How to enable End-2-End Encryption (E2EE)

Today, KidLogger is the first solution in the world that offers End-2-End Encryption (E2EE). All the data captured from child's computers will be encrypted and decrypted only for the account owner. The child's activity data captured from end-point devices will be encrypted before transfer to our cloud service. The main difference with SSL encryption is that data is still kept encrypted when it reaches KidLogger cloud storage and further, it is kept encrypted even in all types of running instances of the database, execution contexts, and processing algorithms within our cloud servers. When you log in into your account, the data is delivered to the web browser in initial encrypted form and being decrypted on-the-fly right on the Web Browser page by using the Java-Script program and encryption features of the browser.  Here we explain how to update or install new KidLogger agent software and set up the E2EE encryption feature.

We would like to announce that the "End-2-End Encryption" feature is published now and available in experimental mode for new user accounts. Like any other time-tracking solution, KidLogger records the frequency and duration of each application, document, and website opened by the child, calculates the time spent for each item, and then sorts the results for reports. But now, the architecture of E2EE in KidLogger allows protecting the confidential data from the KidLogger server itself, since the content is encrypted always.
In order to try the E2EE feature, you need to download the new KidLogger Agent for Windows with "End-2-End Encryption" support and follow the step described below.

Enable Encryption settings

Visit the profile section and click "Enable Encryption". Please note, this option will not affect existing devices and data for your account.

Click Backup Keys to download the backup file for your Master Encryption Key. This will allow you to access your data in offline mode and also restore access to your account in case you forgot the password.

Install new KidLogger Agent

Download new KidLogger agent

For Update - just reinstall KidLogger over the existing version. For fresh install - Install it and open KidLogger in order to connect it to your account. Learn more about how to connect it.

When the device is added - it will start to upload only anonymous data about child activity in plain form, until you confirm the encryption for it, in the account profile, described in the next chapter.

Confirm new devices with encrypted data

After a successful update or installation of the new KidLogger Agent application, you need to visit Dashboard again. You should see the notice to confirm new devices with encryption support. Follow confirmation link>

On the Profile page - Encryption section - check the new device and click Confirm Encryption. 

Done. Within an hour, the confirmation will be received by the KidLogger agent app on the computer, and it will start collecting and encrypting all activity data according to the settings.

Browse encrypted dashboard and reports 

You will notice no many changes in your Dashboard and report despite all information is encrypted. This is possible with the on-the-fly decryption process right in the Web Browser thanks to the Web Crypto API standard available in the majority of browsers like Chrome, Firefox, Opera, Safari, and others. The specially developed JavaScript code works in the web browser and constantly decrypts all encrypted strings within a web page content returned by KidLogger service.

How does E2EE affect time tracking?

In fact, the encrypted opaque data have an identical structure as clear text data. For example, before encryption, KidLogger uses the string "winword.exe" or "gmail.com" to calculate the total time spent in the application.
After encryption is enabled, KidLogger uses the tokenized strings that are looking as "w6Wd4SSxgK9EqmHuR4EAWw==" or "UssM8UxGazi4kDxn5JDO4g==" to calculate the same total time. This is possible because a single encryption key is used to encrypt all data uploaded by computers from a certain account to KidLogger Server. So the specific application name, title, or URL address maintains the same tokenized text form within the data of a single account.  This allows processing encrypted data in the same way, but with the highest anonymization and privacy level.

Encrypted email reports

All reports generated to account email will contain encrypted data. We are working to publish a Web Browser plugin that will allow decrypting KidLogger reports in any web-based email such as Gmail or outlook. 

Encrypted backup

KidLogger allows downloading all data for a specific computer or department. This data includes a raw productivity log of user actions in chronological order and screenshots. With encryption enabled, this backup will be encrypted. In order to view the data, you need to install the SafeJKA Browser plugin.

Technical notes

The E2EE functionality is open source and placed within the jsec.js file, available online on kidlogger.net. Encryption is based on Web Crypto API available in the majority of web browsers and executed only in the Web Browser memory. KidLogger service helps to store and exchange Public Keys and opaque encrypted data between the User account owner and computer with the KidLogger Agent application.

KidLogger End-2-End Encryption specification in brief:

Each user account and KidLogger Agents installed on computers generate its own RSA key pair with 2048 bit private and public keys. User account owner generates random AES 256-bit encryption key is referred as Master Key. Master Key is protected with user account password by using PBKDF/AES-256 intermediate key and stored in KidLogger service as an encrypted blob. User account encrypts Master Key with RSA-SHA1 and sends it to computers by using KidLogger service as an encrypted blob. KidLogger Agent encrypts sensitive information in productivity data with AES-256 bit Master Key: application name, window title, URL address, keystrokes, clipboard, chat text, document name, screenshots, camera-shots, voice data. Meta-data such as the type of action, time, and duration are stored in clear form.
PBKDF key derivation is used to protect the user account password and generate intermediate encryption keys.
User account password is never transferred to KidLogger server in clear form. Once enabled, data encryption can not be disabled in KidLogger account and Agent applications. KidLogger service does not perform crypto operations and store only public keys or opaque encrypted data. We are working to continue improvements to allow user account owners to store the Master Key and respective RSA Secret Keys only in the browser memory of the trusted computer. Currently, we are working under the SafeJKA plugin for Web Browsers that will implement strong authentication and encryption ownership principle.