Brussels / 4 & 5 February 2023


Whom Do You Trust?

Privacy and Collaboration in CryptPad

The level of privacy awareness once reserved for messaging applications is reaching other forms of online collaboration such as office suites. Many companies, including "big tech", claim that their platforms enable users to privately collaborate. However, the definition of what privacy actually means varies widely. While there are no ways to verify claims made about proprietary software, the impact on users is very tangible.

CryptPad is an end-to-end encrypted open source collaboration suite. It seeks to reconcile collaboration and privacy. Users make changes to documents and these are encrypted by their client (web browser) before being sent to the server for real-time synchronization. In this talk I will detail CryptPad's privacy definition and introduce the assumed threat model of an honest-but-curious server. While users have to trust the server to not actively attack their privacy, they can nevertheless protect themselves against a passively sniffing server. I will show why end-to-end encryption is not enough, but must be combined with open source to achieve reasonable privacy in this model.

I am an R&D engineer who joined the team a few months ago with a focus on cryptography. I quickly realized that security and privacy in CryptPad rely on much more than just algorithms.


Photo of Theo von Arx Theo von Arx