Dotcom's 'Skype killer' — the challenges it faces

The Kim Dotcom-founded Mega has launched MegaChat, an encrypted browser based video chat service.

It's bare-bones. There's no mobile version or video conferencing feature, and it's still in a beta test phase.

Still, Dotcom claimed 500,000 MegaChat calls had been made within hours, and that more than 1 million invites had been sent by Mega members.

Even allowing for Dotcom hyperbole, it's easy to imagined MegaChat's key selling point, encryption, will appeal to a segment of the population. Privacy is a big issue, and governments and law enforcement agencies are getting snoopier and snoopier in their monitoring efforts. 

Dotcom has boasted on Twitter that Mega's encryption has never been cracked. A bounty has been on the table for the past two years for any white hat hacker who can point out a vluneratiblity. There have been no takers (Ars Technica and Forbes have both raised what they've seen as security issues with Mega (Ars called it "Megabad", while The Guardian says passwords were stolen soon after Mega's launch. Regardless, if the NSA has cracked Mega's encryption, it's not about to advertise the fact).

A recent article in respected German newspaper Der Spiegel, based in part on Snowden leaks, says the NSA has made vigorous and successful attempts to crack Skype's encryption, and that of other providers.

It's easy to imagine that's the case. Google, Microsoft and Apple are all making newly assertive attempts to encrypt various services; moves that have riled US authorities, and led UK Prime Minister David Cameron to call for a ban on encryption, and lobby US President Barack Obama for support.

ABOVE: A MegaChat session (Engadget)

For a moment, let's assume the Mega crew have perfectly encrypted MegaChat (without any technical details, it's impossible to critique, but let's suppose), and that it has an edge on its mainstream rivals.

That still leaves other issues.

Mega has said it will abide by the laws of every country it operates in. As a registered commercial entity it can barely take any other stance.

And when the FBI so successfully eavesdropped on the Skype chats and instant messages Kim Dotcom and his co-defendants while investigating Megaupload, it did so with a warrant issued by a judge.

What would Mega do if a law enforcement agency in a country its service operates in (that is, anywhere), hands it, or one of its users, a lawful warrant asking for encryption keys? In NZ, it has to live under the Telecommunications (Interception Capability and Security) Act, aka TICS, which gives our government broad-brush powers to demand depcryption keys from a service provider when there is a (very broadly defined) threat to NZ's national interest. This as-yet-untested legislation gives the ICT Minister discretion over who is defined as a service provider. Network operators like Spark, Vodafone, 2degrees are very clearly service providers. It's more of a grey area for the likes of Microsoft Skype, Google Hangouts and now MegaChat - but I'm guessing the Crown won't give MegaChat a free pass. 

There's also the wrinkle that the FBI did not have to serve Skype itself (the events took place before the service was bought by Microsoft); rather, the agency was apparently able to plant spyware on the defendant's computers. If you're listening in via snooping software on a person's computer - or, heck, even a conventional bug planted in their living room - encryption won't help.

It will only take one incident of law enforcement accessing a MegaChat conversation, or one country blocking the service (as Italy recently blocked Mega, albeit temporarily), to make it a whole lot more difficult for the new service to attract users.

Dotcom says Mega is doing well on that front overall. 

In a recent tweet, he claimed 15 million registered users (market leader Dropbox claims 300 million). But, as ever, he did not respond to NBR's inquiry into how may have signed up for the paid version of the service.

As Mega prepares for its controversial reverse-listing on the NZX (this week delayed for a fifth time), private investors and potential shareholders will be wondering about Dotcom's big plan to monetise MegaChat. Microsoft, and other owners, have famously wrestled with the question of how to translate Skype's monolithic market share into profit.

Ads are presumably off the tablen for MegaChat, since privacy-paranoid types will rile at special messages appearing on their accounts, no matter how much Mega reassures there's no tracking. And to get people to pay for calls, Mega will have to persuade customers it can hold warrant-totting law enforcement agencies at bay. Tricky. Lavabit, an encrypted email service used by Snowden, threw in the towel after being unable to convince its users it was immune to snooping, or government pressure. At the end of the day, it's not about technology, it's about trust.

ckeall@nbr.co.nz

Follow @ChrisKeall