Mega is running: does it hold its promises?

King Dot Com, the owner of the former MegaUpload, is back.  And he is making the headlines of the Internet and other media.  His new baby is the sharing site Mega.   It has been online since Monday.  What is the difference from MegaUpload?   You will have noted “the privacy company”.

The uploaded data are encrypted before being sent to the server.  Encryption uses 128-bit AES, and the encryption key is protected by a personal 2048-bit RSA key.  All crypto calculations are done in your browser.   Therefore, Mega does not know what is uploaded.  This is a safe harbor for Mega, at least in theory.

Furthermore, the Terms of Service are very clear.

Protection against copyright holders.

17. You can’t:

17.3 infringe anyone else’s intellectual property (including but not limited to copyright) or other rights in any material.

Good faith and goodwill toward copyright holders

19. We respect the copyright of others and require that users of our services comply with the laws of copyright. You are strictly prohibited from using our services to infringe copyright. You may not upload, download, store, share, display, stream, distribute, e-mail, link to, transmit or otherwise make available any files, data, or content that infringes any copyright or other proprietary rights of any person or entity.

We will respond to notices of alleged copyright infringement that comply with applicable law and are properly provided to us…

It will be interesting to see how Mega will handle the cease and desist notices from content owners.  Mega is not supposed to know whether the claim is legitimate or not.   Blind obedience or nitpicking?   The future will tell.

Furthermore, Mega protects itself from its users.

5. If you allow others to access your data (e.g. by, amongst other things, giving them a link to, and a key to decrypt, that data), in addition to them accepting these terms, you are responsible for their actions and omissions while they are using the website and services and you agree to fully indemnify us for any claim, loss, damage, fine, costs (including our legal fees) and other liability if they breach any of these terms.


Of course, with its claims of security, Mega got a lot of attention from the security community.  It already seems possible to get somebody's master key if you intercept her confirmation email.  Steve Thomas has published a first hack (MegaCracker).  Some other weaknesses seem to be around.


The blogosphere is now claiming that Mega did a bad job.  Is it really true?  I am not sure.  Of course, if you believe that Mega’s purpose is to securely store your data, then it may be true.  I would not recommend using it if confidentiality is at stake.   If you believe that encryption is just a way to claim safe harbor for Mega and build a new MegaUpload (without taking the infringing risk), then it is another story.  Then Mega does not care about being hacked (by the way, the TOS do not guarantee the confidentiality of your data).


In any case, weak security or not, Mega has already done an extremely good job of public relations.   The news of Mega's launch is all around the world.
