Finally! An app to turn the ordinary person into a criminal

Via this recent piece in Wired, we are introduced to a breakthrough in technological services that could make everyone’s home or office immeasurably less secure and give almost everyone with a cellphone the opportunity to become a burglar.

Extra dividend: the purveyors of these services think they’re doing the world a favor. Maybe they are, but there are obvious downsides.

We’re talking about key-duplication services that allow anyone to take a smartphone picture of a key, upload it at a street kiosk or email it to a service provider, and get a workable key in return.

The services, including New York-based KeyMe and San Francisco-based KeysDuplicated, say they’ve eliminated the problem of getting locked out of your home or office, or the difficulty of getting a key to a friend or neighbor to enable emergency access.

As Wired’s Andy Greenberg writes:

The services “let you upload your coded chunks of metal to the cloud, where you can access and duplicate them, or even email them to a friend staying at your place.

“Such services also enable jerks like me to steal your keys any time they get a moment alone with them.”

He’s right about that. The services tout their security safeguards, but these have glaring limitations.

KeyMe requires you to set up a verified email-enabled account; KeysDuplicated keeps an audit trail of your keymaking tied to your credit card. Both say they don’t keep information linking your key orders and your address. That might reassure you that the companies themselves won’t be the source of illicit duplicating, but those safeguards don’t prevent unauthorized persons with even a couple of minutes’ access to your keys from making copies.

And how often is your keychain out of your control? It could be very often. You leave your keys with valet attendants, drop them on your office desk and wander off to a meeting, leave them lying around when the cleaners are in the house. For starters.

The services say only high-quality scans of keys will work with their systems, but those can be obtained with almost any smartphone today. Accordingly, both services advise that security is, essentially, your problem.

“Keep your keys out of sight,” KeyMe CEO Greg Marsh advises in a blog post. “Whether it’s your pocket, purse, or drawer, don’t let anyone you don’t trust see them. Wearing keys on the outside of your pants, placing them on a table top in plain view, or giving to a valet provides the potential for unauthorized access.”

KeysDuplicated similarly advises, “It’s always dangerous to leave your keys unattended. Someone could imprint them on clay or measure them with a key gauge then copy them at a hardware store.”

But this advice misses the point. These keymaking services, as Wired’s Greenberg observes, “have democratized the security threat.” They make it seem like a quaint luxury to have been able once upon a time to take your eyes off your keys for even a moment. Do that now, and you’ve given almost anyone near you the opportunity to invade your home or office.

KeyMe’s CEO, Greg Marsh, says people should be treating their physical keys with the same care they treat their passwords. (Let’s hope they give them more care.) “We’re increasing awareness of best practices,” he told me. He added that, compared to other duplication risks, such as making a clay imprint of a key and taking it to a locksmith, “we’re a much less attractive option,” because KeyMe will have a user’s credit card, email and (if the customer uses a street kiosk) even an authenticating fingerprint.

But he says there’s no way to close the biggest security hole: proving that a user has valid access to the key being duplicated. “Not possible,” he says.

This isn’t a unique problem. Technology has empowered other invasions of our privacy that are unavoidable and even legal. Think about the privacy shroud that once protected you from unwelcome phone calls, even when your number was listed: Anyone could obtain your phone number, but in most cases they’d have to know what town you lived in, either to call the correct directory assistance number or to track down your local phone book.

That went by the boards once phone directories moved online; now any old acquaintance can track you down from his or her desktop. Technically, your phone number isn’t less secret than it used to be; it’s just easier to find. And that is, in fact, a big difference.

So, yes, as KeysDuplicated says, your keys always were vulnerable to being misappropriated and copied. But it’s much easier now. As at least for the moment, while these services are still novel, the audit trails that allow them to connect individual keys with the customers who ordered them won’t do much to help people whose homes have been ransacked--who would even know to ask KeyMe or KeysDuplicated if their keys have somehow gotten into their databases?

It’s unlikely these services will institute better security safeguards without pressure from regulators. They’ll have to figure out how to ensure that every key order comes from an authorized owner. Are there ways to do that? Make them responsible for damages caused by unauthorized copies, and they’ll find a way.

It’s also possible that locks and keys will themselves have to change--incorporating electronic chips, say, that prevent them from being duplicated without authorization. It’s technology, and it marches on.

Keep up to date with The Economy Hub by following @hiltzikm.