Introduction: LockBox

LockBox is a set of applications that arose out of Open Privacy's work helping mutual aid funds deploy secure infrastructure in the wake of the COVID-19 pandemic. Between March and April 2020, many people, particularly those from marginalized communities, found themselves in need of support.

Some community groups reached out to Open Privacy for advice: to distribute donated funds they needed to collect sensitive information from people in these communities, and they wanted stronger privacy guarantees for applicants and their personal information than mainstream hosted alternatives provided.

Open Privacy developed LockBox for this specific purpose: an encrypted, hosted application that allows organizations to collect information via a customizable web form. Data collected via this form is immediately encrypted using public key cryptography, and only by using a second app and a copy of the offline private key can a member of the organization decrypt and view the submitted entries.

If an attacker gains read-only access to the server where the form is hosted (for example via a vulnerable co-hosted application or a weakness in a shared host's configuration), they obtain only ciphertext and the public key, and cannot decrypt the submitted data. Only the private key holder can decrypt submissions, and the private key file can be kept offline and shared only with the people who should have access to submissions. The guarantee is deliberately scoped to read access: it covers what can be learned from the data at rest on the server, not what an attacker able to modify the hosted form could do.
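As an added illustration of this split (this is example code written for this case study, not LockBox's own implementation; the sealed-blob layout, the function names and the sample submission are constructed assumptions), the Go sketch below gives the form server only a public key and a `Seal` function, while `Open` needs the private key that stays with the offline app. The hybrid construction (ephemeral X25519 agreement, SHA-256 key derivation, AES-256-GCM) is one standard way to realize "encrypt immediately with a public key"; it is not a claim about which primitives LockBox uses.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Wire layout of a sealed submission (a format constructed for this example):
//   ephemeralPub (32 bytes) || nonce (12 bytes) || AES-256-GCM ciphertext+tag
const (
	ephPubLen = 32
	nonceLen  = 12
)

// GenerateOfflineKey creates the organization's X25519 keypair. In the
// LockBox split this runs on the offline decryption side; only the public
// half is ever copied to the form server. (Hypothetical helper name.)
func GenerateOfflineKey() (*ecdh.PrivateKey, error) {
	return ecdh.X25519().GenerateKey(rand.Reader)
}

// deriveKey turns the raw X25519 shared secret into an AES-256 key, binding
// it to both public keys so a mismatched transcript yields a different key.
func deriveKey(shared, ephPub, recipientPub []byte) []byte {
	h := sha256.New()
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	return h.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is all the hosted form server can do with a submission: a fresh
// ephemeral key is used once, so after Seal returns the server retains
// nothing that can undo the encryption.
func Seal(recipientPub *ecdh.PublicKey, submission []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, recipientPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral public key is authenticated as associated data.
	return gcm.Seal(out, nonce, submission, ephPub), nil
}

// Open runs in the second, offline app that holds the private key.
func Open(priv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	if len(sealed) < ephPubLen+nonceLen {
		return nil, errors.New("sealed blob too short")
	}
	ephPubBytes := sealed[:ephPubLen]
	nonce := sealed[ephPubLen : ephPubLen+nonceLen]
	ct := sealed[ephPubLen+nonceLen:]
	ephPub, err := ecdh.X25519().NewPublicKey(ephPubBytes)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephPub)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, ephPubBytes, priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, ephPubBytes)
}

func main() {
	priv, _ := GenerateOfflineKey()
	// Only priv.PublicKey() is deployed to the form server.
	sealed, _ := Seal(priv.PublicKey(), []byte("name=A. Person; request=rent support")) // constructed submission
	plain, err := Open(priv, sealed)
	fmt.Printf("%q %v\n", plain, err)
	// A read-only attacker on the server holds sealed and the public key only;
	// flipping one byte shows the authenticated encryption rejects tampering.
	sealed[len(sealed)-1] ^= 1
	_, err = Open(priv, sealed)
	fmt.Println("tampered:", err)
}
```

The property the page relies on falls out of the structure: `Seal` takes an `*ecdh.PublicKey` and never touches a private key, so a copy of the server's disk and memory after a submission yields only the sealed blob and the public key.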

We worked directly with the initial group that requested our help to deploy and administer LockBox, fixing bugs and adding requested features as they arose in real time. The success of, and continued interest in, the software led us to promote it to a fully supported project at Open Privacy, and we plan to release a more polished version of its two apps later in 2021, along with supporting material. Privacy International kindly funded the creation of some of these materials, as well as this case study documenting our efforts to bring radical encryption to marginalized communities, and helped us to understand and plan the most useful free, open-source end product we can create. We hope others will find it useful or inspiring for similar efforts, as we are a small team deploying small technology to large effect.

In what follows, we will discuss (2.1) the organization that initially requested our advice, (2.2) the needs and threat model that led us to choose a custom solution, (2.3) how we developed the LockBox apps and how they work, (2.4) how the organization used the software, and (2.5, 3) our conclusions and future plans for the software.

The latest copy of this document can be found at https://docs.openprivacy.ca/lockbox-case-study.