INTERVIEW. With cloud computing being the sector developing most in the IT industry, close to all Europeans have their data hosted by a cloud storage service. Surely a high percentage of this article’s readers already know that in reality there is no magic cloud, instead just other people’s computers. But not all computers are the same – some are more secure than others. This also means that some cloud services are, privacy-wise, a better option than others. What makes the difference and how do these differences impact the cloud user? I spoke to Istvan Lam, co-founder & CEO of Tresorit, the end-to-end encrypted file sync & sharing company.
Why Tresorit as it is?
In the beginnings of the project, Istvan wrote parts of Tresorit’s encryption code. He is a cryptography engineer, computer scientist and entrepreneur. In the present, Istvan focuses mostly on the company’s strategy and business decisions. I wanted to know first why did Tresorit choose to differentiate themselves from other cloud storage solutions. Istvan explains:
We started Tresorit seven years ago because we couldn’t find a cloud storage service that we trusted. We saw that the cloud is a convenient way to store and share files. However, we also knew how easy it is to get access to the data stored online. Shortly after we started working on Tresorit, our fears proved to be real: Edward Snowden revealed how easily global authorities can get access to tons of user data. Also, numerous mega breaches showed that hackers are increasingly after the information stored in the cloud. Our goal since the beginnings has been to respond to the growing demand for privacy and security and create a service that enables users to fully control what happens to their data due to the built-in end-to-end encryption and other security and control features.
Lost in Translation
For non-technical heads like me, many important differences between Tresorit and other solutions are not understood because of terminology. Looking through the company’s webpage, I stumbled upon “client-side encryption” and “zero knowledge protocols” and I got stuck. So I asked: What do these mean?
Client-side, or end-to-end, encryption means that we encrypt the user’s files on the user’s device before they are uploaded to the cloud. The encryption keys to encrypt and decrypt these files are never sent to the cloud in a readable format, so our servers never have access to them and to the user’s file contents. This ensures that we have “zero-knowledge” of the file contents: we never see files in plaintext, unencrypted format. This technology guarantees that files are readable only for the sender and the recipients, and no third parties beyond them. Even if a hacker or a surveillance body accesses our servers and the encrypted files, they cannot read them.
Businesses and average users
A-ha! It makes much more sense know. Tresorit makes sure that, even if they wanted to, it would be impossible for them to access users’ stored files. End-to-end encryption allows for these files to be “sealed” even before they leave one’s computer, on their journey to the cloud. As Tresorit is aimed mostly at businesses and freelancers, I wondered what does it mean to choose Tresorit as a business solution.
Tresorit’s end-to-end encrypted approach provides more privacy and security because it is impossible for us and other third-parties to read the files. Other services use server-side encryption, which means they do the encryption process in the cloud on their servers and can so access encryption keys and the readable files. An analogy that might help showing the difference: with end-to-end encryption you store your credit card and PIN code completely separated from each other, while with server-side encryption you keep them in the same pocket of your wallet. With the upcoming EU data protection regulation, the GDPR, companies need to make sure that they manage the data of their employees and customers in a secure way. Tresorit helps them in this.
As 25th of May 2018 is around the corner, a hosting cloud solution that keeps companies storing practices in line with GDPR might be really helpful hand. But what about the average user? Is end-to-end encrypted file sync and sharing worth considering for personal use?
Yes, I believe that end-to-end encryption should be the default way how digital services handle user data in the cloud and all users should have automatic access to this technology. I’m happy that thanks to huge services like WhatsApp or iMessage, end-to-end encryption is already used by billions of users worldwide, maybe even without knowing about it. Privacy is crucial for all of us: it is not about protecting something we want to hide but about practicing our fundamental rights. If only those people used end-to-end encrypted services who are at risk, for example NGOs protecting very sensitive data from hackers or surveillance, simply using these services would serve as a red flag and become suspicious. We shouldn’t use secure solutions only when we try to protect something sensitive but all the time.
The “nothing to hide” argument has been displaced several times, especially in the wake of Cambridge Analytica scandal. When we strip ourselves from privacy, we give unknown entities immense powers. On one hand, avoiding transparency puts individuals into an unfortunate suspicious light. On the other, being transparent about how data is stored and handled is very important in maintaining trust between a cloud storage provider and its clients.
Even if our end-to-end encryption guarantees that it is technologically infeasible for us or for hackers to get access to the files stored with Tresorit, we work hard on building and maintaining our users’ trust in our service. To maintain our users’ trust that we handle all data with utmost care, we published our transparency report where we detail what data we access and how we handle them in case we receive government data requests.
In the wake of scandals as the one mentioned above and new data protection regulation in Europe, 2018 is a crucial year for privacy advocates. What does Tresorit plan for this period?
Our short-term goal is scaling up our processes to help even more teams and businesses work securely. We’re always developing new features to meet our customers’ requirements in terms of data control features and compliance. At the same time, we’re also working on finding new ways to make Tresorit’s encryption even more accessible to users all over the world – but this project is still stealth mode. Besides, we have just started a crowdfunding project to generate discussion on how end-to-end encryption could help build a privacy-first social network after #DeleteFacebook story. Our goal is to see whether there is a real demand for a privacy-first service like that.
Istvan Lam is one of the speakers at this year’s European Data Ethics Forum. The event is held in Copenhagen on the 28th of September 2018.
Read more in this series of short interviews:
Spiir’s Working with Anonymization, Security and Trust – An interview with Christian Panton
Jitsi Video Conferencing – Open Source and Privacy enhancing – An interview with founder Emil Ivov