Skip to main content

Young MIT researcher develops NSA-proof encryption service

If you were horrified by the revelations of the American National Security Agency (NSA) spying on citizens, world leaders, blue chip technology companies and - oh yeah, the pope - then you'll be glad that a young researcher working at MIT has developed a way to encrypt all the data that leaves your computer before spies and hackers can get their hands on it.

Young researcher Roluca Popa developed the system called "Mylar" in collaboration with the Meteor Development Group. Mylar aims to stop websites from leaking data, handing it over due to court orders, or allowing hackers to steal data through incompetence.

The system also allows developers to build applications that are protected from attackers - be they hackers, spies or rogue employees - even if they have access to the server that stores the software.

According to an abstract of a paper on Mylar, which will be presented at the NSDI conference next week, Mylar allows the server to perform keyword searches of encrypted documents, even if the data is encrypted using different keys. And not just that:

"Mylar... protects data confidentiality against attackers with full access to servers."

There's even an optional browser extension, which Popa says can protect against the server stealing the key needed to decrypt a person's data.

The results have been amazing so far, and Mylar's ease of use has scored top points among test studies.

A group of patients at Newton-Wellesley hospital in Boston are currently testing the system for their medical information. According to Popa, the only change needed in the hospital's current system to rewrite 28 lines of code out of 3,659 total.

Performance overheads are modest, too, amounting to a 17 per cent throughput loss and a 50 ms latency increase for sending a message in a chat application.

"You don't notice any difference, but your data gets encrypted using your password inside your browser before it goes to the server," said Popa.

"If the government asks the company for your data, the server doesn't have the ability to give unencrypted data."