We’ve received multiple inquiries regarding our product, expressing concern about some of the finer points of how our software works, comparing it to other encryption solutions such as PGP, and so felt it was important for us to clear a few things up.
Firstly, we do not keep anything like a key bible, key server, or any other outside keystore. Key generation is a stand alone function of the software occurring only on the BlackBerry® device – keys are in no way predetermined or preset. The software does not come pre-programmed with predefined keys, we do supplement the keys, and we do not backup the keys. Key sets are generated randomly and are stored only on the BlackBerry device, embedded in the system and protected under multiple layers of encryption and encoding. Unlike some secure service providers like Hushmail, or software developers likeMicrosoft or Kapersky Labs, we could not access, duplicate, or in any other way provide user keys, even under pressure. This is why key recovery is absolutely not supported by, or possible with, eCrypt.
Secondly, the “eCryptPrivateKey” and “eCryptPublicKey” entries that users see in their Contacts are only encoded representations of the protected keys, not the keys themselves. The key entries in Contacts could not be used to decrypt eCrypt encrypted emails on a desktop, they can only be used to decrypt eCrypt encrypted emails on the BlackBerry® device and only using the version of eCrypt software that is licensed to that device.
Thirdly, we do not use the public/private key system the way that it is used in other encryption solutions, including PGP solutions – we use a proprietary process, very different from other peer-to-peer encryption solutions. Unlike other encryption solutions we do not have a universal key server or anything like it. eCrypt is unlike, and so not comparable to, other encryption solutions currently available.
Fourthly, we found through extensive research that user defined key sets, like user defined passwords, are susceptible to repetition and other habits that compromise overall privacy and security. This is why we designed the software to automate the process.
Fifthly, we use a combination of multiple military strength encryption algorithms.
When we embarked on developing the software, we established a very specific criteria:
- Effectiveness – It has to offer the highest level of security available
- User control – It has to be solely within the user’s control. Not a just a little bit, completely
- Ease of use – It has to be easy enough to be used by everyone, regardless of their proficiency with technology (encryption or otherwise)
- Transparency – It has to be unobtrusive
- Independence – It has to function independently of us. Outside of license authentication, the software does not depend on us for anything
- Accessibility – It has to be accessible to everyone, regardless of economical status (has to be affordable), or location (except to embargoed destinations identified in the EAR)
To meet this criteria, we realized very quickly that we have to look outside of what others have done and are doing, approach development with an “out of the box” attitude, and engineer the solution from the user back. We looked to our experience and research and established a development philosophy that revolves around the individual user’s needs, abilities, and desires. It’s the only way for us to achieve our goals.
Just one more thing: we’re still young, this is our first product to market. We’re dedicated to continuously working on developing our software, adding features to enhance both security and user experience, and will be releasing a second generation version in 2010. We welcome, value, and encourage your feedback. Tell us what you like and don’t like about eCrypt software. Tell us what you like and don’t like about other encryption solutions. Tell us what else you would like to see developed to aid you in protecting your privacy. We’re all ears!
The BlackBerry and RIM families of related marks, images and symbols are the exclusive properties and trademarks of Research In Motion Limited.