Major online security and data hacks exposing sensitive user information have become commonplace in the digital age thanks to criminals and governments alike, but researchers at MIT think it’s time to change that.
“Really, there’s no trusting a server,” MIT researcher Raluca Popa told MIT Technology Review while describing Mylar — a system for building Internet services that keep user data encrypted everywhere at all times, until it is safely decrypted on a personal computer.
“You don’t notice any difference, but your data gets encrypted using your password inside your browser before it goes to the server,” Popa said. “If the government asks the company for your data, the server doesn’t have the ability to give unencrypted data.”
Mylar works with the popular web application framework Meteor and runs inside the browser to process and present information, rather than doing that work on an outside server as traditional web applications do. It also lets users share data with other users by including an encryption key that can’t be picked up by servers or potential third-party communications monitors.
A separate browser add-on protects the data encryption key from being stolen by the server in the event of a hack or malicious software takeover, and Mylar can also search over encrypted data stored on its servers to recover data previously saved on a file storage service.
Mylar is already undergoing its first test at Newton-Wellesley Hospital in Boston, which has begun using a website built with the software to download medical history records. Information uploaded by patients is only decrypted when viewed by patients and their doctors, and after the testing is deemed a success, Mylar will begin more widespread distribution.
“All they had to change is 28 lines of code out of 3,659 to secure their application,” Popa said of the hospital program – one of many applications, including chat, photo sharing and calendar services, built by Popa and her MIT team to test the security of Mylar.
“It would be a watershed moment if any of these types of systems actually got deployed to millions of users,” University of Pennsylvania researcher Ariel Feldman said while describing the numerous secure features in Mylar that have never been combined before. “The real obstacles to adoption are usability and the business case for deploying them.”
According to Feldman, using a system like Mylar means losing a password could mean losing access to your data permanently – though developers say there’s an optional password recovery. Other obstacles include the added business expense of building more secure networks, and the loss of revenue from being unable to analyze user data to sell targeted ads.
“Enterprises or governments may be willing to pay for extra security,” Feldman said.
Popa believes Mylar could go much further, citing full server data encryption software whose development she led and that is now deployed by Google and business software company SAP.
“I think Mylar will be at least as useful, if not more,” Popa said.
Popa and her team will present their research at the USENIX Symposium on Networked Systems Design and Implementation in April.