Here’s the thing: for all the talk about her email server, Hillary Clinton did not get hacked. “I’ll go on record with that,” says Giri Sreenivas, the founder of Helm. “Podesta was a Gmail user. He got phished.”
The subject of email privacy and security has never been more relevant. Not just in the wake of Russian hackers breaking into email accounts from Clinton’s campaign chairman and the DNC, but in light of everything that’s unfolded in recent months revealing how easy it can be for web giants like Facebook and Google to accidentally expose huge amounts of personal information on us.
It would be better if we knew for sure that our information was being kept private. So that’s what Sreenivas set out to make with Helm: a personal server that handles your email, calendar, and contacts, without sending the information off to anyone else. The data is owned by you, protected by Helm, and kept right inside your home.
It’s an idea that I suspect will appeal to a great many people worried about their privacy right now. But privacy isn’t everything; and whether Helm can ultimately compete with the security of Gmail and other popular email services will be a critical question as it seeks to replace the email service you already use with something more personal, but also more complicated and expensive.
Here’s how it works: Helm sells you its device, the Helm server, for $499 — that includes a one year subscription, and every year after that costs $99 more. The device looks like a funny router, and when you plug it in, you’ll use an app to get through a short setup process that quickly configures the server to work with the domain name of your choice. Then you just need to set up a way to access your new accounts.
Unfortunately, Helm has no web presence, so you can’t check your email or calendar from a browser, like you can with Gmail and Google Calendar. Helm doesn’t have apps of its own, either. Instead, it uses standard protocols, so that you should be able to use your accounts with any number of email and calendar apps — you’ll just want to pick ones that work locally, so that the data isn’t synced back to some company’s cloud. On an iPhone, Helm will automatically plug into Apple Mail after setup.
Those problems can be worked around, but they are inconveniences: if you want to use Helm, it’s very possible that you’ll have to switch apps and get used to a new way of checking your email account and calendar on all your devices.
Helm secures those accounts in a few different ways. Your administrative account, which controls the server, is protected with a password and one of those six-digit two-factor authentication codes, generated by a local app. Email accounts don’t use two-factor; instead, they require a per-app, single-use password. In theory, that prevents hackers from signing into any device without generating a new password. It also means that if your password leaks because of some app’s bad security practices, or if you get phished like Podesta, your account should still be safe.
But keeping your password safe is only part of the battle. Every device can be hacked, and it’s on Helm to keep these servers secure. Helm’s annual fee allows the company to keep adding new features (a password manager and file storage is coming) and updating its servers, but the company has nowhere near the resources of a competitor like Google, which can dedicate huge teams to keeping its data safe. There are just 12 people on the entire Helm team.
“Google does have a great security team,” says Sreenivas. “They also have a very large target.” Because Helm users are isolated in separate servers and locations, Sreenivas believes they’ll be less appealing to hackers, who are often trying to obtain huge amounts of data at once. “Very large, high concentrations, big targets — this is what hackers go after,” he says. “We believe we can make the internet more secure by decentralizing these services.”
Of course, that doesn’t mean the server is completely secure. If someone is targeting you specifically, all that matters is whether they can find a flaw in Helm’s software. And Sreenivas says that plenty of people regularly scan the web to find servers, so it’s not as though your Helm server will be hidden from the world just because it’s in your home. Helm itself has some amount of data, too, since it helps route traffic to and from the servers and stores an encrypted backup of your email, in case your local storage ever crashes.
So while the privacy benefit is there, you have to ask whether you trust Helm to keep your data secure, whereas we’ve always assumed that Google, Microsoft, Apple, and so on are pretty good at that.
Running a private server is not in itself a new idea. Large organizations often choose to host services themselves as a way to better control their network. Individuals could do this, too — it’s just difficult, and it’s certainly not easy enough for everyone to set up.
Helm succeeds in making that very easy for individuals. And the product is coming at the right time, weeks after a major Google+ flaw was exposed and a Facebook hack showed just how vulnerable these companies can be.
But as with all these services, the ultimate question here is around trust. Helm has the advantage of selling a service that has no interest in taking your data. If it can convince people the server is safe and secure in all those other ways, too, then it may have the privacy solution that many have been waiting for.
