The server-side software running in the cloud is built on PostgreSQL and node.js, Oberman explains. "Typically, you would have the indexing and searching done in the cloud. With Crypton, this is all happening on the client. The data structures we use make this happen fast," he says. "The cloud is just used as a dumb storage medium, storing and retrieving data it can't read."
This works by dividing information into data and metadata and taking advantage of the fact that metadata in data-intensive applications such as photo storage is typically less than 1 percent of the underlying data. "Our browser-based client can retrieve metadata very quickly. Then, when you want the real file, it can download it," Oberman says.
Using this approach, a hacker or government agency can't do a mass compromise of user data. Accessing a given user's data would involve compromising that individual's client device. Even if that's possible, it's not an approach that can be easily scaled to compromise a large number of users.
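The split described above, sketched as an added example that is not Crypton's code or API: the `Client` class, the `seal`/`unseal` helpers, the in-memory `server` map and the choice of scrypt with AES-256-GCM are all assumptions made for illustration. The client encrypts a small metadata index and each file separately, searches the index locally, and downloads a file blob only when it is needed.

```javascript
// Added illustration, not Crypton's API: every name here is hypothetical.
const crypto = require('node:crypto');

// Constructed stand-in for the cloud (single user): opaque blobs keyed by id.
const server = new Map();

// AES-256-GCM; blob layout is 12-byte IV | 16-byte auth tag | ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function unseal(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the server altered the blob.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

class Client {
  constructor(passphrase, salt) {
    // The key is derived on the client and never sent to the server.
    this.key = crypto.scryptSync(passphrase, salt, 32);
    this.index = []; // plaintext metadata lives only in client memory
  }
  put(name, tags, content) {
    const id = crypto.randomUUID(); // storage id reveals nothing about the file
    server.set(id, seal(this.key, Buffer.from(content)));
    this.index.push({ id, name, tags });
    // The small metadata index is stored as its own encrypted blob.
    server.set('index', seal(this.key, Buffer.from(JSON.stringify(this.index))));
  }
  sync() {
    // Fetch and decrypt only the metadata, not the files themselves.
    this.index = JSON.parse(unseal(this.key, server.get('index')).toString());
  }
  search(tag) {
    // Searching happens on the client, over decrypted metadata.
    return this.index.filter((m) => m.tags.includes(tag)).map((m) => m.name);
  }
  fetch(name) {
    // The large blob is downloaded and decrypted only on demand.
    const meta = this.index.find((m) => m.name === name);
    return unseal(this.key, server.get(meta.id)).toString();
  }
}
```

A second `Client` built from the same passphrase and salt can call `sync()`, `search()` and `fetch()` against the same `server`, while a client with a different passphrase fails authentication in `unseal`.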
Is Browser Secure Enough for Running Apps?
Ramon Krikken, a security researcher at Gartner, says that, done properly, a privacy-oriented Web application platform such as Crypton will be highly attractive to developers. They want an easy-to-use framework with standardized, validated code.
The key question, then, is whether Crypton is really as secure as Oberman hopes. As an open-source project, the code base is open to scrutiny from any eyeballs that care to look at it - including the NSA's, of course. That, in itself, doesn't guarantee that the code is not flawed. For this reason, Oberman says SpiderOak plans to pay an as-yet-unnamed security outfit to review the code.
To that extent, Krikken says Crypton's prospects are promising. "SpiderOak seem to be doing all the things that you would hope [it] would do: making the code open source, getting it validated and using standardized components," he says.
It's too early to say if Crypton will succeed, as the platform is still at version 0.0.1. The security audit is due to take place this October, though, and more stable code may be available as early as the end of the year, Oberman says.