How a Dublin teenager is helping you bring your secrets to the grave
Shane Curran’s winning qCrypt project offers solution for private data storage
When Boston College had the notion of creating an archive of testimonies from individuals involved with the North’s troubled political past, its greatest challenge, after persuading possible participants, was always going to be ensuring their anonymity during their lifetime.
Given the nature of this valuable historical project – capturing the memories and perspective of former paramilitaries – people could be prosecuted, or at risk of death, if sensitive recordings were prematurely released.
What might go wrong with such a project quickly emerged when the PSNI used the US courts to force Boston College to hand over some of the testimonies. Pressure continues for more to be surrendered.
Why weren’t recordings encrypted to put them beyond reach? And why weren’t they stored in an international jurisdiction more inclined to refuse court demands?
In truth, it isn’t that simple. Encryption, even at the very highest standards, still requires the encryptor to have a private algorithmic key that unlocks the file. Laws may demand that an individual surrender the key.
Or, a person might die before arranging to pass on the private key, meaning the information is lost forever. Or, somebody trusted with the key, or even parts of the key, might prove untrustworthy, or be forced to disclose the key.
The 17-year-old winner of the 2017 BT Young Scientist of the Year Award, Shane Curran, tackled just these big issues in his winning project. His qCrypt is an extraordinary attempt to offer a sophisticated, yet simple-to-use solution (as a relevant aside here, just using encrypted email programs is too confusing for most people).
For his project, Curran, who attends Terenure College in Dublin, had the Boston tapes in mind: if you have a secret and wish to keep it a secret until your death, how do you guarantee its cryptographic integrity until that time, especially with computing advances that could make today’s state-of-the-art encryption crackable? And how do you enable the secret to be released, but only after death?
When his win was announced, I was delighted that a complex computing project had taken the top prize, especially this one. Curran’s project falls right into several of my own overlapping interests, such as information security, data privacy, encryption, surveillance, and the challenging legal conundrums around them.
I knew I had to ring him for a chat. Not least, to try and better understand how qCrypt works. He talked me through it with patience and enthusiasm, but the finer details defeated me. You would definitely need expert knowledge to really dive in.
The summary version is this. Curran’s data storage system works on three levels. First, he has come up with a key-exchange system that double-encrypts data, which he believes would make it invulnerable even to the as yet unrealised promise of quantum computers. His encryption process also runs 40 per cent faster than current systems, he says.
To make the data invulnerable to any state demanding a private key, the encrypted data is also broken into multiple “shards”, with each shard being sent to a server in a different jurisdiction (at least 20, he says). He’s thinking of the long game here.
“If a secret is being stored for a lifetime, or even decades, the laws in a country can change. You can’t even rely on a state being around for a very long period of time,” he says. Absolutely.
The third element is key handling. The key cannot unlock the data from a single, much less several shards. A pre-determined quorum of shards is needed. Key segments could be digitally hidden in an image – a holiday snap, say – using an approach called steganography. Different people could hold different images and hence parts of the key. Images could be sent them before or after the death of the encryptor.
How is death determined? He suggests using a system that would ping the individual with regular emails. If the individual failed to respond for a period of time, death would be assumed, and the key or key fragments sent to designated recipients.
Such a system could have myriad uses for business, organisations or individuals, for data that isn’t necessarily a “secret” but private data needing “until death” protection: a person’s encrypted laptop, a will, a personal journal.
Or it could be data needing protection for a period of time: say, cabinet documents held secret for a short while before entering the public domain, records of business or state negotiations. Or maybe just personal data that, in a changing political landscape, an individual wants to put securely beyond the reach of governments and surveillance agencies.
Of course, it will take time and expert testing to see if Curran’s highly ambitious project works as he says. If it does, the commercial (or indeed non-commercial) applications are intriguing.
“Commercialisation is definitely on the agenda,” he says.
It wouldn’t even be his first business. Check out Curran’s LinkedIn profile (and his age when he set up these enterprises). These BTYSTE winners never fail to impress.