I’ve been advocating a stronger approach to privacy for some time now. My biggest concern is that we share so much private information using social media that identity theft and other security issues are only just beginning to become apparent. Aside from this, we are caught between the need to take advantage of the social networks that the majority of our peers share and simply giving in to the terms and conditions that come as part and parcel of these services.
Most notably, all of the content that you share over a social networking site suddenly becomes transparent to many third parties outside of your own control. There are ways to encrypt data before you share it, but most of these are too complicated for the average user to do easily. As a result, we all give up and just accept that everything we say and do is open to anyone to see.
Some years back, a fantastic plugin for Firefox found its way onto the Net. FireGPG used an open-source key-based encryption technology to encrypt and sign any online communications performed through your web browser. Unfortunately, FireGPG was discontinued. One of the problems that the developer was struggling with was that the way in which it integrated with particular websites was actually very complicated, and keeping up to date with changes was simply too time-consuming. Fortunately, a new contender has arrived on the block. Scrambls plays the same game; it just does it better.
Scrambls
Scrambls also uses a key-based encryption technique, but this time around it uses its own custom algorithm to perform the encryption on your behalf. When you post content to any website, Scrambls encrypts the information before it is submitted. A copy of the key that was used to encrypt the data is sent to the Scrambls server, so that anybody with the correct permission to access the message can do so. Setting up permissions is pretty easy: on the Scrambls site, you create groups to contain a list of people who are able to decrypt your message.
There are a few options here; one is to list email addresses for individuals who are able to access your content. Another is to specify a whole domain name (for email addresses sharing the same domain name) if you are dealing with a group of individuals from a particular organization. You can also specify a ‘shared secret’, so that anyone who knows the password that you used to encrypt the message is also able to decrypt it later on. There are a bunch of nifty features, such as group expiry, so that you can set dates for when members of a group will still be able to make sense of your message.
Scrambls works with nearly any website. I’ve tried it out on Gmail and in the Memeburn comments and it works pretty well. There is a plugin for nearly every major browser and there are even Scrambls apps for iPhone and Android. There seems to be no reason that you shouldn’t use it. However, there are a few things that do bother me about the service. Firstly, it depends on the survival of the Scrambls servers. If Scrambls disappears, your data seems to be permanently encrypted for everybody else.
Furthermore, it is somewhat disconcerting to be entering email addresses from your address book onto the Scrambls website. No matter how well-behaved they are, they can’t guarantee the security of that data in the long term. You also have the problem that many people have multiple email addresses and may sign into Scrambls using any one of those addresses. Knowing which one someone will use to subscribe to Scrambls is close to impossible, so the easiest solution is to always depend on a pre-shared key. Finally, Scrambls only works for text encryption, which is fine in most cases, but I would also like to see the option to encrypt binary data such as images and other file uploads.
Perhaps the biggest hurdle facing a service like Scrambls is the problem of convincing all of your friends to create accounts with Scrambls and install a plugin into their browser. That just seems like an uphill battle. There is nothing that appears next to your Scrambls text to inform friends that they might be able to decrypt a message if they would only sign up and install the plugin for their browser. Adding friends and organizing your groups needs to be a whole lot easier if this has any chance of taking off.
I’m not shooting Scrambls down before it even gets started. It certainly looks like a good way forward, but I think it has many things that it needs to deal with first. A much easier approach is actually available.
Encipher.it
Encipher.it simply relies on a pre-shared key in order to function, but it’s a whole lot easier to use and it’s much easier to convince people to take advantage of it. Sure, it can’t offer the same level of security that Scrambls can, but if you’re just out to keep your data from the average voyeur or from the clutches of third parties like Facebook or Google, it’s a great way to get into the good habit of protecting information from prying eyes. With Encipher.it, all you need to do is add a bookmarklet to your browser. As soon as you type some text into a text area on a website, click on your bookmarklet and you will be prompted to enter a passphrase that will be used to encrypt your message. Once you’ve done that, the text is encrypted. Furthermore, a link to the Encipher.it website is provided for instructions on how to decrypt the message.
Decryption is just as simple. On any web page where you see an encrypted piece of text, you click on your Encipher.it bookmarklet and you will be prompted for the decryption passphrase. Once you’ve entered it, the message is displayed in plain text again. That’s as simple as things can get. Encryption uses the AES algorithm with an automatically generated key, but once again there is a slight downside. The encryption code is hosted on the Encipher.it website, so you’re dependent on its survival in order to keep using the service. That said, the code is in plain JavaScript, so it can pretty much be ported to anywhere.
The good thing to know is that Encipher.it doesn’t really have any of the tools that could be used to decrypt your messages in the future. Without your passphrase, nobody will be able to read your messages. Furthermore, Encipher.it is not storing any data about you or anyone you know, other than possible web server log entries that get generated when you visit their site. It’s a lot more appealing due to its incredible simplicity.
Still, there are a number of downsides to this tool as well. Firstly, I tried it out on Facebook and the decryption option just seemed to get confused and was unable to find the message that I had posted. That was fine, since I just had to copy the text from the message, revisit the Encipher.it page and paste it into the test area to be able to decrypt it. Not ideal. What I’d really like to see is the option to highlight an encrypted message and then to decrypt the highlighted text. Another problem, which actually faces both products (if you choose to use a pre-shared key on Scrambls), is that you need to somehow share your key passphrase beforehand with the people you trust. Sure, you can send it via email or IM or whatever, but anyone who intercepts your message en route will be able to decipher all of your messages. These are not big issues, but they are things to be aware of.
Whatever you decide to do, consider using one of these two tools to facilitate your private communications if you are going to use a public platform to message from. It’s still a far cry from full-blown privacy, but it’s a step in the right direction.