Cloud-based services require that you give up all of the private details of your life in order to gain access to your favorite software. It’s basically an accepted fact that once you start using an online service you may as well post the data you provided to them on your front door, because it’s out there now and it’s never coming back.
For the most part, I think your average person is fine with quietly ignoring this. After all, the benefit of using Snapchat far outweighs the cost of Snapchat's employees, the NSA, and any potential hackers knowing who you sext on a regular basis.
There are strong-minded people, however, that are wary of the SaaS model because they don’t want to give up their precious data. YNAB, one of my favorite companies, is finally modernizing its software by taking it into the proverbial cloud. I was stunned to see how many of YNAB’s current users were disgusted by this decision, begging that desktop-only versions continue to be supported. I suspect these sentiments will get more and more common as high-profile data breaches occur more often.
This, along with some conversations with friends about bettrnet's data, sparked me to rethink the SaaS data-storage model.
Let’s use YNAB’s new cloud service as an example. It’s a relatively simple budgeting software that requires a few key inputs (e.g., your income, your budget allocations, your expenditures, etc.). YNAB The Software needs your data to do its job, but YNAB The Company does not need your data to do its job. If it were up to The Company, they might wish with all their hearts that they did not have to take, store, and protect your data so that you could use The Software that they build and you love. It’s a hassle to them, and more than that, a liability.
(Note: I am well-aware that most companies see your data as an asset that they can learn from or sell—my hypothesis is that as we go into the future many companies will see the risk of having your data, and the cost customers incur by being forced to give up data, as an expense as much as an asset).
The Company really would like to make the users of The Software feel in control of their own data. Sure, it wants to use the data, but it also wants as many customers as possible, including the ones that would prefer a desktop application. In an ideal world, users might provide YNAB with access to a personal database server; The Software would connect to each individual user's database server to store that user's data. If ever the user decides they no longer trust The Company, all they have to do is revoke access to their personal database.
This idea isn't entirely practical, however: most users don't run a database server, and The Software would have to be written to work against whatever each of them happened to set up. So, instead, we are working on a web service that gives users that same power without requiring SaaS companies to completely alter the way they store your data.
submarine is an open-source project that does one simple job: take a user, return a random key. When you sign up for YNAB The Software, YNAB The Software makes a request to submarine for a unique key on your behalf. submarine generates a random key, stores it in its own database, completely separate from your YNAB data, and returns it. submarine also notifies you via email about this key and gives you access to manage it.
YNAB The Software uses the key it has been given to encrypt your data before storing it in its database; only the ciphertext is written down. Whenever you log back in to YNAB The Software to look at your budget, YNAB The Software asks submarine for your key again. It uses the key to decrypt your data and do its YNAB magic, thus making you a happy customer.
Six months later, let's say you no longer trust YNAB The Company with your data. You go to submarine and remove the key that was created for your YNAB data. That data is now as good as deleted: the ciphertext is still sitting in YNAB's database, but without the key nobody can turn it back into your budget.
Any prying eyes from employees at YNAB The Company, or any analysts at the NSA, or any anonymous folks at Anonymous, who sneak a peek on YNAB The Software’s data will forever see something like this:
�/���L��в" ���sZ�\r��:t��Ob*���Y@. YNAB locked up your data and you threw away the key—it will never be unlocked again.
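The flow above, as an added example that is not the submarine project's own code: a stand-in key service that issues one random key per user and lets the user revoke it, beside a stand-in application that stores only AES-256-GCM ciphertext and has to fetch the key on every access. The type and function names (KeyService, App, Save, Load) and the JSON budget record are assumptions made for the illustration; the point it shows is that once the key is revoked the application's own database is unreadable even to the application.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrNoKey is what the application sees after the user revokes (or never created) a key.
var ErrNoKey = errors.New("no key for user")

// KeyService stands in for submarine (hypothetical, not the project's API): one random
// key per user, kept apart from the application's data, revocable by the user.
type KeyService struct{ keys map[string][]byte }

func NewKeyService() *KeyService { return &KeyService{keys: map[string][]byte{}} }

// Create generates a fresh 256-bit key. Creating twice is refused so a buggy
// application cannot silently replace a key and orphan the data encrypted under it.
func (s *KeyService) Create(user string) error {
	if _, ok := s.keys[user]; ok {
		return errors.New("key already exists for user")
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	s.keys[user] = k
	return nil
}

// Get hands a copy of the key to the application for the duration of one request.
func (s *KeyService) Get(user string) ([]byte, error) {
	k, ok := s.keys[user]
	if !ok {
		return nil, ErrNoKey
	}
	return append([]byte(nil), k...), nil
}

// Revoke is the user's "throw away the key" action (crypto-shredding).
func (s *KeyService) Revoke(user string) { delete(s.keys, user) }

// App stands in for YNAB The Software: its database holds nonce||ciphertext only,
// and the key is fetched per request and never written anywhere.
type App struct {
	keys *KeyService
	db   map[string][]byte
}

func NewApp(ks *KeyService) *App { return &App{keys: ks, db: map[string][]byte{}} }

func (a *App) aead(user string) (cipher.AEAD, error) {
	k, err := a.keys.Get(user)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(k)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Save encrypts the budget with AES-256-GCM, binding the record to the user ID as
// associated data so a ciphertext cannot be moved between accounts in the database.
func (a *App) Save(user string, budget []byte) error {
	g, err := a.aead(user)
	if err != nil {
		return err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	a.db[user] = g.Seal(nonce, nonce, budget, []byte(user))
	return nil
}

// Load fetches the key again and decrypts; it fails with ErrNoKey once the key is revoked.
func (a *App) Load(user string) ([]byte, error) {
	g, err := a.aead(user)
	if err != nil {
		return nil, err
	}
	rec, ok := a.db[user]
	ns := g.NonceSize()
	if !ok || len(rec) < ns {
		return nil, errors.New("no record for user")
	}
	return g.Open(nil, rec[:ns], rec[ns:], []byte(user))
}

// Stored returns the raw record, i.e. what an employee or attacker with database access sees.
func (a *App) Stored(user string) []byte { return a.db[user] }

func main() {
	ks, app := NewKeyService(), (*App)(nil)
	app = NewApp(ks)
	_ = ks.Create("alice")
	_ = app.Save("alice", []byte(`{"income":5000,"rent":1500}`)) // constructed sample budget
	out, _ := app.Load("alice")
	fmt.Printf("before revoke: %s\n", out)
	ks.Revoke("alice")
	_, err := app.Load("alice")
	fmt.Printf("after revoke: %v (%d bytes of ciphertext remain)\n", err, len(app.Stored("alice")))
}
```

Two details carry the guarantee: the application asks the key service on every request instead of caching the key, and the record in the database is ciphertext plus nonce and nothing else. If either is relaxed (a key left in a log or a cache, or a plaintext copy written for analytics), revoking the key at the key service no longer deletes anything.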
Now, there are some obvious hurdles to this plan. For one, YNAB The Company has to be extremely committed to making submarine work in its infrastructure: the guarantee only holds if The Software fetches the key for each request and never lets it land in a log, a cache, or a backup, and if it never writes a plaintext copy of the data anywhere. It protects your data from anyone who gets at the stored database, not from a Company that decides to keep the keys while it still has them. Certainly we don't envision that submarine will be used to encrypt all of a user's data, but perhaps a company could use it as an extra layer of security for some particularly sensitive parts of its data, and perhaps another company could use submarine to assure its users that their data is stored in an anonymized way.
It's my belief that companies selling software services should (and will) give more power and responsibility over data back to the users to whom it belongs. submarine's goal is to offer a service to help service builders make that decision. Check out submarine on GitHub to contribute and try out one of the sample applications that uses submarine to protect its users' data.