John Ackerly is the cofounder and CEO of Virtru Corporation. He spent the earlier part of his career working as the lead policy adviser on technology issues at the White House, and as Policy Director at the Department of Commerce. Ackerly and his brother, Will Ackerly, founded Virtru in late 2012, with the aim of giving people what he calls “real control” over their personal information, and over corporate information for enterprises.
Congress Reintroduces the Email Privacy Act
Privacy has been a big issue for a long time, and finally, there is public awareness of its importance, said Ackerly. It is an issue that needs to be solved, and we finally have technology tools, such as Virtru, that can actually provide real data privacy to individuals and organizations, he said.
“The debate is shifting from the tradeoff between privacy and security, to privacy being at the core of any secure system.”
The increasing attention to data privacy is the silver lining to the recent data compromises, and we are at that tipping point where people and enterprises are taking action, Ackerly said.
Virtru’s John Ackerly explains the benefits of a simplified encryption platform
We started with email, because email is still the big unsolved problem in terms of information security, said Ackerly. It is the place where information is shared, and is growing in value due to its convenience. We started with how to enable people to share data with the confidence that they are always in control. People should be able to share their health information, personal information, tax information or whatever it may be, knowing that it’s theirs, and only they and their trusted recipient have access to it.
This has been our founding mission from the beginning – pre-Edward Snowden, pre-Sony and pre-election. When we first started, encryption was a somewhat exotic topic, really only understood by computer scientists. Now, it has become a real societal issue – how do you get encryption and Zero Trust architecture deployed in a way that individuals and enterprises can have confidence that no third party can gain unauthorized access to private content – whether it’s a state actor, hacker or recipient who might not be taking the necessary steps to configure their own inbox.
In 2013, we started scaling the business and building the encryption platform, which included the initial integration into the Microsoft and Google ecosystems. We built our API, authenticated third parties to add our encryption to their own platform, and raised capital from multiple parties. We now deploy to both individuals and very important enterprises, including financial institutions, hospitals and government agencies.
Users have exclusive control over their content. As such, if you deploy Virtru, we never see the content – and neither does Google nor Microsoft. We have an offering where an individual can also run their own key server, and we also offer on-demand encryption, where users can turn Virtru on or off with the click of a switch. The program is designed to run rules in the background, so if a user mistakenly types in a social security number, the user is warned within the browser. It’s like spell check for security and we take privacy very seriously.
This has been a big failure for most solutions, which basically sit blindly in the background while things are happening on the client side. Virtru runs continuously to add value and an extra layer of security for customers.
Virtru vs. Other Encryption Solutions
Unlike most of the other encryption solutions, Virtru integrates directly into the tools that people love. Users also have the ability to revoke an email, control forwarding, set an expiry date on an email, and execute important administrative and policy controls around data loss prevention. Users have the ability to control their own keys. Virtru is easy to use and gives users the most control. There are other great companies out there, but they don’t provide any of these solutions and they require users to install their client. They also require the recipient to install the client, or also install software, and this brings people out of their usual workflow, which is difficult for both the sender and recipient.
We take a very strong position that backdoors are the wrong answer. They are bad for security and for privacy. That is also the consensus view in government, and we take this issue very seriously. We are very transparent in the sense that we are anti-backdoor, and are really about giving the public control over their personal data. We work with the privacy community and feel good about our stance.
Trusted Data Format (TDF)
The Trusted Data Format was developed by my brother while he worked for the NSA. It is an open format, meaning it’s available for anyone to use – which is really important in the light of achieving scale, with the TDF becoming the default standard for data-centric security. It’s a very flexible format and works to enable any kind of information workflow. It ensures authenticity and data integrity, which are very important use cases, well beyond email. It also ensures that only the right analytics systems and machine systems are able to decrypt content.
We are collaborating with a number of companies who are working in the autonomous vehicle space on this issue. Just like you want to ensure that only the right humans are able to decrypt an email, you also want to ensure that only the right systems are assimilating data and acting upon it.
TDF is at the core of what we are doing, and it is a novel concept. When it comes to our cryptography and key management, we embrace open standards, because that’s really the only way to get mass scale and trust. Third parties can ensure that it’s built in the way that customers want.
Enterprise Email Accounts Can be Retroactively Accessed in the Event of an Audit
It’s important for any regulated industry or government agency that you can support ediscovery. Any law firm would require this if there is a court ruling or something similar. Following due process, you want to be able to access the information of an employee or an administrator. That sort of control is really important. The main point is that it is up to the enterprise itself, and not the vendor, to decide who should have access to their own content.
In the context of individual users within a corporation or government agency, it is up to the administrator to decide who can access their content. We are not involved in that decision, and there is no third party storing this content. That gives the enterprise exclusive control, and the opportunity to meet any regulatory requirements they might have. It is another differentiator for Virtru.
Virtru Helps Clients in Regulated Industries Meet Compliance Requirements
This is a fantastic use case for us because Virtru helps doctors, psychiatrists, law enforcement officials and others with regulatory needs meet HIPAA and CJIS compliance, all with a simple add-on to their existing workflow. The compliance requirements have been a big driver of Virtru adoption, with complete privacy underneath to protect data when you share it with third parties. You need that additional layer of trust and protection to meet your regulatory needs. There are a whole slew of regulatory challenges that we have solved for our customers.
Virtru Provides a Layer of Protection Against the Activities of State-Sponsored Actors
We are a critical component to the Zero Trust architecture, which we think is the ultimate solution. When you look at those affected by the Sony hack, you will find that it includes the employees and anyone who ever shared an email with Sony – including the Snapchat CEO, who was sharing inappropriate material with a board member. This sort of thing happens all the time, and if you have true object-level encryption on your device, then your content is encrypted while the device is at rest, in transit and on the recipient’s device. If Sony had deployed Virtru at the time, their damage would have been greatly minimized, because all those files would have been encrypted. As such, when the infiltration occurred, the files would have been unreadable.