Revelations about how the NSA tracks users online, the growth of malicious hacking and a general move towards people wanting more privacy in their online interactions have all contributed to a surge of apps that offer users ways to control how the content they create is used online. One of the latest of these services, Virtru, designed to work with cloud-based email services like Gmail and Yahoo Mail, is today announcing a round of $6 million that it will use to continue to build out its service.
Roots in the NSA and the corridors of the White House
Virtru is notable for a few reasons. The first of these lies in the co-founders of the startup, and how they came about the business in the first place. Brothers John and Will Ackerly both cut their teeth in Washington, DC, where the startup is also now based — with Will an engineer at the NSA (yes, the same one that tracks users) and John working as an advisor to the White House on technology issues, after that leaving to work in private equity before going the founder route.
“We had talked about starting this service for a number of years,” John, who is the CEO, tells me. “When I was at the White House I focused on digital privacy issues, and I saw a lot of decisions being made after September 11,” he recalls. “The morning of 9/11 we were preparing a briefing on privacy and President Bush was going to take a much stronger stance. But after that day, we saw instead a big move to national security.”
Independently, Will’s time at the NSA, where he worked for nine years, was focused on cloud security work and trying to help the federal government lock down their information.
“He saw early that it was important to focus on network security,” in contrast to security on individual devices. “He saw a lot from the inside very early on, which gave him great insight into just how insecure data was. Part of that is a surveillance issue, and part is hacking and ID theft, and part of that is that some people simply want the convenience of cloud email.”
Among his work, Will wrote a paper for the intelligence community that was the foundation of the government’s data format. “At that time we began talking about this and how the expertise should be applied to individuals and to help protect their privacy. This was in 2009,” he notes, “much earlier than the Snowden revelations.”
Fast-forward to 2012, and the two brothers got together to figure out how to do just that.
How do you make encryption extremely easy?
At the core of their challenge, the Ackerly brothers were fixated on one idea: making things like email secure had so far proven too difficult for the average user. “Encryption has actually been around for 20 years, but things like PGP are just too hard to use for the average person, and Lavabit was fundamentally flawed,” John says. “We wanted to have something that the public could use at scale to take better control of their personal information.”
So what Virtru offers is an extension, currently available for Firefox and Chrome, which integrates with many of the most popular cloud-based email services to offer “true end to end encryption.” Users can turn on Virtru either as default or just before sending an individual message. They’re given options to set how long the message can live before being deleted, and can specify whether a person can forward it.
On the receiving side, if you are a Virtru user you can open and respond within your own email service, or you are given the option to download the extension to do so. Otherwise you read the message on a secure web page and reply there.
“The core here is true end-to-end encryption,” John says. “It’s impossible for a third party to track the encryption code.” The company uses 256-bit encryption.
The key with what Virtru does, apart from making encryption work on most ordinary cloud email, is that it works across different platforms, something that is largely a gap today, and is basically “where the government or any third party can very easily have access to your data,” he says.
John admits that there are more secure ways to collaborate and communicate, but on the other side, they are extremely hard to use or expensive. “Our selling point is not that we’re the most secure but that we are the easiest and we add that to the tools that everyone uses every day.”
Virtru quietly launched its core email product — “core” being the operative word here, because I think they may have plans to add more to the mix going forward — in January of this year and while they are not revealing user numbers, their growth has been in the “tens of thousands,” he says.
It’s telling that the company has picked up, in addition to BVP, a number of interesting angel investors, including Chase Coleman, one of the leaders of Tiger Global Management, and Bob Pittman, the head of Clear Channel. “Two names among several others,” John tells me.
David Cowan, the founder of Verisign who is now at BVP and is joining Virtru’s board, explains the attraction to the company like this:
“Email is the dominant form of serious communications today, with 180 billion messages sent every day. Before Virtru, no one has ever secured email in a way that is both universal (i.e. cross platform) and easy to use. Email security has to be universal, because we all communicate with people on disparate email systems. And it has to be easy so that normal people can use it,” he told me in an email when I asked him what sets Virtru apart from the rest for him. “For example, PGP is universal but too difficult for anyone but technical experts. Apple just announced that it will roll out encryption, but only for users of Apple devices. In addition, encryption is not enough. Our files and messages should belong to us, but we lose control of them as soon as they are sent. Anyone who has accidentally hit Reply All appreciates the importance of message revocation! Virtru gives the sender full control, retroactively, as to who can read or forward the message, and when.”
The idea for monetisation will be for Virtru to continue to give away its core product for free to individuals and to charge small businesses and enterprises for wider usage, and potentially to sell more value-added services in future, too.
The Ackerly brothers are all too aware that while their background gives them some credibility, it could also paint them with the brush of skepticism from those who may well ask if you can take the engineer out of the NSA but not the NSA out of the engineer, and so on.
Indeed, the company currently employs 11 full-time engineers but actually also has a team of 20 more who work on the product, with many of them still employed by the NSA and doing this in their spare time, providing extra cryptography expertise.
“We are spending a lot of time also engaging with privacy groups,” he says, including Privacy International and the EFF. “Building and maintaining trust is so core to our business, and given that we have such a heavy U.S. government group here, the onus is upon us to do that.”
He says the company is committed to filing a quarterly transparency report, and giving access to its code through open source databases. “We know the bar is high, but so far so good,” he says. “People have been willing to give us the benefit of the doubt and we think about that every day.”