At Liquid Machines, a Harvard Dean’s Invention Plugs Document Leaks

2/19/08Follow @wroush

Leonardo da Vinci, the most productive and free-ranging mind of his generation, filled his notebooks using a mirror script that no one else could read. Thomas Jefferson, while serving as Washington’s Secretary of State, invented a wheel-cipher device to protect his diplomatic correspondence from prying eyes. So perhaps it’s not such an unusual irony that the new dean of the Faculty of Arts and Sciences (FAS) at Harvard University—an institution with a deep commitment to freedom of expression—is the inventor of a software technique designed to keep unauthorized people from reading electronic documents.

Liquid Machines, a Waltham, MA, startup founded in 2001 by Harvard’s Michael Smith, showed up on our radar a couple of weeks ago when the company announced a $10 million Series D funding round, led by a New York-based IT venture fund called RRE Ventures. I scored an interview last week with CEO Michael Ruffolo, who explained that the company has raised a total of $37 million in venture backing, has had products on the market since 2005, and has tripled its sales in the last year. And all that progress is founded on a clever idea pioneered by Smith—who is a professor of computer science and electrical engineering at Harvard, in addition to leading FAS—that the company calls “application injection.” The technology takes over word-processing programs, e-mail software, and the like, automatically encrypting digital documents and then decrypting them for authorized users without requiring users to exchange passwords or cryptographic keys or attend to other special chores.

“Our technology and our patents are really around how we’re able to persistently control information across file types and from origination to file-sharing and all the way through to archiving,” explains Ruffolo, who, to illustrate the costs of not controlling sensitive corporate information, cites a recent public-relations debacle at Eli Lilly. An outside lawyer for the pharmaceutical giant inadvertently e-mailed a confidential document about Lilly’s reported $1-billion-plus settlement negotiations with the government over faulty marketing of its antipsychotic drug Zyprexa to a New York Times reporter, who, naturally, published the information—resulting in a huge embarrassment for the company.

“Tens of billions of e-mails are sent each day,” says Ruffolo. “Just ask yourself, how many of those have proprietary information, and how many of those are sent erroneously? You look at that, and you start to say, ‘I need something to control the flow of information that’s leaving my company.’ The most dangerous breach is the one that you’re not aware of.”

I won’t comment on how useful those occasional breaches can be to curious journalists. Instead, I’ll turn back to application injection, which is essentially the process by which Liquid Machines’ main product, called Liquid Machines Document Control, fuses itself into and takes control of virtually any other program that can play or display digital content—such as Microsoft Word and Adobe Acrobat. The “injection” happens at the moment the display program is loaded … Next Page »

Wade Roush is a contributing editor at Xconomy. Follow @wroush

Single Page Currently on Page: 1 2

By posting a comment, you agree to our terms and conditions.

  • Don

    Liquid Machines is hardly a unique ERM solution – there are several other startups such as Authentica, SealedMedia and InstaSecure offering similar capabilities at a much lower price point and with stronger leakage prevention features…for instance, Liquid Machines has no capability to block screen capture software where as all of the above provide this security aspect as well. Also, the “injection” method that Liquid Machines uses can easily be cracked by any other plug-in that is also injected at the same time into the native application…

  • Kevin

    All the encryption in the world won’t help drug companies hide their lies. There will be honest researchers who will expose them no matter what.

  • http://none Anuj

    There are also companies like Seclore which can not only use the application injection method so that passwords are not required but can also authenticate with pretty much any authentication service available like Active Directory, Google Accounts etc.