For post-Snowden cloud startups, privacy proves a hard sell

By Steven Melendez

In the two years since Edward Snowden's revelations about pervasive government monitoring of the Internet first made the news, developers have worked to build hardware and software to help Web users reap many of the benefits of cloud-based services while retaining personal control of their data.

But while recent studies indicate that plenty of consumers wish their online activities were more private, even the creators of many of these privacy tools acknowledge that all but the simplest of them are still too complex to win over the majority of the Internet-using public.

"Unless you understand everything from the ground up, it's really, really hard to own your data," says Alex Payne, the creator of a free, open-source, private-cloud toolkit called Sovereign. It equips a stock Linux server with open-source alternatives to standard cloud offerings, including email, calendars, Dropbox-style file hosting, and even an Instapaper-style Web bookmarking tool.

Payne, who was previously a cofounder and the CTO of Simple, the online banking service, says he created Sovereign in 2013 as a cheaper and more private alternative to Google Apps.

Since it's a privacy-oriented project, he says he hasn't looked very deeply at who the users and open-source contributors are. But Payne believes the project—which has a GitHub page heavy with technical acronyms and command-line transcripts—probably isn't used much by the general public.

"I don't think that this is a realistic solution for most people," he says. "It's technical folks who want to use this for themselves, their businesses, their families and [if] they feel like they can kind of confidently administer a server that's set up with Sovereign, I think it's great."

Even some makers of commercial private-cloud tools have had difficulties winning the public's attention and getting their products to market.

"We believe that government and corporate snooping are the biggest threats to personal liberty and democracy that we're facing," wrote the creators of the Community Cube, a privacy-focused personal server and firewall project that successfully funded a Kickstarter campaign this month.

Scheduled to ship to backers this fall, the Community Cube is a customized Linux machine designed to boost users' privacy on some existing Web services and replace others with private, encrypted alternatives. Its creators, based in Spain and Germany, say the cube will provide services similar to toolkits like Sovereign, bundling personal, open-source alternatives to commercial cloud services. But unlike other purely software packages, their product comes on a preconfigured computer, ready to be plugged in and connected to the Internet.

Recent research indicates that the Community Cube's creators and backers aren't alone in their concern for privacy, but suggests that consumers feel there's just little they can do about the matter. A University of Pennsylvania report released this month called the notion that consumers deliberately trade access to their data for free or discounted online services a fallacy, arguing that the public is, instead, simply resigned to losing their privacy.

"Rather than feeling able to make choices, Americans believe it is futile to manage what companies can learn about them," the authors wrote. "Our study reveals that more than half do not want to lose control over their information, but also believe this loss of control has already happened."

Some consumers have migrated to digital services that pledge not to track their users' online activities: privacy-centric search engine DuckDuckGo has seen steady growth since Snowden's leaks, and secure messaging service Wickr has raised $39 million in funding and claims millions of users around the world.

But neither of those technologies has yet become a household name, and recent reports show that giants Google, Microsoft, and Yahoo still control upwards of 90% of the online search market, and familiar names like WhatsApp, Facebook Messenger, Skype, and China-based QQ dominate digital messaging.

For many Internet users, boosting online privacy may still be a daunting task. A Pew Research Center report released in March found that more than half of Americans surveyed said it would be "somewhat" or "very" difficult to find ways to boost their privacy on the Internet and their cell phones.

The Community Cube team hopes to change that. "At the end, it seems like we have a good recipe with the best ingredients to make that open source easy to use," says Enrique, a Community Cube developer. "We have open hardware and open software device that can offer people the alternative they need, with the privacy and security."

Community Cube Web traffic will be routed over the peer-to-peer anonymizing service I2P, and email will be encrypted by the open-source webmail tool Mailpile before being sent through users' existing providers like Yahoo or Gmail, its creators say. Video chats conducted through the device would be routed over a direct, encrypted connection instead of through services like Skype and Google Hangouts, and a distributed, encrypted storage-and-backup system called Tahoe-LAFS would be the device's answer to Dropbox or Google Drive.

"At the end, the result is that we have a product that is a competitor of everybody—a competitor of Google, a competitor of Gmail, a competitor of Dropbox, a competitor of Skype," says Enrique.

Of course, no security solution is 100% foolproof—given enough time, money, and resources, skilled government or even private hackers can probably find their way around most safeguards—and Enrique acknowledges not all users will even want to use all of the features of Community Cube. The system, he says, will warn users if they take actions that could compromise their privacy, like logging into a mainstream webmail provider's site, but ultimately the choice will be up to the customers, he says. (The company's motto: "The Spooks Hate Us.")

"I used to make risk analyses [for] companies, and some companies say, you know what, I assume the risk: it's my budget; it's my way, and I cannot put more controls to safeguard that asset in the company, so I assume the risk," he says. "If they assume that risk you cannot say, no, you cannot assume that risk."

But so far, while the Kickstarter campaign did exceed its $55,000 goal, and the team's thinking of launching a second campaign on Indiegogo, the project has had some trouble convincing the public and the press. Marketing consultants suggested sending free Community Cube prototypes to tech journalists for review, but the company didn't have the funds for such a campaign, Enrique says.

"There are some people that said, I don't understand what you're trying to sell," he says. "There are some other people that say, it is too much technical."

Earlier this year, the Manchester, U.K., creators of a similarly privacy-focused personal file and email server called the Wedg raised about $200,000 in an Indiegogo campaign of their own, which did draw widespread media coverage. Since then, though, the creators have said the product's scheduled launch is indefinitely on hold, due to an intellectual property dispute with a former Wedg developer's employer. Wedg's creators didn't respond to emails requesting comment for this story.

Wedg isn't the first crowdfunded privacy-focused project to face setbacks. Last fall, a project called Anonabox had its Kickstarter listing suspended after allegations the creators misrepresented which parts of the project were original creations. A similar fate befell an earlier project, TorFi, and another effort, called Cloak, failed to reach its funding goal.

Other, more successful, private-cloud projects have drawn attention beyond technical circles. One project, called Mail-in-a-Box, is intended to make it relatively simple to convert commodity Linux servers into relatively private and secure email servers. Joshua Tauberer, a developer and government transparency advocate perhaps best known for the legislation-tracking site GovTrack.us, says he created the project as much to be a starting point for other engineers who wanted to tinker with the intricacies of email as to be a tool for privacy.

But while the project's been the subject of a technical blog post by hosting provider Digital Ocean and a few active Hacker News discussions, it was also a semifinalist for last year's Knight News Challenge grant competition, attracting attention from journalists and others looking for more control over who has access to their email. And Tauberer says that as the software gets easier to install, he hopes it continues to reach a wider audience.

"When I first started working on this two years ago, you really had to be an expert to set it up," he says. "Only now in the last month is it possible for someone who's not technical, or at least not particularly technical, to set it up."

Still, even the technical audience on Hacker News freely admits having difficulties understanding the intricacies of the alphabet soup of programs and protocols surrounding email, from spam filtering to sender authentication, so it's easy to imagine a less savvy user struggling to understand and trust even a simple version of Mail-in-a-Box or a commercial private cloud tool.

Ultimately, suggests Julia Horwitz, consumer protection counsel at the Electronic Privacy Information Center, the real privacy solutions may have to come from the law, not from hardware or software.

"I'm often asked the question about what consumers can do to protect their privacy, and I think really the answer is, it shouldn't be up to the consumer to try to protect his or her own privacy," she says. "There should be a robust enough legal framework in place that would be incumbent on the company to comply with the law, rather than on the consumer to shop around for the most privacy-protecting service, when by the nature of the service, the consumer's not going to have all of the relevant information."

That ultimately applies to both privacy from corporate data gathering and from government surveillance, Horwitz says. "I think both kinds of surveillance are unfortunately too present currently, and both need better checks from Congress."