Despite the fact that the latest round of the decades-old Crypto Wars has been relatively silent for a few months, there’s still much doubt over how the future of data privacy will unfold. Government agencies continue to push for more “transparency” on the part of tech firms, which boils down to baking backdoors into their products that would allow the feds to pry into encrypted communication.
On the other end, tech companies are doubling down on their stance to protect consumer privacy (and their own bottom line), and continue to roll out software and apps empowered with end-to-end encryption. However, since there’s precedence of tech giants secretly handing over large amounts of consumer data to government agencies, it’s fair to say that the fate of the debate is yet undecided.
The volatility of the crypto-debate, and the uncertainty of whose favor it will eventually tip toward has led developers and innovators in the tech community to take matters into their own hands and come up with new ideas to protect consumer privacy regardless of the deal that governments eventually cut with tech firms.
Michael Pawly and Angus Mclean, two young programmers from Canada, are developing a browser extension called Cyphor, which adds a layer of encryption over data being transferred through your browser, thus making sure that if some day your online service provider’s repository is breached by hackers or if it willingly hands over your data to government agencies, your information remains secure.
“When a user sends a message or email,” says Pawly, “their private information is stored on a company server that is out of their own control. We find it unbelievable that a person’s private information is in the exclusive control of companies.”
“With more and more of our personal data being stored in the cloud,” Mclean adds, “there are many ways that we could get hurt by parties with malicious intentions.”
Their goal, as they explained over a telephone call, is to enable users to take control of their privacy and avoid being affected by hacks or changing policies while at the same time being able to continue using their favorite social media, email and messaging platforms.
The software, which is being tested as a Chrome app, acts as an invisible layer over all social media and email webpages, intercepting select data being submitted by the user and encrypting it in the browser before sending it to the server. “No unencrypted message ever touches the internet,” explains Mclean, “and all encryption/decryption takes place on the user end.”
Cyphor uses the American Encryption Standard (AES) with 256-bit keys randomly generated on the user’s computer. “At 1018 keys per second, it would take 50 supercomputers 3×1051 years to exhaust the 256-bit key space,” Mclean further elaborated.
The keys are stored in the Cyphor server and the encrypted text is sent to the social media or email server, which means neither end has enough data to restore your information even if it’s breached or accessed by unwanted parties. “We strongly believe in absolute user privacy,” Pawly says.
To further improve security, Cyphor makes sure that no key-related information is stored in the context of the host application’s webpage, thus mitigating the threat of malicious on-page scripts extracting and exfiltrating critical information to unwanted destinations.
On the receiving party’s end, the app parses the rendered DOM and searches for the encrypted message, which it decrypts with the key it receives from the Cyphor server after going through an identification and authentication process. The decrypted message is an i-frame element using message passing technique in order to protect your data against Cross-Site Scripting attacks (XSS) and make sure that decrypted data does not leave your computer. This is the same techniques used in sites that involve payment transactions and information.
The developers have added a few extra features to Cyphor, including setting expiry dates for keys and limits to the number of times they can be accessed for message decryption. They also plan to add a custom key feature, which combines a key stored in the Cyphor server with a custom string mutually agreed between users. “This way, restoring messages in channels will require three pieces (encrypted message, Cyphor key and the custom string), one of which is never stored anywhere,” MacLean says.
Pawly and Mclean have developed the app with ease-of-use in mind and have tailored it to give a seamless experience to users. “Our aim is to provide users control of their privacy without altering their online experience,” they explained. A video demo of the app shows that users can use social media platforms such as Facebook and Slack as before, and only have to click on the app’s icon and initiate a secure channel for threads they wish to encrypt.
Cyphor will be released in a free and paid version, the latter sporting some additional features. Pawly and Mclean also plan to delve deeper into the privacy protection business and will eventually launch a complete business package that will include encryption of emails, messages and files on all popular platforms.
In many ways, Cyphor is a prelude to what the future portends for consumer privacy, as tidings continue to remain unpredictable. More crypto apps and personal encryption solutions will emerge in order to protect data and critical information when all else fails. The bottom line is that encryption is here to stay: People like their privacy, and they will go to great lengths to preserve it.
Watch the Cyphor demo here: