File-storing service SpiderOak says it's experiencing a business boom – rapidly nearing one million users and doubling its site metrics in six months – amid a constant trickle of news reports revealing Internet surveillance by the government.
Files stored using SpiderOak are encrypted and their contents unknown – and unknowable – to the company. Sharing such files will soon be "zero knowledge," too, as the company prepares to roll out Crypton, its open source app-building framework, which will be publicly available within the next couple of months.
"Essentially what we did was we inverted the Internet," says CEO Ethan Oberman. "We created a world where the server is actually a big dumb machine. It only sees encrypted data blocks."
A free version of the file-hosting service offers 2 GB of storage in exchange for a name, email address, username and password.
"We don't really fact check that information," Oberman says.
The company does know the IP address of users, he says, but IP-masking browsers – such as Tor – can conceal that information as well, making it possible to store files without disclosing any identifying information.
If the government were to come to the company with a valid legal demand for data, Oberman says, "We could turn over the data, but it is literally in encrypted data blocks and not decryptable by us. The only way it's decryptable is if you have the key, which we do not maintain."
Unlike users of some competing cloud storage services – such as Dropbox, which has nearly 200 million users – SpiderOak customers cannot reset their encrypted passwords if they forget them. SpiderOak is also unaware of filenames and file types, but does know the amount of storage space being used.
Sharing documents with SpiderOak currently presents a theoretical security concern. Users have the option of creating a "shareroom" to host files, either with or without a password. The rooms are hosted with unique URLs on the SpiderOak website and can be accessed by non-users.
"When you share something publicly with someone, that data has to be known at some level with the server," even if there is a password, Oberman says. "With our new technologies based on Crypton, that won't be the case."
Keys, logs and data for shared files are deleted after 3 days. Oberman says only trusted employees have access to the information, which he says has never been accessed.
Crypton is a "lightweight" version of the existing site software, according to Oberman. It's written in JavaScript and designed to work with popular Internet browsers. In theory it will be used by app developers to build a variety of secure document, photo, video and chatting programs.
"Whereas sharing today means publishing keys to the server so we can expose only those files being shared, very soon that will not be the case and people can benefit from 'zero knowledge' sharing and chat and collaboration," he said.
If shared material is downloaded at extraordinarily high rates, SpiderOak contacts the user and asks for assurances they are not breaching the company's terms of service, which prohibit illegal conduct. That's only happened three times, and in each case, Oberman says, multiple emails were sent during 60-day periods before the accounts were deleted.
If the deleted users had responded and claimed – without proof – they were distributing family photos, he says, the accounts would not have been deleted.
Although the service may seem ripe for exploitation by child pornographers, al-Qaida strategists and other underworld figures, Oberman says the way the company projects itself has warded off the "bad element."
"If we find out al-Qaida or some other bad element was doing something nefarious, we would cut that account," Oberman says. But, he adds, "the Internet is an open, public space and people can find products that they want."
Business clients are increasingly paying for the company's services, Oberman says, with a large telecom company, a software firm, legal offices and academic institutions recently starting, or expressing interest in beginning, paid service.