Even Secure Websites Do Their Own Spying

Old school security, private key only.

Old school security, private key only. Adam Jones / Wikimedia Commons

In March 2014, Google made it impossible to use Gmail without an encrypted connection (“HTTPS,” in your browser’s URL bar). This year, Gmail raised the visibility of encryption by implementing icons on each message that showed when users were communicating with someone whose email provider didn’t encrypt messages.

Mountain View may have done more to improve email’s security from third parties than any other company (though its efforts might not stop state snooping, as two researchers reported last fall), but its users’ privacy from the company’s snooping is a matter of internal policy, rather than something consumers can control.

“It’s sort of like saying I’ve installed locks all around town, but I have the key to every door,” Dmitry Dain, one of two co-founders of Virgil Security, told the Observer at Tech Day 2016 in Manhattan.

The D.C. suburbs-based startup provides software-as-a-service to make any app or website end-to-end secure by default. The Observer previously explained how to implement homegrown end-to-end security using PGP, a cumbersome (and leaky) way to send emails that neither your service provider nor the NSA can read.

End-to-end security means that the keys to encrypt and decrypt data are held exclusively by the participants in the conversation (usually, on the physical device used to view the file). In other words, that email, photo or spreadsheet might pass through one or a dozen other services, but it will look like gibberish to each of them, until it reaches its one intended recipient, and only that person will be able to make it comprehensible.

“Prior to Snowden,” Mr. Dain explained, “there was no proof that there was a third party in between.” People might have been uneasy but basically comfortable about the cloud-based services they used being able to look over their data, but, once it became clear that governments were also looking, “there was a market change,” Mr. Dain said.

Dmitry Dain and Michael W. Wellman, co-founders of Virgil Security, at Tech Day 2016.

Dmitry Dain and Michael W. Wellman, co-founders of Virgil Security, at Tech Day 2016. (Photo: Brady Dale for Observer)

That shift in sentiment (rather than some tech breakthrough) made it feasible to found Virgil Security, a company that provides a low-cost tool that can power the encryption component of a new service at a price that startups can afford.

Michael W. Wellman, a Lucent Technologies alum and Mr. Dain’s fellow co-founder, explained that software developers don’t tend to be cryptologists. “Security has always been something they added whenever they were done solving whatever they found interesting,” he said. “Cryptologists are more academic, and software developers are just trying to build things that work.”

Virgil Security clients can still focus on the fun part. “Because we’ve simplified it—in many cases to a single API call—they don’t have to put energy and expenses in to do it,” Mr. Wellman said.

There is a cost to these companies beside’s Virgil’s fees, though. Using end-to-end encryption means that they sacrifice the opportunity to mine users’ data. Microsoft is fighting the U.S. government now for the right to inform its customers about instances when the government uses a warrant to search those users’ data on the company’s servers, as the Observer previously reported. Those warrants would be useless, however, if the Seattle computer giant enabled end-to-end security for its services.

On the other hand, a solution that makes data secure even from its hosts actually improves the business case for apps in certain spaces, such as health and finance, Mr. Dain explained. No one could subpoena Fitbit in divorce proceedings if the company stored that information in a format that it can’t read.

End-to-end encryption could be a literally life-saving feature in the coming crush of the Internet of Things. We recently warned that we may see some real disasters in an era where every traffic light and car engine is connected to the internet. The worst might be averted, though, if each device had its own public-private key that enabled it to authenticate every command it got from every external device.

Many of us don’t like the thought of tech companies understanding us better than we understand ourselves, but we also don’t want to have to complete a college-level course in encryption to keep our business secure using protocols that only work if we can convince our friends to use them.

Consumers could come to demand that such security gets baked in, though. WhatsApp just implemented end-to-end security. Other companies, including Snapchat (which would seem to be a natural fit), may be considering a similar move.

In other words, the votes of confidence in an end-to-end feature have begun to tally up. According to the co-founders, Bloomberg Beta has backed the venture, and two significant companies have begun working to implement their technology: one of the littlest unicorns, Twilio, and LED-lighting company, Soraa.

Supporters have begun to line up for a future where we don’t have trust our service providers not to look through our digital things too closely anymore. They just won’t be able to read them.

Even Secure Websites Do Their Own Spying