After eight years of existence, file sharing service Box has built a huge user base—claiming 180,000 businesses, including 97 percent of the Fortune 500—by offering cloud storage and collaboration tools with top-notch security and regulatory compliance.

But while Box may be resistant to most criminal hackers, like most cloud storage companies, it must provide the government with customer data when it is forced to. For the vast majority of Box customers, that isn't likely to change. However, the company is developing a system for the most security-conscious customers in which even Box management would not be able to decrypt user data—making it resistant to requests from the National Security Agency.

Box co-founder and CEO Aaron Levie spoke with Ars last week to promote the launch of a new collaboration tool called Box Notes and answered our questions about Box's encryption model.

While a service like SpiderOak says it provides total secrecy by making data inaccessible to its employees without the customer's password, Box's collaboration tools would be difficult to implement in a model that puts customers in complete control of their data.

"From an architectural standpoint, we are certainly more like a Google or Microsoft in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key because as a collaborative application we have to broker that exchange between multiple users," Levie told Ars. "To make it a seamless experience, it requires us to have those keys."

Avoiding the appearance of selling customers out to the government is an important business concern. Forrester analyst James Staten has argued that US IT firms could lose $180 billion in business over the next few years because of the NSA spying scandal. The label "NSA-proof" may not be achievable by any cloud service, though there are technological steps companies can take to gain users' trust.

Box security chief Justin Somaini recently told VentureBeat that the company would never install a backdoor for the government to take customer data. That doesn't mean it never hands files to the government when it's forced to. "If there is a data request by the government, that's something we generally comply with," Levie told Ars.

Box's security model—featuring armed guards protecting data centers, SSL encryption in transit, 256-bit AES encryption at rest, and compliance with HIPAA and other regulatory standards—is still good enough to cover about 95 percent of companies' security requirements, Levie noted. "But some businesses are either so regulated or so sensitive that we want to make sure we're able to work with them as well," he said.

“More than conceptual”

That's why Box is working on a new idea: letting customers themselves hold the encryption keys. "We are exploring ways that in the future our customer would be responsible for its keys, and that's something we may make available to some of the largest organizations," Levie said.

This is "more than conceptual," he said, when asked if it's just an idea or something actively being developed. He didn't provide any timeline, saying, "There's so much potential for unforeseen stuff" and that "the strategic roadmap is always very dynamic." Nonetheless, "it's something we are actively pushing on."

Box's name hasn't been paired with the NSA in nearly as many news articles as Google or Microsoft, perhaps because of its small size relative to those companies and because its enterprise customers don't tend to be the focus of many terrorism-related inquiries. But there have been requests from some customers to manage their own keys.

"We have [gotten requests]," Levie said. "We've worked pretty closely with a bunch of large enterprises to understand what their [needs are]. This has been going on for over a year. It's obviously increased in conversation in the past couple of months."

It will be difficult to keep Box's collaborative focus when the customer controls its own keys, Levie said. For example, customers today could use local encryption before uploading data to Box if they were willing to deal with some extra annoyances.

"Technically, if you gave the encryption key to your collaborators, you could absolutely encrypt data before it goes to Box and then your collaborator could decrypt that data as they download it," Levie said. "We would then never have the unencrypted data in the process. The challenge, of course, is most average business people and enterprises are not going to go through that experience because our differentiation as a company is to take security and combine it with a very simple user experience around working with information."

Levie acknowledged that "it remains to be seen" if Box can solve all the different security demands businesses make while still providing good collaboration tools. But he thinks Box can come up with something "that makes people very comfortable."
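The encrypt-before-upload workflow Levie describes above, sketched as an added example (it is not Box's code and not part of the original article). It assumes AES-256-GCM, a key already shared with the collaborator out of band, and an in-memory map standing in for the storage service; all function and variable names are hypothetical.

```javascript
// Added example: client-side encryption so the storage provider only holds ciphertext.
const crypto = require('crypto');

// Encrypt before upload. The file name is bound as associated data, so the
// provider cannot hand back one stored blob in place of another undetected.
function sealForUpload(key, name, plaintext) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every file
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(name, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]); // iv | tag | ciphertext
}

// Decrypt after download. final() throws if key, name, or bytes do not match.
function openAfterDownload(key, name, blob) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(name, 'utf8'));
  decipher.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// True when decryption fails authentication.
function rejects(key, name, blob) {
  try { openAfterDownload(key, name, blob); return false; } catch (e) { return true; }
}

function demo() {
  const sharedKey = crypto.randomBytes(32); // given to collaborators out of band
  const providerStore = new Map();          // stand-in for the cloud storage service
  const doc = Buffer.from('Q3 forecast (constructed sample)', 'utf8');

  providerStore.set('forecast.txt', sealForUpload(sharedKey, 'forecast.txt', doc));
  const stored = providerStore.get('forecast.txt');

  const tampered = Buffer.from(stored);     // copy, then flip one ciphertext bit
  tampered[tampered.length - 1] ^= 1;

  return {
    providerSeesPlaintext: stored.includes(doc),
    collaboratorReads: openAfterDownload(sharedKey, 'forecast.txt', stored).toString('utf8'),
    wrongKeyRejected: rejects(crypto.randomBytes(32), 'forecast.txt', stored),
    tamperRejected: rejects(sharedKey, 'forecast.txt', tampered),
    renamedRejected: rejects(sharedKey, 'other.txt', stored),
  };
}
```

Everything the service would need for previews, search, or in-browser co-editing is unavailable to it in this arrangement, which is the usability cost the interview keeps returning to.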

"We are not stubbornly resisting technological solutions to this problem," he said. "We are evaluating every possible way that we can make our customers feel great about the privacy and security of their data, because this is our key differentiator as a company."

If you're expecting NSA-resistant cloud technology to be rolled out to home users or even small businesses, think again. "It's really only going to be aimed at the most conservative and most regulated businesses," Levie said. "This is not something we think we're going to introduce to our entire network. And so it's very, very early in that sense."

Box takes small step into Google and Microsoft territory

As mentioned earlier, Box today is unveiling Box Notes, the company's first stab at a content creation application. Box already integrates with Microsoft Office, Google Docs, and other platforms to let users edit files in their native applications and store them in Box.

Levie said he doesn't want to recreate a full office suite, noting that trying to replace every little feature of Microsoft Office is a losing proposition. Notes, however, will let Box create a new way for people to share work and ideas without being limited by the sharing capabilities of other vendors' tools.

Box Notes is going into a limited, private beta before hitting general availability at the end of this year or beginning of next year. Run in a Web browser, it looks a bit like Evernote or the Google Docs word processor, letting people edit simultaneously. A "note head" feature puts people's faces on the document like "chat heads" do with Facebook. Other features in the beta include commenting, an in-line toolbar, and annotations for leaving edits or hyperlinks to other Box content.

Mobile apps for iOS and Android are in the works. Other planned capabilities include embedding images, video, and audio into notes, version history, and offline editing using HTML5 caching.

Box Notes will be free to all customers, whether they use the free storage tier or have a paid business subscription. Access to the beta can be requested at www.box.com/notes.

E-mailing documents is still the mode of collaboration for many big companies, Levie noted. Small teams might be using Google Docs, but there are still a lot of users within Box's existing customer base that don't use anything like Box Notes, he said.

"We're not really going after the existing Google Docs base and trying to migrate everybody and say that 'this is a better solution for them,'" he said. "We're trying to create a solution that solves our customers' problems."

Box will continue supporting integration with Google Docs, which offers collaboration across a wider set of document types. Users can create a new Google Doc from within the Box Web app. "When the file is opened and is in the process of being edited, it does live in Google—which is how we're able to use Google's document creation tools—but as soon as the file is closed, it gets deleted from the user's Google account and once again lives exclusively inside of Box," a company spokesperson explained.

Box has a similar setup for Microsoft Office but only for the desktop applications. Levie would like to integrate with Office Web Apps, but Microsoft hasn't made that possible, he said. "We think the right solution technologically is a Word document in Box should be opened in Microsoft Web Office. And that depends on the APIs they make available. We want the file format to be coupled with the originating application, so you have the highest-fidelity experience," he said. "We would love to let people open their content in any third-party application, but we are to some extent dependent on and paralyzed by availability of those APIs."

Security and regulatory compliance will remain important selling points for Box as it expands the types of content it hosts for customers. The company puts its money where its mouth is, running almost entirely on cloud services.

"At Box we run on 15 or 20 different cloud solutions," Levie said. "We have maybe a couple of servers that only manage an internal network."

Levie's Twitter feed could be described as "Confucius for tech startup CEOs" with statements like, "Make sure you know the moments when the customer will change for you and the moments when you should change for the customer."

He talks pretty much the same way in person: "In our world, technology is moving to the background, information is moving to the foreground," he said. "We're going to need a new set of tools that power those experiences around information."