Tech Companies and the Long Tradition of Lying About Encryption
When we saw that Mashable included encryption in their 11 Technologies to Watch in 2017, we were thrilled, but I also thought about the misuse I’ve seen around this term over the past decade. Cloud vendors have been quick to toss it around, and unfortunately the way they use it is misleading for the majority of customers.
At the heart of the issue is how hard it is for end users to decipher the encryption terms cloud vendors use to describe their security. Doing so would require distinguishing between:
- Transport encryption,
- Data encryption,
- Metadata encryption,
- Encryption at rest vs. in motion, and then most importantly
- Evaluating key management and access.
This vocabulary is foreign to most folks. And vendors often exploit the inaccessibility of these topics to make a series of statements that, while often factually correct individually, together create a false sense of privacy.
In 2007, when SpiderOak launched an online backup product for Linux, Mac, and Windows, the competitors were companies like Xdrive, Mozy, Carbonite and SugarSync. Each competitor claimed that customer data was fully encrypted. Even the most credible journalists writing for well-funded publications with fact-checking budgets were fooled and repeated these misleading claims to end users.
In 2009, when Dropbox launched, they made misleading claims about the encryption of customer files and their internal ability to access customers’ data or provide that data to third parties, leading to a well-publicized FTC deceptive trade practices complaint. The deception had been so effective that leading software engineers were shocked to discover Dropbox had full access to the data they had stored online.
In response to customer requests on one of their forums, Mozy explained why it would be “impossible” for a storage service to protect users’ privacy by encrypting the file and folder names customers store in a way Mozy could not read. SpiderOak customers had been enjoying the impossible for years.
Recently Slack made the unbelievable claim on Twitter that their service includes end-to-end encryption (it doesn’t.)
Lately, there’s a new phrase, “customer managed keys,” used by cloud providers. It sounds really great, but it is typically just elaborate hand-waving that ultimately allows the vendor and their staff the same level of data access as if the data were not encrypted at all.
Over the years, we’ve found ourselves frequently explaining, “We don’t know the names of your files, the names of your folders, the date they were created or last modified or accessed, their size, their checksums or hashes…in short we know nothing about your data except how much you store.” So we started using the phrase Zero Knowledge as a headline to this long explanation.
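As an added illustration of the vocabulary above (this is not SpiderOak’s code, and the cipher is a toy HMAC-SHA256 counter-mode construction so it runs on the standard library, not a vetted AEAD): a model of “encrypted at rest” with a vendor-held key beside client-side encryption under a key derived from the user’s passphrase, showing exactly what the vendor can and cannot read back. All file names, contents and passphrases are constructed sample values.

```python
import hashlib
import hmac
import os

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Client-side key derivation; the passphrase never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def _subkeys(key: bytes) -> tuple:
    # Separate keystream and MAC keys (illustrative construction, not a vetted AEAD).
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + 31) // 32
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(blocks))[:length]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class VendorKeyStorage:
    """'Fully encrypted at rest', but the vendor holds the key and names stay in the clear."""
    def __init__(self):
        self.vendor_key, self.objects = os.urandom(32), {}
    def upload(self, name: str, data: bytes) -> None:
        self.objects[name] = seal(self.vendor_key, data)
    def vendor_view(self) -> dict:
        # Everything staff, or anyone who can compel them, can read back.
        return {name: unseal(self.vendor_key, blob) for name, blob in self.objects.items()}

class ClientKeyStorage:
    """Client encrypts names and contents; the service only ever receives opaque blobs."""
    def __init__(self):
        self.objects = []
    def upload(self, key: bytes, name: str, data: bytes) -> None:
        self.objects.append((seal(key, name.encode()), seal(key, data)))
    def vendor_view(self) -> list:
        # The only metadata left to the vendor is how much each object occupies.
        return [(len(n), len(d)) for n, d in self.objects]
```

Both classes accept the same upload, yet only `VendorKeyStorage.vendor_view()` yields names and plaintext; the client-keyed store exposes nothing but sizes, which is the one thing the quoted explanation concedes the service still learns.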
Cryptographers have pointed out through the years that SpiderOak’s marketing term Zero Knowledge is inconsistent with the academic definition. Maybe it doesn’t mean what we think it means? SpiderOak was the first company to use this phrase commercially and the need has only grown stronger.
It’s important to recognize that cryptographers already understand encryption and the terminology is intended for everyday folks. When I’m speaking with a technologist about how SpiderOak products work, I would typically use the phrase end-to-end encryption. But to my knowledge, no company has yet been shameless enough to deceptively use the term Zero Knowledge, which is why we use and own it in our marketing. Our goal is to let our customers know they are 100% safe and in control of their data at all times.
MAKING END-TO-END ENCRYPTION MAINSTREAM
When consumers like you demand more from tech companies, you are able to change the status quo and drive innovation. If we want to end mass surveillance, the only way this can happen is through viral adoption of end-to-end encrypted products and services! We’re glad to see that WhatsApp and iMessage have helped make this concept more mainstream, and more companies are sure to follow.
Meaningful encryption is hard to do, but we believe it’s critically important, and a trend we will continue to see in 2017 and beyond.
What do you think? Send us a comment on Twitter.
Originally published at SpiderOak.com on January 4, 2017.