Regular readers (both of you) will recall my previous scepticism regarding IT "security" company Scentrics. TL;DR - they're pushing the idea that a key part of "secure" email is sending a copy of every email to a central server, encrypted with a key that only gives access to a trusted party - your local government, for instance. Singapore seemed very interested in their proposals, for reasons one can imagine.
Out of idle curiosity, I thought I'd check the Scentrics accounts for 2016-2017. Well, gosh.
|30 June 2017|
|30 June 2016|
|Property, plant and equipment||6,463||8,618|
|Cash at bank||893,815||2,793,822|
|Creditors within 1 year||(893,718)||(893,232)|
|Net current assets||1,051,653||2,947,617|
|Total assets less current liabilities||505,072,218||2,976,690|
|Provision for liabilities||(99,546,235)|
|Capital and reserves|
|Called up share capital||130||130|
How would I read this? They spent £1.9M of their cash on various things during the year; about half of that on medium-to-long term debt servicing, and the rest presumably on overheads (salary, office, patent office fees, other professional service fees). This is clearly not sustainable, and indeed last year they had a net worth (retained earnings) of minus 2.8 million pounds. How could this be fixed?
Well, they've just gained £504 million in intangible assets. The associated notes indicate a "revaluation" of their intangibles happened, which changed from £22K to £560M. There was a 10% amortisation charge ("spreading out") over the year, taking them down to a measly £504M. That's quite a change, what was involved?
Patents and licences were valued on an open market basis on 20 August 2018 by the DirectorsThere's also the useful information:
Patents and licences are being amortised evenly over their estimated useful life of ten years.But there's no obvious licence revenue in the company accounts that I can see, and there's still only 4 employees (the directors) so they're not doing anything substantial with the resources, so I'd bet this £560M change is an evaluation of the worth of their patents. Let's look at these, shall we?
The main Scentrics patents pivot around the previously discussed system where a client (mobile, in the most recent patents, but there's nothing specifically "mobile" about them) talks to a centralised mail server to obtain encryption keys to safely send messages to it for routing onwards a destination, and then separately sends a copy of the message (asynchronously! wow, there's some modern thinking) to a "monitoring" server using a different encryption key.
Basically, it's a system for a company or government to enable scanning of email sent by its employees/citizens - as long as they're using its mail application, of course. If the employees use Outlook.com, Gmail, or any number of other public webmail services, they are sunk. So companies will block all the webmail applications by restricting the web browsers in their corporate devices, forcing use of the corporate mail server (Outlook, most likely) which they can snoop on. They don't need Scentrics' patents. Governments would need a willing population to live with the (likely) crappy, unreliable custom email application and not look elsewhere for their email needs. Even China struggles to keep up with restricting their population to approved websites, and they're a gosh-darned communist dictatorship.
It's not impossible that Scentrics reckons they can get a major corporation or government to licence their patents, but I'd have to rate it as unlikely at best. Why would someone pay £500M for it, rather than (say) £5M to get a moderately competent cryptographer to design a better system? The patent is extremely dubious to defend in my personal technical opinion; there are alternative strategies such as encrypting the message with a randomized key, encrypting that key with a) the recipient's key and b) the monitoring service's key, and enclosing both encrypted keys in the message. Then the client only has to send one message, and the monitoring service can store it and decrypt it on demand. But hey, what do I know.
Guru Paran Chandrasekaran and Andrea Bittau - happy to bring you gents up to speed on the state of modern cryptography, if you're interested. No charge!
(They've finally fixed their https problem. Guess it got a bit embarrassing.)
Update: Looks like Andrea Bittau was killed in a motorcycle crash last year. Nothing sinister, just terribly sad - 34 years old.