One of the easiest to use email encryption apps ever built can trace its roots right back to the laboratories of the National Security Agency.
Exactly one year to the day since Edward Snowden leaked tens of thousands of documents that shed light on the vast scope of cybersurveillance that the agency conducts around the world, former NSA security architect Will Ackerly is using the Snowden-fueled boom in privacy awareness to build a multimillion dollar business.
He sells strong, usable encryption to everyone from moms and pops to big business—and he’s using technology he invented at the NSA to do it.
Virtru, Ackerly’s Washington-based security firm that launched in January, already has one of the best encryption apps available to the public. It’s easy to use, requires no complicated keys, and takes less than a minute to get going. Unlike Google’s forthcoming End-To-End encryption app, you can start using Virtru right now. The program, which has 10,000 regular users after six months on the market, is simpler to use and comes with more features than Google’s extension probably ever will.
Now, to mark the Snowden anniversary, Virtru is releasing its Android app, expanding its service into the a mobile market. Virtru is also available for Apple iOS devices, as a plugin for Firefox and Chrome, and for Outlook and OS X Mac Mail.
Is it secure enough to trust your most sensitive data to? Because Virtru produces encryption keys in their cloud server, it is undeniably not as secure as locally running PGP encryption on your own computer. To be sure, however, Virtru is exponentially better than plain old email.
Furthermore, on the day that the Reset the Net campaign is telling millions of activists that a mass encryption movement is key to fighting global surveillance, the singularly convenient Virtru app has the potential to attract large swaths of users that will likely not learn or use relatively complicated PGP encryption. Virtru can introduce thousands to to the world of securely encrypted communications.
Virtru’s most significant limitation—that keys can only be stored in the cloud—is not a permanent pitfall. Ackerly says local storage is coming, so the program is likely only going to get more secure over the coming months, as development continues.
Above all else, Virtru deftly solves the single most pressing issue in encryption today: Ease of use.
Encryption powerful enough to stonewall cybercriminals and intelligence agencies has been freely available to the public for a long time. But, as far as the general public goes, few want to use it because they are often too complicated for most people to bother with.
“One of the biggest insights I had [at the NSA],” Ackerly said, “was that really good fundamental encryption technology is out there, but if you don’t deploy it in a way that is really easy for people to get their jobs done and so people don’t have to change the way they do their job, then you haven’t really deployed it at all. I want to built it in an easy-to-use tool used every day in your life.”
Based on our tests, the Virtru user experience is so easy and smooth—in that respect, it’s unparalleled in the world of strong encryption—that it really does have mass adoption potential.
In 2008, while at the NSA, Ackerly invented the Trusted Data Format, an open-source file format that enables features that other encryption protocols can’t match. As a result, encrypted attachments, forward protection, access control, expiration dates, message revoking, and message tracking all come with the free Virtru package.
Anyone who has ever sent a sensitive document or photo over email will love the efficient protection offered here.
Instead of PGP (a popular encryption technology), Virtru uses Advanced Encryption Standard (AES-256), a protocol used by the United States government that is believed to be unbreakable. It’s faster and simpler than PGP, but is less secure for personal communications.
Ackerly, who serves as chief technology officer at Virtru, cofounded the company right after an eight-year stint on both the offensive and defensive side of the NSA’s cyberwars. His last two years on duty were spent as a cloud security architect for the spy agency, a job that entails collecting, analyzing, and widely sharing enormous amounts of data within the U.S. government while simultaneously protecting it from global adversaries.
Ackerly runs the company with his brother, a former Bush White House policy maker. Most of Virtru’s employees and contractors have NSA backgrounds as well. These strong connections to the feds understandably raise eyebrows. And while he used the Snowden anniversary as a launchpad for Virtru’s Android app, Ackerly’s feelings on the leaker are less clear cut.
“I’m torn,” he told the Daily Dot when asked about Snowden’s leaks and activism. “I think the NSA has a very important mission. I experienced this particularly working overseas with the army.”
Signals intelligence, the sort gathered by the terabyte by the NSA, is “the biggest weapon to help protect our soldiers,” Ackerly said. “If [Snowden] was trying to help the U.S.A., I think he made the wrong choice. There are some things in the system—the framework of laws and regulations need fixing, but I don’t think he made the right move.”
Virtru is meant to secure your communications most of all against cybercriminals and foreign threats. And the tool’s development began even before Snowden ever spoke up. Ackerly says he saw a rising “trillion-dollar problem” of identity and intellectual property theft that he was uniquely suited to solve.
If the U.S. government, rather than hackers, wants to read your Virtru-encrypted emails without you knowing, the current build of Virtru won’t completely protect you. While a court order to both Virtru and your email provider will not reveal emails you sent or received in the past (because Virtru’s encryption keys are ephemeral and unretrievable), it would open up future communications to eavesdropping. And if gag orders are in place, you’ll never know that your supposedly secure communications have been compromised. That’s the inherent danger of encryption in the cloud.
Virtru has already set up a clever “canary in the coalmine,” Ackerly insists, in order to warn against any potential gagged court orders they receive. If law enforcement forces them to give up a users keys without notifying the user, Virtru says it will stop publishing its quarterly transparency reports. If police fight that subtle signal to users, Ackerly says he has the assurance of the American Civil Liberties Union and Electronic Frontier Foundation that the two organizations will support them.
“At that point, we would fight it all the way up,” Ackerly said.
While the current state of Virtru leaves something to be desired in terms of security, the user experience is unmatched. And Ackerly promises big things for the future of the program, including developments that are essential for the acceptance of this incredibly convenient tool into the world of information security.
Crucially, the code will be open sourced and the ability to store keys on your own computer will be given to all users, potentially creating the easy-to-use, decentralized security tool that so many encryption-advocates have been waiting for. When that happens, Virtru’s vast potential may finally be realized.
In just four months, Virtru has smartly set to solving the problem of getting the mainstream to adopt encryption. The cryptography is strong, the user experience is unmatched, and the legal foundation is solid.
At 10,000 users and growing, it’s clear that the program has caught on. As Ackerly targets businesses big and small, the market potential is clearly there.
However, only when Virtru goes open source and allows for local key storage can the combination of security, convenience, and growing global privacy awareness allow the program to be one of the possible sparks that leads to a real privacy renaissance.
Photo via .Bala/Flickr (CC BY-SA 2.0)