MW4ALL 2.0 Project Completed: Bringing Identity-less and Secure File Transfers to the Web

August concluded the NGI_Trust-funded MW4ALL 2.0 project, aimed at building an identity-less secure file transfer web application based on the Magic Wormhole protocol. 

Magic Wormhole is a protocol that allows for the rapid and secure sharing of data between two parties without either needing to know the other’s identity. 

Files sent through Magic Wormhole are encrypted on the user’s device and the content is not stored on the provider’s servers (in contrast to more traditional approaches). The security and privacy benefits of this approach cannot be emphasized enough: Relying on centrally hosted information leaves people’s data susceptible to surveillance, commercial exploitation and inadvertent exposure. Moreover, with the product we’re building, neither party registers or shares contact information when sending or receiving files. It is, in other words, identity-less. These two privacy features are central to the privacy values that underpin Magic Wormhole, and ultimately give users greater control over their data.

Work on this project aligns with Least Authority’s mission to create usable products that enhance people’s privacy, and underscores our support for free and open source software. The backend components, magic-wormhole-mailbox-server and magic-wormhole-transit-relay, are open source, as is the Web-based frontend (a work in progress that we are currently calling ‘Transfer’). We encourage those interested to use and provide feedback on our code.

What did we do during MW4ALL 2.0?

Over the 11 months of the project, we made great progress towards building a Magic Wormhole-based secure file transfer web application. The decision to create a web app was informed by a key need we discovered in our first MW4ALL project’s research phase: When sending files, people do not always know if the person they are sending a file to has the right app, device or operating system needed to be able to receive the file. By supporting transfers in a Web browser, people no longer need to worry about these aspects. 

The 2.0 project incorporated six main workstreams, which are outlined in the table below.

| Workstream | Description |
| --- | --- |
| Design iterations | Produced wireframes, Figma prototypes and working UI implementations |
| Needs-finding and usability research with prototypes | Conducted two rounds of foundational and usability research to inform the design, development and business planning process |
| Adaptation for web-to-web | Adapted the protocol, servers and client implementations for web-to-web file transfers, including by adding WebSocket support |
| Improvements for scalability | Made the technology scalable by implementing DDoS mitigation, and prepared for scalability by investigating implementation options for it |
| Front-end development | Built an alpha browser-based implementation |
| Business sustainability | Focused on two options for commercialization, and created a plan for guiding us to the best path forward |

One of the most notable accomplishments of the 2.0 project was that we were able to adapt the existing Magic Wormhole protocol and implementation to support transfers over the web. By using iterative design informed by multiple rounds of user testing, we ensured development work was influenced by actual user needs and that usability challenges were identified early.

One persistent challenge we encountered in the iterative process has been the need to clearly communicate to users the synchronous nature of Magic Wormhole file transfers. This works rather differently from asynchronous file transfer systems (such as email, cloud storage, or common file-sharing platforms). With synchronous transfers, both sender and receiver need to be online at the same time for the transfer to succeed. In our case this also means that files are not stored on the provider’s servers. In other words, it is about transferring something to someone else in real time as opposed to ‘send and forget’, where the recipient can get the file whenever it suits them. While some users are familiar with synchronous transfer mechanisms (like Bluetooth or AirDrop) for nearby transfers, for other file transfer usage we face—and expect to continue to face—the challenge of existing mental models.

What did we achieve and learn? 

We are pleased to have reached an alpha/proof-of-concept state of our original aim: providing secure, easy, and fast file transfers using a Magic Wormhole Web app. While there is still a significant path ahead, being able to easily make Web-to-Web file transfers without revealing identity information, or storing a file on a server, in a matter of seconds, has been very motivating. 

The project has also proven to be a valuable learning experience. Most notably, the breadth of work involved in creating such an application exceeded our expectations, involving everything from back-end re-architecting and setting up infrastructure, to recruiting test participants and investigating business models that support open-source tools. Planning and staffing for this was more demanding than we expected when we initially applied for this grant with the less specific aim of bringing Magic Wormhole to ‘all’. This means that our team, which is also involved in other projects across the company, was challenged to achieve all of the goals we previously aimed for, including completing a Beta version of the application. We also came to recognize areas where we still need to invest more effort.

As a company and as a team, we now have a better understanding of the requirements involved in developing a new product, and how to make it a sustainable business without compromising our ideals of privacy-enhancing technology products built on open source code and protocols.

Our work on this file transfer web application has not yet been completed. We will post updates on our blog and in our newsletter.


This project has received funding from the European Union’s Horizon 2020 research and innovation programme under the NGI_TRUST grant agreement no 825618.