Peerio is a chat and storage service with big security claims

A Canadian outfit called Peerio has put its eponymous secure messaging and cloud storage app into public beta, promising a much more usable alternative to PGP email and file encryption.

Peerio was released on Wednesday for Windows, Mac and Chrome (which also gives Linux users an option) – apps for Android and iOS are in the works. It’s not quite perfect just yet, but it’s an intriguingly user-friendly take on secure cloud communications and storage.

“Our goal is for Peerio to succeed PGP in the use-cases of mail and file sharing,” co-founder and lead cryptography designer Nadim Kobeissi told me via a Peerio encrypted conversation. “We’ve developed a system built on foundations that are more modern, stronger, and simpler than PGP. Anyone who uses Peerio for a few minutes will quickly see how it’s years ahead of using PGP with Thunderbird, and never go back.”

Open-source and audited

The two-decade-old PGP is certainly a pain to use — at least, if you want to get it right — largely because of the complexity of PGP key management. Rather than requiring users to have their private key file to hand, Peerio requires them to create memorable (and long) passphrases that are then used to locally generate private keys for each session. The passphrase is used to log into Peerio for the first time on each new device. After that, a shorter, easier-to-type password can be created for that device, and two-factor authentication is also available.
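The passphrase-to-key design described above, as an added illustration that is not Peerio's or miniLock's code: the article names no key-derivation function, salt or cost parameters, so scrypt with the username as salt and the settings below are assumptions for the demo.

```python
import hashlib

# Added illustration of passphrase-derived keys. Peerio's real KDF, salt and
# cost parameters are not given in the article; scrypt with the username as
# salt and these settings are assumptions for the demo.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed cost (about 16 MiB of memory)
MIN_PASSPHRASE_WORDS = 7                        # assumed policy for "memorable (and long)"


def passphrase_is_long_enough(passphrase: str) -> bool:
    """Client-side check: with no key file, the passphrase is the whole secret,
    so a short one turns the account into an offline-guessing target."""
    return len(passphrase.split()) >= MIN_PASSPHRASE_WORDS


def derive_secret_key(username: str, passphrase: str) -> bytes:
    """Regenerate the user's 32-byte secret key from the passphrase alone.

    The username is the salt, so two users who pick the same passphrase still
    get different keys. Because the derivation is deterministic, a new device
    needs nothing copied to it: typing the passphrase there yields the same key.
    """
    if not passphrase_is_long_enough(passphrase):
        raise ValueError("passphrase too short for a key-derivation-only scheme")
    return hashlib.scrypt(passphrase.encode("utf-8"),
                          salt=username.encode("utf-8"),
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=64 * 1024 * 1024, dklen=32)


def same_key_on_new_device(username: str, passphrase: str) -> bool:
    """Simulate first login on a second device: no stored material, only the
    passphrase, and confirm the identity key matches the first device's."""
    first_device = derive_secret_key(username, passphrase)
    second_device = derive_secret_key(username, passphrase)   # nothing carried over
    return first_device == second_device


if __name__ == "__main__":
    # Constructed sample credentials for the demo.
    user, phrase = "alice", "copper lantern quietly folds seven river maps"
    print(same_key_on_new_device(user, phrase))
    print(derive_secret_key(user, phrase) != derive_secret_key("bob", phrase))
```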

Peerio incorporates the encryption technology of Kobeissi’s Minilock file encryption app. Users have usernames rather than email addresses, and their client-generated, abstract avatars are used to verify their cryptographic identity (the client can automatically detect changes).

From a functionality perspective, Peerio is a cross between email (albeit without the universality) and instant messaging. Files can be attached to messages, and conversations are threaded and searchable. There’s no draft functionality at the moment, which can be a pain when jumping between conversations mid-message, but Kobeissi said this will come soon and drafts will be safely encrypted.

Kobeissi, a PhD student in applied cryptography, is best known as the creator of the Cryptocat chat app, which had a nasty security scare in 2013 (a bug left group chats vulnerable for months). However, this time round his co-creation has been audited by “expert cryptographers and system penetration testers” (Germany’s Cure53, per Wired). What’s more, the client code is open source and available on GitHub for scrutiny by whoever can offer it.

Metadata issue

Kobeissi seems pretty confident about Peerio’s security. When I asked whether it was tough enough to be a secure channel for leaking information, he replied: “I think people doing something like leaking state secrets should not depend on the internet at all, personally. But I would say that Peerio can protect the content of people’s communications, even if they’re operating from a highly surveilled context.”

However, the service’s end-to-end encryption only protects the contents of communications, not the metadata about who contacted whom and when. Peerio’s Canadian servers still hold users’ contact lists, the number of files and messages sent, and message timestamps. Kobeissi told me access to this metadata is “quite minimal and well-guarded” and he and his colleagues “pledge to fight any overreaching government requests”, but still, the information is there and, unlike the contents of messages, available to Peerio itself. Will Peerio create a way to encrypt this metadata? “One thing at a time,” Kobeissi said.

Peerio’s team includes four permanent staff, but numbers 12 with hired contractors – the outfit has $250,000 in seed funding. The plan is to make money by charging for premium features such as more than a gigabyte of storage, and by targeting the business market at some point.

For a product just entering public beta, Peerio seems admirably clean, functional and user-friendly. As long as people don’t find nasty vulnerabilities – and the firm deals with its metadata-related issues – it could be a viable mass-market encrypted communications and collaboration service. (A minor warning, though: if you import a contacts list, Peerio will send out an invite to everyone on it.)