As FTC adds encryption to its website, government remains unsure on corporate use

The Federal Trade Commission’s website just got a whole lot safer for people to peruse after the government agency said Friday that it now supports HTTPS encryption. While it used to provide secure transport for the parts of the website that dealt with sensitive information like complaint data and email subscriptions, this is the first time that secure browsing covers the entire site, the FTC said.

When a website is secured through the HTTPS communication protocol, all data passed between the site and the person accessing it is encrypted using either the SSL or TLS encryption protocol. Basically, the person’s browser initiates communication with the locked-down website and, through an exchange of encryption keys, all information should be scrambled from prying eyes.

In theory, this process works fine, but as the latest FREAK bug demonstrates, there can be some holes in the system, especially if the browsers or devices in question use ineffective security protocols to speak to websites. In the case of FREAK, Android browsers using the OpenSSL library, Safari browsers using Apple’s TLS/SSL implementation and now all supported versions of Windows that use the Schannel security package (sorry IE users) are vulnerable to hackers who can essentially weaken the encryption that takes place.

Still, many sites use HTTPS as it is one of the most common tools to prevent eavesdroppers from snooping into website sessions. In the case of the FTC, it may seem like a no-brainer to add encryption, but the U.S. government hasn’t always shown support for encryption technology, especially when it comes to tech companies and mobile-device makers who use the tech to mask data.

Both the U.S. and U.K. governments have made it clear they feel that companies using encrypted communications can impede government investigations and even the Chinese government has jumped on the bandwagon with a proposed law that would require tech companies to hand over their encryption keys.

Ironically, a leaked U.S. report on cyber threats explained that encryption technology is the “[b]est defense to protect data,” which shows that the U.S. government hasn’t quite made up its mind on where it sees encryption technology. If it protects consumers from spying eyes as in the case of the FTC website, then that’s great, but if the government perceives that the technology may prevent it from doing its job, it’s a no-go.

Either way, the corporate sector shows no signs of slowing down when it comes to developing new businesses around encryption, with recent funding rounds for encryption-centric startups like CipherCloud and Ionic Security.

The U.S. government, as well, still has a long way to go. Many .gov domains like whitehouse.gov, the U.S. Department of Education, the U.S. Department of the Treasury and NASA’s website remain unencrypted. So expect this tug-of-war between the need to protect and the government’s need to scan encrypted company data in the case of investigations to continue.

Leaked US report says encryption “best defense” to protect data

A newly leaked document courtesy of Edward Snowden revealed that some U.S. officials are encouraging the use of encryption as a means to protect data, which contrasts with British Prime Minister David Cameron’s recent statements against encrypted communications, according to a report by The Guardian.

The 2009 document penned by the U.S. National Intelligence Council, which supports the U.S. Director of National Intelligence and acts as the middleman between the intelligence and policy communities, explained that companies and the government are prone to attacks by nation-states and criminal syndicates “due to the slower than expected adoption…of encryption and other technologies.”

The report detailed a five-year prognosis on the “global cyber threat to the US information infrastructure” and stated that encryption technology is the “[b]est defense to protect data.” Encryption makes it possible for documents and messages to be unreadable to people who don’t have the appropriate cryptographic key.

The authors of the document also encouraged the use of multi-factor authentication, which adds another step to the security process beyond simply entering a password; Microsoft added this feature to its Azure cloud in 2013.

British Prime Minister David Cameron has made it clear that he does not support encryption in the case that the technology could hamper government or law enforcement investigations, and he’s reportedly set to egg on President Barack Obama to support his cause.

Both Attorney General Eric Holder and FBI Director James Comey have also been vocal against aspects of encryption technology that they feel let criminals conceal their nefarious activities.

Encryption is no doubt a hot topic in the security space with the recent Sony hacking and the subsequent leaking of countless corporate documents taking a toll on the entertainment company.

Companies have been pushing for better encryption technology to secure what they deem are confidential files, and there’s been a wave of security startups focussing on encryption scoring millions of dollars in investment in recent months.

Veradocs and CipherCloud landed $14 million and $50 million respectively in November and Ionic Security just brought in $40.1 million this week.

Despite political pushback, it’s clear that companies won’t slow down on implementing encryption any time soon, so long as large-scale data breaches continue to occur on a seemingly weekly basis.

Ionic Security rakes in $40.1M to encrypt your documents

As large-scale data breaches become more commonplace, Ionic Security is betting that encryption is the way to go for enterprises to protect themselves, and it’s taken in a $40.1 million series C funding round to prove its point. The startup now has a total of $78.1 million.

The basic premise behind Ionic Security is to secure company data — regardless of file type — through encryption so that an organization’s information can remain safely scrambled from prying eyes in case of a break-in or document leak, explained Ionic Security founder and CTO Adam Ghetti.

The Atlanta-based startup’s technology platform is “all about protecting data in such a way so unauthorized users shouldn’t be able to do unauthorized things,” said Ghetti.

Ghetti didn’t go into details on how exactly Ionic Security’s technology does this, citing that the company is still in stealth mode and plans on explaining more of its platform once the product hits general availability and formally launches in the first half of 2015.

Ionic CTO and founder Adam Ghetti

He did say that Ionic Security is different from other encryption-centric security startups out there like Veradocs (which took in $14 million in a November funding round) in that the company wants to make sure that its encryption technology can play nice with the majority of document and file types in existence; organizations should be able to use Ionic Security’s encryption platform regardless of what operating system or device they want to safeguard.

“Ionic is a platform that doesn’t care about the construct of the data itself,” said Ghetti.

Users have to install a small on-premise component that houses their encryption keys (Ionic doesn’t hold those items), and the rest of the encryption technology is delivered as software-as-a-service, Ghetti explained.

Meritech Capital Partners drove the funding round along with Kleiner Perkins Caufield & Byers, Google Ventures, Tech Operators and Jafco Ventures. Meritech Capital Partners’s managing partner Mike Gordon will be taking a seat on Ionic Security’s board.

Bitcasa CEO: Unlimited storage “a wildly money-losing proposition”

In an interview with Gigaom, Bitcasa CEO Brian Taptich explained that removing unlimited storage was not a pleasant experience but necessary for the company to get back on track financially. Bitcasa simply could not afford to keep unlimited-storage users as customers.

Ruling gives irked Bitcasa users more time to move their data

If you want to hold onto your Bitcasa infinite-drive data long enough to move it somewhere else, you’ll need to pay Bitcasa $99 for an additional month, according to an order from U.S. District Judge William Alsup at a hearing in San Francisco on Wednesday.