Almost exactly one year ago, MegaUpload unexpectedly went down in flames. Now, Kim Dotcom's new venture, plain old "Mega" is rising from the ashes, and we've taken you inside for a sneak peek. But things will be different this time. Why? Dotcom's prepped this baby against all manner of attack, and its encryption is the first line of defense, for him and for you.
Sure, Mega is at a domain registered outside the United States this time, placing it outside the pesky jurisdiction that cause MegaUpload so much trouble last year, but that is by far the least interesting part of the puzzle. Thanks to HTML5, Mega utilizes in-browser, symmetric key encryption. That's the key to the new Mega, if you'll pardon the godawful pun.
Mega hasn't launched quite yet, so the practical details are a little sparse. And even after launch, chances are Mega will want to play most of the details close to its chest. But here's a rough rundown:
The new Mega is designed around a "see no evil" principle. All your uploads are encrypted on their way up to the server, and downloads are encrypted on the way down, only to be opened afterward. While they're out there floating around in the cloud, they're encrypted using the private seed you and only you have: your password.
Don't lose your Mega password, because you won't be getting it back; Mega doesn't have it. The service's carefully calculated ignorance hinges on this point. Your password is—indirectly and complicatedly—used to generate your login credentials and to encrypt all your files on their way to the cloud. Mega won't know so much as the file names, and neither will anyone else ever again if you lose that password.
Once the files are up, you'll be able to share them via link—just as with plenty of other competing services—but this too relies on a cryptographic key. Every file or folder you upload will have its own key, again generated in part from your password. When you go to link to your files, you can generate a link in one of two main flavors.
First, you can generate a plain, vanilla link. People who have this link will be able to download your data (if Mega doesn't lock them out entirely) and then...nothing. They'll have exactly what Mega has on its servers: a lump of encrypted garbage. And if they want a lump of decrypted goodness, they'll have to come to you for that file-specific key, that only you have. Your second option is to just generate a link with the file-specific cryptographic key just straight-up bolted on to the end of it. Suffice it to say, that's a less secure option, kind of like old school MegaUpload.
If you choose the second kind, you can share around with anyone and everyone. But if you choose the first, you can put that link wherever you want—shout it from the rooftops—but access is still restricted to people who have the file-specific key, which you have to give them. And there are a few important parties who won't be in that crowd, like Mega itself, copyright holders, and of course, johnny law.
The end to end encryption means that Mega pretty much can't narc on you, no matter how much pressure it's under. It won't know what you're storing on its servers, by design.
Beyond that, two pieces of a link are harder to find than one whole one. If someone wants to DMCA one of your links (rightfully so or not), but the link isn't one with the key tacked on the end, the rightsholder is going to have to hunt down the key just to see/prove/make any reasonable guess as to what's actually inside. Maybe I just named my family photo album "DJANGO UNCHAINED: FULL DVD RIP." No crime in that.
It's all about the plausible deniability. Mega doesn't know what you're uploading. I mean, everyone knows people are doing shady stuff, but Mega doesn't—hell, can't—know the specifics of a given file without its key. Mega isn't so much securing your files for you as it is securing itself from your files. If Mega just takes down all the DMCAed links, it will have a 100 percent copyrighted material takedown record as far as its own knowledge is concerned. It literally can't know about cases that aren't actively pointed out to it, complete with file decryption keys.
Mega's encryption also makes it trivial to place pirating blame squarely on users. No only is Mega blissfully ignorant of what you're uploading, but it also encrypts your upload, making it de facto private off the bat. One could argue Mega's even being proactive about copyright protection that way. You're the one sharing file keys; Mega couldn't share your keys even if it wanted to. Mega is ostensibly a "cloud storage service." You're the pirate. Remember that TOS you agreed to, scumbag? Oh, and your personally identifying information like name and IP? Those aren't encrypted.
- Mega didn't invent encryption or anything. It's not the first cloud storage service to use it either. It just happens to be implementing it on a wide scale, and in a particularly savvy fashion.
- It's not like there's no way you could get screwed. In fact, there are more than normal. If someone gets your password, they'll have access to your everything. and if you lose your password, you'll lose your everything.
- This won't protect big-time "share it with the world" pirates. People who go around sharing links and keys at the same time are just as vulnerable as they are anywhere else.
All in all, Mega's bound to shake up the file-sharing scene in a number of ways, and may very well be the harbinger of more wide-spread encryption use in web services everywhere. Mega is a big name, even before launch, and whatever Dotcom throws his support behind is bound to make waves, even under the intense scrutiny of rightsholders everywhere. But how well is this encryption going to protect you and Mega itself? Well, we'll find out very soon.