Why I love PRISM

If you drink poisoned water thinking it’s safe you’re a victim. If you drink poisoned water knowing it’s poisoned you’re an idiot.

In that context, I have been a complete idiot.

  • I’ve stored unencrypted financial information on companies which I’ve been researching on Dropbox
  • I’ve used Gmail
  • I’ve used Skype
  • I’ve used Google for search
  • I’ve surfed the Net without a VPN

It’s all true, and I’m ashamed not because I’ve used this stuff, but because I knew it was unsafe and I used it anyway!

I’m ignorant about many things my fellow bipeds don’t seem to be…the Kardashians bowel movements, the debate raging over the name of the latest royal sprog, Lindsay Lohan’s rehab schedule… amongst many other things.

On the topic of data security however, I actually should have known better. You see, this is a trend only a blind man could miss. The need for data security in the world of the ever-expanding Surveillance State, which Mark alluded to in his post I’ve Got Nothing To Hide, has led me to searching for companies providing privacy solutions.


My initial concern was mistakenly hackers. In my minds eye I envisioned geeky, pimple faced, energy-drink-laden, pizza guzzling 20-somethings who haven’t seen sunlight in months, hunched over their laptops, working away feverishly in grandma’s gloomy basement.

Their prize in my case would have been gaining access to business plans – likely never understood – financial statements which would have bored them to tears, stack decks and term sheets with enough legalese to put an elephant to sleep.

Pimply-faced teenage hackers may well pose a threat to our data security, but governments are the undeniable leader of the “hacking” pack.

When looking for investment themes which encompass massive trends in motion, the protection of data all of a sudden became very interesting to Mark and I. How could we as capitalists participate in this sector?

Hackers, meh!

“Oh Chris, you must have known the government are capturing this stuff not hackers…surely you knew that?”

I knew those psychopaths were out there, and rest assured they absolutely are psychopaths. In truth I never realised the extent of it, in fact I’m sure I still don’t. Nobody does…most likely including Mr. Snowden, who seems to know a thing or two about this stuff.

My only consolation and the only defense I can offer for my stupidity is that I have always refused to have a Facebook page. Updating “friends” on my status, “Going to the bathroom now, and heading to Jo-Jo’s for a long black after…” strangely, failed to appeal. Weird, I know.

Nor, thankfully have I ever put my or any of my families photos or personal information anywhere except encrypted hard drives held in my physical possession.

In addition, I have steadfastly refused to buy a smartphone. Want a personal tracking device masquerading as a phone? Nah, I’ll pass thanks!

Still, even though I knew Leviathan was on the loose, why wasn’t I more careful?

Simplicity and ease of use. Yep, I took the easy route. I deserve to have my ass kicked for it really, but it’s the same human nature that has caused “free” cloud-based services multiply like kudzu. Humans, a category I count myself in – though some might disagree – are lazy.

Laziness, ignorance and a love for anything “free” is the carrot that has drawn so many of us into using these products. This won’t change any time soon. Try convincing Aunt Emma and Uncle Jonathan to use PGP and watch for the blank stares. No indeed, change takes place with those who are intellectually curious, active and informed. For the vast majority change will just not happen. Pareto was right.

This article is dedicated to the former rather than the latter.

The Slippery Slope

On the macro front the key ingredients are in the pot. Sweeping laws have been, and are still being ratified that allow for mass collection of data. In fact, I recently read the following on the BBC:

The US House of Representatives has narrowly voted to continue collecting data on US phone calls, in the first legislative move on the programme.

Where laws do exist to protect data and privacy, governments are subverting these laws anyway. Laws, after all only apply to the hoi polloi.

The data we hold and transmit is an open book. This the reality of the world we find ourselves in. Some knew it existed, many others are still finding it hard to believe it’s as bad as it is. Then some others, complete fools to be sure, see no reason to be concerned about this reality. “If you have nothing to hide, then you needn’t worry.”

If you’re in that crowd I suggest reading some history – quickly – to better educate yourself.

Companies such as Microsoft, Google, Dropbox, and Amazon to name but a few, have marketed the idea that customer data is secure with them.

ms pp

Numerous cases of hacking make these assurances laughable. Now of course we have learned that these same companies have been cooperating directly with governments around the world. Providing “back doors” into their “secure” networks and storage. So much for “Your privacy is our priority”. What an insult!

Government, being not much more than a Mafia with a limitless checkbook, are out of control and on the loose. The track record which accompanies previous Surveillance States is horrifying in its historical record of persecution, genocide and atrocities.

This is fact not opinion.

That said, fighting an enormous out-of-control government via the electoral system, or campaigning your elected “representatives” is asinine at best. Protesting and marching, even talking in the wrong crowd will increasingly get you on a “person of interest” list. None of these options particularly appeal unless you’re a fan of windowless rooms and black bags.

According to a number of sources, including this from the Guardian, the NSA revelations are finally directly affecting the profits of US-based companies in this space…in a negative way. Good!

This is a natural and perfect example of the market solving problems. What is clear is that providing the technology to keep communications and data secure and private is no longer a simple “nice to have”, but both increasingly essential and increasingly in demand. This ensures those providing solutions will likely be very profitable.

What, therefore can we do about it?

Profit of course!

Late last year Mark and I, together with our CPAN members invested in a privately held company providing a solution to in-secure cloud storage options. Little did we know the gift Obama’s administration was about to bestow on them.

Given the current Surveillance State we find ourselves in, I thought it timely to reach out to Nathan Brumby, the CEO of Lockbox to provide a far more eloquent explanation of their technology than I could muster up.

As a background, the Company was founded by a small group of highly talented entrepreneurs who first built bouncycastle.org, an open source cryptography platform now used by multinationals around the world. They then turned their attention to developing what is possibly the strongest and pre-eminent client-side encrypted cloud storage technology out there.


Chris: Nathan, can you give me the quick and dirty download on what Lockbox actually is and does?

Nathan: Lockbox quite simply is a locks and keys company. It empowers the owner of any content via client side encryption to encrypt (locks), select and allow (keys) who they share content with. There is no middle man.

Chris: For sake of comparison can you explain how Lockbox differs to say Dropbox, and in fact that of your other competition in the encrypted space?

Nathan: It is well understood that companies like Dropbox and Box, etc have built very successful businesses on the basis of allowing sharing of files in a very elegant manner. There are also numerous examples of very strong and robust server side encryption companies that can lock down an environment and ensure security and privacy. For years the assumed wisdom has been that you can be very good at sharing or very good at encryption and privacy, but not both simultaneously.

Lockbox has been able to solve this incredibly complex challenge. With Lockbox you can share but more importantly you can share in a secure and private manner. This is a very significant paradigm shift.

Chris: Can you explain to me what would happen if a government, or in fact anyone, wanted to obtain access to user files…would they be able to?

Nathan: Specifically because Lockbox enables a locks and keys relationship between an owner on the client side and who they choose to share with, no one but that owner and and their trusted relationships has access to the locks and keys. This is truly decentralized key management.

Anybody outside that trusted relationship including Lockbox itself has no access and would be required to go directly to the parties involved to seek access. This is fundamentally different to how things work today and in what is evidenced with PRISM. In those scenarios owners were not required, as centralized locks and keys simply meant the interested party simply had to go to the provider.

Chris: How can I as a user trust Lockbox…or, don’t I need to trust them?

Nathan: Simply because the Lockbox solution is decentralized and the control is with the client, Lockbox does not need to be trusted. Secondly and more illustratively, because Lockbox has no access to anyone’s content it does not require the complex and all powerful Terms and Conditions that the majority of companies use today, which completely takes ownership and removes the concept of privacy.

Chris: Cyber theft in Bitcoins is one of many examples of insufficient security practices. How can people learn which companies operating in the Cloud are secure and which simply say they are secure but could be lying?

Nathan: This is incredibly challenging for a consumer as the marketing hype and misdirection is rampant. The most simple way would be to review the Terms and Conditions. If they in any way suggest they can access or use your data, and or state all care and no liability, this is a pretty good sign they are not particularly secure or private and really should be avoided.

Chris: From your experience in the industry, what is the most common concern people have when using the Cloud, and do they follow through to ensure that this concern is addressed?

Nathan: The consistent concerns have been security, availability and sovereignty of data. However since the economic collapse of late 2008 people have tended to not always observe these concerns, and it really is only just recently that the concerns, and the realities of those concerns, have become more overt.

Chris: Thanks Nathan!

Nathan: My Pleasure Chris.


There you have it. One option for those serious about protecting sensitive data.

As I was putting the finishing touches to this post I came across the recent news that Lavabit, an email encryption firm allegedly used by Ed Snowden has abruptly shut down all operations.

“I have been forced to make a difficult decision: to become complicit in crimes against the American people, or walk away from nearly 10 years of hard work by shutting down Lavabit.”

“This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”

You can read the full statement on the companies website here.

The Obama administration is actively destroying trust amongst consumers, and as Dylan Grice so eloquently points out:

“Distrust is a brake on prosperity, because distrust is a brake on exchange.

Putting a brake on exchange puts a break on the economy and increases social stresses leading to domestic and/or external conflict. This is where these psychopaths are leading us…economic ruin, servitude or both!

Silent circle, a company I’ve been in discussions with regarding their products, and who I just recently decided not to engage due to their being headquartered in “Washington DC”…ummm, have terminated Silent Mail, which WAS their encrypted mail product. According to Jon Callas, co-founder:

“We see the writing the wall, and we have decided that it is best for us to shut down Silent Mail now.”

“We have not received subpoenas, warrants, security letters, or anything else by any government, and this is why we are acting now.”

Government is quickly closing ranks and stripping its citizens of all protections. Yet, here is why I thank Obama!:

“I will also hold myself as president to a new standard of openness …. Let me say it as simply as I can: Transparency and the rule of law will be the touchstones of this presidency.”

“Thank him?” Yes. In short because he is easily the most transparent liar in American history. His breaking of every imaginable law and trampling of the US Constitution is unprecedented. Yet, as hard as it might be to imagine, this too will create opportunity.

There is a saying in financial circles…”Don’t fight the tape”. Well Folks, I’m not fighting the tape on this one. As a capitalist, sadly something that has become a dirty word in our politically-driven world, I choose to take my stand by investing in and supporting solutions to problems. This is a BIG problem.

Disclosure: Not that it really should be anyone’s business, but in the interests of transparency – NO, not the sort Obama promises – Mark and I, together with our CPAN members participated in an early stage equity raise in Lockbox. Since the Company is still private and the equity round closed, readers cannot invest in Lockbox at this time. Regardless, this is not a recommendation to do any such thing.

Furthermore, I’d like to thank the NSA, the FBI, Google, Microsoft, Verizon and the many, many spineless companies and bureaucrats who have assisted Lockbox and companies like them in achieving accelerating demand for their product and helping us get richer…because after all, that’s how we capitalists roll.

– Chris

“it is astounding that so many consumers put private information in the hands of a ‘free’ service that essentially shares that data with the provider. That free service brings a lack of security, privacy and control where a provider has access to any and all data that is uploaded and that data can be used for whatever the provider deems fit.” – Peter Long, Co-founder Lockbox


This Post Has 5 Comments

  1. plato

    My biggest concern with third party privacy services is poisoned code.

    Lockbox TOS references CA law, and the Lockbox domain is registered to a CA company. So Lockbox presumably must comply with US law.

    What does Lockbox do if they receive court orders and/or gag orders to “help catch a terrorist” ordering them to serve a different set of javascript code to a particular set of targets?

    This ‘poisoned code’ would be a modification of the normal Lockbox client with sneaky modifications. Presumably users have to download the client code from Lockbox, whether on first use or every time they use the service. So you (and/or spooks) should have plenty of opportunities to send malicious payloads to the targets.

    This is what happened with Hushmail. My guess is that Lavabit received similar orders. Silent Circle expected similar but doesn’t want to play ball.

    How will Lockbox defend against this attack?

  2. Jon Eaves

    Hi all, very interesting article and really great to see Lockbox doing neat stuff. However I just need to clear up something and that is that while Lockbox may have used Bouncycastle and had one of the Java developers working there, not all of the Bouncycastle developers were employed by Lockbox initially and definitely not all of them are now. Also, some of the founders of Lockbox have nothing to do with Bouncycastle at all.

    For specifics, I’m not associated with Lockbox in any way, have never been associated with Lockbox, yet I’m a founder of Bouncycastle.

    However, I do wish them all the best in what they’re doing as Australian companies, especially tech companies have a pretty hard road.

    1. Chris MacIntosh

      Thanks for clarifying Jon. I could have been more specific and in hind sight probably should have.

  3. Jon Eaves

    No worries at all Chris. Nothing negative intended. Just had a couple of my mates link me this going “you worked on Lockbox??”.

    All good.

  4. Peter Long

    A couple of quick comments – Lockbox was fortunately to have a couple of very smart, very experienced BCers to kickoff the process and without whose expertise we wouldn’t be were are today. We, of course, used Bouncy Castle as the basis of our cryptography and are grateful to them and the whole community for their efforts.

    Secondly,as we’ve posted elsewhere, we agree that any encryption tool must be open for scrutiny. I want to state that there are no back-doors, poisoned code or such like, and unlike many server side solutions, our signed java (not javascript) application is delivered client-side, which means that it can be examined to satisfy any concerns that people have.

    Finally, our US entity is a reseller, and doesn’t not have access to code, developers etc – so can’t be compelled to “help” by the US authorities.

Leave a Reply