Raluca Popa, a researcher at MIT, is working on a way to make online services more secure: by allowing data to be encrypted on the user's computer, rather than on a distant server. But it's still far from a perfect security solution.
"Really, there's no trusting a server," Popa told MIT's Technology Review. What she means is that no matter how trustworthy a company or person may be, your security can't be guaranteed when they hold the means to decode your data.
And make no mistake, services "in the cloud" can see much of the data you send using their services: Gmail infamously offers advertisements based on the contents of the mail you're reading. Your data may be encrypted while you're not looking at it — but when you log in, it's Google's servers doing the decryption of your data, not your computer. It's this step Popa hopes to change.
A new Web development tool called Mylar moves that decryption step from the servers you're communicating with to the computer you're using. With Mylar, the server knows what encrypted data to send you, but doesn't know what that data actually is.
This way, companies can't be pressured to give up user data on demand, and even the NSA, snooping via PRISM or another program, would see nothing but encrypted gibberish passing between you and the server. They could, of course, tell when and where you're accessing data (the valuable "metadata") but the content would remain hidden — unless, of course, they've hacked your computer, too. But that's a whole other challenge.
One other caveat: Since the server doesn't keep a copy of the decryption key, if you forget your password, your data is gone — forever.
The idea has been around for years, but Mylar is meant to be easily integrated with today's Web apps — though it hasn't been used by any major service yet. Popa hopes ongoing trials at a Boston hospital will show the tool is worth adopting.
