A new German cloud storage startup is preparing to launch a service it bills as more secure than Dropbox, thanks to offering client-side encryption (which Dropbox does not). So far so SpiderOak et al.
Yet this startup is also shooting to be as usable as Dropbox — and therefore more user friendly than other security-focused cloud storage services that do local encryption. So yes, this is a ‘cake and eat it’ type claim. And yes, the usability proof of the pudding will be in the eating.
The new kid on the secure cloud storage block is called Peak Drive, and it’s due to launch this September — initially for Mac and iOS — after being developed as a side project last year by a couple of German physics students attending Heidelberg University.
A core focus for Peak Drive‘s bootstrapping team, who came up with the idea for the service back in February 2013 — just before Edward Snowden’s NSA leaks revealed the extent of government security agencies’ digital snooping — is ease of use and accessibility to the average consumer, says co-founder Marius Blaesing.
That’s what will set it apart from similarly secure Dropbox rivals, he argues. The team is also focused on making sure convenient collaboration features, such as the ability to share a folder with one or more users, are not edited out of the service because of its security focus.
“Peak Drive behaves for the user like Dropbox, in terms of it’s a cloud storage where you have files on your desktop device or laptop or smartphone, and every file you put in there is syncronized with our servers and therefore syncronized to your other devices where you are logged in as well,” says Blaesing.
“This is what it feels like for the user — so it feels like Dropbox. But Peak Drive is different because all the data that is stored inside it will be encrypted directly on the users’ devices.”
“The usefulness of Peak Drive over other secure cloud services lies in collaboration,” he adds. “It’s the one cloud storage where it’s kind of easy to set up collaboration — so, a shared folder for example — and therefore we think [the product spreading via] word of mouth will be stronger than for services like SpiderOak.”
Earlier this month NSA whistleblower Edward Snowden slammed cloud storage giant Dropbox as “hostile to privacy” — and suggested web users who care about protecting their data from prying eyes and snooping governments would be better using a ‘zero knowledge’ alternative. Snowden specifically name-checked the long-time security-focused cloud storage service SpiderOak.
‘Zero knowledge’ means the service providers don’t have access to the customer data they’re storing. This is achieved by doing local encryption (aka client side encryption), on the user’s own device, before uploading any data to the provider’s cloud — as Peak Drive will.
The user also holds their own encryption key — again, meaning the service provider can’t decrypt their data, since they don’t have access to the key. That means that even if forced to hand over user data — by a government agency, say – the provider is still only handing over securely encrypted information, so the snooper would be forced to procure the key directly from the user.
In other words, client side encryption puts a stop to sneaky backdoor methods for mass eavesdropping on individual user data by compromising the third party service provider. Ergo it’s a more pro-privacy third party service, given that we know our governments are doing all the digital snooping they can.
Now the problem for individuals wanting to dial up their security to this more secure level has typically been a trade off in usability. That off-putting hump continues to dissuade lots of people from switching from an easy to use service like Dropbox to something that’s more demanding like SpiderOak.
Dropbox made this point when it responded to Snowden’s criticism about its attitude to privacy last week — by effectively saying it had to balance usability and a rich feature-set with security robustness — telling users that want more security to add it themselves, via (yet another) a third party service.
(Services that will locally encrypt the data you store on cloud storage services to make them more secure have sprung up, such as Boxcryptor, but they obviously inject more steps into the process — making it more arduous again.)
“We have data encrypted on our servers. We think of encryption beyond that as a users choice. If you look at our third-party developer ecosystem you’ll find many client-side encryption apps,” Ilya Fushman, head of Product at Dropbox for Business, told the Inquirer last week. “We want to deliver a best in class experience and how to reconcile that with encryption is something that we continually evaluate.
“It’s hard to do things like rich document rendering if they’re client-side encrypted. Search is also difficult, we can’t index the content of files. Finally, we need users to understand that if they use client-side encryption and lose the password, we can’t then help them recover those files.”
Tl;dr Dropbox has bigger fish to fry. And it’s wagering that the average consumer user of its service doesn’t care enough about robust security to bother shifting over to something more secure.
Blaesing singled out Dropbox’s ability to offer users access to their files via a web browser as a big security compromise which Peak Drive will be avoiding — i.e. by not offering that ability. Users will be required to always access their files via its apps, so there is a convenience cost involved. But it’s also clearly a small one, given that using apps is now pretty much the definition of easy-peasy.
“With Dropbox you can access your files through the browser and this is a feature which has very severe implications on how security has to be laid out. Once you can access your files through the web browser on a website this means… that Dropbox sends to you an unencrypted version which you instantly can look at,” he says.
“This means they need to have access to an unencrypted file view. And if they would change their whole model to the same level of encryption where files are already encrypted locally on users devices they wouldn’t be able to provide this access through a web browser anymore.”
And while he notes that secure rivals like the likes of SpiderOak, Tresorit and Wuala have made some steps to improve ease of use for their client side encryption cloud storage services, he argues it’s easier for a newcomer to build usability into a secure service from scratch — rather than try to retrofit it to an existing offering.
Add to that, he argues that using a single secure cloud storage is obviously less of a faff than combining Dropbox with an external security layer — i.e. by making use of one of the third party encryption services. (Although, requiring existing Dropbox users to switch all their stored content over to Peak Drive is also inevitably a bit of an ask.)
Peak Drive also intends to put its code online for others to review, via a repository such as Github — to help verify its security claims. That will also put some more clear blue water between it and SpiderOak, according to Blaesing, since he notes that the latter’s code has not been opened up for review.
Peak Drive’s servers are initially going to be located in Germany, although given the client side encryption process there should be less concern about exactly where the encrypted user data is physically located.
The business model for Peak Drive will be a Dropbox-esque freemium offering which steps up to require payment as you gobble up more of their secure storage space.
Earlier this month Snowden called for developers to build a new generation of tools that embed privacy by design but which also focus on usability and are therefore accessible to the mainstream. Peak Drive is aiming squarely at that widening niche of increasingly security conscious mainstream users so it will be interesting to see how much traction they can get. That’s likely going to depend on whether they can live up to those super simple to use claims.
“We are shooting for great usability — and we want this ease of use compared to Dropbox, so if you install Peak Drive, for example on your Mac, and once it’s installed and you’re logged in you have this one folder on your Macbook and everything that’s put in there is syncronized automatically and you don’t have to configure which folders to sync, in which direction to syncronize and so on,” he adds. “So it’s basically the same experience as with Dropbox.”
The same on the surface – but a lot more secure under the hood.