Ex-NSA guru builds $4m encrypted email biz - but its nemesis right now is control-C, control-V

Virtru claims it can prevent leaks, but first it's gotta get out of beta


'Building trust is the core of our business'

Chief exec John Ackerly, who cofounded the biz with his brother Will, told El Reg that while they're big on email privacy, Virtru's technology offered no anonymity. "The focus is on protecting content – not anonymity," he explained.

Their company's software has been audited by iSec Partners, the security firm called in to audit TrueCrypt, the widely used file and disk encryption software.

The Ackerly brothers are working with privacy campaigners such as the American Civil Liberties Union and the Electronic Frontier Foundation. "Building trust is the core of our business," John Ackerly told us. "It's the right thing to do given our mission."

Virtru has rules in place for dealing with g-men who come knocking for a citizen's crypto-keys: its privacy policy is open what the level of privacy its users can expect. The FAQ on how it cooperates with government surveillance requests states:

We won’t provide your keys to anyone without your consent – unless we are ordered to divulge them by a judge with jurisdiction over us. If we are ordered to divulge them, we will fight for you to have notice and an opportunity to object.

Another section states that it won't be a part of internet dragnets, although it may not have a choice in this:

Would Virtru cooperate with broad surveillance orders permitting blanket surveillance by the NSA or other government agencies?

No – we do not think the law requires this, and we would fight an order to cooperate.

All of which sounds upstanding, but we've been let down in this area by other providers despite reassurances to the contrary. It's difficult to be wholly reassured. Asked directly whether they had a backdoor in their product, the Ackerly brothers said "no", as anyone would be bound to say. Both took this blunt question in good humour.

"People will be watching carefully," explained John Ackerly, a former associate director of the National Economic Council and official in President George W Bush's White House. "There's a healthy scepticism. And we want to be transparent from a legal perspective."

Secure webmail is a difficult and perhaps intractable problem given the limitations of the architecture. By default, email is like a postcard, readable by anyone it happens to pass by. And even encrypted email betrays metadata - such as the sender and recipient and the time messages were sent.

End-to-end encryption using cryptographically powerful packages such as PGP are the only way to shield the contents of a message. Webmail services such as Hushmail that touted secure communications have fallen short of their promises in the past – well before users were aware of the lengths intelligence agencies go to to secretly hoover up all internet traffic.

PGP guru Phil Zimmerman's Silent Circle shut down its secure email service in August rather than face the possibility of receiving a secret court order to compromise its users, which happened to the email provider Lavabit used by Edward Snowden.

Since then, Lavabit founder Ladar Levison has teamed up with the peeps behind Silent Circle to form the Dark Mail Alliance, a group dedicated to creating an end-to-end encrypted alternative to email that would guard against eavesdropping. The Dark Mail Alliance is looking to develop an Email 2.0 that offers superior privacy.

What Virtru can offer, however, is the ability to send official documents, such as tax returns, securely online. Its encrypted email capabilities for consumers can loosely be compared with those offered by Hushmail. It's an imperfect comparison, admittedly, but serves to illustrate a more general point.

Hushmail, which offers web-based PGP-encrypted email and file storage, is based in Canada, but users with long memories will recall that Hush Communications was obliged to turn over clear text copies of email messages associated with several addresses back in 2007. This was the result of a court order under a Mutual Legal Assistance Treaty between Canada and the US, as a part of a drug trafficking investigation.

Hushmail's marketing claims at the time stated that not even its own staff could access encrypted email, but in reality, its server-side encryption option did provide a way to recover the plain text of scrambled communication. It's terms of service were updated after the incident.

Where Virtru scores over Hushmail is perhaps in its ability to disable or track forwarding as well as the facility to recall messages, if it manages to nail down those features. All this is of interest to ordinary folks as well as regulated industries that deal with private information, such as healthcare or finance, once enterprise versions of the technology are developed – and shown to be locked down.

Recall to sender

"Virtru thinks everyone deserves real privacy and control over their data, even after hitting the send button," explained Will Ackerly. "This means masking the complexity of encryption and making it dead simple for the everyday user. With Virtru, users gain confidence knowing that only intended recipients have access to messages and that their information is protected from third-parties like advertisers, governments, criminals and Internet Service Providers."

He added: "The Silent Circle app offers top-flight security but you can only send messages to other people who have download the app."

Despite the growth of self-destructing messaging and other trendy mobile communications technology, Virtru reckons email will remain the dominant web communications method. Research from Harris Interactive, commissioned by Virtru, found that 83 per cent of Americans are concerned about the privacy of their email communication, and even more have not yet taken steps to secure their email because they don't know how. Americans worry about being targeted by advertisers based on the content of their private emails (83 per cent) as well as messages being read by unintended recipients (75 per cent).

"Most email users have nothing to hide, but everything to protect," said John Ackerly. "Until now, true email privacy protection has not been available to the average user because it required considerable expertise on the part of both sender and receiver."

Arguably, relying on the user to authenticate with the decryption key store using their email account username and password means a hijacked account could be seriously turned over – with many messages maliciously revoked and restricted. The Ackerly brother argue that email account hijacking is always going to be a big problem and that's why consumers should use two-factor authentication or other approaches to safeguard their sensitive accounts.

The Washington D.C.-based startup has raised $4 million in angel funding to develop its Virtru email privacy product. Over the next few months, Virtru plans to extend its product suite beyond email to allow users to control their texts, posts, tweets, and other digital communications. Additionally, Virtru will be introducing products and services aimed at small businesses and enterprises later this year. ®

Similar topics


Other stories you might like

Biting the hand that feeds IT © 1998–2021