
TRVE Data: Secure and Resilient Collaborative Applications

Cloud-based collaboration tools such as Google Docs, Evernote, iCloud and Dropbox are very convenient for users, but problematic from a security point of view. At present, most such services are provided by companies through a centralised server infrastructure, which is vulnerable to operational mistakes by the service provider, security breaches, and cyberattacks.

The goal of the TRVE Data project (pronounced “true data”) is to build the foundation for the next generation of collaboration software, providing stronger security and resilience than the current practice. We are developing algorithms, protocols, and code that allow real-time collaboration and data synchronisation across several devices without relying on central servers. Our research is based on the following principles:

End-to-end encryption

Today's Internet services typically process data in unencrypted form on their servers, and employ encryption (e.g. TLS) only for communication between servers and end-user devices (such as laptops or smartphones). Hence, users depend on the cloud provider to prevent unauthorised access and to maintain integrity of the data. A security breach of the provider could have disastrous consequences: a hacker who gains access to the servers, or a rogue employee, can potentially read and tamper with vast amounts of sensitive data.

In contrast, we are designing systems to use end-to-end encryption, which secures data all the way from one user's device to another user's device. In this approach, servers only ever handle encrypted data that they cannot decrypt. Thus, even if communication networks or servers are compromised, the confidentiality and integrity of sensitive data are protected, giving users better ownership and control over their data.
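The property described above can be shown with a small added example, which is not code from the TRVE Data project or Automerge: two devices exchange an update through a relay that only ever stores ciphertext, and the receiver rejects anything the relay has altered. It assumes Node.js, AES-256-GCM as the cipher, and a key the devices already share; `Relay`, `encryptUpdate`, `decryptUpdate` and the document ids are hypothetical names.

```javascript
const nodeCrypto = require('crypto');

// Assumption: the devices already share a 256-bit key; key agreement is out of scope.
function encryptUpdate(key, docId, update) {
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(docId, 'utf8')); // bind the ciphertext to its document
  const body = Buffer.concat([cipher.update(JSON.stringify(update), 'utf8'), cipher.final()]);
  return { docId, nonce, body, tag: cipher.getAuthTag() };
}

function decryptUpdate(key, msg) {
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.nonce);
  decipher.setAAD(Buffer.from(msg.docId, 'utf8'));
  decipher.setAuthTag(msg.tag);
  // final() throws if body, nonce, tag or docId was altered in transit
  const plain = Buffer.concat([decipher.update(msg.body), decipher.final()]);
  return JSON.parse(plain.toString('utf8'));
}

// Hypothetical relay server: stores and forwards opaque messages, never holds the key.
class Relay {
  constructor() { this.queue = []; }
  push(msg) { this.queue.push(msg); }
  pull() { return this.queue.shift(); }
}

function rejects(key, msg) {
  try { decryptUpdate(key, msg); return false; } catch (err) { return true; }
}

function demo() {
  const key = nodeCrypto.randomBytes(32);
  const relay = new Relay();
  const update = { op: 'set', field: 'title', value: 'Q3 budget' }; // constructed sample
  relay.push(encryptUpdate(key, 'doc-1', update));
  // What a compromised server can read: no plaintext in the stored bytes.
  const serverSeesPlaintext = relay.queue[0].body.includes(Buffer.from('Q3 budget'));
  const received = decryptUpdate(key, relay.pull());
  // A compromised server flips one ciphertext bit.
  const tampered = encryptUpdate(key, 'doc-1', update);
  tampered.body[0] ^= 0x01;
  // A compromised server re-labels an update as belonging to another document.
  const moved = { ...encryptUpdate(key, 'doc-1', update), docId: 'doc-2' };
  return { serverSeesPlaintext, received,
    tamperDetected: rejects(key, tampered), rebindDetected: rejects(key, moved) };
}

console.log(demo());
```

Authenticated encryption alone does not stop a relay from withholding or replaying messages; detecting that needs sequence numbers or hashes of earlier updates inside the encrypted payload.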

Making servers optional

At present, services typically transmit all data via a central server. Even if the communicating devices are in the same room, their data might be sent via a server on another continent. This approach is not only slow and wasteful, it also makes the system susceptible to disruption: if the server is blocked or subjected to a cyberattack (e.g. a DDoS attack), or if the operator goes out of business, the software stops working.

To improve the resilience of applications, we are using peer-to-peer communication where possible, sending data directly between collaborating devices, and utilising fast local networks when applicable. Servers may still be used, but the software continues working if servers are unreachable. Using local storage and local networks further improves users' control over their own data.

Open source and open standards

All software developed in this project is made freely available as open source, so that it can be easily adopted by application developers.

We have implemented this approach in Automerge, a JavaScript library for building collaborative applications. Automerge allows users to read and modify data even while their device is offline, and it performs data synchronisation and automatic conflict resolution when a network connection is available. Unlike most existing data synchronisation systems, Automerge does not require data to be sent via a centralised server, but rather allows local and peer-to-peer networks to be used, and it is compatible with end-to-end encryption protocols.

 

Dr Martin Kleppmann
Department of Computer Science and Technology, University of Cambridge

 

About us

The Trust & Technology Initiative brings together and drives forward interdisciplinary research from Cambridge and beyond to explore the dynamics of trust and distrust in relation to internet technologies, society and power; to better inform trustworthy design and governance of next generation tech at the research and development stage; and to promote informed, critical, and engaging voices supporting individuals, communities and institutions in light of technology’s increasing pervasiveness in societies.
