The United Nations became the latest large organization to embrace this collaborative office suite when it used it to replace Google Forms. Here’s what you need to know about the open-source project.

Imagine, if you will, a suite of software that is a real-time collaborative office suite and that has end-to-end encryption. Oh, and it’s open-source as well.
Dreaming? Not at all. Welcome to CryptPad.
Based in Paris, and initially created as part of a 2006 XWiki research project on real-time editing, CryptPad was founded on the principles of privacy, even though its creators seem to have happened upon that angle of the project while writing other code.
“CryptPad is built by a nine-person team at XWiki SAS, which is a 20-year-old company believing in open-source software and wanting to contribute great technology which anybody can use, while making a living out of it,” Ludovic Dubost explained to FOSS Force in an email. Dubost is founder and CEO at XWiki SAS and business lead for the CryptPad project.
“As our developer was working with researcher’s code, he decided to rewrite an adaptation of the algorithm using client-side code in JavaScript,” he said. “Initially we were doubting the need to rewrite, but we then realized that with this implementation, the synchronization of users’ editing sessions did not require the server to actually do the synchronization. This would allow adding end-to-end encryption.”
Dubost saw this as a significant innovation and disruption, and he and his team decided to keep this approach, launching the website CryptPad.fr as a demonstration of an end-to-end encrypted editing session.
“When we did demos or presented this at conferences, we saw there was an interest in being able to edit documents securely without cloud providers snooping on the data,” he said.
At the end of the research funding, he and his team decided to look for a new way to continue this project. In 2019, they found the Next Generation Internet program, winning the “Privacy Enhancing Technology Startup” prize. They then got a series of grants, not the least of which was a €50,000 grant from the Netherlands Net Privacy Enhancing Technology Fund.
The grants “allowed us to develop many of the features of CryptPad today such as team drives, sharing, access controls, and the Form application,” said Dubost.
The software suite made news recently when it was adopted by the United Nations. In March, the UN decided to drop Google Forms and use CryptPad Forms to gather endorsements for their Open Source Principles.
CryptPad’s Seeking Sustainability
“While we’ve been quite successful at making XWiki sustainable, CryptPad is not yet sustainable as it relies mostly on research grants,” Dubost said. “Those are unfortunately risky, as we are never sure to get new ones to replace the prior ones. We are currently seeing that the Open Tech Fund just got stripped of its funding by the new US government. This is leaving some open source privacy projects with less funding.”
While it seems these funds might be restored, the episode shows the lack of long-term sustainability.
“CryptPad currently has about 20% of its funding from CryptPad.fr subscriptions and from donations,” Dubost explained. “In order for the project to be fully sustainable we need to reach a much higher level. For this to happen, we believe that we need to continue to make CryptPad known, reaching more users. We currently have two million documents opened per month on CryptPad.fr by 200,000 monthly users and 55,000 regular users with drives, including more than 1,000 subscribers.”
Unlike similar platforms, CryptPad does not offer so-called free services that collect and sell user data and cash out for its investors, and its goal is to be fully funded by users through subscriptions and donations. There are no investors waiting to profit from user data (it’s encrypted anyway), and no “exit strategy” since all the code is already in the public domain.
CryptPad is licensed under the AGPL3. Not only does this keep others from taking pieces of the code and embedding them in proprietary software, it’s “also forcing participants who would want to launch services on top of CryptPad to publish their code changes as AGPL3, which is the requirement of the license,” Dubost said. “We welcome competition based on our code, but this should be on equal terms.”
It’s important that the project does not have a Contributor License Agreement, which means they cannot change the license of code contributions. “We have chosen this approach to show our commitment to open source,” he said.
A Look Under CryptPad’s Hood
The platform’s encryption uses standard cryptography technologies, with the main selling point being that it makes it easy for users to share the encryption keys needed to share documents.
There are basically two methods, depending on whether you and your peers have accounts on CryptPad.
The first method, for those without accounts, works like this: When you create a document, a key is generated in your browser and stored locally on your computer or in your encrypted drive. When you share this document with a user without a CryptPad account, a URL with a long string after the “#” is sent, containing both the address of the document and the encryption key. Crucially, the part of the URL after the “#” is never transmitted to the server, which means the encryption key stays private.
If you and the person with whom you are sharing both have accounts with CryptPad, you have the additional option to share content using CryptPad’s internal sharing mechanism. This allows sending the document keys in a public-key encrypted box that only designated recipients can open.
This process is not very different from the one used by Google Docs, according to Dubost. But while it’s the same process, encryption is added in the background, which keeps it very simple for users. CryptPad is also more private, because anyone who hosts your data will never have access to the encryption keys. This means they can’t look at your data or run either data mining or AI on it.
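The first sharing method described above (key carried after the “#”) can be reproduced in a few lines of Node.js. This is an added example, not CryptPad's code: the link layout, the `pad.example` host and the use of AES-256-GCM are assumptions made for illustration.

```javascript
// Added example. The link layout and AES-256-GCM are assumptions for illustration,
// not CryptPad's actual format or cipher. pad.example is a constructed host.
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// Client side: generate the document key locally and encrypt before upload.
function createPad(plaintext) {
  const key = randomBytes(32);
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // The server stores only this blob: IV (12) + auth tag (16) + ciphertext.
  return { key, stored: Buffer.concat([iv, cipher.getAuthTag(), body]) };
}

// Hypothetical link layout: document address in the path, key after the "#".
function buildShareLink(origin, padId, key) {
  return `${origin}/pad/${padId}#${key.toString("base64url")}`;
}

// What the browser sends when the link is opened: the fragment is removed
// before the request is built, so only the path and query reach the server.
function requestSeenByServer(link) {
  const u = new URL(link);
  return `GET ${u.pathname}${u.search} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
}

// Recipient side: take the key from the fragment, verify and decrypt the blob.
function openPad(link, stored) {
  const key = Buffer.from(new URL(link).hash.slice(1), "base64url");
  if (key.length !== 32) throw new Error("link carries no usable key");
  const decipher = createDecipheriv("aes-256-gcm", key, stored.subarray(0, 12));
  decipher.setAuthTag(stored.subarray(12, 28));
  const plain = Buffer.concat([decipher.update(stored.subarray(28)), decipher.final()]);
  return plain.toString("utf8");
}

// Host's view: it holds the blob and the fragment-less URL, so it cannot decrypt.
function serverCanRead(link, stored) {
  const u = new URL(link);
  u.hash = "";
  try { openPad(u.href, stored); return true; } catch { return false; }
}

function demo() {
  const { key, stored } = createPad("draft minutes (constructed sample)");
  const link = buildShareLink("https://pad.example", "doc1", key);
  return { wire: requestSeenByServer(link), recipient: openPad(link, stored),
           host: serverCanRead(link, stored) };
}
console.log(demo());
```

The key never appears in the request, but the full link, fragment included, remains in the recipient's address bar and history, so anything on the client that can read URLs can read the key.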
Does the browser matter?
Although CryptPad’s end-to-end encryption is designed to be browser-agnostic, there can be some browser-specific performance differences, depending on which technologies the browser supports.
“CryptPad is a heavy JavaScript application and relies on standards, such as SharedWorker, WebAssembly, or Progressive Web Apps technologies,” Dubost said, adding that the CryptPad staff is a small team, which puts limits on the number of browsers that have been tested.
“When Apple forbids other browser technologies on their phone, or decides to strip down or not implement PWA, it makes our work much more difficult,” he added. “This is why we will recommend browsers such as Firefox or Chromium (not Chrome, to avoid the Google tracking technologies).”
Another thing to remember is that CryptPad will only be as secure as your computer and browser. If your computer is compromised, then CryptPad cannot protect your data. With that in mind, Dubost recommends enabling two-factor authentication for additional protection. For browsers, the CryptPad team recommends being careful with browser extensions or avoiding them altogether, as these can snoop on your URLs, and a shared link’s URL carries the encryption key.
Dubost said that although CryptPad is used in many settings, ranging from companies to activist groups, creative writers, role playing game guilds, education, and now the United Nations, the largest group by far is individuals who are using it for personal reasons.
For more information visit the project’s website. Also, drop by their Open Collective donation page.