Kim Dotcom Wants to Keep Your Virtual Life Private

I spoke to his business partner about their new "encryption for everyone" software.

09 October 2013, 2:00pm

MEGA co-founder Kim Dotcom with a friend. (Image via

Setting up your computer to handle encrypted communications can be a real fucking nightmare. Sorting your public and private keys, your OTR plugins for Pidgin and getting linked up to Tor is a lot of work for someone who doesn't know what they're doing. Which you'll probably empathise with, considering – like me – it's unlikely that you know what any of those words mean or do.

Luckily, MEGA – the company set up by internet activist-cum-tech celeb Kim Dotcom, among others – wants to change all that, providing a service that allows any activist, businessman or paranoid, Luddite grandmother to send and receive encrypted emails without virtual strangers snooping around in their business. To find out if this was really an important issue at all, I rang up Vikram Kumar, the CEO of MEGA, to talk about the internet today, the business of selling privacy and how a company can promise security in a post-Snowden world.

Vikram Kumar.

VICE: Hi Vikram. How has the Snowden case affected the public's understanding of online security?
Vikram Kumar: There has been a massive undermining of trust – we now have to have a default assumption that the internet is an untrusted environment. The number of people who doubt whether US-based, Silicon Valley-type companies are able to protect their privacy, even if the companies wanted to, has changed. If you don't know who to trust, you trust no one at all.

Does that mean there's now a gap in the market for reliable communication companies?
There's always been a need for journalists or activists to remain anonymous or to protect their identity and contacts online. What hasn't been there is a perceived need [for internet privacy] by the average person. What's changed is an emerging mass market for privacy.

Right, encryption for the masses. So how does MEGA achieve that?
Right now, MEGA is basically a cloud storage collaboration, but with privacy at its core. Our next step is increasing the communication aspect, which is where email and messaging come in. This isn't about trying to get privacy and security for the tech experts, who can install their own and are happy to do configuration and key management and certificates. We're really focused on how we get privacy for everyone.

When you say "everyone", do you mean everyone who grew up using a computer, or, like, my grandpa?
No downloads, no plugins; everything just has to be automated, no extra steps. The second thing we’ve learned is that people will not accept a compromise in functionality. 

No, they won't. So is this for people who want to avoid government surveillance?
No, I don’t think so. If people are under targeted surveillance I don’t think MEGA encryption will stop them.

Why do they want it then?
The analogy for me is that when we send mail physically, we send letters within an envelope. The reason we use an envelope is because there’s an element of protection, an element of integrity and an element of privacy. We don’t necessarily want the person who is delivering the mail to casually read what is written on a postcard. Today, email is like sending postcards, and what MEGA is trying to do is to provide the envelope. The envelope on its own isn’t going to protect you from a determined person, but it absolutely does protect from casual everyday snooping.

Makes sense. Are we going to see a rise of privacy-focused products in the future?
Absolutely, but what worries me is that, just as we had the move towards cloud computing – everyone got into this marketing war where all of these companies decided that they were born-again cloud providers and started questioning and diminishing the definition of cloud computing – I actually see that happening now with privacy. It will become a bandwagon, and there are going to be some pretty dodgy products that claim to be privacy protective and will start arguing the definition of what that means. I think we’re going to have a period of uncertainty.

The big tech companies seem to have missed a trick with this.
We don’t trust Microsoft any more, we don’t trust Google. Well, who do we trust and on what basis is that trust justified? And to some extent, that is a marketing opportunity for MEGA.

Okay, so how are you going to convince people that your product is secure?
MEGA absolutely has to get the security and privacy right. That’s why we do things like end-to-end encryption; that’s why we're looking to open-source some of our code so external experts can have a look at it, and we’re trying to get a whole lot of discussion about what is privacy and security online. The second aspect is perception, and there are a couple of things that we’re doing there. We’ve published our guidance of how we deal with all law enforcement and take-down requests to MEGA. Part of the guidance is that MEGA will never release a person’s information unless it is required to do so, not requested to do so. The rest is a little bit of marketing. Kim is very useful and I think the ideology of the company will help with some of that perception, but perception without objective protection isn’t going to work.

You brought up the laws and requests that you might be forced to deal with by law enforcement. Do you think it's possible that you could ever meet the same fate as the late Lavabit, the secure-email provider that was shut down because of its involvement in the Snowden case?
MEGA is not exposed to laws that would allow a Lavabit-type situation to develop, specifically a requirement that MEGA hand over SSL keys or somehow undermine its end-to-end encryption model, either generally or for a specific user. If such a situation were ever to develop in the future, MEGA would respond appropriately to protect its core value proposition and design. This could, for example, include moving jurisdictions.

So does being in New Zealand help at all in delivering a more secure service?
At the moment, I think it does. But we’re a global company, so if we have to make a trade-off between protecting the privacy of our customers or being a New Zealand company, we will always go in favour of being a privacy company.

Follow Joseph on Twitter: @josephfcox
