Of course there is some self-interest behind SpiderOak's decision to sponsor this open source platform, as applications built on Crypton can use storage supplied by SpiderOak. But these apps aren't tied to SpiderOak, and developers can choose another cloud resource for storage. (There is one important caveat: If the target storage service isn't free and open source, then developers have to purchase a commercial license to use Crypton.)
Crypton makes cloud 'dumb storage medium,' doesn't read data
The server-side software running in the cloud is built on PostgreSQL and node.js, Oberman explains. "Typically, you would have the indexing and searching done in the cloud. With Crypton, this is all happening on the client. The data structures we use make this happen fast," he says. "The cloud is just used as a dumb storage medium, storing and retrieving data it can't read."
This works by dividing information into data and metadata and taking advantage of the fact that metadata in data-intensive applications such as photo storage is typically less than 1 percent of the underlying data. "Our browser-based client can retrieve metadata very quickly. Then, when you want the real file, it can download it," Oberman says.
With this approach, an attacker or government agency cannot compromise user data en masse. Accessing a given user's data would require compromising that individual's client device, and even where that is possible, it is not an approach that scales easily to a large number of users.
Is the browser secure enough for running apps?
Ramon Krikken, a security researcher at Gartner, says that, done properly, a privacy-oriented Web application platform such as Crypton will be highly attractive to developers. They want an easy-to-use framework with standardized, validated code.
The key question, then, is whether Crypton is really as secure as Oberman hopes. As an open-source project, the code base is open to scrutiny from any eyeballs that care to look at it - including the NSA's, of course. That, in itself, doesn't guarantee that the code is not flawed. For this reason, Oberman says SpiderOak plans to pay an as-yet-unnamed security outfit to review the code.
To that extent, Krikken says Crypton's prospects are promising. "SpiderOak seem to be doing all the things that you would hope [it] would do: making the code open source, getting it validated and using standardized components," he says.
It's too early to say if Crypton will succeed, as the platform is still at version 0.0.1. The security audit is due to take place this October, though, and more stable code may be available as early as the end of the year, Oberman says.
Krikken remains optimistic about its prospects as a useful open source tool. "The creation of a platform like this is good. It drives privacy forward," he concludes. "Projects like Crypton are definitely helpful for developers and anyone concerned about privacy."