A company can encrypt customer data at all times, but if served with a subpoena, it still has to hand that info over to the government. In an attempt to address this issue, Aaron Levie, CEO of the popular cloud storage service Box, is mulling the idea of giving encryption keys to Box’s customers. That way, Box would have access only to unintelligible data.
Levie talked about the plan on Tuesday at the InformationWeek Conference in Las Vegas. He said:
If you gave the encryption key to your collaborators, you could absolutely encrypt data before it goes to Box and then your collaborator could decrypt that data as they download it. We would then never have the unencrypted data in the process. The challenge, of course, is most average business people and enterprises are not going to go through that experience because our differentiation as a company is to take security and combine it with a very simple user experience around working with information.
Basically, what he’s saying is that encrypting and decrypting on the user side would make it trickier to use Box, which is designed for ease of use. For most customers, this trade-off probably wouldn’t be worth it. But enterprise customers who prize security might be thrilled to hold their own encryption keys.
This is not a new idea for Levie or the wider data security community, though Box would be implementing it on a particularly large scale. Last September, Levie told Ars Technica, “We are exploring ways that in the future our customer would be responsible for its keys, and that’s something we may make available to some of the largest organizations.” Back then he didn’t want to provide a solid timeframe, but now he is talking about offering such a service by the end of the year.
Similar services include WatchDox, a company similar to Box that has a little-known option for users to control their own encryption keys, and CipherCloud, a third-party service that works with Box to provide encryption options to the user. But even with some competitors out there, Box could still have a major impact on the space—if it hits the right balance of security and usability. The average individual (mom or not) probably won’t be able to, or want to, manage their own encryption keys any time soon. But the more the technology is developed on the enterprise scale, the easier it will be to see whether mainstream customers want it.
But honestly, how can you not trust your data to a company whose CEO has a high jump like this?