I just got this cross-selling email from Basecamp today. I was thinking about it in the context of providing great outsourced workflow management in a package that is easyto use because it’s controlled and relatively narrow: you can customize it a bit but you can’t really build it out or add features and you certainly can’t deploy it on your own server.

This model, of course, works for most people. However, there are organizations where privacy and security are more important for any number of reasons, from client promises to competitive pressure to regulatory requirements. These groups can not easily use webapps like this because the security and data privacy issues are fuzzy at best, in the absence of particularized licensing agreements, which is pretty much antithetical to the concept of webapps! (Perhaps this post will uncover some completely specialized services that are built to solve these problems, like garbage companies that agree to keep your garbage private, in part so that you have an expectation of privacy and the police can’t legally go through it without a warrant.)

One way to resolve the dilemma, in a way that would work for someone using a single computer to access the webapp, would be a plugin, perhaps using something like Gears to maintain some level of persistence, that encodes certain of your data that you enter into the webapp as a layer in-between your keyboard/browser and the http packets going back and forth.

Aside: I do specifically mean encoding here, substituting a whole word or sign (like “ketchup”) for the plaintext (like “Rick Colosimo”). This practice would allow you to not worry about the security at the webapp, or even of the traffic after it leaves your browser (both things hard to control) in favor of having to secure your laptop (maybe not easy to do but certainly easier to control).

Example: I type in, on my Basecamp page, something like “Buy 1000 shares Illumina for Rick Colosimo.” The plugin turns that into “buy rabbit shares of denver for fox.” That is what gets sent to the webapp and what it stores. Anyone else accessing the data, either through the servers directly or via the web, gets my encoded message. Using the plugin, though, I get back my correct message and should never, in fact, even see the coded version. Just like on-the-fly translation, I never see the other words. But this doesn’t require AI or huge amounts of processing power because the code structure (vs encryption) is a relatively static set of substitutions.

So now I can keep, for example, student records from my son’s school on a webapp, easily accessible by parents, while not worrying about whether I’m violating FERPA or HIPAA (or even whether I have to comply!).

Sure, this solution in the way I’ve described it doesn’t replace a fully secure, private, webapp. But it does so better than the non-secure, non-private webapp does today! Could it be extended, or tweaked to allow for online access to code cheatsheets? Sure. It might be very easy to include the code words within a series of obfuscated plaintext or html files, or even inside a photo on a website using steganography to protect it.

Please share your tips for increasing webapp privacy & security in the comments.