fame and Drew Houston, the now very wealthy CEO of Dropbox, is largely shaded by perceptions of legality and repute, but there is little to technically differentiate their two file hosting services.

'Data at rest' is the term for inactive data which is stored physically in any digital form: despite all the dizzy marketing messaging about information flying around the planet, it's the digital filing cabinet destination resting places that are so important from a planning perspective.

The momentum for moving data to the cloud is motivated by perceptions of cost savings and to cope with the huge increases in speed of business change for both individuals and businesses.

The Megaupload video embedded above was uploaded to YouTube this time last year and features various popular entertainers, including will.i.am, Mary J. Blige, Kanye West, Estelle and Diddy. It immediately drew the ire of an infuriated recording industry and was taken down. It's currently back up, and this particular version has been viewed over 14 million times.

Megaupload, of course, was subject to major US legal action in January of this year, with accusations that it facilitated millions of illegal copies of music, film and other data and claims that this cost copyright holders in excess of $500 million in lost revenue. Extradition proceedings from New Zealand to the US are underway for Mr Dotcom and colleagues, and it's an interesting legal case, to put it mildly. (In contrast, here's Mr Houston of Dropbox being interviewed for something called the tech4obama.com innovator series, a far more low-key, conservative bit of business success pablum which has 38 views so far.)

Megaupload is arguably the Napster outlaw of the Social Media/2.0 to Dropbox's establishment iTunes, but there's a much more fundamental issue at play here, and that is encryption. This is all fundamentally about the keys to access your data and your ability to control who can see it, whether it is your financial records or your illegal recordings of copyrighted long playing records, which is essentially how the music industry still views digitally published or copied media.

Dropbox holds the keys to encrypt and decrypt your data on their servers, according to another digital entrepreneur Marco Arment, so you shouldn't use it for anything valuable.

Richard Falkenrath, who was Deputy Homeland Security Advisor from 2002 to 2004, and Paul Rosenzweig are now principal and advisor respectively at the Chertoff Group. (Michael Chertoff was the second United States Secretary of Homeland Security under President George W. Bush and a co-author of the USA PATRIOT Act.)

In an op-ed titled 'Encryption, not restriction, is the key to safe cloud computing' at nextgov.org, Falkenrath & Rosenzweig argue that 'Just a small application of technological magic through encryption at rest can dispel concerns about data’s location.'

...A system of encryption where the customer controls the encryption keys solves many of the security problems that have bedeviled public clouds for the government. It would eliminate the need to insist on U.S.-only location for government cloud data centers and support personnel. All that is required is to implement an architecture that enables customers to apply encryption to data at rest before that data is transitioned to the cloud and for their customers to be the sole holders of their own encryption keys. This sort of architecture is not technically difficult; many cloud service providers do it now.

This logic also applies from your individual perspective, but the reality is that most file hosting company business models are set up to profit from your materials.

Falkenrath & Rosenzweig:

...encryption with customer controlled keys is inconsistent with portions of (cloud) business models. This architecture limits a cloud provider’s ability to data mine or otherwise exploit the users’ data. If a provider does not have access to the keys, they lose access to the data for their own use. While a cloud provider may agree to keep the data confidential (i.e., they won’t show it to anyone else) that promise does not prevent their own use of the data to improve search results or deliver ads. Of course, this kind of access to the data has huge value to some cloud providers and they believe that data access in exchange for providing below-cost cloud services is a fair trade.  

Also, providing onsite encryption at rest options might require some providers to significantly modify their existing software systems, which could require a substantial capital investment.

Marco Arment says he doesn’t put anything in Dropbox that could potentially be harmful or embarrassing if it were leaked, because he has no control of the keys:

...Dropbox isn’t just online backup, it’s a collaboration tool.  In order to offer public file sharing features, they have to be able to decrypt data that is stored on their servers.

They also need to be able to decrypt data for legal reasons – if they get a DMCA takedown notice or a subpoena from the US government requesting certain files, servers, or even racks of servers [1].  And because Dropbox hosts data for 25,000,000+ users, some of which are undoubtedly doing very bad things, the likelihood of being served with a subpoena is far greater for them than for an individual person or organization.

For similar reasons, public cloud services are more likely to be hit by hackers because they are high value targets and, by definition, accessible over the Internet.  Also worth noting – you don’t get to decide who Dropbox hires and which employees have access to encryption keys.
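The architecture Falkenrath and Rosenzweig describe (the customer encrypts before upload and is the sole holder of the key) and the trade-off Arment points to (a provider that cannot decrypt also cannot share, mine or hand over readable files) can be watched in a small simulation. This is an added example, not code from the article or from Dropbox or Megaupload: the hosting service is a stand-in dictionary, the file contents and account salt are constructed, and the cipher (HMAC-SHA256 as a counter-mode keystream with an encrypt-then-MAC tag) is chosen only to avoid third-party packages; a real client would use AES-GCM from a vetted library.

```python
"""Client-side encryption at rest with customer-held keys (added example).

The customer derives a key from a passphrase that never leaves the machine,
encrypts each file before upload, and the simulated provider stores only
ciphertext.  The cipher below is HMAC-SHA256 used as a counter-mode keystream
with an encrypt-then-MAC tag; it is used only to keep the example free of
third-party packages.  Use AES-GCM from a vetted library in real software.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32
# Constructed per-account salt: it may sit next to the files, the passphrase may not.
ACCOUNT_SALT = b"constructed-account-salt"


def derive_key(passphrase: bytes, salt: bytes = ACCOUNT_SALT) -> bytes:
    """PBKDF2 on the customer's machine: 32 bytes for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000, dklen=64)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag; a fresh nonce per file keeps keystreams distinct."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before decrypting, so a wrong key or altered blob is rejected."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


class HostingProvider:
    """Stand-in for the file host: it stores blobs and is never given a key."""

    def __init__(self) -> None:
        self.store = {}  # name -> blob exactly as uploaded

    def put(self, name: str, blob: bytes) -> None:
        self.store[name] = blob

    def get(self, name: str) -> bytes:
        return self.store[name]

    def contains_text(self, name: str, needle: bytes) -> bool:
        """What content scanning, ad targeting or a subpoena response can find."""
        return needle in self.store[name]

    def public_link(self, name: str) -> bytes:
        """Sharing without the key can only ever hand out ciphertext."""
        return self.store[name]


def upload(provider: HostingProvider, key: bytes, name: str, contents: bytes) -> None:
    provider.put(name, encrypt(key, contents))  # encrypted before it leaves the client


def download(provider: HostingProvider, key: bytes, name: str) -> bytes:
    return decrypt(key, provider.get(name))


def demo() -> dict:
    """Constructed scenario: one customer, one sensitive file, one provider."""
    provider = HostingProvider()
    owner_key = derive_key(b"correct horse battery staple")
    other_key = derive_key(b"a different passphrase")
    record = b"financial records: account 12-34, balance 9876"  # constructed sample file

    upload(provider, owner_key, "ledger.txt", record)

    result = {
        "provider_sees_plaintext": provider.contains_text("ledger.txt", b"financial"),
        "owner_can_read": download(provider, owner_key, "ledger.txt") == record,
        "public_link_is_ciphertext": provider.public_link("ledger.txt") != record,
    }
    try:  # anyone without the owner's passphrase, the provider included, fails closed
        download(provider, other_key, "ledger.txt")
        result["wrong_key_rejected"] = False
    except ValueError:
        result["wrong_key_rejected"] = True
    return result


if __name__ == "__main__":
    for check, value in demo().items():
        print(f"{check}: {value}")
```

The cost Arment describes falls out directly: because `public_link` can only return ciphertext, a share link is useless unless the owner also hands the recipient a key out of band, which is exactly the collaboration feature a host cannot offer while holding no keys.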

Various 'legitimate' businesses (and individual employees and groups) were taking advantage of Megaupload to store work materials and had their digital assets frozen after the US raids, and the monolithic business frankensuite vendors are licking their chops at supplying 'reputable' file hosting as part of a larger feature set…but of course the whole reason for the explosion of cloud vendors in the first place was to provide a solution to the cost of overpriced frankensuites.

Add in the ownership and privacy rights to your self-published digital data on social networking sites such as Facebook and Twitter, and you have a situation where the US Electronic Communications Privacy Act of 1986 is woefully inadequate and out of date for protecting your digital rights, and in urgent need of being brought up to date.

When you have the strange bedfellows of Kim Dotcom and Michael Chertoff's business arguing for file encryption, you know cloud file hosting empires are being built on less than stable foundations...
