Patrick Lambert looks at the hype and criticism surrounding Kim Dotcom's new website, Mega. Does it really offer perfect privacy through encryption?
Unless you were unplugged from news sources in January, chances are you noticed the articles about the brand new Mega site launched by Internet celebrity Kim Dotcom. The site caught the attention of the Internet for several reasons. First, Dotcom himself is the subject of one of the largest copyright infringement suits ever, with the U.S. Government claiming that he made millions of dollars facilitating online piracy, a crime for which it seeks to extradite him to the States. Second, Dotcom has been very public about the whole affair, hyping that MegaUpload would be back with a new and revolutionary site called Mega, which led a lot of people to check whether it was really as new a concept as he claimed. Beyond the hype, what is most interesting to those in the IT community is the discussion about the security behind Mega. Is it as secure and private as the team at Mega claims, or is it filled with holes, as some other articles have pointed out?
Now that the initial hype has died down, we can sit back and look at what is really going on behind Mega, and see whether it is worthy of notice.
So, how does Mega work and what makes it so unique? As the site describes it, when you sign up for an account at Mega, the password you choose is also used as an encryption key. That key encrypts a public/private key pair and keeps everything you do on the site secret from everyone, including the Mega team itself. This is important because it's different from how most other file-sharing or file-repository sites work. If you store something on Dropbox, SkyDrive, iCloud or any other popular file backup service, even if they offer encryption, they can typically always decrypt your data, because they are the ones doing the encryption and therefore have to hold the keys. The only way to provide true protection is to use a desktop client that lets you do the whole encryption routine locally, something few services offer as an option.
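The scheme described above, sketched as an added example that is not Mega's code and not part of the original article: the client wraps its own private key under a password-derived key, so the stored record is useless without the password. The choice of scrypt, AES-256-GCM and the P-256 curve, and every function name, are assumptions made for illustration.

```javascript
// Added example: client-side key wrapping. scrypt, AES-256-GCM and P-256
// are assumptions for illustration, not Mega's documented algorithms.
const nodeCrypto = require('node:crypto');

// Derive a 256-bit wrapping key from the account password.
function deriveKey(password, salt) {
  return nodeCrypto.scryptSync(password, salt, 32);
}

// Client, at sign-up: generate a key pair and wrap the private key.
// The returned record is all the server stores in this sketch.
function createAccount(password) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', {
    namedCurve: 'prime256v1',
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  });
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const wrapped = Buffer.concat([cipher.update(privateKey, 'utf8'), cipher.final()]);
  return { publicKey, salt, iv, wrapped, tag: cipher.getAuthTag() };
}

// Client, at login: unwrap the private key. Returns null when the
// password is wrong, because the GCM tag check in final() fails.
function unlockPrivateKey(record, password) {
  const key = deriveKey(password, record.salt);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    return Buffer.concat([decipher.update(record.wrapped), decipher.final()]).toString('utf8');
  } catch (err) {
    return null;
  }
}

// Check an unlocked key against the stored public key via a signature.
function keyMatches(record, privateKeyPem) {
  const msg = Buffer.from('constructed test message');
  const sig = nodeCrypto.sign('sha256', msg, privateKeyPem);
  return nodeCrypto.verify('sha256', msg, record.publicKey, sig);
}

const record = createAccount('correct horse battery staple'); // constructed password
const pem = unlockPrivateKey(record, 'correct horse battery staple');
console.log('right password unlocks:', pem !== null && keyMatches(record, pem));
console.log('wrong password unlocks:', unlockPrivateKey(record, 'guess') !== null);
console.log('server copy has plaintext key:', record.wrapped.includes('PRIVATE KEY'));
```

Because the wrapping key comes straight from the password, the password's strength is the only barrier against offline guessing if the stored record is ever copied.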