Skip to content

Thoughts on getting Privly adopted by a ‘significant’ number of people

More notes from my recent conversation with my friend – this one – totally devoid of the technical side and all about driving adoption.  How many people could potentially use this.  How many of those might want to if they knew about it?  How many are needed to form a critical mass of support?

My friend’s back of the envelope estimate was 3 billion people worldwide interacting on the internet by 2020.  Ive seen estimates as high as 5 billion by then.  That’s a lot of people.  The likelihood that Privly becomes the next Facebook / Google / ??? with huge percentages seems unlikely.  So the questions become What is doable?  How big is big enough to be a self-sustaining core of support?  What are the possible segments to be looked at? Should Privly try a broad strategy – many platforms / target markets or a more narrow focus?

Our conversation ranged wildly on a large nuumber of topics, but one key thing we agreed on at the end were desktop computers and laptops with full operating systems and mainstream browsers are a large market, but aren’t growing anywhere nearly as fast as the tablet / smartphone markets.  The older demographic finds computers challenging, but with the advent of the iPad and other tablets, they find getting online easier.  Younger folks are more likely to spend more of their ‘social sharing’ time on a smartphone or tablet also.  So – while an initial approach of desktop / laptop browsers may not be bad, consideration should certainly be given to support for other devices.

The current Privly strategy is to go open source and try to recruit enough community developer support to be able to support a wide range of browser options – FireFox, IE, Chrome, Safari and Opera.  This doesn’t sound so bad on its face – but when you add in all the versions, and OS versions and configurations, and security policies that might be in place, there are a huge number of combinations that would need to be tested.  Maybe its doable, maybe restricting the range of what is supported makes more sense.  Maybe implementing security on a backend server and minimizing the browser based code might make maintenance easier. With an HTTPS connection to the server, the security decrease is small.  Possibly offer this as an option?

Another thread of conversation we had that didn’t really get fully formed was what’s the compelling reason to use Privly.  The first take we took on it was a who is likely to use it.  We broke that into 3 types of folks.  First, crypto-geeks who like encryption for its own sake and having a relatively easy way to use it daily jump at the chance.  Second, privacy enthusiasts – either in general (ACLU, EFF, etc.) or for specific reasons (concerns about certain friends, partners, company relations finding out what they are doing).  Third, folks who aren’t particularly interested – but want to communicate with someone who is, so they participate for the sake of the person who is concerned.  Later in the conversation we added that there might be some services that do not want to be held accountable for the content users post on their servers.  The service providers then might encourage users to encrypt in such a way that the provider actually can’t provide any information on the posts.  A recent article described Twitter in just such a sticky situation.

One potentially compelling reason would be to prevent something that was posted from being taken out of context and coming back to haunt the person years or decades later.  Another would be to make it harder to be persecuted for your beliefs.  Perhaps protection from the service provider (wherever the posts are) knowing too much about you.   GMail ads are based on content of your emails.   GMail’s info on their ad policy includes – If “you’ve recently received a lot of messages about photography or cameras, a deal from a local camera store might be interesting” so that ad is more likely to be served.

There is definitely a critical mass issue here.  If I’m not particularly interested, and one friend of mine tries to convince me I should put forth some effort, I may or may not – even if the effort seems small.  On the other hand, if 2-5 of my top 10 people I communicate with use this, I’m very likely to join in – just to make it easier.  The network effect definitely plays here.

So perhaps the correct question is not how to get Privly adopted by a significant number of total people, but by a significant number of people in a particular market segment?  Then the obvious follow up questions become what is that segment?  How do we identify it? expand into it? and dominate that one area?

 

 

.   While the initial Privly focus is browser extensions that

How much security is ‘enough’?

Another area from the recent conversation I had with my friend was how much security is enough?  Obviously, that begs the question – what are you trying to protect against?

Luckily for Privly, the answer is protect against casual eavesdropping, automated cataloging of information and ‘non-determined’ attackers.   What do I mean by this?  If someone has hacked into your wireless network (or you post via a typical coffee shop free internet connection) and can monitor your packets you should be protected.  Further, the posted data should be protected in such a way that web crawling indexers for search engines can’t glean any sensitive information.  Finally, if a company in competition with yours, or a jilted lover tries to break in to see what you’ve posted you should be OK.

So what doesn’t this include? – mostly three letter agency type attacks, or others with similar dramatic resources, and motivation to attack your encryption.  Chains break at the weakest link.  By the time you move from casual or even serious attacks, to adversaries with dramatic power (both computing and real world) it’s a different game entirely.  Surveillance of you (watching over your shoulder as you enter passwords), physically accessing your computing device and modifying it to report to them, physical or legal coercion on you or any of your recipients are all very possible attack approaches that could be taken – that Privly or any software cannot address.

Note that encrypting everything means that extra-ordinary measures would need to be taken to index your information even if it was gathered.  So if you are concerned that a government agency is monitoring all internet communications and recording them and storing them for later analysis, using something like Privly would mean that your data would show as encrypted, but further detail wouldn’t be available without more work.  As long as enough people encrypt enough content, and as long as there is no other reason for you to be ‘noticed’, your content itself won’t flag you anywhere.

Bottom line – there’s no point putting a $5,000 lock on a $20 door.

 

Key Management Issues – how long do I need to save the key?

What’s tough for Privly (and all encryption schemes) is key management.  I had a long talk with a friend of mine last week and this was one of the issues we discussed at length.

See the big problem is when I encrypt something I need to use a key to secure it.  Then, I need a key to unlock it later.  And if I want to share data (like Privly is intended for), I need to be able to make sure my friends have a key to open the posts they are supposed to access.  So far, this doesn’t seem too bad, but here’s where it gets tricky…

How long do I want to save my data for?  If it’s just for a single session, I don’t have to worry about key preservation.  I still need to make sure I have some way of getting a secure key from me to whomever I am communicating with, but that’s very manageable in a case like this.  So, a Skype call needs a password for the length of the call.  After that, the password can safely be discarded, never to be used / needed again.  The same thing applies for an HTTPS session.  It only needs to last while i’m communicating to that server.

BUT – what if I’m encrypting pictures / videos of my kids.  I want to save that for a long, long time.  In addition to normal data failure (dead hard drive, accidental delete, lack of format support, etc.) I now need to add all the possible encryption failures – corruption, and for our purposes here – loss of key.  Do you still remember your high school locker combination?  What if you used unbreakable encryption on family memories and then forgot the password and couldn’t recover them?  Heartbreaking.  If you encrypt your computer files today – will you remember your keys 30 years from now?

The thought for now is that Privly will target more transient data – facebook status posts, twitter messages and similar things that you may not care if they are preserved for the long term or not.  So maybe key retention isn’t a big issue, or maybe it is.  Perhaps longer retention items just won’t be part of the Privly target market.

Interesting questions that I need to give more thought to.

 

Another take on Why Privly.

Why aren’t people demanding that all their electronic communications be encrypted? 

Mostly, I believe it’s because they have an illusion of privacy and until something happens that startles them and forces them to confront the lack of privacy they really have, they will continue to believe in the illusion.  Also, privacy, while not hard, does take some work, so unless you are really concerned about it, most folks just don’t bother.

And I’m like that too.  I don’t bother with encryption much these days – I played with PGP in the early 90’s, but these days it seems too hard and just not worth it.  That’s part of why I got interested in the Privly project – its goal is to make it easy to share privately.

You have a right to your privacy.  When you go to the bathroom, do you shut the door?  Everyone goes to the bathroom, there’s nothing unique about you.  Why do you prefer to be alone?  It’s part of our culture – it’s one of our activities that we generally expect to do privately.  Are there exceptions, sure but as a general rule we consider that a private moment.

You have a right to your privacy.  When you talk with your husband or wife in your house, you expect the conversation to be private.  You don’t expect hidden cameras or microphones spying on you.  Well, at least here in the United States we don’t.  Perhaps there are other places where you don’t expect privacy in your own house.

There are many many situations in the physical world where we have an expectation of privacy and generally those expectations are met.  In the online world, it’s a bit different.

Online, it feels like you are doing private things, because you sit in your home, or your office or whereever you might be and no one else is looking at your screen.  But all your communications go through wires (or wireless) to your internet connection and whomever owns (or can access legally or not) that router can see your packets going through.  Your ISP can see everything.  The upstream folks who interconnect between the ISPs can see the data.  Now realistically, many folks who are capable of the spying don’t bother looking, but the point is they don’t have to avert their eyes.  If they want to look they can.  And in addition to random individuals with access, sometimes the companies themselves may have an interest in montiroing you.  Or perhaps government agencies.

My concern isn’t that during a criminal investigation that with proper procedures followed that authorized law enforcement officers will search your materials.

My concern is that if we don’t do something, the lack of general privacy and the low expectation of privacy and teh understanding of how little privacy protection we operate under will be the norm – and spying / monitoring us will be considered normal.

When was the last time you read 1984?  Perhaps it’s time to read it again.

Benefits of helping out on the team

One of the nice benefits of volunteering for the team – even before we are ready for an Alpha test – I got access to the latest development code and got a chance to play with it.  Nice…

So far so good – I got the latest code downloaded and tried it in FireFox.  I’ll experiment more tomorrow and update on how it goes then.

The weekly IRC chats have begun

Now that I’m back and working on this again, it was perfect timing – the project team started  a weekly IRC chat.

The developers are coding away, the web site is up and stable (team members are entering their info into the People pages).

It’s off to the races.

Now I only wonder where the finish line is, or perhaps even where is the first turn.  There is a huge amount of work to be done, and no overall schedule.  Well I got that put on the agenda for next week.

Catching up

I’ve been buried with family issues the last couple weeks and am just getting caught back up now.   Expect some more updates later today…

%d bloggers like this: