THREAT MODEL
In this section we will describe the threats Cryptee is and is not designed to guard against.
We believe that unencrypted storage and productivity services have three major weaknesses in terms of security, and these are the three core issues we tried to address with Cryptee.
№ 1 TRUST
Unencrypted storage and productivity services authenticate you with your email & password, and your files aren't encrypted in any way. This approach has multiple negative consequences.
- The company whose product you're using can see the contents of your files.
- The company can run bulk-analysis on your files and sell your data for advertising.
- Governments can use mass-surveillance techniques to see the contents of your files.
How is Cryptee different?
Imagine having printed private photos, giving these photos to your friend and saying "Please keep these photos safe for me, and don't let anyone else see them." Your friend assures you that nobody else will see the photos. Your friend can still see these photos, make copies of them, or even sell copies of them. This is exactly how unencrypted file storage and productivity services work: based on trust.
With Cryptee, imagine putting your private photos in an impenetrable box and securing that box with a lock that takes millions of years to crack. Now if you hand this box to your friend, your friend can keep the box safe from others, but more importantly, your friend can't see what's inside. This is one reason why Cryptee is inherently safer: not because of trust, but because of individually verifiable encryption. Your files never leave your devices unencrypted.
Here's a relevant XKCD comic about most storage services.
№ 2 FORCEFUL ACCESS
In the field of cryptography, there's a concept called "rubber-hose cryptanalysis". This is a euphemism for extracting someone's cryptographic secrets by means of coercion or torture (such as beating that person with a rubber hose), in contrast to a mathematical or technical cryptanalytic attack.
Say you're in an abusive relationship, and your partner asks you to unlock your phone or face the consequences. Situations like these arise from power asymmetry: a situation in which you are forced to give up privacy, "or else..." More and more, we are entrusting pieces of our lives to our devices. Our phones, computers, and online accounts all absorb bits and pieces of our identities, leaving us with limited privacy. More companies are asking for access to their employees' social media accounts and emails; people can force their partners to reveal financial information or photos; and certain groups are unfairly targeted by law enforcement.
Cryptee is designed with humans and in-person deniability in mind. Our Ghost Folders feature allows you to temporarily hide any folder, and a ghost folder can only be brought back (summoned) if you know its name. This gives the user ultimate deniability under duress: if a third party gains access to your account by means of coercion, they can't prove that you have a ghost folder unless you choose to reveal the folder's name.
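To make the deniability property concrete, here is an added example (not Cryptee's own code, and not a description of how Cryptee implements Ghost Folders) of a folder index in which a hidden folder is stored only under a keyed hash of its name and its contents are encrypted under a key derived from that name. The visible index carries no folder name, so whoever is looking at the account cannot tell whether a ghost folder exists; supplying the right name recomputes the handle and the key. It also illustrates the point from the TRUST section above: whoever stores the blob sees only ciphertext. The user secret, the HMAC-SHA256 counter-mode keystream and the folder names are constructed for the example; a production client would use a standard authenticated cipher such as AES-GCM in place of the illustrative keystream.

```python
import hashlib
import hmac
import json
import secrets

# Constructed user secret. In a real client this would be derived from the
# user's password on the device and never sent to the storage provider.
USER_SECRET = secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Illustrative PRF-based keystream: HMAC-SHA256 over nonce||counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ghost_tag(user_secret: bytes, folder_name: str) -> str:
    """Lookup handle for a ghost folder: a keyed hash, so the index stores no name."""
    return hmac.new(user_secret, b"ghost-tag|" + folder_name.encode(), hashlib.sha256).hexdigest()


def ghost_key(user_secret: bytes, folder_name: str) -> bytes:
    """Per-folder content key, derived from the same secret and name with a different label."""
    return hmac.new(user_secret, b"ghost-key|" + folder_name.encode(), hashlib.sha256).digest()


class FolderIndex:
    """Visible folders are listed by name; ghost folders exist only as opaque entries."""

    def __init__(self):
        self.visible = {}  # folder name -> list of file names
        self.ghosts = {}   # ghost tag (hex) -> (nonce, ciphertext, mac)

    def add_folder(self, name: str, files):
        self.visible[name] = list(files)

    def hide(self, user_secret: bytes, name: str) -> None:
        """Turn a visible folder into a ghost folder (encrypt-then-MAC its contents)."""
        files = self.visible.pop(name)
        key = ghost_key(user_secret, name)
        nonce = secrets.token_bytes(16)
        plaintext = json.dumps(files).encode()
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
        mac = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        self.ghosts[ghost_tag(user_secret, name)] = (nonce, ciphertext, mac)

    def summon(self, user_secret: bytes, name: str):
        """Bring a ghost folder back; returns None when no folder of that name exists."""
        tag = ghost_tag(user_secret, name)
        entry = self.ghosts.get(tag)
        if entry is None:
            return None  # wrong name: indistinguishable from "no ghost folder at all"
        nonce, ciphertext, mac = entry
        key = ghost_key(user_secret, name)
        expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None  # tampered blob: refuse rather than decrypt garbage
        plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
        files = json.loads(plaintext.decode())
        del self.ghosts[tag]
        self.visible[name] = files
        return files

    def listing(self):
        """What anyone looking over your shoulder at the account would see."""
        return sorted(self.visible)


if __name__ == "__main__":
    index = FolderIndex()
    index.add_folder("Taxes", ["2019.pdf"])
    index.add_folder("Private", ["photo1.jpg", "photo2.jpg"])  # constructed sample data
    index.hide(USER_SECRET, "Private")
    print("visible:", index.listing())                   # only Taxes
    print("wrong name:", index.summon(USER_SECRET, "private"))
    print("right name:", index.summon(USER_SECRET, "Private"))
```

The key design point is that the only link between a ghost folder and its name is a computation that needs the name as input; nothing stored reveals it, and a failed summon looks exactly like a name that never existed.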
We also designed Cryptee to make sure it works in mobile browsers like a native app when you pin it to your phone's home screen. We know that having Cryptee show up in your app downloads history could potentially put you in trouble, making deniability harder. Being able to use Cryptee like a pinned web app means that if you erase your browsing history and unpin the app, you can more easily deny having used Cryptee, should you ever need to.
Here's another relevant xkcd comic.
№ 3 EASE OF USE
There are more and more services providing very complex means of securing your private data and communications. We think that data security and privacy is everyone's right, so it should be easily accessible to everyone — not just experts. We strongly believe that even our non-technical grandparents should be able to use Cryptee to keep their old photos, videos or documents safe. So if your grandparents find it hard to use, reach out to us.
SCENARIOS
№ 1 UNAUTHORIZED BACKDOOR
The most relevant attack vector for Cryptee is an attacker somehow gaining access to Cryptee's servers without us noticing. Such an attacker could conceivably change Cryptee's code to send malicious pieces of code to the user's browser, which would either allow the attacker to get users' unencrypted data directly, or have the users' encryption keys sent back for future use in a MITM attack, which we'll talk about below.
Cryptee has implemented multiple safeguards against this threat at the organizational, server and application levels.
At the organizational level, all our servers are protected with physical & digital cryptographic keys, multi-factor authentication, and biometrics where applicable.
At the server level, we rely heavily on a micro-service driven architecture where possible, significantly reducing the attack surface by not having a single point of failure. In addition, we have independent and distributed monitoring services that constantly scan our served public code and notify us immediately should they detect a change in it.
At the application level, once installed, our apps check the hashsums of each new version release; if there is a mismatch for any reason, or a release isn't publicly reported, our apps simply don't download the update and continue using the last safely downloaded version.
An attacker could still hypothetically gain control of our servers, gain control of the independent monitoring tools' behavior, and modify the software, all without anybody at Cryptee noticing. The odds of this being successfully executed are very low, as it involves compromising multiple independent servers and monitoring tools in concert.
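The two controls described above, external monitoring of served code and hash-checked updates that refuse unreported releases, are shown here as an added example; this is not Cryptee's code and makes no claim about how their monitors or apps are built. The release manifest, bundles, asset hashes and the manifest key are all constructed for the example, and the HMAC over the manifest stands in for whatever signature a real client would verify.

```python
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a real application bundle.
GOOD_BUNDLE_1_1 = b"console.log('demo app v1.1');\n"

# Placeholder for the key a client would use to authenticate the release list.
MANIFEST_KEY = b"placeholder-manifest-signing-key"


def sign_manifest(releases: dict, key: bytes) -> dict:
    """Publish the list of reported releases (version -> bundle hash) with a MAC over it."""
    body = json.dumps(releases, sort_keys=True).encode()
    return {"releases": releases, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    body = json.dumps(manifest["releases"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


# Constructed manifest of publicly reported releases.
PUBLISHED = sign_manifest(
    {"1.0": sha256_hex(b"demo app v1.0"), "1.1": sha256_hex(GOOD_BUNDLE_1_1)},
    MANIFEST_KEY,
)


def decide_update(installed_version: str, offered_version: str, offered_bundle: bytes,
                  manifest: dict, key: bytes):
    """Client-side update policy: install only a reported release whose bundle hash matches.

    Returns (action, version_to_run, reason). Any failure keeps the last safe version.
    """
    if not manifest_is_authentic(manifest, key):
        return ("keep", installed_version, "manifest failed authentication")
    expected = manifest["releases"].get(offered_version)
    if expected is None:
        return ("keep", installed_version, f"version {offered_version} is not a reported release")
    if not hmac.compare_digest(expected, sha256_hex(offered_bundle)):
        return ("keep", installed_version, "bundle hash mismatch")
    return ("install", offered_version, "hash verified against reported release")


def changed_assets(baseline: dict, served: dict) -> list:
    """External monitor: compare what a server currently serves against baseline hashes.

    baseline maps asset path -> expected sha256 hex; served maps path -> bytes fetched now.
    Returns the paths whose content changed or went missing, which a monitor would alert on.
    """
    changes = [path for path, data in served.items() if baseline.get(path) != sha256_hex(data)]
    changes += [path for path in baseline if path not in served]
    return sorted(changes)


if __name__ == "__main__":
    print(decide_update("1.0", "1.1", GOOD_BUNDLE_1_1, PUBLISHED, MANIFEST_KEY))
    print(decide_update("1.0", "1.1", GOOD_BUNDLE_1_1 + b"// injected", PUBLISHED, MANIFEST_KEY))
    print(decide_update("1.0", "1.2", b"unreported build", PUBLISHED, MANIFEST_KEY))
    baseline = {"/app.js": sha256_hex(b"app"), "/index.html": sha256_hex(b"index")}
    print(changed_assets(baseline, {"/app.js": b"app", "/index.html": b"index"}))
    print(changed_assets(baseline, {"/app.js": b"app-modified", "/index.html": b"index"}))
```

Note that the policy fails closed: an unreported version, a hash mismatch and a manifest that does not authenticate all produce the same outcome, keeping the currently installed version, which is the behaviour the text describes.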
№ 2 COMPROMISED USER DEVICE
This is the most relevant threat you should be worried about. Even if you use the world's most secure storage service or productivity tool, advanced encryption is not going to help you if there's a keylogger on your computer or phone recording all of your keystrokes, or malware that can access your files or screen. Cryptee does not and cannot guard against a compromised user device.
№ 3 MAN-IN-THE-MIDDLE (MITM) ATTACKS
This is a rare attack in which an adversary sits between the user and Cryptee's servers and tampers with the data relayed between them. However, because your data is never transmitted unencrypted, the attacker wouldn't be able to see the contents of your data by simply listening in on the communications. The only way the attacker can read the contents of your files is by serving you a modified version of the Cryptee website, which could secretly pass your encryption key back to the attacker. This is a much more sophisticated attack that can typically only be executed by a very strong adversary (like a government), and it is generally a very targeted attack; it cannot easily be used on a large scale for mass surveillance. To be clear, all unencrypted storage/productivity services are even more vulnerable to much more basic versions of this attack.
RECOMMENDATIONS AND USE CASES
PRIVATE CITIZEN WITH PRIVACY CONCERNS
Cryptee is perfect for individuals or corporations that do not want the government to have access to all of their documents, photos or videos at any time, and do not want Google, Microsoft, Apple, Facebook, Dropbox, Evernote or Amazon constantly scanning and archiving all of their personal data. With Cryptee and our strong encryption, the barrier to entry for mass surveillance is high enough that it is simply not practical.
If you have sensitive personal documents, files, photos, videos or business information that you want to make sure is protected from competitors and other malicious parties, Cryptee is perfect for you.
PRIVATE CITIZEN WITH POWER ASYMMETRY
Cryptee is designed for users who are in a lose-lose, power-asymmetry situation. Our unique Ghost Folders feature allows users to have ultimate deniability in situations where they are required to grant access to their accounts and comply, and refusal to comply might put them in harm's way.
This could be the case:
- if you're in an abusive relationship, where your partner is forcing you to log in to your account in front of them;
- if your employer/boss wants you to log in to your account in front of them or give them access;
- if you're at an oppressive security checkpoint, where you are either asked to log in to your account in front of a security professional, or told to hand over your passwords;
- if you regularly have to access your files in front of others, and you simply would not want them to see all your files and folders.
Cryptee can protect you in these moments.
LAWYERS, DOCTORS, PSYCHOLOGISTS
If you're a lawyer, doctor or psychologist who needs to keep patients' or clients' names and information secure, or a self-employed person hoping to keep your work safe, Cryptee is just what you need. Our strong on-device encryption and zero-knowledge storage make us a perfect and compliant solution for your needs.
NOT RECOMMENDED
If you are Snowden, or planning on being the next Snowden and taking on an intelligence agency or government head-to-head, or have a life & death situation that requires privacy, we wouldn't recommend using Cryptee.
CONCLUSIONS
We would like to conclude with a few thoughts about privacy & surveillance in general. We often hear that if you are not a criminal, or have nothing to hide, there is no need for privacy. To those critics, we quote what the wise people at ProtonMail said: "Does that mean that only criminals have curtains over their windows?".
Over the years of building Cryptee, we have heard from numerous critics that by building Cryptee, we are providing a powerful tool for criminals. To those critics we would like to point out that you can go to a kitchen store and buy a knife. You can either cook and feed your family with that knife, or hurt someone with it. This doesn't mean kitchen stores shouldn't sell knives. It also doesn't mean law-abiding parents wanting to feed their family should feel guilty for using a potentially dangerous tool for good.
There is no denying that Cryptee is a powerful tool that provides a high level of security and privacy for everyone. This may one day include criminals. All tools and services can be used for good or for bad. But one has to remember that the world does not consist entirely of criminals. There are also dissidents and democracy activists living under authoritarian regimes where freedom of speech is not respected. Then there are the rest of us, law-abiding private citizens, who simply want control over our online data. We can either choose to live in a world where everybody is under surveillance, or a world where everybody (criminals included) has privacy.
We believe that the right to privacy is a fundamental human right, and we are willing to fight and work towards protecting that right.