Chris, Nicely put. Agree with your comments 100%
Robert

--
On 2013-02-07, at 8:14 PM, Christopher Soghoian wrote:

> See Inline
>
> On Thu, Feb 7, 2013 at 12:15 PM, Andy Isaacson <a...@hexapodia.org> wrote:
> > Silent Circle may be an excellent privacy app. It might not have any
> > significant security problems. It might even do a good job of
> > mitigating important platform-based attacks and supporting important new
> > use cases (the "burn after reading" feature). When it's actually open
> > source I'll take a look and if it is good, I'll recommend it to users.
> >
> > Until that open review happens, I think it's inappropriate for voices in
> > our community to commend or recommend such a proprietary system. Each
> > person makes their own choices, of course, and nobody should base their
> > actions solely on what *I* think is right, but I hope you can hear my
> > concerns and consider the outcomes of your actions.
>
> Twitter's official client and server code are not open source. That hasn't
> stopped the good folks at EFF, as well as many other privacy advocates from
> praising the company's law enforcement transparency policies, as well as
> Twitter's willingness to go the extra mile when responding to various forms
> of legal process.
>
> Much of Google's code, including all of the Gmail backend code is not open
> source, but that hasn't stopped privacy advocates from legitimately praising
> the company for voluntarily publishing some really useful data on government
> requests and DMCA takedown demands.
>
> Although I have not recommended Silent Circle to anyone, I believe that it is
> entirely legitimate to praise the company for its commitment to transparency
> regarding law enforcement requests and the company's overall law enforcement
> policy.
>
> Hell, looking at the list of companies ranked on EFF's "Who's got your back"
> website, closed source is by far the norm, not the exception. That hasn't
> stopped EFF from giving out gold stars where they feel they are deserved.
> See:
> https://www.eff.org/pages/when-government-comes-knocking-who-has-your-back
>
> In fact, for many of the factors that I am most interested in, source code is
> completely irrelevant. Client source code does not reveal a company's data
> retention policy, and server data retention configurations are impossible to
> verify. Source code does not reveal whether a company will tell its users
> about subpoenas submitted for user data where not prevented from doing so by
> a gag order. Source code will not reveal a company's willingness to spend
> hundreds of thousands of dollars on legal bills to fight an improper request
> submitted by lawyers at the Department of Justice. For such things, you have
> to evaluate the company on its public policy (and, once the policy is put
> into action, you can judge the company via its track record).
>
> By all means, continue to harass Silent Circle about its source code.
> Likewise, please do hold journalists accountable for the bogus headlines
> they, or their editors have selected. But do not dismiss my legitimate
> interest in the law enforcement legal policies adopted by companies. These
> policies are often just as important, yet impossible to verify, even when
> companies publish their source code.
>
> Cheers,
>
> Chris
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech