At Liquid Machines, a Harvard Dean’s Invention Plugs Document Leaks

Leonardo da Vinci, the most productive and free-ranging mind of his generation, filled his notebooks using a mirror script that no one else could read. Thomas Jefferson, while serving as Washington’s Secretary of State, invented a wheel-cipher device to protect his diplomatic correspondence from prying eyes. So perhaps it’s not such an unusual irony that the new dean of the Faculty of Arts and Sciences (FAS) at Harvard University—an institution with a deep commitment to freedom of expression—is the inventor of a software technique designed to keep unauthorized people from reading electronic documents.

Liquid Machines, a Waltham, MA, startup founded in 2001 by Harvard’s Michael Smith, showed up on our radar a couple of weeks ago when the company announced a $10 million Series D funding round, led by a New York-based IT venture fund called RRE Ventures. I scored an interview last week with CEO Michael Ruffolo, who explained that the company has raised a total of $37 million in venture backing, has had products on the market since 2005, and has tripled its sales in the last year. And all that progress is founded on a clever idea pioneered by Smith—who is a professor of computer science and electrical engineering at Harvard, in addition to leading FAS—that the company calls “application injection.” The technology takes over word-processing programs, e-mail software, and the like, automatically encrypting digital documents and then decrypting them for authorized users without requiring users to exchange passwords or cryptographic keys or attend to other special chores.

“Our technology and our patents are really around how we’re able to persistently control information across file types and from origination to file-sharing and all the way through to archiving,” explains Ruffolo, who, to illustrate the costs of not controlling sensitive corporate information, cites a recent public-relations debacle at Eli Lilly. An outside lawyer for the pharmaceutical giant inadvertently e-mailed a confidential document about Lilly’s reported $1-billion-plus settlement negotiations with the government over faulty marketing of its antipsychotic drug Zyprexa to a New York Times reporter, who, naturally, published the information—resulting in a huge embarrassment for the company.

“Tens of billions of e-mails are sent each day,” says Ruffolo. “Just ask yourself, how many of those have proprietary information, and how many of those are sent erroneously? You look at that, and you start to say, ‘I need something to control the flow of information that’s leaving my company.’ The most dangerous breach is the one that you’re not aware of.”

I won’t comment on how useful those occasional breaches can be to curious journalists. Instead, I’ll turn back to application injection, which is essentially the process by which Liquid Machines’ main product, called Liquid Machines Document Control, fuses itself into and takes control of virtually any other program that can play or display digital content—such as Microsoft Word and Adobe Acrobat. The “injection” happens at the moment the display program is loaded into a computer’s active memory. Once the Liquid Machines software has taken over the program, it gives it the ability to decipher specially encrypted files on the fly. It holds the decrypted version in memory, and can send the information to a printer or a display, where the end user can read it.

Because the Liquid Machines system intercepts and controls all of the information passing into and out of the original application, it can prevent that information from going anywhere else without first being re-encrypted. For example, a user of a protected Word document could copy and paste information from that document into a non-protected one—but the second document would then automatically be saved in encrypted form.

Not only does this approach to document protection prevent unauthorized access—the goal of all digital-rights management technology—but it has the huge advantage of being portable and independent of the applications that handle specific types of content. In a company with Liquid Machines software, in other words, employees don’t need special, secure versions of Word or Outlook or Acrobat or Visio or SolidWorks or any of the other software they use to generate and exchange knowledge. They just need the Liquid Machines application installed on their computer or handheld device (it also works on the RIM Blackberry, in addition to Windows desktops and laptops).

“Most security technology forces people to change the way they do their work, which is a bad thing, because it inhibits productivity,” says Ruffolo. “Having been a CIO, I know it’s difficult even to get people to change their passwords, let alone upgrade every application they use so that it’s secure. We have really solved the ease-of-use problem for customers who want to promote security but not reduce productivity.”

Organizations like Goldman Sachs, Philip Morris, Symantec, Dow Chemical, and the United States Marine Corps have adopted Liquid Machines’ software to control internal documents and prevent accidental (or intentional) breaches. Typically, Ruffolo says, a company will run a small pilot test within a single department, then scale up to multiple departments and, in a growing number of cases, license the product for use across the entire company, as Goldman Sachs has done, buying seat licenses for 42,000 employees.

Companies appreciate Liquid Machines’ technology, Ruffolo says, because it doesn’t interfere with employees’ everyday work. In fact, with application injection, a user of Microsoft Word or Adobe Acrobat would normally never notice that Liquid Machines’ software has stepped in to oversee the flow of information inside the computer (except for the special control panel called the “policy droplet” that lets the creator of a document specify who is authorized to access it).

“We think our technology is going to become like car seats—just a common-sense way to protect information that needs to be protected,” says Ruffolo. “It’s ironic, but law firms tend to be the slowest to adopt document protection technology. They hide behind the disclaimers at the bottom of their email. It’s their clients”—including, perhaps, a red-faced and incensed Eli Lilly—“that are forcing them to act.”

Wade Roush is a freelance science and technology journalist and the producer and host of the podcast Soonish.


3 responses to “At Liquid Machines, a Harvard Dean’s Invention Plugs Document Leaks”

  1. Don says:

    Liquid Machines is hardly a unique ERM solution – there are several other startups such as Authentica, SealedMedia and InstaSecure offering similar capabilities at a much lower price point and with stronger leakage prevention features…for instance, Liquid Machines has no capability to block screen capture software whereas all of the above provide this security aspect as well. Also, the “injection” method that Liquid Machines uses can easily be cracked by any other plug-in that is also injected at the same time into the native application…

  2. Kevin says:

    All the encryption in the world won’t help drug companies hide their lies. There will be honest researchers who will expose them no matter what.

  3. Anuj says:

    There are also companies like Seclore which can not only use the application injection method so that passwords are not required but can also authenticate with pretty much any authentication service available like Active Directory, Google Accounts etc.