Is Mega the Second Coming of Megaupload?

The Supreme leader and his lady soldiers.

When Kim Dotcom celebrated the launch of his company’s brand new service called “Mega” this past weekend at his home in New Zealand, he threw an insanely extravagant party wherein he staged a dramatic reenactment of the real life raid on his home a year ago. While standing in the middle of a stage, surrounded by models dressed as soldiers, in front of giant screens with the Mega logo glowing and spinning behind them, he commanded a troupe of fake, heavily armed policemen and a circling police helicopter to, “Stop!” adding afterwards: “Let’s all be friends!” After that, Kim broke into a techno dance routine with the girls in military get-ups.

That pageant was part of a larger, almost 90 minute press conference that is entirely viewable on YouTube. It’s by far the most opulent event, and corresponding piece of video content, to ever accompany the launch of a file-sharing website.

Mega is not, however, the second coming of Megaupload. That’s obvious for a couple of reasons. For one, with Megaupload you were able to upload a file without making an account. If someone wanted to distribute a copy of a film they made, that user could upload their film to Megaupload without needing to create a profile on the Megaupload itself. With Mega, before someone can even use the service, they need to create an account by providing Kim’s company with a name, email address, and password. After that, the user is given an unique encryption key. However, Mega says they do not store any of this information in decrypted form. They claim they are completely blind to everything that is stored on their servers thanks to this encryption that every user is granted.

This encryption system is the root of what makes Mega very different from Megaupload. When a user uploaded a file to Megaupload, they were given a link to that file that could be shared with many other people. You would just simply need to post that link on any website, with an explanation of what the file was, in order to share that file with a large audience. Click the link, download the file, you’re done.

Now, with Mega, to share a file that you’ve uploaded to Mega, you will need to share both a link and the encryption key, so that the person on the other end can decrypt the file you’re sending them. The encryption key can either be implemented into the URL of the file itself, or you can send that encryption key separately. Either way, sharing files with Mega feels a lot more like a scene from Mission Impossiblethan a simple transaction on Napster or Bearshare.

Before you even upload a file, Mega generates a custom encryption key for you.

Gizmodo has taken the time to explain how Mega’s encryption works, and they bring light to the fact that the encryption keys Mega generates for each account and each file are based “indirectly and complicatedly” on the user’s password “to encrypt all your files on their way to the cloud.”  The site also explicitly warns users, when generating links for any of the files they upload, that “MEGA's cryptographic security model depends on the confidentiality of the keys displayed above. Avoid transmitting them through insecure channels!” Even if Mega’s encryption is airtight, it doesn’t seem like a wildly smart move to start uploading copyrighted material to share on a widespread basis across the internet using Mega, unless the material you’ve uploaded has been placed into a dummy account registered under an alias, without any other personal files shared inside it. So far, I haven’t seen any type of organized piracy outlets start-up built upon Mega links, but that may just be because the site has been so slow and almost unusable lately. However, Mega does seem to be set up in ways that Megaupload never was, in order to discourage widespread file-sharing as much as possible.

A very large part of Megaupload’s popularity is due to sites like the now defunct Ninjavideo. Ninjavideo provided a TV Guide-esque interface to users on a daily basis, that directed its audience to Megaupload links for all of the latest, pirated copies, of TV episodes and movies. Megaupload had nothing to do with the organization or facilitation of Ninjavideo, they were simply the primary storage facility. And, as Wired reported last November, Megaupload “assisted U.S. prosecution” of Ninjavideo which led to the incarceration of Ninjavideo’s founder, 27 year old Hana Beshara, who is still serving out a 22 month prison sentence.

Megaupload cooperated with this investigation by granting the U.S. government access to Megaupload servers in Virginia. The warrant for this investigation, that Wired is hosting here, details a list of Megaupload accounts and corresponding email addresses that belonged to Ninjavideo administrators. The Department of Justice was after “All records stored on [Megaupload servers] relating to [Ninjavideo’s] accounts” and it certainly seems like they got what they wanted.

While this cooperation between Megaupload and the U.S. government was documented by Wired, and even though this warrant to search Megaupload’s servers came about a year and a half before the Megaupload mansion was raided, this part of the story has been largely forgotten or unconnected to recent reports about the Mega launch or even the closure of Megaupload itself. With all of the chest beating that Kim Dotcom does in public about the failings and inadequacies of the U.S. Government, the MPAA and RIAA, he surely was willing to help them out before, and there are certain individuals in the pirate community who see this action as a betrayal of pirate ethos.

The question then becomes, since Mega has all of this extra encryption key tagging, will prolific copyright violators who are eager to start sharing files with Mega put themselves in a position where they are somehow more vulnerable to jail time? Could the U.S. government subpoena Mega to hand over the user accounts behind the encryption keys that they find in widespread links to copyrighted material? And, if they could do that, would Kim Dotcom and friends hand over user information as readily as they did when the D.O.J. came knocking about Ninjavideo? The answer to all of that is not 100% clear, but what is evident is that Mega does not save the passwords of users. If you forget your password, too bad. Mega doesn’t have it. This may be the same with the encryption keys. If Mega is as secure as Kim Dotcom says it is, they might not be able to do any reverse look-up on an encryption key to discover the account holder behind it.

However, given that your encryption key is somehow based off of your password, could that algorithm be reverse engineered? If so, that would be a cataclysmic betrayal of privacy and failure of security. So then will Mega, through it’s somewhat complex method of encryption, be the catalyst for a flood of impossible to trace links to pirated material? So far no, but as the service speeds improve in the coming weeks and more people learn how it works, that might just change.

Follow Patrick on Twitter: @patrickmcguire

More on Megaupload and file-sharing in general:

We Read the Megaupload Indictment Papers So You Don't Have To

Are Canadians About to Be Prosecuted for File-sharing?

We Talked to the Founder of the Swedish Pirate Party about America's Ongoing Infowar