A small Swiss app developer has invented what it claims is a way to securely and anonymously transfer files between a browser and a mobile device without having to leave any traces of the user’s identity, device ID or location.
Marketed by creators Bitdrop as a way of defeating surveillance by the NSA and others – “zero knowledge privacy” – users simply initiate transfers from the firm’s upload portal after scanning a QR Code using a dedicated app running on their mobile device.
This code creates a unique and time-limited window for files to be transferred to the user’s mobile (or shared with a third party that has a download code), secured using what the company calls 256-bit “variable encryption,” essentially a way to randomise conventional symmetric keys for each transfer.
The keys themselves are sucked onto the sender’s own mobile device during a temporary connection. Files can’t be accessed by Bitdrop itself or any other authority because the encryption key is stored only on the sender’s mobile device. In the event the files are not moved from the firm’s servers to the mobile by a third party receiver within 24 hours they are destroyed.
The location of the encryption key is critical. They keys are never retained on the sending computer, never sit on Bitdrop’s servers and are never moved to third-parties receiving the files. Only the sender has these keys.
The firm heralds the concept as a way of moving encrypted data around without it being tied to any identity; Bitdrop does not require users to register or reveal their email address. Neither the sender nor receiver can be identified.
What about the security of the mobile app itself? According to Bitdrop, the identity of all contacts using the service is accessible only after entering an access code.
It sounds like complex ‘down the rabbit hole’ security but it should be simple to use with an interesting extra advantage that although the sender needs to install the app to scan the QR code, the receiver does not, making it free of the friction of many secure file transfer systems that require both ends to use identical software.
This is the kind of app that not long ago would have sounded like overkill but that was before the NSA and Edward Snowden alerted the security-conscious to the reality of state surveillance. This might or not bother US or UK users who trust their Governments but what about business users using their mobiles in other parts of the world; do they trust the Russian or Chinese Governments too? Undoubtedly these already have or will soon have systems similar to Prism.
Explaining its architecture, founder 'Markus Kristian Kangas had this to say when contacted by Techworld:
"Bitdrop is a Swiss company with engineering offices in Zurich, Switzerland which gives us more freedom toward US legislation - we are not an American company or affiliated to any American company. We use a flexible server architecture that is not tied to any specific location."
One slight issue is that the launch app is iPhone-only although an Android app is promised, as is a version for web-to-web transfers. The company is also a total unknown so issues such as longevity, support and security must be taken on trust. The app costs $4.99 (£3.20).