Cloud storage provider Box is moving closer to its goal of giving ownership of encryption keys for its service directly to customers, and could release an offering this year. CEO Aaron Levie told the InformationWeek Conference this week “I think we’re looking at this year, probably,” according to Ars Technica.
Leaving the encryption key with the data owner would effectively block “blind subpoenas,” by which government agencies can demand access to customer data without the customer’s knowledge. Without the keys, Box could only hand over the data in encrypted form, while getting it in readable form would require going through the customer with the keys.
Knowing whether or not its data has been accessed may provide some measure of comfort to businesses, but more importantly, if they are aware of an action they may be able to challenge it legally.
The challenge for Box is that its role as collaborative cloud storage service requires it to hold the encryption key in order to provide the unencrypted data to different tools or collaborators.
“We are working on an encryption key solution right now. We’re still figuring out the exact details of how we want to integrate it with a customer environment. We do see that for very large or sensitive organizations that this is going to be an important solution for them,” Levie said.
Levie also said that Box has never been served with a blind subpoena. Details on data requests are largely unavailable or incomplete, but it is clear from disclosures earlier this year by CloudFlare and AT&T among others that requests are numerous and that companies often don’t know when their data has been accessed.
One potential wrinkle in Box’s plan to provide better protection of client data is that the NSA has been specifically working to break encryption techniques like those used by cloud storage companies, and so in theory may be able to decrypt it without the keys.