Own Your Encryption

Introduction

Until recently, privacy was not a topic of great concern. In most people’s minds, protecting their privacy meant having a set of keys to lock a few doors and cabinets; maybe storing some valuables inside a safe in the closet or at the local bank.

Today, our most intimate data lives in servers and databases beyond our reach. Our every move, email, text message, and post captured by smart devices or shared online is ingested by the likes of Facebook, Google, Twitter, and Amazon.

And it's all for sale.

Almost all aspects of our lives have been repurposed into exploitable goods—turned against us to better empty our wallets, manipulate our actions, and influence our thinking. “But not to worry,” they tell us. “We’re just sharing metadata.” As if nothing of consequence could be extracted from the mountains of intelligence mined from us over the years. And let's be perfectly clear, they are hawking more than just metadata. ^{[1] [2] [3]}

Today's dredgers and custodians of our private matters hide their true intentions behind legal jargon. They make it hard, if not impossible, for users to change their accounts’ (weak-by-default) privacy settings, confident that most people won’t adjust them. And even if they do, it isn’t much guarantee of anything. ^{[4] [5]}

When first questioned, the companies claimed their practices were benign and necessary for them to stay in business. When these assertions were challenged, they promised to change their ways. They didn’t, not really. Truth is, these self-appointed superintendents have time and again proven themselves fickle, unreliable, and untrustworthy. ^{[6] [7] [8] [9] [10] [11] [12]}

Then, there's the role of government. Depending on where you live, privacy laws and their enforcement have been lacking at best, nonexistent at worst. While more than 150 national constitutions mention the right to privacy (the US Constitution isn't one of them), most world governments have been slow, if not unwilling, to create or update privacy-related regulations that meet today’s challenges.

When, in the early-2000s, Google adopted the motto “Don’t Be Evil”, we cheered them on. With good reason. When Facebook a few years later pledged, “We do not and will not use cookies to collect private information from any user,” we believed them. Why wouldn’t we?

As we signed up and joined fates with them in digital bliss, ours became a marriage of convenience. Later, things began to change. First in baby steps, then in giant strides, they proceeded to plunder and peddle our data; we went on to surrender our privacy. “I have nothing to hide,” we assured ourselves. ^{[13] [14] [15] [16]}

Turns out corporated greed, inadequate governmental protections, and our own complacency stirred up a recipe for disaster—a volatile, foul mixture that ended up exploding in our faces. Google’s devious harvesting of personally-identifiable information, Facebook’s Cambridge Analytica political scandal, and Amazon’s Alexa privacy controversies are but a few early examples. ^{[17] [18] [19] [20] [21]}

People are sobering up to the fact that their trust was misplaced, their privacy mishandled. The abuse and the gullibility—both need to stop. It’s time for people to regain control of their privacy.

But how?

The Problem of Complexity

In pursuing sensible solutions to privacy issues, one important hurdle is complexity.

Digital privacy and security rely on math and cryptography. One major component is encryption: a process of encoding information so that only authorized parties can access it. Encryption is a highly technical affair. Both common sense and industry best practices indicate that it’s wiser to leave such complicated matters to the experts. When it comes to encoding communications, one excellent solution is end-to-end encryption—a system that doesn't require user intervention. However, end-to-end encryption doesn't solve every problem. ^{[22] [23] [24]}

Responsible, law-abiding citizens deserve effective means to directly protect their privacy.

Just as companies have the right to protect their investments and make an honest profit; just as governments have the duty to protect the rule of law; individuals have the right to protect their privacy from unchecked corporate greed and unwarranted government intrusion. Not to mention meddlers, bad actors, and foreign intruders.

A New Tool, a Novel Approach

To this end, we are launching a new online tool to help people get some measure of control over their privacy. One that is as simple as it is effective.

It’s called Amaca^®.

Amaca (by Amaca Tech, LLC) is a web-base application that empowers individuals to easily and securely create their own encryption keys, and to encrypt their written content for safekeeping and sharing. To encrypt written information, a user simply enters a unique keyphrase, then types or pastes the text to encrypt, and clicks.

In granting non-expert users full control over the encryption process, Amaca tackles potential risks in secure, novel, and effective ways. Among them:

• Simplifying to the fullest extent the user experience and processes without sacrificing underlying security and efficiency.
• Encouraging the formulation of long, secure encryption keys that are extremely easy for creators to remember but nearly impossible for others to figure out.
• Providing clear and practical protocols for the safe creation and transferral of keys.
• Facilitating clear parental control guidelines.
• Freeing users from having to download and/or purchase apps that require them to register and login, to the detriment of their anonymity.
• Liberating users from having to rely on apps and platforms that control and store their encryption keys and encrypted written content.
• Executing all encryption operations in users' own devices without ever transfering sensitive data to/from outside servers, thus minimizing or eliminating the potential of so-called man-in-the-middle attacks. ^[25]
• Never requiring users to register or sign in, thus protecting their anonymity.
• Never tracking user activity with persistent cookies.
• Never storing user data in Amaca or third-party servers.
• Leveraging two unique security features:
  
     - Amaca’s “HuGe” Randomness
  
     - Amaca’s Herd Immunity Effect

Amaca’s “HuGe” Randomness

In the encryption process, the first step is creating the encryption key—a long string of numbers constituting the components of a formula used to encrypt and decrypt data. In cryptography, randomness is important because the more random a cryptographic key is, the more difficult it is to break—even by costly computer-generated attacks. When creating encryption keys, it is standard to use computer algorithms that generate random or pseudo-random numbers. ^[26]

However, for the creation of its encryption keys Amaca doesn’t use computer-based generators that result in impossible-to-remember keys. Instead, Amaca users themselves determine a “keyphrase” (a long, written phrase made up of any characters from any language or writing system, even emojis) that makes complete sense to them, but not to others.

How can such a user-created keyphrase be random to any safe degree?

First, Amaca keyphrases have these qualities:

• Keyphrases can be as lengthy as the user wants.
• Keyphrases can be written using any language, alphabet or writing system, regardless of the alphabet being used in the text to be encrypted.
• Keyphrases are then turned by Amaca into a long (512-bit) string of numbers which, after further security-strengthening processes, become the components used for encryption.

Second, Amaca encourages users to be thoughtful and get creative, and to come up with all kinds of things that are incredibly easy for them to remember, but practically impossible for others (or even keyword-breaking algorithms) to guess.

Amaca’s Herd Immunity Effect

The term “herd immunity” comes from the field of medicine. It refers to a form of indirect protection from infectious disease that occurs when a large percentage of a population has—through vaccination—become immune to an infection, thus providing a measure of protection for individuals who are not immune. ^[27]

Similarly, the Amaca herd immunity effect (or Amaca effect, for short) offers indirect protection to those users who may not have been sufficiently careful and responsible during the encryption process by, for example, using an easy-to-guess encrypting keyphrase.

When a large company or organization stores extensive amounts of valuable data, they spend millions of dollars protecting their networks and servers. Breaking into these systems requires equally colossal resources. If malicious hackers consider that the potential bounty extractable from a system is valuable enough, they might be willing (and able!) to allocate gigantic amounts of money, time, and resources trying to break in. Such a system under attack constitutes a single point of failure because, if the attackers are successful, they could potentially gain access to all the data contained therein and jeopardize the security of millions of people. All in a single blow. Think of the damaging attacks done on credit reporting firm Equifax in 2017, and more recently on the facial recognition technology startup Clearview AI. ^{[28] [29]}

In contrast, if thousands of individuals use Amaca regularly to create thousands of encryption keys and encrypted messages that they themselves store, the risk of an attack gets widely dissipated.

No user data is ever transferred to—or stored in—Amaca or third-party servers, so there’s no single-point-of-failure to attack there.

The time, money and effort it would take a malicious attacker to figure out a single encryption key or decrypt a single message would still be considerable due to the strength of Amaca’s secure algorithm.

But even if an attack on a key or message were successful, the attacker would be gaining access to only a single key or message, from one individual. In the mind of a malicious hacker, would an attack rendering such a potentially minuscule bounty at a potentially huge cost be worth their trouble? Probably not.

Use Cases

Here are a few examples of how Amaca can help people take back control of their privacy…

Conclusion

Into the future, protecting people’s right to privacy will require an ongoing and deliberate effort...

• From privacy advocates and watchdogs: Monitoring and exposing entities who deceivingly collect or misuse personal data, violate existing laws or their own privacy policies, erode the public trust, or threaten or damage the rights to privacy of individuals.
• From governments: Establishing reasonable and enforceable privacy laws and protections that meet today's ever-evolving challenges.
• From privacy-focused tech companies: Developing effective, user-friendly, accessible tools that solve specific privacy-related problems and strengthen individual privacy.
• From the general public: Waking up to the seriousness and urgency of the privacy-loss problem; acting more responsibly as they adopt and use technological tools and resources; demanding greater privacy protections; assuming ownership of their privacy.

Amaca aims to be one small but effective piece of this vital privacy puzzle. We hope the public finds it useful.

For more information, please visit: https://amaca.tech