Box seeking to offer end-to-end encryption - report

Box to follow Apple's lead on encryption - but will it bring it into direct confrontation with the authorities?

The row over the FBI's demand that Apple decrypt an iPhone belonging to a terrorist responsible for a multiple shooting in San Bernadino, California has brought to a head issues that have been simmering away on the back burner for some time now.

The subject of encryption has set many tech companies against government agencies, and both are seeking to play the situation to their advantage.

Stung by Edward Snowden's revelations that they were colluding in the mass surveillance activities of the NSA, US tech giants have been looking to regain the mantle of "good guy" ever since.

In 2014 Apple announced that the iPhone 6 would provide end-to-end encryption, meaning that not even Apple can break the code as the private key is maintained by the user. This is not the case with the San Bernadino phone, which we understand is an iPhone 5.

Now the cloud storage provider Box has reportedly said that it will follow suit. Chief information security officer Joel De la Garza has said that Box intends to make it impossible for its staff to access its customers' data, according to Reuters.

"Our goal is to achieve a zero-knowledge' state where our customers have total control over their data," he said.

While there are other cloud storage companies that offer end-to-end encryption, such as Tresorit, most of these are in Switzerland or Germany, countries that have a long tradition of safeguarding privacy.

US companies offering similar encrypted storage services do exist, such as SpiderOak. However, Box is a much larger player than either of these, and a business-oriented one too, so if this report is correct and Box can see its promise through this could be a major development.

However, Box would be setting itself directly against elements in the US (and many other) security services that are determined to compel technology companies to introduce back doors into their encryption products and services.

In a leaked email last August, intelligence service lawyer Robert S. Litt stated that while the environment is "very hostile today ... it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement".

Therefore, he went on, the authorities should be "keeping our options open for such a situation". It could be that the San Bernadino shootings have given the FBI an opportunity to re-engage in its battle against encryption.

As a US-based organisation, Box would run up against such legislation as FISA 702, which allows the US government to install surveillance apparatus inside the data centres of US companies.

These interventions are covered by the Espionage Law, and anyone revealing their existence could face jail. Meanwhile, Executive Order 12333 (EO 12333) grants surveillance powers to US intelligence agencies, and the Patriot Act enables the US authorities to intercept data on the servers of any US company, regardless of where it is based.

Presumably end-to-end encryption would make it very hard for the authorities to intercept data via these mechanisms, however.