On Tuesday, word came out that the Equifax CEO Richard Smith was retiring, following his company’s bungling of news that extremely sensitive data about 143 million people had been stolen by cybercriminals. To put that in perspective, there are 152 million working people in America, according to the Bureau of Labor Statistics.
Regular people might be starting to realize that there’s a reason we should be concerned about so much information about our lives sitting on the servers of large companies. Two veteran entrepreneurs are running a little startup built around making it easy to build web and mobile applications from day one that make data impossible for a digital trespasser to read. In fact, it encrypts data in such a way that even if you use some company’s service, that company can’t see what you’re doing with it.
This new company is called Keybase. Its mission: to make encryption mainstream. With two years of big breaches topped off with Equifax, the time may be right for them to get loud with their message of locking down data.
Maxwell Krohn and Chris Coyne co-founded the company. Previously, they were best known for founding the breakout hit of early free dating sites, OKCupid (co-founded with Sam Yagan and Christian Rudder). They left the dating site in 2012, after its acquisition by Match, and it’s no accident that they started an encryption business. The duo told Fortune that this project is something of a penance after watching millions of people go ultrasonic TMI inside their product.
You texted that dude about the weird thing you like to do with silicone ice trays and that admission will remain in the bowels of the Match Group forever.
Encryption isn’t new. ‘Pretty Good Privacy’ has been around since 1991, and—as far as anyone knows—no one has busted it. Encryption isn’t new for Krohn, either. He’s a math kid who has always been a math kid. OKCupid is famously based on math. As an undergrad, he studied practical applications of math. As an intern, he built a system to listen in on cell phone calls, proving the need for encryption. Then he did his PhD at MIT on security while building OKCupid, a decidedly unencrypted site, but one very much based on math.
But though encryption is old, it’s not especially user-friendly. That’s what Keybase has been working on for the last two years, a system that protects people but isn’t difficult to implement.
‘I think a lot of people who work in tech must feel a little apprehensive about typing in some of the things they type in Slack’
Their next hurdle is even higher: Convincing the public that it should demand products that secure their data. Encryption has always been the digital world equivalent of eating your vegetables. Keybase wants to make them into nicely roasted vegetables, with a light honey glaze.
“Maybe four years ago, no one would have cared so much, but I think nowadays it’s just really top of everyone’s mind,” Krohn told the Observer, during an interview inside the Financial District WeWork where the company is headquartered right now. “I think people have really started to understand that whatever leaves your computer, first of all, can never be deleted, is one of the scary things.”
“Everyone” could be a strong term. Ask your parents what their email passwords are sometime to see how deeply security consciousness has sunk in.
“My mom has never understood what I was working on. I’ve tried a million times, so it’s kind of an issue,” Krohn admitted. Still, regular people have started to take measures. We have long, weird passwords. We download Google Authenticator and use it when we log into GMail and our password app.
But the password and two-factor authentication are just the lock on the door to the house. When an attacker gets inside a digital house, the treasures it stores don’t even have to be taken. They can just be copied. With weightless assets, it’s not enough to lock the door. The goods need to be locked down inside, too—they need to be encrypted so that even if someone gets past the door, it’s not enough.
“The Facebook style is: just trust us,” Krohn says. The company just promises its users that they can have all these private conversations on the service, create extremely revealing data trails and Zuckerberg will spend so much money on security that no one will be able get inside and read them in plain text (which didn’t work out so well for the most famous people on Facebook-owned Instagram). A reporter writing for The Guardian confronted the enormity of her data trail inside Tinder when she requested and received all of her data from the company. Even the thought of some worker at the company skimming her readout as they packed it up mortified her.
Most companies today look to make money off monetizing your data, so they will naturally resist encryption, but let’s imagine a company that’s fine with encrypting in theory. It has a different problem. From a user perspective, encryption can make using a service a pain.
The hard part about encryption is the keys. The keys are pieces of data that make it possible for people to exchange secret messages.
One key is public and the other is private. It’s best if that private key never touches the internet, so how can a user move their private key from (say) their laptop to their mobile without the internet? Keybase’s solution: don’t.
Keybase believes it has improved user experience by making a public-private key pair for every device a user authorizes. Then it creates a database of public keys, so that anyone who wants to build end-to-end encrypted apps has a fast way to find keys for a new user. Rather than encrypting data to just one private key, it encrypts it to each device associated with a user’s account.
In order to give everyone confidence that the people shown in the Keybase are who they say they are, Keybase encourages users to attest to their identity cryptographically on social media. Keybase is its own social network, but it’s not one for sharing pictures of food or sad status updates. It’s a place for Mary to say “This really is Bill” and for Bill to say “this really is Mary.” With enough attestations like that, it becomes really hard for people to pose as someone they are not.
Last year, Twitter verified the account of the (recently deceased) wrestling superstar Bobby “the Brain” Heenan. With a system like Keybase’s, people in communities verify themselves. That may not quite have the cachet of Twitter’s corporate checkmark, but it would be vastly more reliable.
“We are trying to solve the identity problem in a way that’s cryptographically secure,” Krohn says. “We want to build this graph of who everyone in the world is.”
But to prove that encryption really helps, Keybase has to give people something to do with it before developers will invent things to do with it. It built a messaging app, but there are a million messaging apps already. That’s a slog to scale.
So it’s rolled out its alpha version of Keybase Teams, which is an encrypted answer to Slack. Slack is the intra-office bulletin board built with extra design TLC.
“I think a lot of people who work in tech must feel a little apprehensive about typing in some of the things they type in Slack,” Krohn said. “Like if you work with other engineers, you’re probably transferring a lot of API keys.”
API keys are basically the same as passwords. It could potentially let an attacker get right inside a company’s product or one of their critical accounts at another company, and it’s all sitting there in plain text on Slack’s servers, viewable by at least some people inside the company. That’s dangerous.
In fact, we recently covered how developers building Slack-bots were accidentally leaving API keys in their code on Github, potentially giving hackers the keys to their company accounts.
Krohn said, “It’s very hard to delete data once it gets into a database. And it’s scary for people to think that whatever they write today will be infinitely compromiseable.”
That data gets backed up, copied and analyzed all over a company’s servers. How can a user know it’s jettisoned if they quit a service? Case in point: cyber-activists hacked Ashley Madison specifically because it was not erasing data that it told users it was erasing. The only sure bet is for a company to never have access to sensitive data is if they never have it.
So Keybase believes it has a selling point for companies that want to use something like Slack but don’t like the Slack staff seeing their chatter. “The advantage of using a system like Keybase is that we just never have plaintext data sitting on our servers. Everything we have is encrypted, so we can’t read it,” Krohn said.
In truth, Keybase has built Teams to convince engineers that its structure works smoothly. Then, they hope, developers will tap it to build other encrypted products.
“This is basically a low level utility that we think other things can be built on top of,” Krohn said. With a big repository of keys, other products become easy. Encrypted Dropbox. Encrypted Stitcher. Encrypted Maps.
We asked him if there was a way to do encrypted online dating, and it definitely seemed like Krohn was very ready to never talk about online dating ever again. Nevertheless, he told us that—while it’s complicated—someone determined could probably build it. Academic cryptographers are doing things even he can barely follow now, but the potential is there.
Keybase isn’t the first company we’ve covered that’s facilitating a better user experience for end-to-end encrypted services. Virgil Security is encryption-as-a-service. Blockstack tucks encrypted data away on existing cloud infrastructure. When lots of entrepreneurs get interested in building to solve a problem, that can be a leading indicator that the public is close to ready for their solution, but someone has to be willing to take the risk of not just building the key system, but also building some product that actually works, based on those keys.
“I think before yesterday,” Krohn told us on the day after the public release of Teams, “we didn’t really feel like we were there. We felt like we still had a lot of work to do. Now we feel like we’re getting so much closer to something people could use.”