Kim Dotcom's new Mega may not be a pirate's dream

[Photo: Kim Dotcom. Credit: Andreas Bohnenstengel]

On Saturday, exactly a year after a Justice Department raid shut down the file-locker service Megaupload (which had been megapopular with intellectual property scofflaws), the site's flamboyant founder Kim Dotcom unveiled a new service simply called Mega that combines cloud-based file storage (not unlike what Megaupload offered) with the promise of a robust encryption scheme. The debut has had the tech media beside itself, a reaction that the typically outlandish launch party in New Zealand has only amplified, and presumably pirates who missed the good old days of being able to find an illicit Megaupload link to pretty much any album or film they could ever want were excited too.

So far the site's been overloaded with users, but it remains to be seen if file traders are still going to be as enthusiastic once it's running at full capacity. Mega might become a killer music- and movie-trading app like Megaupload had grown into before it was taken down, but there are indications that it's not quite the pirate's dream come true that it was shaping up to be.

Tech types are just now getting a peek under Mega's hood, and already it seems that it's not living up to all of its promises. For one thing, the method that Mega uses to generate encryption keys is apparently much weaker than it could have been if the designers had implemented a few extra features. Encryption schemes are notoriously difficult to visualize and understand, but what it seems to boil down to, according to Ars Technica, is that it's "easier (not easy, but easier) to reverse-engineer a Mega user's private RSA key than it should be."

There's also the matter of "deduplication." According to Mega's terms of service, "Our service may automatically delete a piece of data you upload or give someone else access to where it determines that that data is an exact duplicate of original data already on our service. In that case, you will access that original data." In plain English that means that if you upload a copy of One Direction's Take Me Home, Mega might automatically scan your upload, determine that there's already a copy of Take Me Home on its servers, and simply delete your copy and replace it with a link to the original upload.

The deduplication process is intended to save space—why should Mega store a thousand copies of Take Me Home when it can just host one copy and link a thousand users to it? That makes sense, but it also would theoretically generate a list somewhere of every user who uploaded or accessed Take Me Home, many of whom would presumably be doing so in violation of copyright laws. In a press conference at the launch party Mega attorney Ira Rothken promised that there is a "very robust DMCA takedown process on Mega," and some of the lengthier sections of its Terms of Service are devoted to the service's DMCA compliance. If Dotcom's turned over a new leaf, IP-wise, the deduplication data might be a boon to RIAA and MPAA lawyers.
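The sketch below is an added example, not Mega's code or anything from the original article: it models only the index a deduplicating store has to keep, and shows why that index doubles as a per-file list of accounts. It assumes deduplication is keyed on a SHA-256 digest of the uploaded bytes, and it goes one step beyond the article by contrasting that with a tag keyed by a secret only the uploader holds; every name in it is hypothetical.

```python
import hashlib
import hmac
from collections import defaultdict


def global_tag(data):
    """Dedup tag that depends only on content: equal files get equal tags."""
    return hashlib.sha256(data).hexdigest()


def scoped_tag(client_secret, data):
    """Dedup tag keyed with a secret held only by the uploader (assumption)."""
    return hmac.new(client_secret, data, hashlib.sha256).hexdigest()


class DedupIndex:
    """Index side of a single-instance store; the blobs themselves are not modeled."""

    def __init__(self):
        self.stored = set()             # tags for which one copy is kept
        self.links = defaultdict(set)   # tag -> accounts pointing at that copy

    def upload(self, account, tag):
        """Link account to tag; return True if an existing copy was reused."""
        reused = tag in self.stored
        self.stored.add(tag)
        self.links[tag].add(account)
        return reused

    def accounts_linked_to(self, reference_copy):
        """What the operator can answer when handed one copy of a file."""
        return sorted(self.links.get(global_tag(reference_copy), ()))


# Constructed sample input standing in for one album file.
ALBUM = b"constructed sample bytes standing in for one album file"


def demo():
    shared, scoped = DedupIndex(), DedupIndex()
    for user in ("alice", "bob", "carol"):
        shared.upload(user, global_tag(ALBUM))
        secret = hashlib.sha256(b"secret-of-" + user.encode()).digest()  # constructed
        scoped.upload(user, scoped_tag(secret, ALBUM))
    return (len(shared.stored), shared.accounts_linked_to(ALBUM),
            len(scoped.stored), scoped.accounts_linked_to(ALBUM))


if __name__ == "__main__":
    print(demo())
```

With content-only tags the store keeps one copy and can name all three accounts from a single reference file; with uploader-keyed tags it keeps three copies and the same lookup returns nothing, which is the space saving traded away for unlinkability.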

But even if Dotcom and Mega continue their tradition of thumbing their noses at intellectual property owners, there's no guarantee that Mega's users will be as safe as the promise of AES-128 encryption with a 2048-bit RSA key might suggest. The Justice Department botched the raid on Dotcom and Megaupload a year ago, and its case has suffered as a result. I'm guessing if they decide to hit him up again they'll be a lot more careful and thorough about it. If there's a way into Mega's users' files I'm fairly sure the FBI will figure it out.
