On Mon, May 20, 2013 at 1:50 PM, Mark Seiden <[email protected]> wrote: > On May 20, 2013, at 1:18 PM, Nico Williams <[email protected]> wrote: >> Corporations are privacy freaks. I've worked or consulted for a >> number of corporations that were/are extremely concerned about data >> exfiltration. > > this is completely dependent on context -- the kind of company, the > communicants involved, > the regulatory environment, the material being conveyed. the variability is > about as high as > for natural persons, i reckon.
Yes, but there's always a need for privacy protection, and it's always well-justified and reasonable. And it's common to default to privacy protection. > particularly in financial services, firms try to record and retain all of the > communication with > their customers in any channel. if they can't record it, they don't want to > hear it (e.g. trading > instructions sent via IM…) Recording is one thing, but those recordings still need privacy protection. Customer data is treasured. >> I'd not advise such corporations to use Skype without an agreement >> with Skype as to what can/does happen to the their data, or else to be >> very careful about what is exchanged over Skype. And it does happen >> that sometimes a corporation's employees need to communicate with >> people over Skype or similar *external* systems. >> > > you can advise whatever you fancy, but skype, google, microsoft are unlikely > to agree to any such thing unless your client is a Really Big company who > pays them a lot of money. and why should they even bother their lawyers? > pretty much, their service Is What it Is, take it or leave it. Contracts are contracts. Especially if you pay for a service and privacy protection is stipulated, then the service provider has civil liability. And if you have the pocket depth for a lawsuit you have a good chance of getting said privacy protection, though not likely in relation to LEA (that depends on applicable laws and how much LEA respects them). > of course, your clients are free to use some other service that provides what > they're looking for > or… do it themselves, which gives them total control and the high costs that > go with that. Correct. But it's not always easy. People can write their own mobile apps, but that's expensive, and you still get to concern yourself with whether the device vendor can MITM you through the app store. Fortunately HTML5 is making as-good-as-native apps possible for mobiles. >> Beyond corporations, individuals absolutely have a right to private >> communications with their lawyers, etc... And there need not be any >> criminal or civil liability for an individual to hide. For example, >> if I were trying to patent something, I'd want my communications with >> my lawyer kept secret. >> > > oh, have you looked into how your lawyer receives your email? probably they > host > with the likes of google or some other outsourcer, because they're in the > business of law, not IT. I'm aware. I send sensitive documents to them via other methods, or encrypted over e-mail and then give them the passphrase out of band. > do you use "how they receive their email" as a criterion for how you choose > your patent lawyer? No. I assume e-mail is public and refrain from sending sensitive information that way. > last time i looked, the ABA does not require anything "unusual", such as > encryption, for privileged > communcation. That's because there's no real, workable e-mail encryption solution, not one that lawyers and their typical clients can use easily. Nico -- _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
