There are two ways to respond to criticism of your security product, especially when encryption is involved.

  1. Respond cautiously, openly, and positively as demonstrated last week by AgileBits, the folks behind 1Password.
  2. Do what CipherCloud did.

The TL;DR is that some people over on StackExchange were trying to figure out how CipherCloud works (specifically its homomorphic encryption, which CipherCloud states isn’t actually part of the product). Some public materials were posted, and then the CipherCloud legal team smacked StackExchange with a DMCA takedown notice over screenshots of the product as people tried to figure out how it works. They also issued a takedown request based on “false and misleading statements”, which does little more than fully engage the Streisand effect.

CipherCloud has since issued a kinda-sorta apology and an update that, judging from the few comments doesn’t satisfy anyone. They apologize for the takedown requests and blame their legal department, but barely address the actual issue.

First of all from what I have seen they have a good product which does what they claim it does. I have been briefed and know some large organizations evaluating or using it.

The problem here isn’t the product – it’s their approach. When someone posts potentially unfavorable information about you on the Internet, trying to squash it always backfires. Also, if the posts are mostly trying to cut through your marketing material to see how the product works, that means people are interested in your product and you should treat them with respect.

CipherCloud’s response to the DMCA takedown criticism is to state that the conclusions coming out of StackExchange were wrong and based on an older video demo. That’s totally fine, but they fail to actually fill the information gap with accurate information. There is a little about what they don’t do, the usual platitudes about FIPS-140, and that’s about it. They say they will provide this information to customers, prospects, and partners, but want to keep their IP otherwise out of the public eye:

I understand and appreciate the interest in the market to better understand our technology, and I am happy to discuss additional details around our encryption implementation with our customers, prospects and partners. If you are interested in learning more, please contact CipherCloud directly via our website at

This isn’t how to respond. I know their competitors, and trust me, they all have a good idea of how CipherCloud works. The ones who care set up straw buyers/prospects to get their hands on demos, however unethical that is.

I don’t think they need to reveal everything, but this was a great opportunity to get some additional attention, explain why they feel they are better than the competition, and generate some goodwill among those interested in the product. Instead they look like they are hiding something. 1Password nailed it with their reasoned response to a security concern, and the industry is well trained to be skeptical of security vendors – especially in encryption – who aren’t transparent about their technology.

Also, when you make a mistake like letting loose the legal dogs, you need to sound truly apologetic, not defensive.

Anyway, big companies can get away from this, but now CipherCloud has to deal with negative coverage as the second result on their Google search.

I am not a marketing exec, but that coverage is not good, and they will have to live with it for a while.