Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Former NSA employee looks to make email more secure

Jeremy Kirk | Feb. 3, 2014
Email, perhaps still the most widely used Internet application, has about the same level of security as a postcard. But unlike postcards, it's widely depended on by businesses.

The key is discarded at the end of the session. If Virtru's credentials were obtained, either by a hacker or through court orders, "someone would not be able to decrypt past communications," Will Ackerly said.

Another key point with encryption products is who holds the decryption keys. As configured now, Virtru uses its own centralized key management server to distribute the keys to recipients so they can decrypt the content.

That raises questions of how fiercely Virtru would go to bat if it received a government order, such as a National Security Letter or law enforcement request.

Virtru has put funds aside for such a battle and is prepared to fight "bulk" data orders or ones not based on a standard of probable cause, said Timothy Edgar, a paid advisor to Virtru and an adjunct professor of law at Georgetown University Law Center.

"We hope we don't have to do that," said Edgar, who is also a privacy expert.

Plans are in the works to allow organizations to run their own key servers using Virtru's software, relieving administrators of the anxiety that comes with someone else managing their keys.

A central key server offers advantages: a Virtru user can block access to a message by revoking its key, although a recipient could always quickly take a screen shot of a message during the period in which they had access. The key revocation feature also allows senders to set messages to expire. Also, people who are forwarded a message wouldn't be able to read it unless they are authorized.

Virtru's basic features, such as email encryption, revocation of messages and the ability to control forwarding will always be free, said John Ackerly. The company hopes to make money by licensing its key management software to businesses, as well as offering other management and access visualization tools for encrypted email. Mobile clients are in the works as well, for Android and iOS.

Will's background with the NSA might raise some eyebrows. He worked in data security there for eight years, leaving about 10 months before the first Snowden leaks in June 2013.

"I think the heritage of the company is something we are very aware of," he said.

To overcome suspicions, Will said Virtru will release the source code for its extension and key management software. It also has outlined an open source strategy on its blog for other software components.

Joseph Lorenzo Hall, chief technologist for the Center for Democracy and Technology, a think tank, said the people within the NSA, including code breakers and those figuring out how to undermine security, are also in the best position to build more secure software.

"That's the only hope we have," Hall said.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.