Saturday, November 18, 2006

More critical am I

Perhaps it's just the winter, but I as I erect more startups, I find myself growing more critical as to what is worth pursuing. Here, after all, is a perfectly interesting idea I conjured up today that I nevertheless toss out as a throw-away:

1) A form where a user enters in a recipient's name, physical address (perhaps), and a message.

2) A encryption key is produced randomly and the message is encrypted in his browser via javascript. The encrypted message is transported to a database on our server and the user is presented with a link, and next to it, the encryption key. He may then include this link and encryption key in an email to his friend.

3) His friend clicks on the link and lands on a screen explaining that, in order to see the message, he must first prove his identity. To do this, he must sumbit a payment of 9 cents via Paypal. Passing this, it is requested that he paste in the encryption key. Then the encrypted message is transported to his browser, and it is decrypted by means of the encryption key he pasted.

Three things (alphabetically):

A. Why this is reasonably secure.

B. Why it is a pretty good idea.

C. Why I am throwing it away.

A. The javascript/html code involved in this process is auditable. Security experts may look at the code, and even set up automated processes to detect any differences in the code. If we tried anything nefarious, we would quickly be spotted. The message is never made available to us in raw form. We cannot read it without the encryption key, which is transported by a separate medium (email is suggested, but other methods, like the telephone, are available). In order to access the encrypted message, the supposed recipient must prove that he has access to the actual recipient's financial instruments---a pretty good indication he is who he portends to be. Moreover, he must have the encryption key. And remember, all encryption/decryption takes place in the browser--this is, again, auditable. In order for us to read the encrypted message, we would have to be involved in a conspiracy with his ISP, his email provider, or perhaps his cell phone company. Rather unlikely, except for the more paranoid (who really ought to be using PGP and operating HAM radio to broadcast their public keys, I guess).

B. While geeks and advanced users may find other ways to communicate securely, there are many people who find the annoyances of PGP, well, annoying. Think of system adminstrators sending passwords to casual users, business people communicating plans and intellectual property, as well as lawyers sending sensitive documents to their clients. These people could really use such a simple method of encryption over the Internet: it's certainly better than what they're doing right now, at least. Note that the business model is sound. Paypal offers a micropayments option costing 5 cents plus 5%. That's a profit of 3 or 4 cents per message, which could amount to a great deal. Also, there is a decent viral marketing potential to this idea: it forces brand experience because it is a product of communication itself. It is just like HotMail in this regard. Finally, to make things all the sweeter, its a damned easy idea to implement. John Walker (is that really his name?) has graciously provided a free-to-use-and-modify javascript encryption/decryption engine. It's pretty cool, check it out.

C. This idea is bad mainly for marketing reasons. Geeks probably won't pick it up, since they know there are "better ways" to communicate securely (even if they actually don't use them). So getting across to the initial audience will be difficult---how do you reach business people and lawyers on a matter of communication security, when the geek community won't even back you up? Perhaps a company with a large marketing budget could do it, but certainly not us. There are some user annoyances which add to the difficulty. People don't like paying for anything on the net, and paypal in particularly has a rather irritating interface. Perhaps a startup with more capital could overcome this by opening their own merchant account. In any case, sending somebody a message which they can only read by paying is well, rather gauche, isn't it?

So go ahead, prove me wrong. It'll make me less "pessimistic." But if you've got the cash to market it---to do it right---well, you might just end up proving me right.

1 comment:

barney said...

Totally agree with your point 3 here. I've gotten part way through too many ideas before seriously taking this kind of thinking on. Learnt loads about the technology, but possibly wasted months in the process.